Part 1 Business Analysis
Internal Controls (15% - Level A)
PREPARED BY
Sameh Y. El lithy, CMA, CIA.
Internal Controls (15% - Level A)
3. Systems Controls and Security Measures
A. General accounting system controls
B. Application and transaction controls
C. Network controls
D. Flowcharting to assess controls
E. Backup controls
F. Disaster recovery procedures
A. General Accounting System Controls
Introduction
Segregation of functions. Many controls once
performed by separate individuals may be
concentrated in computer systems.
Hence, an individual who has access to the computer
may perform incompatible functions. As a result,
other control procedures may be necessary to
achieve the control objectives ordinarily accomplished
by segregation of functions. Other controls may
include
1) Adequate segregation of functions within the computer
processing activities.
2) Establishment of a control group to prevent or detect
processing errors or fraud.
3) Use of password controls to prevent incompatible
functions from being performed by individuals with online
access to assets and records.
Sameh Y. El lithy, CMA, CIA. U.12.CMA, Part 1
Internal Control for IS
Internal control for an information system has the
same goals and components as overall
organizational internal control.
The ultimate responsibility for internal control
lies with management and the board.
The Classification of Controls
General controls
Application controls
Controls within a computer system are broken
down into two types.
General controls, which relate to the environment;
Application controls, which are controls that are
specific to individual applications and are designed to
prevent, detect and correct errors and irregularities in
transactions during the input, processing and output
stages.
Both general controls and application controls are
essential.
General Controls
General controls relate to the general
environment within which transaction processing
takes place.
They are designed to ensure that the company's
control environment is stable and well managed.
A stable and well-managed control environment
strengthens the effectiveness of the company's
application controls.
General controls include controls over the
development, modification and maintenance of
computer programs.
Categories of General Control
The plan of organization and operation of the
computer activity, including provision for segregation
of duties (preventive control).
General operating procedures
Equipment and hardware controls
Access controls to equipment and data
The Plan of Organization & Operation of the Computer Activity
Organizational controls are concerned with the
proper segregation of duties and responsibilities
within the computer processing environment.
There should be an IT Planning or Steering
Committee that will oversee the IT function. Members
should include senior management, user
management and representatives from the IT
function. The committee should have regular
meetings and report to senior management.
The plan of organization and operation of the computer activity (contd)
Segregation of duties should be maintained between and among
the following functions:
Systems analysts
Information systems use
Data entry
Data control clerks
Programmers
Computer operation
Network management
System administration
Librarian
Systems development and maintenance
Change management
Security administration
Security audit
The plan of organization and operation of the computer activity (contd)
For example: The responsibilities of systems analysts,
programmers, operators, file librarians, and the control
group should be performed by different individuals, and
proper supervision should be provided.
Operating controls ensure efficient and effective
operation within the computer department.
These controls also assure proper procedures in case of data
loss because of error or disaster.
Typical operating controls include the proper labeling of all files
both internally (machine-readable file header and trailer labels)
and externally, halt and error procedures, duplicate files, and
reconstruction procedures for files.
General Operating Procedures
Changes in the computer system should be subject
to strict controls. For example, a written request for
an application program change should be made by a
user department and authorized by a designated
manager or committee.
The program should then be redesigned using a working
copy, not the version currently in use. Also, the systems
documentation must be revised.
Changes in the program will be tested by the user, the
internal auditor, and a systems employee who was not
involved in designing the change.
Approval of the documented change and the results of
testing should be given by a systems manager. The change
and test results may then be accepted by the user.
Unauthorized program changes can be detected by code
comparison. The version in use should be periodically
compared with a copy controlled by the auditors. Software
can be used to perform this procedure.
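A worked example of the code comparison just described, added here and not part of the original slides: the version in use and the auditor-controlled copy are each fingerprinted with SHA-256 and every modified, added or missing file is reported. The program tree, the file names and the altered payroll line are constructed for the demonstration; in practice the controlled copy would be taken from the auditors' escrow at the time the change was approved.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint_tree(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_versions(controlled: dict[str, str], in_use: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between the auditor-controlled copy and the version in use.

    A modified or added file is a candidate unauthorized change; a missing file means
    the production copy no longer matches the approved baseline either.
    """
    return {
        "modified": sorted(f for f in controlled if f in in_use and controlled[f] != in_use[f]),
        "added": sorted(f for f in in_use if f not in controlled),
        "missing": sorted(f for f in controlled if f not in in_use),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: two copies of a small program tree, one altered in production."""
    with tempfile.TemporaryDirectory() as tmp:
        controlled = Path(tmp) / "auditor_copy"
        in_use = Path(tmp) / "production"
        for tree in (controlled, in_use):
            (tree / "src").mkdir(parents=True)
            (tree / "src" / "payroll.cbl").write_text("COMPUTE GROSS = HOURS * RATE.\n")
            (tree / "src" / "tax.cbl").write_text("COMPUTE TAX = GROSS * 0.20.\n")
        # Constructed unauthorized change applied only to the copy in use.
        (in_use / "src" / "payroll.cbl").write_text("COMPUTE GROSS = HOURS * RATE + 50.\n")
        (in_use / "src" / "bonus.cbl").write_text("COMPUTE BONUS = 500.\n")
        return compare_versions(fingerprint_tree(controlled), fingerprint_tree(in_use))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The comparison deliberately reports additions and deletions as well as edits: a program dropped into the production library is as much an unauthorized change as an edited one, and a digest-by-digest comparison will not notice it unless the file lists themselves are compared.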
Equipment Controls
Controls built into the equipment by the manufacturer
(hardware controls)
Hardware controls assure the proper internal handling of data
as they are moved and stored.
Hardware controls include parity checks, echo checks, read-after-write
checks, and any other procedure built into the equipment to assure data
integrity.
A defined backup procedure should be in place, and the
usability of the backups should be verified regularly.
Transaction trails should be available for tracing the
contents of any individual transaction record backward
or forward, and between output, processing, and source.
Records of all changes to files should be maintained.
Hardware Controls
Boundary (storage) protection.
Diagnostic routines.
Dual read.
Dual read-write heads.
Duplicate circuitry.
Echo check.
File protection.
Parity check.
Preventive maintenance.
Read-write suppression.
Validity checks.
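An added illustration, not from the original slides, of two of the hardware controls listed above in Python: an even-parity bit is attached to each byte and rechecked after a simulated transfer, and an echo check compares what the receiver sent back with what was transmitted. The PAYROLL bytes and the flipped bit positions are constructed inputs. The double-bit case shows the limit of simple parity: it detects any odd number of flipped bits in a byte but never an even number, which is why stronger checks are used where that matters.

```python
def parity_bit(byte: int) -> int:
    """Even-parity bit for one byte: 1 when the data has an odd number of 1 bits."""
    return bin(byte & 0xFF).count("1") % 2


def encode_frames(data: bytes) -> list[tuple[int, int]]:
    """Attach a parity bit to every byte, as a storage or transmission path would."""
    return [(b, parity_bit(b)) for b in data]


def parity_check(frames: list[tuple[int, int]]) -> list[int]:
    """Indexes of frames whose data no longer agrees with the stored parity bit."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]


def echo_check(sent: bytes, echoed: bytes) -> list[int]:
    """Positions where the copy echoed back by the receiver differs from what was sent.

    A length mismatch is reported as a difference at the first missing position.
    """
    diffs = [i for i, (a, b) in enumerate(zip(sent, echoed)) if a != b]
    if len(sent) != len(echoed):
        diffs.append(min(len(sent), len(echoed)))
    return diffs


def corrupt(frames: list[tuple[int, int]], index: int, bit_positions) -> list[tuple[int, int]]:
    """Copy of frames with the given bits of one data byte flipped; the parity bit is left as stored."""
    out = list(frames)
    data, parity = out[index]
    for pos in bit_positions:
        data ^= 1 << pos
    out[index] = (data & 0xFF, parity)
    return out


def demo() -> dict[str, list[int]]:
    """Constructed scenario: a clean transfer, a single-bit error, a double-bit error and a bad echo."""
    frames = encode_frames(b"PAYROLL")
    return {
        "clean": parity_check(frames),
        "single_bit": parity_check(corrupt(frames, 2, [0])),
        "double_bit": parity_check(corrupt(frames, 2, [0, 5])),  # not detectable by parity
        "echo": echo_check(b"PAYROLL", b"PAYR0LL"),
    }


if __name__ == "__main__":
    print(demo())
```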
Equipment Access and Data Access Controls
Logical security
Consists of access and ability to use the equipment and data.
It includes Internet security (firewalls) and virus protection
procedures; access controls for users to minimize actions they
can perform; authentication processes to verify the identity of
users; and cryptographic techniques such as encryption of
messages and digital signatures.
Physical security
Involves things such as keeping servers and associated
peripherals in a separate, secure room with bars on the windows
and use of blinds or reflective film on the windows for heat
blocking as well as physical protection. Monitoring of hardware
components to prevent them being removed from the premises;
security for offsite backup tapes; and biometrics to identify a
person based on physical or behavioral characteristics
(fingerprints, voice verification, etc.).
Physical security also involves the locations of wiring that
connects the system, backup media, and maintenance of
uninterruptible power supplies.
Access Controls
Access controls, such as
ID numbers,
passwords,
access logs, and
device authorization tables,
prevent improper use or manipulation of data files and
programs.
They help ensure that only those persons with a bona fide
purpose and authorization have access to data processing.
Biometric technologies. These are automated methods of
establishing an individual's identity using physiological or
behavioral traits.
These characteristics include fingerprints, retina patterns, hand geometry,
signature dynamics, speech, and keystroke dynamics.
Automatic log-off (disconnection) of inactive data terminals may
prevent the viewing of sensitive data on an unattended data
terminal.
Utility software restrictions. Utility software may have privileged
access and therefore be able to bypass normal security
measures.
Performance monitors, tape and disk management systems, job
schedulers, online editors, and report management systems are examples
of utility software.
Management can limit the use of privileged software to security personnel
and establish audit trails to document its use. The purpose is to gain
assurance that its uses are necessary and authorized.
Security personnel. An organization may need to hire security
specialists.
For example, developing an information security policy for the organization,
commenting on security controls in new applications, and monitoring and
investigating unsuccessful access attempts are appropriate duties of the
information security officer.
More About Segregation of Duties
The most important organizational and operating
control is the segregation of duties.
Although the traditional segregation practiced in
accounting of separating the responsibilities of
authorization, record keeping and custody of
assets may not be practiced in the same manner
in Information Systems (since the work is quite
different), there are still specific duties in the IS
environment that should be separate from one
another.
Separate Responsibilities within the Information Systems Department
Various Positions within a Computer System
Systems Analysts
Programmers
Computer (console) Operators
The Data Control Group
Transaction Authorization
Users should submit a signed form with each
batch of input data to verify that the data has
been authorized and that the proper batch control
totals have been prepared.
Data control group personnel should verify the
signatures and batch control totals before
submitting the input for processing.
This would prevent a payroll clerk, for instance, from
submitting an unauthorized pay increase for himself
or herself.
Librarians
Librarians should maintain control over and
accountability for documentation, programs, and
data files.
They should have no access to equipment. The
librarian should restrict access to the data files
and programs to authorized personnel at
scheduled times.
Furthermore, the librarian maintains records of all
usage, and those records should be reviewed
regularly by the data control group for evidence
of unauthorized use.
Data Conversion Operators
Data conversion operators perform the tasks of
data preparation and transmission, for example,
conversion of source data to magnetic disk or tape
and entry of transactions from remote terminals.
Database Administrator
The database administrator controls access to various
files, making program changes, and making source
code details available only to those who need to know.
The database administrator (DBA) is the individual
who has overall responsibility for developing and
maintaining the database and for establishing controls to
protect its integrity.
Thus, only the DBA should be able to update data
dictionaries.
In small systems, the DBA may perform some functions of a
database management system (DBMS). In larger
applications, the DBA uses a DBMS as a primary tool.
Other
The webmaster is responsible for the content of the
organization's website. (S)he works closely with programmers
and network technicians to ensure that the appropriate content is
displayed and that the site is reliably available to users.
Help desks are usually a responsibility of computer operations
because of the operational nature of their functions. Help desk
personnel log reported problems, resolve minor problems, and
forward more difficult problems to the appropriate information
systems resources, such as a technical support unit or vendor
assistance.
Network technicians maintain the bridges, hubs, routers,
switches, cabling, and other devices that interconnect the
organization's computers. They are also responsible for
maintaining the organization's connection to other networks, such
as the Internet.
End users need access to applications data and functions only.
File Security Controls
File Security Control procedures include:
Labeling the contents of a disk or tape, both externally and internally as
part of the data file.
The read-only file designation is used to prevent data from being altered
or written over by users.
Database Management Systems use lockout procedures to prevent
two applications from updating the same record or data item at the same
time.
Note: A deadly embrace occurs when two different applications
or transactions each have a lock on data that is needed by the
other application or transaction. Neither process is able to
proceed, because each is waiting for the other to do something. In
these cases the system must have a method of determining which
transaction goes first, and then it must let the second transaction
be completed using the updated information after the first
transaction.
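The deadly embrace in the note above, worked through in Python as an added example that is not part of the original slides: a small lock manager grants exclusive record locks, records who is waiting on whom, and finds the cycle in that wait-for graph. Two transactions, T1 and T2, each lock one record and then ask for the other's. The rule for which transaction goes first is an assumption made for the example (the later-named transaction is rolled back and retried after the first commits); a real DBMS has its own victim-selection policy.

```python
from typing import Optional


class LockManager:
    """Record-level exclusive locks with wait-for graph deadlock detection (constructed example)."""

    def __init__(self) -> None:
        self.holder: dict[str, str] = {}   # data item -> transaction holding its lock
        self.waiting: dict[str, str] = {}  # transaction -> data item it is blocked on

    def acquire(self, txn: str, item: str) -> bool:
        """Grant the lock if free (or already ours); otherwise record the wait and refuse."""
        owner = self.holder.get(item)
        if owner is None or owner == txn:
            self.holder[item] = txn
            self.waiting.pop(txn, None)
            return True
        self.waiting[txn] = item
        return False

    def release_all(self, txn: str) -> None:
        """Drop every lock held by txn (on commit, or on abort as a deadlock victim)."""
        for item in [i for i, t in self.holder.items() if t == txn]:
            del self.holder[item]
        self.waiting.pop(txn, None)

    def wait_for_edges(self) -> dict[str, str]:
        """txn -> the txn it waits on (the holder of the item it is blocked on)."""
        return {t: self.holder[item] for t, item in self.waiting.items() if item in self.holder}

    def find_deadlock(self) -> Optional[list[str]]:
        """Follow wait-for edges from each transaction; reaching a transaction twice closes a cycle."""
        edges = self.wait_for_edges()
        for start in edges:
            path, node = [], start
            while node in edges and node not in path:
                path.append(node)
                node = edges[node]
            if node in path:
                return path[path.index(node):]
        return None


def demo() -> dict:
    """Two transactions each hold one record and then request the other's: a deadly embrace."""
    lm = LockManager()
    lm.acquire("T1", "customer:42")
    lm.acquire("T2", "invoice:7")
    t1_blocked = not lm.acquire("T1", "invoice:7")
    t2_blocked = not lm.acquire("T2", "customer:42")
    cycle = lm.find_deadlock()
    # Assumed policy: the later-named transaction loses, is rolled back and is retried afterwards.
    victim = sorted(cycle)[-1]
    lm.release_all(victim)
    still_deadlocked = lm.find_deadlock()
    t1_proceeds = lm.acquire("T1", "invoice:7")
    lm.release_all("T1")  # T1 commits; T2 now re-runs against the updated records
    t2_retry = lm.acquire("T2", "customer:42") and lm.acquire("T2", "invoice:7")
    return {
        "blocked": (t1_blocked, t2_blocked),
        "cycle": cycle,
        "victim": victim,
        "still_deadlocked": still_deadlocked,
        "t1_proceeds": t1_proceeds,
        "t2_retry": t2_retry,
    }


if __name__ == "__main__":
    print(demo())
```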
File Security Controls (contd)
The librarian's function is particularly critical,
because documentation, programs and data files
are assets of the organization and require
protection the same as any other asset would.
The data files contain information that is critical to
the enterprise, such as accounting records.
Although backup procedures could reconstruct
lost or damaged data, it is less costly to prevent a
data loss than to repair it. Furthermore,
confidential information is contained in the data
files and must be protected from misuse by
unauthorized individuals.
B. Application Controls
Input Controls
Data Observation and Recording
One or more observational control procedures may be practiced:
1) Feedback mechanisms are manual systems that attest to the accuracy of a
document.
For instance, a sales person might ask a customer to confirm their order with a
signature, attesting to the accuracy of the data in the sales order.
Feedback mechanisms include authorization, endorsement and cancellation.
2) Dual observation means more than one employee sees the input
documents.
In some cases this might mean a supervisor reviews and approves the work.
3) Point-of-sale devices used to encode data can decrease errors
substantially.
In addition, point-of-sale devices eliminate the need to manually convert the data to
machine-readable format.
4) Preprinted forms such as receipt and confirmation forms can ensure that all
the data required for processing has been captured.
For example, if a form utilizes boxes for each character in an inventory part number,
it is more likely that the correct number of characters will be entered.
Data Transcription
Data transcription is the preparation of the data for
processing. If data is entered from source documents,
the source documents should be organized in a way
that facilitates the input process.
The actual data input usually takes place at a
workstation with a display terminal.
A preformatted input screen can assist in the transcription
process.
For example, a date field to be filled in would be presented onscreen as
_/_/__.
Format checks are used to verify that data is entered in the
proper mode: numeric data in a numeric field, a date in a date
field, etc.
Completeness checks of transmission of data
determine whether all necessary information has been
sent.
The software notifies the sender if something is omitted.
Limit and range checks are based on known limits for
given information. These checks ensure that only data
within predefined limits will be accepted by the system.
For example, hours worked per week will not equal 200.
Validity checks, which match the input data to an
acceptable set of values or match the characteristics of
input data to an acceptable set of characteristics.
Validity checks are tests of identification numbers or
transaction codes for validity by comparison with items already
known to be correct or authorized.
For example, Social Security numbers on payroll input records can be
compared with Social Security numbers authorized by the personnel
department.
Key verification is the process of inputting the
information again and comparing the two results.
Error listing. Editing (validation) of data should
produce a cumulative automated error listing that
includes not only errors found in the current
processing run but also uncorrected errors from
earlier runs. Each error should be identified and
described, and the date and time of detection
should be given. Sometimes, the erroneous
transactions may need to be recorded in a
suspense file. This process is the basis for
developing appropriate reports.
Preformatting. To avoid data entry errors in online
systems, a screen prompting approach may be used
that is the equivalent of the preprinted forms routinely
employed as source documents.
The dialogue approach, for example, presents a series of
questions to the operator. The preformatted screen approach
involves the display of a set of boxes for entry of specified data
items. The format may even be in the form of a copy of a
transaction document.
Reasonableness (relationship) tests check the logical
correctness of relationships among the values of data
items on an input and the corresponding master file
record.
For example, it may be known that employee John Smith
works only in departments A, C, or D; thus, a reasonableness
test could be performed to determine that the payroll record
contains one of the likely department numbers. In some texts,
the term reasonableness test is defined to encompass limit
checks.
A redundancy check requires sending
additional data items to serve as a check on the
other transmitted data;
for example, part of a customer name could be
matched against the name associated with the
transmitted customer number.
An echo check is an input control over
transmission along communications lines. Data
are sent back to the user's terminal for
comparison with the transmitted data.
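The input edits described over the preceding slides (completeness, format, limit and range, validity, and reasonableness checks) applied to keyed payroll records, together with the cumulative error listing and suspense file from the error-listing slide. This is an added example in Python, not code from the original deck; the authorized SSN list, the employee-to-department master file relationship and the 80-hour ceiling are constructed reference data. Errors stay on the listing across runs until a clean record with the same key is accepted.

```python
import re
from datetime import date

# Constructed reference data: SSNs authorized by the personnel department and the
# departments each employee is known to work in (the master file relationship).
AUTHORIZED_SSNS = {"123-45-6789", "987-65-4321", "555-12-3456"}
MASTER_DEPARTMENTS = {"E100": {"A", "C", "D"}, "E200": {"B"}, "E300": {"A"}}
REQUIRED_FIELDS = ("emp_id", "ssn", "week_ending", "hours", "dept")
MAX_WEEKLY_HOURS = 80


def edit_checks(rec: dict) -> list[str]:
    """Run the input edits against one keyed payroll record and describe every failure."""
    errors = []
    # Completeness check: every required item must be present before anything else is judged.
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:
        return [f"completeness: missing {', '.join(missing)}"]
    # Format checks: the right mode and shape for each field.
    if not re.fullmatch(r"E\d{3}", rec["emp_id"]):
        errors.append("format: emp_id")
    if not re.fullmatch(r"\d{3}-\d{2}-\d{4}", rec["ssn"]):
        errors.append("format: ssn")
    try:
        date.fromisoformat(rec["week_ending"])
    except ValueError:
        errors.append("format: week_ending")
    try:
        hours = float(rec["hours"])
    except ValueError:
        errors.append("format: hours")
        hours = None
    # Limit (range) check: hours worked per week will not equal 200.
    if hours is not None and not 0 <= hours <= MAX_WEEKLY_HOURS:
        errors.append(f"limit: hours {hours:g} outside 0-{MAX_WEEKLY_HOURS}")
    # Validity check: the SSN must match one already authorized by personnel.
    if rec["ssn"] not in AUTHORIZED_SSNS:
        errors.append("validity: ssn not authorized")
    # Reasonableness (relationship) check: the department must be one this employee works in.
    allowed = MASTER_DEPARTMENTS.get(rec["emp_id"])
    if allowed is not None and rec["dept"] not in allowed:
        errors.append(f"reasonableness: dept {rec['dept']} not in {sorted(allowed)}")
    return errors


def run_edit(records: list[dict], prior_listing: list[dict], run_label: str):
    """Validate one run; return (cumulative error listing, suspense file of rejected records).

    Entries from earlier runs stay on the listing until a clean record with the same key arrives.
    """
    accepted, suspense, new_errors = [], [], []
    for rec in records:
        errs = edit_checks(rec)
        if errs:
            suspense.append(rec)
            new_errors.append({"key": rec.get("emp_id"), "run": run_label, "errors": errs})
        else:
            accepted.append(rec["emp_id"])
    carried = [e for e in prior_listing if e["key"] not in accepted]
    return carried + new_errors, suspense


# Constructed input for two successive processing runs.
RUN_1 = [
    {"emp_id": "E100", "ssn": "123-45-6789", "week_ending": "2024-03-08", "hours": "40", "dept": "C"},
    {"emp_id": "E200", "ssn": "987-65-4321", "week_ending": "2024-03-08", "hours": "200", "dept": "B"},
    {"emp_id": "E300", "ssn": "111-22-3333", "week_ending": "2024-03-08", "hours": "38", "dept": "D"},
    {"emp_id": "E400", "ssn": "555-12-3456", "week_ending": "", "hours": "35", "dept": "A"},
]
RUN_2 = [  # E200 resubmitted with corrected hours; E300 and E400 remain uncorrected
    {"emp_id": "E200", "ssn": "987-65-4321", "week_ending": "2024-03-08", "hours": "20", "dept": "B"},
]


def demo() -> list[dict]:
    """The error listing as it stands after both runs."""
    listing, _suspense = run_edit(RUN_1, [], "run-1")
    listing, _suspense = run_edit(RUN_2, listing, "run-2")
    return listing


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Note the order of the checks: a completeness failure short-circuits the rest, because format and validity tests on fields that are absent would only add noise to the listing, which is meant to be read and worked by people.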
(CMA Adapted, June 1987)
(CMA Adapted, June 1995)
Processing Controls
Data Access Controls & Data Manipulation Controls
Data Access Controls
Transmittal documents
Batch control totals
hash total
record count
Data Manipulation Controls
Examining software documentation
System testing
Data Access Controls
Transmittal documents such as batch control tickets
are used to control movement of data from the source to
the processing point or from one processing point to
another. Batch sequence numbers are used to
number batches consecutively to make sure all batches
are accounted for.
A hash total is another type of control total.
For instance, if a batch contains data on receipts from
accounts receivable customers, the sum of all the customers'
account numbers might be computed to create a hash total.
This sum is useful only for control purposes, and it is
compared with the total computed during processing to make
sure nothing was lost or altered during processing.
A record count utilizes the number of transaction items
and counts them twice, once when preparing the
transactions in a batch and again when performing the
processing.
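The batch control totals described above, worked through in Python as an added example that is not part of the original slides: a record count, a financial total and a hash total of customer account numbers are written on the control ticket when the batch is prepared, recomputed at processing, and reconciled. The receipts are constructed data. The last scenario is the caveat a practitioner should know: two errors that offset each other leave every total unchanged, so control totals detect lost and altered records but not every combination of them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Receipt:
    """One cash receipt from an accounts receivable customer (constructed record layout)."""
    customer_account: int
    amount_cents: int


@dataclass(frozen=True)
class BatchTotals:
    record_count: int      # how many transactions are in the batch
    financial_total: int   # sum of the amounts, in cents
    hash_total: int        # sum of the account numbers: meaningless except as a control


def compute_totals(batch: list[Receipt]) -> BatchTotals:
    """Totals written on the batch control ticket (at preparation) or recomputed (at processing)."""
    return BatchTotals(
        record_count=len(batch),
        financial_total=sum(r.amount_cents for r in batch),
        hash_total=sum(r.customer_account for r in batch),
    )


def reconcile(ticket: BatchTotals, processed: BatchTotals) -> list[str]:
    """Compare the control ticket with the totals recomputed during processing."""
    problems = []
    for name in ("record_count", "financial_total", "hash_total"):
        expected, actual = getattr(ticket, name), getattr(processed, name)
        if expected != actual:
            problems.append(f"{name}: ticket {expected}, processed {actual}")
    return problems


# Constructed source batch, as prepared by the user department.
SOURCE_BATCH = [
    Receipt(customer_account=10234, amount_cents=12_500),
    Receipt(customer_account=20871, amount_cents=4_999),
    Receipt(customer_account=30515, amount_cents=78_000),
]
CONTROL_TICKET = compute_totals(SOURCE_BATCH)


def demo() -> dict[str, list[str]]:
    """Four processing outcomes: intact, a lost record, a mis-keyed account number, offsetting errors."""
    lost_record = SOURCE_BATCH[:-1]
    mis_keyed = [SOURCE_BATCH[0], Receipt(28071, 4_999), SOURCE_BATCH[2]]        # 20871 keyed as 28071
    offsetting = [Receipt(10235, 12_500), Receipt(20870, 4_999), SOURCE_BATCH[2]]  # +1 and -1 cancel out
    return {
        "intact": reconcile(CONTROL_TICKET, compute_totals(SOURCE_BATCH)),
        "lost_record": reconcile(CONTROL_TICKET, compute_totals(lost_record)),
        "mis_keyed": reconcile(CONTROL_TICKET, compute_totals(mis_keyed)),
        "offsetting": reconcile(CONTROL_TICKET, compute_totals(offsetting)),
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, problems or "OK")
```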
Data Manipulation Controls
Standard procedures should be developed and used for
all processing.
Examining software documentation, such as system
flowcharts, program flowcharts, data flow diagrams
and decision tables, can also be a control, because it
makes sure that the programs are complete in their data
manipulation.
Computer programs are error tested by using a
compiler, which checks for programming language
errors.
Test data can be used to test a computer program.
System testing can be used to test the interaction of
several different computer programs. Output from one
program is often input to another, and system testing
tests the linkages between the programs.
Other tests of the logic of processing are posting, cross-
footing, and zero-balance checks.
a) Comparing the contents of a record before and after
updating is a posting check.
b) Cross-footing compares an amount to the sum of its
components.
c) A zero-balance check adds the positive and negative
amounts posted. The result should be zero.
Internal header and trailer labels ensure that incorrect
files are not processed.
a) A matching test should make certain an updating
transaction is matched with the appropriate master file.
An audit trail should be created through the use of
input-output control logs, error listings, transaction logs,
and transaction listings.
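The processing-logic tests and the label matching test just listed, as an added Python example that is not part of the original slides: a posting check compares a record before and after updating, a cross-footing check compares row totals with their components and the column of totals with the column of components, a zero-balance check adds the debits and credits posted, and a matching test confirms the header label of the master file being updated. The header label layout, the payroll rows and the journal entries are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HeaderLabel:
    """Internal header label of a file (constructed layout): which file and which generation."""
    file_id: str
    generation: int


def matching_test(label: HeaderLabel, expected_id: str, expected_generation: int) -> list[str]:
    """Make certain the update run is working against the intended master file."""
    problems = []
    if label.file_id != expected_id:
        problems.append(f"wrong file: {label.file_id} (expected {expected_id})")
    if label.generation != expected_generation:
        problems.append(f"wrong generation: {label.generation} (expected {expected_generation})")
    return problems


def posting_check(balance_before: int, posted_amount: int, balance_after: int) -> bool:
    """The record after updating must equal the record before plus what was posted."""
    return balance_before + posted_amount == balance_after


def cross_foot_check(rows: list[dict]) -> list[str]:
    """Each row total must equal the sum of its components, and the column of totals must
    equal the sum of the component columns."""
    problems = []
    for row in rows:
        parts = sum(row["components"])
        if parts != row["total"]:
            problems.append(f"row {row['id']}: components sum to {parts}, total {row['total']}")
    grand_total = sum(row["total"] for row in rows)
    grand_components = sum(sum(row["components"]) for row in rows)
    if grand_total != grand_components:
        problems.append(f"columns do not cross-foot: components {grand_components}, totals {grand_total}")
    return problems


def zero_balance_check(entries: list[int]) -> int:
    """Add the positive (debit) and negative (credit) amounts posted; the result should be zero."""
    return sum(entries)


def demo() -> dict:
    """Constructed data from one payroll update run."""
    label = HeaderLabel(file_id="PAYMASTER", generation=42)
    rows = [
        {"id": "E100", "components": [2000, 150, 75], "total": 2225},
        {"id": "E200", "components": [1800, 120, 60], "total": 1970},  # keyed total is wrong
    ]
    journal = [+2225, +1980, -2225, -1980]  # debits to expense, credits to payable
    return {
        "matching": matching_test(label, "PAYMASTER", 41),
        "posting": posting_check(balance_before=10_000, posted_amount=2225, balance_after=12_225),
        "cross_foot": cross_foot_check(rows),
        "zero_balance": zero_balance_check(journal),
    }


if __name__ == "__main__":
    print(demo())
```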
Output Controls
Validating processing results
Printed Output Controls
Output control also concerns report distribution.
For example, a payroll register with all the employees' Social
Security numbers and pay rates is confidential information and
thus its distribution must be restricted.
There should be an authorized distribution list, and only
enough copies of the report to permit one report to be
distributed to each person on the list should be processed.
For a confidential report, it is preferable to have a
representative pick the report up personally and sign for it. If
this is not possible, a bonded employee can be used to hand
deliver the reports. The employee's supervisor should make
random checks on this distribution.
Confidential reports should be shredded when they are
no longer needed.
Controls Classified as Preventive, Detective and Corrective
Preventive controls prevent errors and fraud before they occur.
Examples of preventive controls are segregation of duties, job
rotation, training and competence of personnel, dual access
controls, authorization, approval, endorsement and cancellation,
and preformatted input.
Detective controls uncover errors and fraud after they have
occurred. Examples of detective controls are transmittal
documents, batch control totals and other batch transmittal
documents, completeness checks, hash totals, batch balancing,
check digits, limit checks, and validity checks.
The use of a turnaround document is also a detective control, because it
checks on completeness of input. Completeness of processing detective
controls includes run-to-run totals, reconciliations, use of suspense
accounts, and error logs. Correctness of processing detective controls are
redundant processing, overflow checks and summary processing.
Corrective controls are used to correct errors. Examples of
corrective controls are discrepancy reports and upstream
resubmissions.
(CMA Adapted, December 1984)
(CMA Adapted, December 1987)
An employee in the receiving department keyed
in a shipment from a remote terminal and
inadvertently omitted the purchase order number.
The best systems control to detect this error
would be:
Completeness test.
Batch total.
Reasonableness test.
Sequence check.
(CMA Adapted, June 1991)
Preventive controls are:
Usually more cost beneficial than detective controls.
Usually more costly to use than detective controls.
Found only in accounting transaction controls.
Found only in general accounting controls.
(CMA Adapted, June 1991)
Edit checks in a computerized accounting
system:
Are preventive controls.
Must be installed for the system to be operational.
Should be performed on transactions prior to
updating a master file.
Should be performed immediately prior to output
distribution.
Auditing
In a computer system there is still a need for auditing, or
checking the data and processing that occurs within the
system. Outlined below are brief explanations of the
different types of audit testing methods used to test the
processing of information and data within the system.
Test Data
Integrated Test Facility (ITF)
Parallel Simulation
Embedded Audit Data Collection
Mapping
Generalized Audit Software Package (GASP)
Test Data
Test data is used to determine
whether control procedures in a particular computer application are working
properly;
whether the computer is processing transactions correctly;
whether all transaction files and master files are fully and correctly being updated;
and
whether program changes have been made correctly.
The auditor prepares input that contains both valid and invalid data for
processing by the computer.
Before it is processed by the computer, the data is manually processed.
After processing, the output of the test is compared with the manually processed
results to determine whether they are the same.
If not, the auditor tries to find out what caused the difference.
Test data must be processed in a special test run, because a
fictitious master file is used to run the test transactions against so
that the actual master files will not be affected. Test data may also
consist of a review of actual data. Real transactions are selected
in advance for processing as test data.
There are several limitations to using test data
Integrated Test Facility (ITF)
An Integrated Test Facility (ITF) involves the use of test data but
also the creation of fictitious entities, such as fictitious employees,
vendors, products, and accounts, within the master files of the
computer system. Or alternatively, a separate, fictitious company
may be used. The major difference between test data and an
ITF is that the test data in an ITF is processed along with real
data.
No one knows that the data being processed includes these fictitious
entries to fictitious records. In this way, the auditor can be sure that the
programs being checked are the same programs as those used to process
the real data.
Advantages
Enables testing of the system as it routinely operates
Low processing costs
No special processing
Disadvantages
Effects of transactions on operations (books) must be nullified.
Quantity of live data inputs may be limited when submitted with regular runs.
Integrated Test Facility (ITF) (contd)
The difficulty with using the ITF approach is that the fictitious
transactions have to be excluded from the normal outputs of the
system in some way. This may be done manually, or it may be
done by designing or modifying the application programs.
Either way, the fictitious transactions must be identified by means of
special codes so they can be segregated from the real data. Careful
planning is required to make sure that the ITF data does not become mixed
in with the real data, corrupting the real data.
If this careful planning is done, the costs of using ITF are minimal,
because there is no special processing required and thus no
interruption of normal computer activity. There are costs involved
in developing an ITF, either while the application is being
developed or as a later modification to it. However, once the initial
costs are past, the ongoing operating costs are low.
ITF is normally used to audit large computer systems that use
real-time processing.
Parallel Simulation
In a parallel simulation the auditor will run a set of actual data through some
type of generalized audit program that processes data and produces output in
the same manner as the program being audited. Then the results as processed
by both programs are compared.
Parallel simulation is expensive and time-consuming and is usually limited to
sections of an audit that are of major concern and are important enough that
they require an audit of 100% of the transactions. Parallel simulation uses
actual data rather than test data. Furthermore, it can be performed off-site
because it does not use the client's computer system.
Advantages
Testing can be done on a surprise basis.
Cost of preparing test data is eliminated.
Can process many of the auditee's transactions, eliminating the need for small samples
More thorough than sampling
Disadvantages
Cost of developing program may be prohibitive.
Auditor may need special skills.
Does not have broad application
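A parallel simulation in Python, added here as an example that is not part of the original slides: the auditor writes an independent implementation of the client's stated finance-charge policy, runs it over the actual account data, and lists every account where the client's own output differs. The same comparison step is what the Test Data slide describes; the difference is only whose data goes in (auditor-prepared transactions against a fictitious master there, the client's real records here). The policy (1.5% per month on balances more than 30 days overdue, rounded half up to the cent), the account balances and the client output are all constructed for the demonstration. A tolerance parameter separates rounding-method differences from real exceptions; the strict run shows what the tolerance was hiding.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed policy, as the auditor understands it from the client's documentation.
MONTHLY_RATE = Decimal("0.015")   # 1.5% per month on past-due balances
PAST_DUE_DAYS = 30
CENT = Decimal("0.01")

# Constructed actual data: month-end accounts receivable balances.
ACCOUNTS = [
    {"account": "A-100", "balance": Decimal("1000.00"), "days_overdue": 45},
    {"account": "A-200", "balance": Decimal("250.00"), "days_overdue": 10},
    {"account": "A-300", "balance": Decimal("3333.33"), "days_overdue": 60},
    {"account": "A-400", "balance": Decimal("99.99"), "days_overdue": 31},
]

# Constructed output of the client's own program for the same accounts.
CLIENT_OUTPUT = {
    "A-100": Decimal("14.00"),   # wrong: should be 15.00
    "A-200": Decimal("0.00"),
    "A-300": Decimal("50.00"),
    "A-400": Decimal("1.49"),    # truncated instead of rounded: 1.49985 -> 1.50
}


def auditor_finance_charge(balance: Decimal, days_overdue: int) -> Decimal:
    """The auditor's independent implementation of the stated policy."""
    if days_overdue <= PAST_DUE_DAYS:
        return Decimal("0.00")
    return (balance * MONTHLY_RATE).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(accounts: list[dict], client_output: dict,
                        tolerance: Decimal = Decimal("0.01")) -> list[dict]:
    """Recompute every account and list those where the client's figure differs beyond tolerance."""
    exceptions = []
    for acct in accounts:
        expected = auditor_finance_charge(acct["balance"], acct["days_overdue"])
        actual = client_output.get(acct["account"])
        if actual is None or abs(actual - expected) > tolerance:
            exceptions.append({"account": acct["account"], "expected": expected, "client": actual})
    return exceptions


def demo() -> dict[str, list[dict]]:
    """Exceptions under a one-cent tolerance, and under an exact comparison."""
    return {
        "exceptions": parallel_simulation(ACCOUNTS, CLIENT_OUTPUT),
        "strict": parallel_simulation(ACCOUNTS, CLIENT_OUTPUT, tolerance=Decimal("0")),
    }


if __name__ == "__main__":
    for mode, rows in demo().items():
        print(mode)
        for row in rows:
            print(" ", row)
```

Decimal arithmetic is used deliberately: a float reimplementation would itself introduce cent-level differences and the auditor would be unable to tell a client rounding error from an artifact of the simulation.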
Embedded Audit Data Collection
Use of embedded audit routines involves modifying
computer programs by building special auditing routines
into them so that transaction data can be analyzed for
audit purposes.
Embedded audit data collection is one such
technique. It uses one or more specially programmed
modules within the regular program code to select data
for subsequent analysis by the auditor. To do this, the
programmed modules are embedded as in-line code in
the regular program code. When in-line code is used,
the application program will perform the audit data
collection function while it is processing the normal data.
Embedded Audit Data Collection (contd)
Advantages
All system activity is subject to review.
Can be used with online systems
Not limited to input transactions
Disadvantages
Additional processing cost of extra audit module
program steps that must be executed
Difficult to implement unless it can be developed
along with the system
Generalized Audit Software Package (GASP)
Mapping
Involves monitoring the execution of an application
program to determine certain statistical information
about the run, e.g., program lines not executed, CPU
time for certain program lines, and the number of times
certain lines were executed.
Advantages
Can aid in evaluating how well test data tested a run
Can indicate lines of code which are extraneous or not often
used
Disadvantages
High cost
(CMA Adapted, June 1995)
Source: CMA 1284 5-28
Answer (A) is incorrect because the auditor must still use audit
judgment.
Answer (B) is correct. The primary use of generalized
computer programs is to select and summarize a client's
records for additional testing. Generalized audit software
packages permit the auditor to audit through the computer,
to extract, compare, analyze, and summarize data and
generate output as part of the audit program. They allow the
auditor to exploit the computer to examine many more
records than otherwise possible with far greater speed and
accuracy.
Answer (C) is incorrect because an auditor must have a
knowledge of computer auditing to use a generalized software
package.
Answer (D) is incorrect because using a generalized software
package is a means of auditing through the computer.
C. Network controls
Internet Security
Once a company is connected to an outside network
(usually the World Wide Web) there are a number of
additional security issues that must be properly
addressed.
The policies that are put in place need to ensure that the
intended and authorized users of the network have access to it
as needed.
However, accessibility also creates vulnerability.
So organizations must be certain that information sent over
the network is properly protected to maintain the confidentiality
of company information and ensure that the files within the
company cannot be accessed or changed without
authorization.
Internet Security
At a minimum, the system should include user
account management, a firewall, antivirus
protection and encryption.
User account management is the simple
process of giving people accounts and
passwords.
For this to be as effective as possible, it must be kept
up to date: inactive accounts need to be eliminated,
and active passwords need to be changed frequently.
Trojan Horse
A Trojan horse is different from a virus. A very
important distinction between Trojan horses and viruses
is that Trojan horses do not replicate themselves,
whereas viruses do. Trojan horses appear to be
something desirable but in fact they contain malicious
code that, when triggered, can cause loss or even theft
of data. You can get a Trojan horse only by inviting it
into your computer.
Two examples of ways to get a Trojan horse include
(1) opening an email attachment, or
(2) downloading and running a file from the Internet.
Worm
A worm is a program that replicates itself from system
to system without the use of any host file. The difference
between a worm and a virus is that the worm does not
require the use of an infected host file, while the virus
does require the spreading of an infected host file.
Worms generally exist inside of other files, often Word
or Excel documents. However, worms use the host file
differently from viruses. Usually the worm releases a
document that has the worm macro inside the
document. This entire document spreads from computer
to computer, so the entire document is considered to be
the worm.
Virus Hoax
A virus hoax is an e-mail that tells you a file on
your computer is a virus when it isn't. These often
tell you to look on your system for a file by a
specific name and, if you see it, delete it because
it is a virus that your anti-virus program can't
recognize. Everyone will find that file on their
system, because it is a system file that is needed
for the computer to operate correctly. If you
believe this e-mail and delete the file, your
computer may malfunction.
Firewall
A firewall is a barrier between the internal and
the external networks. This firewall prevents
unauthorized access to the internal network. A
firewall will usually also prepare a report of
Internet usage and then report any abnormal or
excessive usage, as well as attempts to gain
unauthorized entry to the network. A firewall can
be in the form of software directly installed on a
computer; or it can be in the form of a piece of
hardware that is installed between the computer
and its connection to the Internet. A firewall is a
good Internet security control, but it is not
foolproof.
Proxy Server
An organization may also use a proxy server. A proxy server is a
computer and software that creates a gateway to and from the
Internet.
The proxy server contains an access control list of approved
websites and handles all web access requests, limiting access to
only those IP addresses contained in the access control list. This
enables an employer to deny its employees access to websites
that are unlikely to have any productive benefits.
The proxy server also examines all incoming requests for
information and tests them for authenticity. In this way, a proxy
server functions as a firewall. The proxy server can also limit the
information that is stored on it to information that the company
can afford to lose.
Thus, if this server is broken into, the organization's main servers
remain functional.
Encryption
Encryption is the technology that converts data
into a code and then requires a key to convert the
code back to data. Unauthorized people may
receive the coded information, but without the
proper key they will be unable to read the
information. The encryption process may be
either in the hardware or the software. There are
two methods of software encryption.
E. Backup and Contingency Planning
Grandparent-parent-child processing is used
because of the risk of losing data before, during or
after processing work. Files from previous periods are
retained, and if a file is damaged during updating, the
previous files can be used to reconstruct a new
current file. These files should be stored off-premises.
Computers should be on an Uninterruptible Power
Supply (UPS) to provide some protection in the event
of a power failure. While these do not always work,
they may save data by providing a short period of
power.
Fault-Tolerant Systems are systems designed to
tolerate faults or errors. They often utilize
redundancy in hardware design, so that if one
system fails, another one will take over.
F. Disaster Recovery
Not many firms could survive for long without
computing facilities. Therefore, an organization
should have a formal disaster recovery plan to
fall back on in the event of a hurricane, fire,
earthquake, flood, or criminal or terrorist act. A
disaster recovery plan specifies:
Which employees will participate in disaster recovery
and what their responsibilities will be. One person
should be designated in charge of disaster recovery,
and another should be second in command.
What hardware, software, and facilities will be used.
The priority of applications that should be processed.
Disaster Recovery
Arrangements for alternative facilities as a
disaster recovery site and offsite storage of the
company's databases are also part of the
disaster recovery plan. An alternative facility
might be a different facility owned by the
company; or it might be a facility contracted from a
different company.
The different locations should be a good distance
away from the original processing site.
Disaster Recovery Sites
Disaster recovery sites may be either hot sites or cold
sites.
A hot site is a backup facility that has a computer
system similar to the one used regularly. The hot site
must be fully operational and immediately available.
A hot site is a service bureau. It is a fully operational
processing facility that is immediately available.
A cold site is a facility where power and space are
available to install processing equipment, but it is not
immediately available. If an organization uses a cold
site, its disaster recovery plan must include
arrangements to get computer equipment installed there
quickly.
Mobile Recovery
There are also several companies that operate mobile
recovery centers.
On a contracted basis, in the event of a disaster that destroys
operations facilities, they arrive within hours in a tractor-trailer
or van that is fully equipped with their client's platform
requirements and 50 to 100 workstations, and staffed with
technical personnel to assist in recovery.
Personnel should be trained in emergency procedures,
and re-training should be done regularly to keep their
knowledge fresh.
The disaster recovery plan should be tested periodically by
simulating a disaster, in order to reveal any weaknesses in the
plan.
The disaster recovery plan should be reviewed regularly and
revised when necessary; and the members of the disaster
recovery team should each keep a current copy of the plan at
home.
(CMA Adapted, June 1996)
What are the Goals of Internal Control in an Information System?
What Documents Provide Information System Internal Control Guidelines?
How does the Internal Control Integrated Framework define Internal Control and What are its Components?
In Internal Control Integrated Framework,
internal control is defined as:
a process, effected by an entity's board of
directors, management, and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives in the
following categories: effectiveness and efficiency
of operations, reliability of financial reporting, and
compliance with applicable laws and regulations.
According to that document, the internal control
system should consist of five interrelated
components:
(1) the control environment, (2) risk assessment, (3)
control activities, (4) information and communication,
and (5) monitoring.
What are the General Controls?
What are Systems and Program Development Controls?
What are System, Program and Operating Documentation?
What are Access Controls?
What are the Organizational and Operating Controls?
What are the Hardware Controls?
What are the Application Controls?
What are Input Controls?
What are Data Observation and Recording Controls?
What are Data Transcription Controls?
What are Processing Controls and Data Access Controls?
What are Data Manipulation Controls?
What are Other Processing Controls?
What is Internet Security and How is it Maintained?
In a computer system there is still a need for auditing.
Test data is the use of a prepared set of input data that
are then run through the system being audited. The
results from this system are compared to the
predetermined results.
An integrated test facility is the process of setting up
artificial transactions that are then run through the
computer system as it is normally operating. This may
be done without the knowledge of the computer
operator.
In a parallel simulation the auditor will run a set of actual data
through another computer system that is known to be working.
The results from the test computer and the actual computer are
then compared.
Embedded data collection is a process whereby a
program within the system identifies specific types of
transactions for further testing.
What is Backup and Contingency Planning?
In any computer system, it is essential that the company
has plans for the backup and recovery of data
(especially disaster recovery).
Programs, as well as data files, should be backed up regularly.
Copies of all transaction data are stored as a transaction log
as they are entered into the system. Should the master file be
destroyed, computer operations will roll back to the most
recent backup; recovery takes place by reprocessing the data
transaction log against the backup copy.
Backups should be stored at a secure remote location,
so that in the event data is destroyed due to a physical
disaster, it can be reconstructed. Backup data can be
transmitted electronically to the backup site, through a
process called electronic vaulting.
Computers should be on an Uninterruptible Power
Supply (UPS) to provide some protection in the event of
a power failure.
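An added Python illustration (not the course's own code) of the grandparent-parent-child retention covered under Backup and Contingency Planning together with the roll-back-and-reprocess recovery described just above; the master-file layout, the log format and the sample figures are constructed.

```python
"""Grandparent-parent-child retention with transaction-log recovery
(added illustration, not the course's own code). Master-file layout,
log format and sample data are constructed."""
import copy

def _post(master, txn):
    """Apply one (account, amount) transaction to a master-file dict."""
    account, amount = txn
    master[account] = master.get(account, 0.0) + amount

class MasterFileStore:
    """Keeps the three newest generations of the master file, newest last:
    grandparent, parent, child (the working copy); older ones go off-premises."""
    GENERATIONS = 3

    def __init__(self, initial_master):
        self.generations = [copy.deepcopy(initial_master),   # backup at setup
                            copy.deepcopy(initial_master)]   # working copy
        self.transaction_log = []      # transactions since the last rollover

    def apply(self, txn):
        """Normal processing: log the transaction, then update the child."""
        self.transaction_log.append(txn)
        _post(self.generations[-1], txn)

    def end_of_period(self):
        """Roll generations: child becomes parent, parent becomes
        grandparent, the oldest copy is released, a new child starts."""
        self.generations.append(copy.deepcopy(self.generations[-1]))
        del self.generations[:-self.GENERATIONS]
        self.transaction_log = []

    def recover(self):
        """Child damaged during updating: fall back to the parent and
        reprocess the transaction log against it to rebuild the child."""
        if len(self.generations) < 2:
            raise RuntimeError("no retained generation to recover from")
        rebuilt = copy.deepcopy(self.generations[-2])
        for txn in self.transaction_log:
            _post(rebuilt, txn)
        self.generations[-1] = rebuilt
        return rebuilt

def run_demo():
    store = MasterFileStore({"1010-CASH": 5000.0, "2000-AP": -1200.0})
    store.apply(("1010-CASH", -300.0))
    store.end_of_period()                       # period 1 closed
    store.apply(("2000-AP", 800.0))
    store.apply(("1010-CASH", 150.0))
    store.generations[-1].clear()               # simulate a damaged update
    return store.recover(), len(store.generations)
```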
What are Grandparent-parent-child Systems, Fault-tolerant Systems and Disk Mirroring?
In grandparent-parent-child processing, files from
previous periods are retained, and if a file is damaged
during updating, the previous files can be used to
reconstruct the current file.
These files should be stored off-premise.
Fault-tolerant systems are designed to tolerate faults
or errors.
They often utilize redundancy, so that if one system fails,
another one will take over. With multiple processors,
consensus-based protocols specify that if one processor
disagrees with the others, it is to be ignored; with two
processors, the second processor can serve as a watchdog
processor. If something happens to the primary processor, the
watchdog processor takes over.
A CPU could have two disks, and all data on the first
disk is mirrored on the second disk.
This is called disk mirroring or disk shadowing.
Rollback processing may be used to prevent any
transactions from being written to disk until they are
complete.
What is Disaster Recovery?