
Chapter 15

Auditing IT Controls Part II: Security and Access

James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Learning Objectives
• Be able to identify the principal threats to the operating system
and the control techniques used to minimize the possibility of
actual exposures.
• Be familiar with the principal risks associated with electronic
commerce conducted over intranets and the Internet and
understand the control techniques used to reduce these risks.
• Be familiar with the risks to database integrity and the controls
used to mitigate them.
• Recognize the unique exposures that arise in connection with
electronic data interchange and understand how these
exposures can be reduced.

Controlling the Operating System
• The operating system is the computer’s control program.
• It allows users and their applications to share and access
common computer resources, such as processors, main
memory, databases, and printers.
• If operating system integrity is compromised, controls
within individual accounting applications may also be
circumvented or neutralized.
• It performs three main tasks:
1. Translates high-level languages into the machine-level language.
2. Allocates computer resources to user applications.
3. Manages the tasks of job scheduling and multiprogramming.

OPERATING SYSTEM OBJECTIVES
Language Translator Modules of OS
• Compilers are language translation modules of the
operating system that translate a whole program before it runs.
• Interpreters are language translation modules of the
operating system that convert one line of logic at a time.

OPERATING SYSTEM OBJECTIVES
Fundamental control objectives – operating system must:
1. Protect itself from users.
2. Protect users from each other.
3. Protect users from themselves.
4. Be protected from itself.
5. Be protected from its environment.

OPERATING SYSTEM SECURITY
• Operating system security controls the system in an
ever-expanding user community sharing more and more
computer resources.
• Log-On Procedure
• A log-on procedure is the operating system’s first line of
defense against unauthorized access.
• Access Token
• An access token contains key information about the user,
including user ID, password, user group, and privileges granted
to the user.

OPERATING SYSTEM SECURITY (continued)
• Access Control List
• An access control list (ACL) is a list containing information that
defines the access privileges for all valid users of a resource.
An access control list assigned to each resource controls
access to system resources such as directories, files,
programs, and printers.
• Discretionary Access Privileges
• Discretionary access privileges grant access privileges to
other users. For example, the controller, who is the owner of
the general ledger, may grant read-only privileges to a
manager in the budgeting department.

THREATS TO OPERATING SYSTEM INTEGRITY
• Accidental Threats – hardware failures that cause the system
to crash.
• Errors in User Applications – errors the OS cannot interpret,
which can result in OS failures.
• Accidental System Failures – may cause memory to be dumped
to disks or printers, unintentionally disclosing confidential
information.
• Intentional Threats – privileged personnel who abuse their authority
(e.g. systems administrators and programmers) and individuals
who browse the OS and exploit security flaws.
• Destructive Programs – individuals who insert (intentionally or
accidentally) computer viruses and other destructive programs
into the system.

OPERATING SYSTEM CONTROLS AND TESTS OF CONTROLS
• Controlling Access Privileges
• AUDIT OBJECTIVES RELATING TO ACCESS PRIVILEGES
Verify that access privileges are granted consistent with the
separation of incompatible functions and organization policies.
• AUDIT PROCEDURES RELATING TO ACCESS PRIVILEGES
This is accomplished by reviewing:
1. Policies for separating incompatible functions.
2. Privileges of a sample of user groups and individuals.
3. Personnel records to determine if security clearance checks of
privileged employees are adequate.
4. Formal acknowledgements of responsibility to maintain
confidentiality of data.
5. Users’ permitted log-on times.*

OPERATING SYSTEM CONTROLS AND TESTS OF CONTROLS
• Password Control
• A password is a code, usually kept secret, entered by the user
to gain access to data files.
• A reusable password is a network password that can be used
more than one time.
• The one-time password is a network password that
constantly changes.
AUDIT OBJECTIVES RELATING TO PASSWORDS
Ensure an adequate password policy. This is accomplished by the
procedures below.
AUDIT PROCEDURES RELATING TO PASSWORDS – review:
1. that all users are required to have passwords.
2. that new users are instructed in the use of passwords and
password control.
3. the password control procedures.
4. the password file to identify weak passwords and ensure
encryption.
5. the adequacy of password standards.
OPERATING SYSTEM CONTROLS AND TESTS OF CONTROLS (continued)
• Controlling Malware
• Audit Objective Relating to Malware
Verify effectiveness of procedures that guard against viruses
and other destructive programs
• AUDIT PROCEDURES RELATING TO MALWARE
1. Determining that personnel are educated and aware of
practices that can spread viruses and other malicious
programs.
2. Verifying new software is tested prior to implementation.
3. Verifying up-to-date antiviral software.

OPERATING SYSTEM CONTROLS AND TESTS OF CONTROLS (continued)
• System Audit Trail Controls
• System audit trails are logs that record activity at the
system, application, and user levels.
• Keystroke monitoring involves recording both the user’s
keystrokes and the system’s responses.
• Event monitoring summarizes key activities related to
system resources.*

OPERATING SYSTEM CONTROLS AND TESTS OF CONTROLS (continued)
• Setting Audit Trail Objectives (to support security objectives)
• DETECTING UNAUTHORIZED ACCESS – real-time or after the
fact detection*
• RECONSTRUCTING EVENTS – reconstruct the steps that led to
events such as system failures or security violations
• PERSONAL ACCOUNTABILITY – preventive or detective
control**
• Implementing a System Audit Trail
• AUDIT OBJECTIVES RELATING TO SYSTEM AUDIT TRAILS
Ensure established system audit trail is adequate to prevent and
detect abuse, reconstruct key events, and plan resource allocation

OPERATING SYSTEM CONTROLS AND TESTS OF CONTROLS (continued)
AUDIT PROCEDURES RELATING TO SYSTEM AUDIT TRAILS
1. Most operating systems provide some audit manager function to
specify events to be audited.
• Auditor should verify audit trail has been activated according to
organization policy.
2. Many operating systems provide an audit log viewer that auditor
can scan for unusual activity.
• Auditor can search for conditions such as: unauthorized or
terminated users, periods of inactivity, activity by user, group or
department, log-on and log-off times, failed log-on attempts
and access to specific files.
3. Security group has responsibility for monitoring and reporting
security violations.
• Sample of violations should be evaluated by the auditor.
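The audit log review described above, written out as a scan over a constructed system audit trail. This is an added example, not code from Hall's text; the log format, user names, file names, the permitted log-on window and the failure threshold are all assumptions made up for illustration.

```python
"""Scan a constructed system audit trail for the conditions an auditor
searches for: repeated failed log-ons, log-ons outside permitted hours,
activity by terminated users, and access to specific sensitive files.

Added example, not from Hall's text. Log format, users, files, the permitted
log-on window and the failure threshold are assumptions for illustration.
"""
from collections import Counter
from datetime import datetime, time

# Constructed sample log: timestamp | user | event | resource
SAMPLE_LOG = """\
2019-03-04 08:55:12|jdoe|LOGON_OK|-
2019-03-04 09:01:40|jdoe|FILE_ACCESS|/gl/ledger.dat
2019-03-04 12:10:03|msmith|LOGON_FAIL|-
2019-03-04 12:10:21|msmith|LOGON_FAIL|-
2019-03-04 12:10:44|msmith|LOGON_FAIL|-
2019-03-04 12:11:02|msmith|LOGON_OK|-
2019-03-04 17:45:00|jdoe|LOGOFF|-
2019-03-04 23:17:09|rlee|LOGON_OK|-
2019-03-04 23:18:30|rlee|FILE_ACCESS|/payroll/master.dat
2019-03-05 03:02:11|tgone|LOGON_OK|-
"""

TERMINATED_USERS = {"tgone"}                    # assumed: from the HR termination list
SENSITIVE_FILES = {"/payroll/master.dat", "/gl/ledger.dat"}
WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed permitted log-on window
FAIL_THRESHOLD = 3


def parse_log(text):
    """Split the pipe-delimited log into records with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, resource = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "event": event, "resource": resource})
    return records


def repeated_logon_failures(records, threshold=FAIL_THRESHOLD):
    """Users whose count of failed log-on attempts reaches the threshold."""
    fails = Counter(r["user"] for r in records if r["event"] == "LOGON_FAIL")
    return {u: n for u, n in fails.items() if n >= threshold}


def logons_outside_window(records, start=WORK_START, end=WORK_END):
    """Successful log-ons whose time of day falls outside the permitted window."""
    return [r for r in records
            if r["event"] == "LOGON_OK" and not (start <= r["ts"].time() <= end)]


def terminated_user_activity(records, terminated=TERMINATED_USERS):
    """Any event at all recorded for an account that should have been removed."""
    return [r for r in records if r["user"] in terminated]


def sensitive_file_access(records, files=SENSITIVE_FILES):
    """Accesses to the specific files the auditor has chosen to watch."""
    return [r for r in records
            if r["event"] == "FILE_ACCESS" and r["resource"] in files]


def audit_findings(text):
    """Run every check and return a summary the auditor can sample from."""
    records = parse_log(text)
    return {
        "repeated_failures": repeated_logon_failures(records),
        "off_hours_logons": [(r["user"], r["ts"].isoformat())
                             for r in logons_outside_window(records)],
        "terminated_activity": [(r["user"], r["event"])
                                for r in terminated_user_activity(records)],
        "sensitive_access": [(r["user"], r["resource"])
                             for r in sensitive_file_access(records)],
    }
```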

Controlling Database Management Systems
• Access controls are controls that ensure that only
authorized personnel have access to the firm’s assets;
these are designed to prevent unauthorized individuals
from viewing, retrieving, corrupting or destroying data.
• Backup controls ensure that in the event of data loss
due to unauthorized access, equipment failure, or physical
disaster, the organization can recover its files and
databases.

ACCESS CONTROLS
• User Views
• The user view is the set of data that a particular user needs to achieve
his or her assigned tasks. It is a subset of the total database that defines
and restricts access to the database accordingly.
• Database Authorization Table
• The database authorization table is a table that contains rules that
limit the actions a user can take.
• User-Defined Procedures
• A user-defined procedure allows the user to create a personal
security program or routine to provide more positive user identification
than a password.
• Data Encryption
• Data encryption is the use of an algorithm to scramble selected data,
making it unreadable to an intruder browsing the database.
• Biometric Devices
• Biometric devices are devices that measure various personal
characteristics, such as finger, voice, or retina prints, or other signature
characteristics to allow access
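The user view and database authorization table described above, together with the discretionary grant from the earlier operating-system slide (the controller granting read-only access to a budgeting manager) and an auditor's test for incompatible privileges. This is an added example, not code from Hall's text; the table layout, user names, table and column names, and the incompatible-function rule are assumptions constructed for illustration.

```python
"""Database authorization table, user views (subschemas), a discretionary
grant, and an auditor's check of the table against separation-of-duties policy.

Added example, not code from Hall's text. Users, tables, columns and the
incompatible-function rule are assumptions constructed for illustration.
"""
import copy

# Authorization table: (user, table) -> actions the user may take on it.
# Anything not listed is denied (default deny).
AUTH_TABLE = {
    ("controller", "general_ledger"): {"read", "insert", "modify", "delete"},
    ("ap_clerk", "vendors"): {"read", "insert"},
    ("ap_clerk", "invoices"): {"read", "insert", "modify"},
}

# User views: the columns of each table a user is allowed to see.
USER_VIEWS = {
    "controller": {"general_ledger": {"account", "period", "balance", "posted_by"}},
    "ap_clerk": {"vendors": {"vendor_id", "name", "address"},
                 "invoices": {"invoice_id", "vendor_id", "amount", "status"}},
}


class AccessDenied(Exception):
    pass


def authorize(user, table, action, columns=(), auth=AUTH_TABLE, views=USER_VIEWS):
    """Raise AccessDenied unless the authorization table permits the action
    and every requested column lies inside the user's view of the table."""
    if action not in auth.get((user, table), set()):
        raise AccessDenied(f"{user} may not {action} {table}")
    hidden = set(columns) - views.get(user, {}).get(table, set())
    if hidden:
        raise AccessDenied(f"{user} has no view of {table} columns {sorted(hidden)}")
    return True


def check_access(user, table, action, columns=(), auth=AUTH_TABLE, views=USER_VIEWS):
    """Boolean form of authorize() for callers that prefer not to catch exceptions."""
    try:
        return authorize(user, table, action, columns, auth, views)
    except AccessDenied:
        return False


def discretionary_grant(owner, grantee, table, actions, auth, views):
    """Discretionary access privilege: the resource owner passes on a subset of
    its own privileges. Returns new copies of both tables; the originals are
    left unchanged so a grant can be reviewed before it takes effect."""
    owner_actions = auth.get((owner, table), set())
    if not set(actions) <= owner_actions:
        raise AccessDenied(f"{owner} cannot grant {sorted(set(actions) - owner_actions)} on {table}")
    new_auth, new_views = copy.deepcopy(auth), copy.deepcopy(views)
    new_auth.setdefault((grantee, table), set()).update(actions)
    # Assumption for this example: the grantee sees the same columns the owner sees.
    new_views.setdefault(grantee, {}).setdefault(table, set()).update(
        views.get(owner, {}).get(table, set()))
    return new_auth, new_views


def audit_incompatible_privileges(auth, incompatible):
    """Auditor's test of the authorization table: list users who hold both
    halves of a privilege pair that policy says must be separated."""
    findings = []
    for user in sorted({u for (u, _) in auth}):
        for (t1, a1), (t2, a2) in incompatible:
            if a1 in auth.get((user, t1), set()) and a2 in auth.get((user, t2), set()):
                findings.append((user, f"{a1} {t1}", f"{a2} {t2}"))
    return findings
```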
Subschema Restricting Access to Database

Database Authorization Table

ACCESS CONTROLS (continued)
• Audit Objectives Relating to Database Access
1. Authorized users are limited to accessing data needed to
perform their duties, and
2. Unauthorized users are denied access.
• Audit Procedures for Testing Access Controls
• RESPONSIBILITY FOR AUTHORITY TABLES AND SUBSCHEMAS
• Verify database administration personnel retain sole responsibility for
creating authority tables and designing user views.
• Review company policy, examine programmer authority tables, and
interview programmers and database administrative personnel.

ACCESS CONTROLS (continued)
• Audit Procedures for Testing Access Controls
• APPROPRIATE ACCESS AUTHORITY
• Select a sample of users and verify appropriateness of access
privileges.
• BIOMETRIC CONTROLS
• Evaluate costs and benefits of biometric controls.
• ENCRYPTION CONTROLS
• Verify that sensitive data are properly encrypted

BACKUP CONTROLS
• Database Backup
• It is automatic and should be done at least daily.
• Transaction Log (Journal)
• The transaction log is a listing of transactions that provides an
audit trail of all processed events.
• Checkpoint Feature
• The checkpoint feature is a feature that suspends all data
processing while the system reconciles the transaction log and the
database change log against the database.
• Recovery Module
• The recovery module uses the logs and backup files to restart
the system after a failure.

BACKUP CONTROLS
• Audit Objectives Relating to Database Backup
• Ensure that controls are adequate in the event of a loss.
• Audit Procedures for Testing Backup Controls
• Verify that databases are copied at regular intervals and that the
backup copies are stored off-site to support disaster recovery
procedures.

Database Backup and Recovery

Controlling Networks
• Network topologies consist of various configurations of (1)
communications lines, (2) hardware components, and (3)
software.
• The technology of network communications is subject to
two general forms of risk:
1. Risks from subversive* threats
2. Risks from equipment failure

CONTROLLING RISKS FROM SUBVERSIVE THREATS
• Firewalls
• A firewall is software and hardware that provide a focal point for
security by channeling all network connections through a control
gateway.
• Network-level firewalls are systems that provide basic screening
of low-security messages (for example, e-mail) and route them to
their destinations based on the source and destination addresses
attached.
• A screening router, part of the network-level firewall,
examines the source and destination addresses attached to
incoming message packets.
• Network-level firewalls are insecure because they are designed to
facilitate, not restrict, the free flow of information; outside users are
not explicitly authenticated.
• Application-level firewalls provide higher level customizable
network security but add overhead to connectivity.
• Trade-off between convenience and security. The more
security the firewall provides, the less convenient it is for
authorized users to pass through it and conduct business.
Dual-Homed Firewall

SYN Flood DOS Attack

Sender / Receiver

Step 1: SYN messages (sender to receiver)
Step 2: SYN/ACK (receiver to sender)
Step 3: ACK packet code (sender to receiver)

In a DOS attack, the sender sends hundreds of messages, receives the
SYN/ACK packet, but does not respond with an ACK packet. This leaves
the receiver with clogged transmission ports, and legitimate messages
cannot be received.

CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Controlling Denial of Service Attacks
• An Intrusion Prevention System (IPS) uses deep packet
inspection (DPI) to determine when an attack is in progress.
• Deep packet inspection (DPI) is a program used to determine
when a DOS attack is in progress through a variety of
analytical and statistical techniques that evaluate the contents
of message packets.
• Encryption
• Encryption is the use of a computer program to transform a
standard message being transmitted into a coded (cipher text)
form.
• Private key is one method of encryption.
• Public key encryption is a technique that uses two encryption
keys: one for encoding the message, the other for decoding it.

CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Encryption (continued)
• PRIVATE KEY ENCRYPTION: Advanced encryption
standard (AES) is a 128-bit encryption technique, also known
as Rijndael, a private key (or symmetric key) encryption
technique. Triple-Data Encryption Standard (DES)
encryption is an enhancement to an older encryption
technique for transmitting transactions. EEE3 is encryption that
uses three different keys to encrypt the message three times.
EDE3 is encryption that uses one key to encrypt the message.
• PUBLIC KEY ENCRYPTION: RSA (Rivest-Shamir-Adleman)
is one of the most trusted public key encryption methods. This
method, however, is computationally intensive and much
slower than private key encryption. A digital envelope is an
encryption method in which both DES and RSA are used
together.

The Advanced Encryption Standard Technique

EEE3 and EDE3 Encryption

CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Digital Signatures
• A digital signature is an electronic authentication technique
that ensures the transmitted message originated with the
authorized sender and that it was not tampered with after the
signature was applied.
• A digest is a mathematical value calculated from the text
content of the message.
• Digital Certificate
• A digital certificate is used in conjunction with a public key
encryption to authenticate the sender of a message
• A certification authority (CA) is a trusted third party that
issues digital certificates.
• A digital certificate is a sender’s public key* that has been
digitally signed by trusted third parties or CAs.

Digital Signature

CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Message Sequence Numbering
• Message sequence numbering is a sequence number
inserted in each message to foil any attempt by an intruder in
the communications channel to delete a message from a
stream of messages, change the order of messages received,
or duplicate a message.
• Message Transaction Log
• A message transaction log is a log in which all incoming and
outgoing messages, as well as attempted (failed) access,
should be recorded.
• Request-Response Technique
• The request-response technique is a technique in which a
control message from the sender and a response from the
receiver are sent at periodic synchronized intervals.
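The receiver-side checks for message sequence numbering and the request-response technique described above, written as an added example (not code from Hall's text). The message layout, the sequence numbers in the sample stream, the control-message interval and the response tolerance are assumptions constructed for illustration.

```python
"""Receiver-side checks for message sequence numbering and the
request-response technique.

Added example, not code from Hall's text. The Message layout, the sample
stream, the control-message interval and the tolerance are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Message:
    seq: int    # sequence number inserted by the sender
    body: str


@dataclass
class SequenceMonitor:
    """Checks every arriving message against the next expected sequence
    number and records what an intruder in the channel could have done:
    deleted a message (gap), duplicated one, or changed the order."""
    expected: int = 1
    seen: set = field(default_factory=set)
    anomalies: list = field(default_factory=list)

    def receive(self, msg):
        """Return True if the message is accepted, False if it is a duplicate."""
        if msg.seq in self.seen:
            self.anomalies.append(("duplicate", msg.seq))
            return False
        if msg.seq > self.expected:
            # Numbers between expected and seq have not arrived (yet).
            self.anomalies.append(("missing", list(range(self.expected, msg.seq))))
        elif msg.seq < self.expected:
            # A lower number after a higher one: the stream order was changed.
            self.anomalies.append(("out_of_order", msg.seq))
        self.seen.add(msg.seq)
        self.expected = max(self.expected, msg.seq + 1)
        return True


def check_stream(messages):
    """Run a stream through the monitor; return (accepted seqs, anomalies)."""
    mon = SequenceMonitor()
    accepted = [m.seq for m in messages if mon.receive(m)]
    return accepted, mon.anomalies


def request_response_check(control_times, response_times, interval, tolerance):
    """Request-response technique: the sender emits a control message every
    `interval` seconds and the receiver must answer within `tolerance`
    seconds. Returns the control messages that got no timely response and
    the gaps where a control message itself is missing from the schedule
    (more than 1.5 intervals between consecutive control messages)."""
    missed_responses = [t for t in control_times
                        if not any(t <= r <= t + tolerance for r in response_times)]
    missing_controls = [(a, b) for a, b in zip(control_times, control_times[1:])
                        if b - a > 1.5 * interval]
    return {"missed_responses": missed_responses,
            "missing_controls": missing_controls}
```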
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Call-Back Devices
• A call-back device is a hardware component that asks the
dial-in caller to enter a password and then breaks the
connection to perform a security check.
• Audit Objectives Relating to Subversive Threats
• Verify the security and integrity of financial transactions by
determining network controls can:
(1) Prevent and detect illegal internal and Internet network
access.
(2) Render any data captured by a perpetrator useless.
(3) Preserve integrity and physical security of data connected
to the network.

CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Audit Procedures Relating to Subversive Threats
1. Review firewall adequacy in achieving balance between control
and convenience based on the following criteria:
• Flexibility, proxy services, filtering, segregation of systems, audit tools,
and probing for weaknesses.
2. Verify data encryption security procedures and encryption
process.
3. Review message transaction logs.
4. Test operation of the call-back feature.

CONTROLLING RISKS FROM EQUIPMENT FAILURE
• Line Errors
• The most common problem in data communications is data loss due
to line errors from communications noise.
• A line error is an error caused when the bit structure of the
message is corrupted through noise on the communications
lines.
Two techniques to detect and correct such data errors are:
• The echo check is a technique that involves the receiver of
the message returning the message to the sender.
• The parity check is a technique that incorporates an extra bit
into the structure of a bit string when it is created or
transmitted.
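The parity check described above, carried through for the vertical-and-horizontal odd parity arrangement of the next figure: each character carries its own parity bit and a final parity character covers each bit position across the block, so a single corrupted bit can be both detected and located. This is an added example, not code from Hall's text; the 7-bit character width and the sample message are assumptions constructed for illustration.

```python
"""Vertical and horizontal parity using odd parity, with single-bit correction.

Added example, not code from Hall's text. The character width (7 data bits),
odd parity in both directions and the sample message are assumptions.
"""

DATA_BITS = 7               # 7-bit ASCII per character
ROW_WIDTH = DATA_BITS + 1   # plus one vertical parity bit per character


def odd_parity_bit(bits):
    """Return the bit that makes the number of 1s in `bits` plus itself odd."""
    return 0 if sum(bits) % 2 == 1 else 1


def encode_block(text):
    """Build the block: one row per character (7 data bits, MSB first, then
    the vertical parity bit) and a final horizontal parity row whose bit c
    makes column c odd across the whole block."""
    rows = []
    for ch in text:
        bits = [(ord(ch) >> i) & 1 for i in range(DATA_BITS - 1, -1, -1)]
        rows.append(bits + [odd_parity_bit(bits)])
    horiz = [odd_parity_bit([row[c] for row in rows]) for c in range(ROW_WIDTH)]
    return rows + [horiz]


def check_block(block):
    """Return (bad_rows, bad_cols): data rows and columns whose 1-count is even.
    The horizontal parity row is covered by the column checks, not a row
    check: its own weight is odd only when the number of data rows is odd."""
    bad_rows = [r for r, row in enumerate(block[:-1]) if sum(row) % 2 == 0]
    bad_cols = [c for c in range(ROW_WIDTH)
                if sum(row[c] for row in block) % 2 == 0]
    return bad_rows, bad_cols


def correct_single_bit(block):
    """Locate and flip a single corrupted bit.
    Returns (block, None) when clean, (fixed, (row, col)) when one bit was
    corrected, and (block, "uncorrectable") when the failure pattern is not
    that of a single error (e.g. two flips in one row cancel the row check)."""
    bad_rows, bad_cols = check_block(block)
    if not bad_rows and not bad_cols:
        return block, None
    if len(bad_cols) == 1 and len(bad_rows) <= 1:
        # One bad column and one bad data row: the error is in that data row.
        # One bad column and no bad row: the error is in the parity row itself.
        r = bad_rows[0] if bad_rows else len(block) - 1
        c = bad_cols[0]
        fixed = [row[:] for row in block]
        fixed[r][c] ^= 1
        return fixed, (r, c)
    return block, "uncorrectable"


def decode_block(block):
    """Recover the text from the data bits of each data row."""
    return "".join(chr(int("".join(map(str, row[:DATA_BITS])), 2))
                   for row in block[:-1])
```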

Vertical and Horizontal Parity Using Odd Parity

CONTROLLING RISKS FROM EQUIPMENT FAILURE
• Audit Objectives Relating to Equipment Failure
• Verify the integrity of the electronic commerce transactions by
determining that controls are in place to detect and correct
message loss due to equipment failure.
• Audit Procedures Relating to Equipment Failure
• Selecting a sample of messages, examining them for garbled
content and verifying that all corrupted messages were
successfully retransmitted.

Electronic Data Interchange Controls
• Electronic data interchange (EDI) substantially changes
the way companies do business and creates unique
control issues that accountants need to recognize.
• Electronic data interchange (EDI) uses computer-to-
computer technologies to automate B2B purchases
• The absence of human intervention in this process
presents a unique twist to traditional control problems,
including: a) ensuring that transactions are authorized and
valid, b) preventing unauthorized access to data files, and
c) maintaining an audit trail of transactions.

EDI System

TRANSACTION AUTHORIZATION AND VALIDATION
• Both the customer and the supplier must establish that the
transaction being processed is to (or from) a valid trading
partner and is authorized.
• This can be accomplished at three points in the process:
1. Some VANs have the capability of validating passwords and
user ID codes for the vendor by matching these against a valid
customer file.
2. Before being converted, the translation software can validate
the trading partner’s ID and password against a validation file
in the firm’s database.
3. Before processing, the trading partner’s application software
references the valid customer and vendor files to validate the
transaction.

ACCESS CONTROL
• EDI trading partners must permit a degree of access to
private data files that would be forbidden in a traditional
environment.
• The trading partner agreement will determine the degree
of access control in place.
• To guard against unauthorized access, each company
must establish valid vendor and customer files.

EDI AUDIT TRAIL
• The EDI audit trail includes a control log that records
transactions.

Appendix – Malicious and Destructive Programs
• A virus is a program that attaches itself to a legitimate
program to penetrate the operating system and destroy
application programs, data files and the operating system
itself.
• Worm is used interchangeably with virus; it is a software program
that burrows into the computer’s memory and replicates itself into
areas of idle memory.
• Logic bomb is a destructive program that some
predetermined event – such as a date – triggers.
• Back door (or trap door) allows unauthorized access to a
system without normal log-on procedures.
• Trojan horse captures IDs and passwords from
unsuspecting users.
