Auditing IT Controls Part II: Security and Access
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 2
Controlling the Operating System
• The operating system is the computer’s control program.
• It allows users and their applications to share and access
common computer resources, such as processors, main
memory, databases, and printers.
• If operating system integrity is compromised, controls
within individual accounting applications may also be
circumvented or neutralized.
• It performs three main tasks:
1. Translates high-level languages into machine-level language.
2. Allocates computer resources to user applications.
3. Manages the tasks of job scheduling and multiprogramming.
OPERATING SYSTEM OBJECTIVES
Language Translator Modules of OS
• Compilers are language translation modules of the
operating system.
• Interpreters are language translation modules of the
operating system that convert one line of logic at a time.
OPERATING SYSTEM OBJECTIVES
Fundamental control objectives – operating system must:
1. Protect itself from users.
2. Protect users from each other.
3. Protect users from themselves.
4. Be protected from itself.
5. Be protected from its environment.
OPERATING SYSTEM SECURITY
• Operating system security controls the system in an
ever-expanding user community sharing more and more
computer resources.
• Log-On Procedure
• A log-on procedure is the operating system’s first line of
defense against unauthorized access.
• Access Token
• An access token contains key information about the user,
including user ID, password, user group, and privileges granted
to the user.
OPERATING SYSTEM SECURITY (continued)
• Access Control List
• An access control list (ACL) is a list containing information that
defines the access privileges for all valid users of the resource.
An access control list assigned to each resource controls
access to system resources such as directories, files,
programs, and printers.
• Discretionary Access Privileges
• Discretionary access privileges allow the owner of a resource to
grant access privileges to other users. For example, the controller,
who is the owner of the general ledger, may grant read-only
privileges to a manager in the budgeting department.
THREATS TO OPERATING SYSTEM INTEGRITY
• Accidental Threats – hardware failures that cause the system
to crash
• Errors in User Applications – errors the OS cannot interpret can
result in OS failures
• Accidental System Failures – may cause dumping of memory
to disks/printers, thus unintentionally disclosing confidential
information
• Intentional Threats – privileged personnel abuse their authority
(e.g. systems administrators and programmers; individuals
who browse the OS and exploit security flaws)
• Destructive Programs – individuals who insert (intentionally or
accidentally) computer viruses and other destructive programs
into the system
OPERATING SYSTEM CONTROLS AND
TESTS OF CONTROLS
• Controlling Access Privileges
• AUDIT OBJECTIVES RELATING TO ACCESS PRIVILEGES
Verify access privileges are granted consistent with
separation of incompatible functions and organization policies
OPERATING SYSTEM CONTROLS AND
TESTS OF CONTROLS
• Password Control
• A password is a code, usually kept secret, entered by the user
to gain access to data files.
• A reusable password is a network password that can be used
more than one time.
• The one-time password is a network password that
constantly changes.
AUDIT OBJECTIVES RELATING TO PASSWORDS
Ensure an adequate password policy, which is accomplished by the
procedures below.
AUDIT PROCEDURES RELATING TO PASSWORDS - review
1. that all users are required to have passwords.
2. that new users are instructed in the use of passwords and
password control.
3. the password control procedures.
4. the password file to identify weak passwords and ensure
encryption.
5. the adequacy of password standards.
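Two of the procedures above (reviewing the password file for weak passwords and confirming the stored values are encrypted) can be turned into a mechanical check. The following is an added example, not code from the slides or from Hall's text; the credential-file layout, the user records and the password standard (12 characters, three character classes, no common passwords) are all constructed for this illustration. Stored passwords are kept as salted PBKDF2-HMAC-SHA256 values, which is the form an auditor should expect to find rather than plaintext.

```python
"""Added example: auditing a constructed credential file for (1) values that
are not stored as salted hashes and (2) passwords that violate an assumed
minimum standard. Not the page's code; file format and policy are assumptions."""
import hashlib
import hmac
import os

# Assumed password standard for this example.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456", "welcome1", "letmein"}


def hash_password(password, salt=None, iterations=200_000):
    """Store passwords as salted PBKDF2-HMAC-SHA256, never as plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_hashed(stored):
    """True when the stored value has the salted-hash layout used above."""
    return stored.startswith("pbkdf2_sha256$") and stored.count("$") == 3


def check_policy(password):
    """Return the list of standard violations (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("low_complexity")
    return problems


# Constructed credential file (user -> stored value). Two records still hold
# plaintext, which is exactly what the auditor's review should surface.
# 'dave' is hashed, so his weak choice is invisible here: the standard has
# to be enforced when the password is set, not discovered afterwards.
CREDENTIAL_FILE = {
    "alice": hash_password("Correct-Horse-Battery-9"),
    "bob": "password",          # plaintext and weak
    "carol": "Summer2019!",     # plaintext, one character short of the standard
    "dave": hash_password("letmein"),
}


def audit_credential_file(records):
    """Map each non-compliant user to the list of issues found."""
    findings = {}
    for user, stored in records.items():
        issues = []
        if not is_hashed(stored):
            issues.append("not_hashed")
            issues += check_policy(stored)   # plaintext can be checked directly
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_file(CREDENTIAL_FILE).items():
        print(user, ", ".join(issues))
```

The point the example makes is the one behind procedure 4: once passwords are properly hashed, the auditor can no longer inspect their strength, so the policy check has to be applied at creation time and the audit verifies that both controls exist.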
OPERATING SYSTEM CONTROLS AND
TESTS OF CONTROLS (continued)
• Controlling Malware
• Audit Objective Relating to Malware
Verify effectiveness of procedures that guard against viruses
and other destructive programs
• AUDIT PROCEDURES RELATING TO MALWARE
1. Determining that personnel are educated and aware of
practices that can spread viruses and other malicious
programs.
2. Verifying new software is tested prior to implementation.
3. Verifying up-to-date antiviral software.
OPERATING SYSTEM CONTROLS AND
TESTS OF CONTROLS (continued)
• System Audit Trail Controls
• System audit trails are logs that record activity at the
system, application, and user levels.
• Keystroke monitoring involves recording both the user’s
keystrokes and the system’s responses.
• Event monitoring summarizes key activities related to
system resources.
OPERATING SYSTEM CONTROLS AND
TESTS OF CONTROLS (continued)
• Setting Audit Trail Objectives (to support security objectives)
• DETECTING UNAUTHORIZED ACCESS – real-time or after-the-
fact detection
• RECONSTRUCTING EVENTS – reconstruct the steps that led to
events such as system failures or security violations
• PERSONAL ACCOUNTABILITY – preventive or detective
control
• Implementing a System Audit Trail
• AUDIT OBJECTIVES RELATING TO SYSTEM AUDIT TRAILS
Ensure established system audit trail is adequate to prevent and
detect abuse, reconstruct key events, and plan resource allocation
OPERATING SYSTEM CONTROLS AND
TESTS OF CONTROLS (continued)
AUDIT PROCEDURES RELATING TO SYSTEM AUDIT TRAILS
1. Most operating systems provide some audit manager function to
specify the events to be audited.
• The auditor should verify that the audit trail has been activated
according to organization policy.
2. Many operating systems provide an audit log viewer that the auditor
can scan for unusual activity.
• The auditor can search for conditions such as: unauthorized or
terminated users, periods of inactivity, activity by user, group or
department, log-on and log-off times, failed log-on attempts,
and access to specific files.
3. The security group has responsibility for monitoring and reporting
security violations.
• A sample of violations should be evaluated by the auditor.
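Procedure 2 above lists the conditions an auditor scans the audit log for. The following added example (not from the slides or from Hall's text) runs those searches over a small constructed log: repeated failed log-ons, activity by terminated users, off-hours log-ons and access to named sensitive files. The log format, the user names, the terminated-user list and the business-hours window are all assumptions made for the illustration; a real audit log viewer would read the operating system's own format.

```python
"""Added example: scanning a constructed system audit trail for the exception
conditions listed in the audit procedures (failed log-ons, terminated users,
off-hours log-ons, sensitive file access). Format and data are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log, one event per line:
# <ISO timestamp> <user> <event> [<object>]
SAMPLE_LOG = """\
2019-03-04T08:55:12 alice LOGON_OK
2019-03-04T09:01:44 alice FILE_READ /gl/ledger.dat
2019-03-04T12:10:03 bob LOGON_FAIL
2019-03-04T12:10:21 bob LOGON_FAIL
2019-03-04T12:10:40 bob LOGON_FAIL
2019-03-04T12:11:02 bob LOGON_OK
2019-03-04T23:40:09 carol LOGON_OK
2019-03-04T23:41:30 carol FILE_WRITE /payroll/master.dat
2019-03-05T07:15:00 dave LOGON_OK
2019-03-05T07:16:10 dave FILE_READ /payroll/master.dat
"""

# Constructed reference data the auditor would obtain from HR and the
# security group: 'dave' has been terminated but still holds an account.
TERMINATED_USERS = {"dave"}
SENSITIVE_FILES = {"/payroll/master.dat"}
BUSINESS_HOURS = (7, 19)          # 07:00 to 19:00 local time (assumption)
FAILED_LOGON_THRESHOLD = 3

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (\S+))?$")


def parse_log(text):
    """Parse the constructed log format into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, event, obj = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "object": obj})
    return events


def review_audit_trail(events):
    """Return the exception conditions an auditor would follow up on."""
    findings = defaultdict(list)
    fail_counts = Counter()
    for e in events:
        if e["event"] == "LOGON_FAIL":
            fail_counts[e["user"]] += 1
        if e["user"] in TERMINATED_USERS:
            findings["terminated_user_activity"].append(e)
        in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
        if e["event"] == "LOGON_OK" and not in_hours:
            findings["off_hours_logon"].append(e)
        if e["object"] in SENSITIVE_FILES:
            findings["sensitive_file_access"].append(e)
    for user, n in fail_counts.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings["repeated_failed_logons"].append({"user": user, "count": n})
    return dict(findings)


if __name__ == "__main__":
    for kind, items in review_audit_trail(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {len(items)} item(s)")
```

Each finding is only a lead: the terminated user's activity and the off-hours payroll write are the kind of items procedure 3 expects the security group to have already reported, and the auditor's sample of violations should include them.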
Controlling Database Management
Systems
• Access controls are controls that ensure that only
authorized personnel have access to the firm’s assets;
these are designed to prevent unauthorized individuals
from viewing, retrieving, corrupting or destroying data.
• Backup controls ensure that in the event of data loss
due to unauthorized access, equipment failure, or physical
disaster, the organization can recover its files and
databases.
ACCESS CONTROLS
• User Views
• The user view is a set of data that a particular user needs to achieve
his or her assigned tasks. It is a subset of the total database that defines
and restricts access to the database accordingly.
• Database Authorization Table
• The database authorization table is a table that contains rules that
limit the actions a user can take.
• User-Defined Procedures
• A user-defined procedure allows the user to create a personal
security program or routine to provide more positive user identification
than a password.
• Data Encryption
• Data encryption is the use of an algorithm to scramble selected data,
making it unreadable to an intruder browsing the database.
• Biometric Devices
• Biometric devices are devices that measure various personal
characteristics, such as finger, voice, or retina prints, or other signature
characteristics, to allow access.
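The database authorization table above and the earlier access-privilege objective (privileges granted consistent with the separation of incompatible functions) can be tested together. The following added example, which is not code from the slides or from Hall's text, models an authorization table as user x table x actions and runs three checks on it: incompatible write privileges held by one user, privileges on tables a role's duties do not need, and a discretionary grant that lets an owner pass on no more than it holds itself (the controller granting read-only general ledger access from the earlier slide). The users, tables, job descriptions and incompatible-function pairs are constructed for the illustration.

```python
"""Added example: auditing a constructed database authorization table for
separation-of-duties conflicts and excess privileges, plus a discretionary
grant that cannot exceed the owner's own privileges. Data is constructed."""

# Constructed authorization table: {user: {table: set(actions)}}
AUTH_TABLE = {
    "controller": {"general_ledger": {"read", "write"}, "budget": {"read"}},
    "budget_mgr": {"general_ledger": {"read"}, "budget": {"read", "write"}},
    "ap_clerk": {"vendor_master": {"read", "write"},
                 "ap_payments": {"read", "write"}},
    "auditor": {"general_ledger": {"read"}, "vendor_master": {"read"}},
}

# Constructed job descriptions: the tables each role's duties actually need.
NEEDED = {
    "controller": {"general_ledger", "budget"},
    "budget_mgr": {"budget", "general_ledger"},
    "ap_clerk": {"ap_payments"},
    "auditor": {"general_ledger", "vendor_master"},
}

# Incompatible functions: write access on both sides of a pair lets one
# person, for example, create a fictitious vendor and then pay it.
INCOMPATIBLE = [("vendor_master", "ap_payments"),
                ("general_ledger", "ap_payments")]


def can(user, table, action, auth=AUTH_TABLE):
    """Look up whether the authorization table permits the action."""
    return action in auth.get(user, {}).get(table, set())


def sod_violations(auth, incompatible):
    """Users holding write privileges on both tables of an incompatible pair."""
    out = []
    for user, grants in auth.items():
        for a, b in incompatible:
            if "write" in grants.get(a, ()) and "write" in grants.get(b, ()):
                out.append((user, a, b))
    return out


def excess_privileges(auth, needed):
    """Tables a user can reach that the user's duties do not require."""
    out = []
    for user, grants in auth.items():
        for table in grants:
            if table not in needed.get(user, set()):
                out.append((user, table))
    return out


def grant_discretionary(auth, owner, grantee, table, actions):
    """Owner passes a subset of its own privileges to another user; an owner
    cannot grant an action it does not hold itself."""
    own = auth.get(owner, {}).get(table, set())
    if not actions <= own:
        raise PermissionError(f"{owner} cannot grant {actions} on {table}")
    auth.setdefault(grantee, {}).setdefault(table, set()).update(actions)


if __name__ == "__main__":
    print("SoD violations:", sod_violations(AUTH_TABLE, INCOMPATIBLE))
    print("Excess privileges:", excess_privileges(AUTH_TABLE, NEEDED))
```

The two audit functions correspond to the two access objectives on the following slides: authorized users limited to the data their duties need, and incompatible duties not combined in one account. The sample-of-users procedure is the same check run on a subset.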
Subschema Restricting Access to Database
Database Authorization Table
ACCESS CONTROLS (continued)
• Audit Objectives Relating to Database Access
(1) Authorized users are limited to accessing data needed to
perform their duties, and
(2) Unauthorized users are denied access.
ACCESS CONTROLS (continued)
• Audit Procedures for Testing Access Controls
• APPROPRIATE ACCESS AUTHORITY
• Select a sample of users and verify appropriateness of access
privileges.
• BIOMETRIC CONTROLS
• Evaluate costs and benefits of biometric controls.
• ENCRYPTION CONTROLS
• Verify that sensitive data are properly encrypted.
BACKUP CONTROLS
• Database Backup
• It is automatic and should be done at least daily.
• Transaction Log (Journal)
• The transaction log is a listing of transactions that provides an
audit trail of all processed events.
• Checkpoint Feature
• The checkpoint feature is a feature that suspends all data
processing while the system reconciles the transaction log and the
database change log against the database.
• Recovery Module
• The recovery module uses the logs and backup files to restart
the system after a failure.
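The four backup components above (backup, transaction log, checkpoint, recovery module) are easiest to see working together. The following added example, which is not from the slides or from Hall's text and is not the mechanism of any real DBMS, is a toy in-memory database: every change is journaled before it is applied, a checkpoint suspends processing while it takes a backup and records the log position the backup reflects, and recovery restores the backup and replays only the log entries written after that checkpoint. Account names and amounts are constructed.

```python
"""Added example: a toy database showing transaction log, checkpoint, backup
and recovery working together. Illustration only; constructed data."""
import copy


class ToyDatabase:
    def __init__(self):
        self.data = {}          # account -> balance (the "database")
        self.log = []           # transaction log: (seq, account, delta)
        self.backup = None      # (checkpoint_seq, snapshot of data)
        self.seq = 0
        self.processing = True

    def post(self, account, delta):
        """Journal the change first, then apply it (write-ahead logging)."""
        if not self.processing:
            raise RuntimeError("processing suspended for checkpoint")
        self.seq += 1
        self.log.append((self.seq, account, delta))
        self.data[account] = self.data.get(account, 0) + delta
        return self.seq

    def checkpoint(self):
        """Suspend processing, take a consistent backup, record the log
        position it reflects, then resume."""
        self.processing = False
        try:
            self.backup = (self.seq, copy.deepcopy(self.data))
        finally:
            self.processing = True
        return self.seq

    def crash(self):
        """Simulate losing the database image but keeping log and backup."""
        self.data = {}

    def recover(self):
        """Recovery module: restore the last backup, then replay every log
        entry written after the checkpoint it was taken at."""
        if self.backup is None:
            raise RuntimeError("no backup available")
        ckpt_seq, snapshot = self.backup
        self.data = copy.deepcopy(snapshot)
        for seq, account, delta in self.log:
            if seq > ckpt_seq:
                self.data[account] = self.data.get(account, 0) + delta
        self.seq = max([ckpt_seq] + [s for s, _, _ in self.log])
        return self.data


if __name__ == "__main__":
    db = ToyDatabase()
    db.post("cash", 100)
    db.post("ar", 50)
    db.checkpoint()
    db.post("cash", -30)
    db.crash()
    print(db.recover())   # balances restored from backup plus replayed log
```

Because the log is kept whole, it also serves as the audit trail of every processed event, which is the role the transaction-log slide assigns to it; the backup alone would lose the post made after the checkpoint.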
BACKUP CONTROLS
• Audit Objectives Relating to Database Backup
• Ensure that controls are adequate in the event of a loss.
• Audit Procedures for Testing Backup Controls
• Verify that databases are copied at regular intervals and that the
backup copies are stored off-site to support disaster recovery
procedures.
Database Backup and Recovery
Controlling Networks
• Network topologies consist of various configurations of (1)
communications lines, (2) hardware components, and (3)
software.
• The technology of network communications is subject to
two general forms of risk:
1. Risks from subversive threats
2. Risks from equipment failure
CONTROLLING RISKS FROM SUBVERSIVE
THREATS
• Firewalls
• A firewall is software and hardware that provide a focal point for
security by channeling all network connections through a control
gateway.
• Network-level firewalls are systems that provide basic screening
of low-security messages (for example, e-mail) and route them to
their destinations based on the attached source and destination
addresses. A screening router, part of the network-level firewall,
examines the source and destination addresses attached to
incoming message packets. Network-level firewalls are insecure
because they are designed to facilitate, not restrict, the free flow of
information; outside users are not explicitly authenticated.
• Application-level firewalls provide higher level customizable
network security but add overhead to connectivity.
• Trade-off between convenience and security. The more
security the firewall provides, the less convenient it is for
authorized users to pass through it and conduct business.
Dual-Homed Firewall
SYN Flood DOS Attack (figure: Sender / Receiver exchange; Step 2: SYN/ACK)
CONTROLLING RISKS FROM SUBVERSIVE
THREATS (continued)
• Controlling Denial of Service Attacks
• An Intrusion Prevention System (IPS) uses deep packet
inspection (DPI) to determine when an attack is in progress.
• Deep packet inspection (DPI) is a program used to determine
when a DOS attack is in progress through a variety of
analytical and statistical techniques that evaluate the contents
of message packets.
• Encryption
• Encryption is the use of a computer program to transform a
standard message being transmitted into a coded (cipher text)
form.
• Private key (symmetric) encryption is one method of encryption.
• Public key encryption is a technique that uses two encryption
keys: one for encoding the message, the other for decoding it.
CONTROLLING RISKS FROM SUBVERSIVE
THREATS (continued)
• Encryption (continued)
• PRIVATE KEY ENCRYPTION: Advanced encryption
standard (AES) is a 128-bit encryption technique, also known
as Rijndael, a private key (or symmetric key) encryption
technique. Triple-Data Encryption Standard (DES)
encryption is an enhancement to an older encryption
technique for transmitting transactions. EEE3 is encryption that
uses three different keys to encrypt the message three times.
EDE3 is encryption that uses one key to encrypt the message.
• PUBLIC KEY ENCRYPTION: RSA (Rivest-Shamir-Adleman)
is one of the most trusted public key encryption methods. This
method, however, is computationally intensive and much
slower than private key encryption. A digital envelope is an
encryption method in which both DES and RSA are used
together.
The Advanced Encryption Standard
Technique
EEE3 and EDE3 Encryption
CONTROLLING RISKS FROM SUBVERSIVE
THREATS (continued)
• Digital Signatures
• A digital signature is an electronic authentication technique
that ensures the transmitted message originated with the
authorized sender and that it was not tampered with after the
signature was applied.
• A digest is a mathematical value calculated from the text
content of the message.
• Digital Certificate
• A digital certificate is used in conjunction with public key
encryption to authenticate the sender of a message.
• A certification authority (CA) is a trusted third party that
issues digital certificates.
• A digital certificate is a sender’s public key that has been
digitally signed by a trusted third party or CA.
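The encryption slides above (private key, public key, digital envelope) and the digital signature slide (digest signed by the sender) share one set of primitives, so one added example covers both. This is not code from the slides or from Hall's text: it is textbook RSA on two fixed primes with no padding, and a SHA-256 keystream stands in for DES/AES as the symmetric cipher, so it illustrates the structure of the controls, not a production implementation. The message, the fixed primes and the 128-bit session key are assumptions made for the illustration.

```python
"""Added example: digital envelope (symmetric key protects the message, the
recipient's public key protects the symmetric key) and digital signature
(digest signed with the sender's private key). Textbook RSA with fixed primes
and a SHA-256 keystream; illustration only, not a production cipher."""
import hashlib
import os

# Fixed Mersenne primes so the example is deterministic (toy key size).
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as (n, exponent) pairs."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _rsa(x, key):
    """Raw RSA on an integer smaller than the modulus (no padding)."""
    n, exp = key
    assert 0 <= x < n, "value must be smaller than the modulus"
    return pow(x, exp, n)


# --- private key (symmetric) part: XOR with SHA-256(key || counter) ---
def stream_xor(key, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# --- digital envelope: symmetric cipher for the body, RSA for the key ---
def seal_envelope(message, recipient_pub):
    sym_key = os.urandom(16)                      # one-time session key
    return {"ciphertext": stream_xor(sym_key, message),
            "wrapped_key": _rsa(int.from_bytes(sym_key, "big"), recipient_pub)}


def open_envelope(envelope, recipient_priv):
    sym_key = _rsa(envelope["wrapped_key"], recipient_priv).to_bytes(16, "big")
    return stream_xor(sym_key, envelope["ciphertext"])


# --- digital signature: sign the digest, not the message ---
def digest(message):
    """128-bit digest so it is always smaller than the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message, sender_priv):
    return _rsa(digest(message), sender_priv)


def verify(message, signature, sender_pub):
    """True only if the signature decrypts to the digest of this exact message."""
    return _rsa(signature, sender_pub) == digest(message)


if __name__ == "__main__":
    pub, priv = make_keypair()
    msg = b"Pay vendor 4711 the amount 1,250.00"   # constructed message
    env = seal_envelope(msg, pub)
    sig = sign(msg, priv)
    print(open_envelope(env, priv) == msg, verify(msg, sig, pub))
    print(verify(msg + b"0", sig, pub))              # tampered: False
```

Two things the slides state are visible in the code: the envelope exists because RSA is too slow to encrypt the whole message, so it only wraps the short session key; and the signature covers the digest, so any change to the message after signing makes verification fail.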
Digital Signature
CONTROLLING RISKS FROM SUBVERSIVE
THREATS (continued)
• Message Sequence Numbering
• Message sequence numbering is a sequence number
inserted in each message to foil any attempt by an intruder in
the communications channel to delete a message from a
stream of messages, change the order of messages received,
or duplicate a message.
• Message Transaction Log
• A message transaction log is a log in which all incoming and
outgoing messages, as well as attempted (failed) access,
should be recorded.
• Request-Response Technique
• The request-response technique is a technique in which a
control message from the sender and a response from the
receiver are sent at periodic, synchronized intervals.
CONTROLLING RISKS FROM SUBVERSIVE
THREATS (continued)
• Call-Back Devices
• A call-back device is a hardware component that asks the
dial-in caller to enter a password and then breaks the
connection to perform a security check.
• Audit Objectives Relating to Subversive Threats
• Verify the security and integrity of financial transactions by
determining that network controls can:
(1) Prevent and detect illegal internal and Internet network
access.
(2) Render any data captured by a perpetrator useless.
(3) Preserve the integrity and physical security of data connected
to the network.
CONTROLLING RISKS FROM SUBVERSIVE
THREATS (continued)
• Audit Procedures Relating to Subversive Threats
1. Review firewall adequacy in achieving balance between control
and convenience based on the following criteria:
• Flexibility, proxy services, filtering, segregation of systems, audit tools,
and probing for weaknesses.
2. Verify data encryption security procedures and encryption
process.
3. Review message transaction logs.
4. Test operation of the call-back feature.
CONTROLLING RISKS FROM EQUIPMENT
FAILURE
• Line Errors
• The most common problem in data communications is data loss due
to line errors from communications noise.
• A line error is an error caused when the bit structure of the
message is corrupted through noise on the communications
lines.
Two techniques to detect and correct such data errors are:
• The echo check is a technique that involves the receiver of
the message returning the message to the sender.
• The parity check is a technique that incorporates an extra bit
into the structure of a bit string when it is created or
transmitted.
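The parity check above, and the vertical-and-horizontal odd parity figure that follows, can be worked through in code. The following added example, not code from the slides or from Hall's text, builds a block of 7-bit characters with a vertical (per-character) odd parity bit and a horizontal (per-column) odd parity row, then checks it: a single flipped bit fails exactly one row and one column, which locates and corrects it, while two flipped bits in one row are detected but not located. The 7-bit ASCII assumption and the sample text are constructed.

```python
"""Added example: vertical and horizontal odd parity on 7-bit characters,
with single-bit error location and correction. Constructed illustration."""


def odd_parity_bit(bits):
    """Return the bit that makes the total number of 1s odd."""
    return 0 if sum(bits) % 2 == 1 else 1


def encode(data):
    """bytes -> rows of 8 bits (7 data bits + vertical parity) followed by
    one horizontal parity row. Assumes 7-bit characters."""
    rows = []
    for b in data:
        assert b < 128, "7-bit characters assumed"
        bits = [(b >> i) & 1 for i in range(6, -1, -1)]
        rows.append(bits + [odd_parity_bit(bits)])
    hparity = [odd_parity_bit([row[c] for row in rows]) for c in range(8)]
    return rows + [hparity]


def check(block):
    """Return (ok, bad_row, bad_col). Every data row and every column must
    hold an odd number of 1s. One failing row and one failing column locate
    a single-bit error; anything else is detected but not locatable."""
    data_rows = block[:-1]
    bad_rows = [i for i, row in enumerate(data_rows) if sum(row) % 2 == 0]
    bad_cols = [c for c in range(8) if sum(row[c] for row in block) % 2 == 0]
    if not bad_rows and not bad_cols:
        return True, None, None
    if len(bad_cols) == 1 and len(bad_rows) <= 1:
        # No failing data row means the flipped bit is in the parity row.
        r = bad_rows[0] if bad_rows else len(block) - 1
        return False, r, bad_cols[0]
    return False, None, None


def correct(block):
    """Flip the located bit in place; return True if the block is then clean."""
    ok, r, c = check(block)
    if not ok and r is not None:
        block[r][c] ^= 1
    return check(block)[0]


def decode(block):
    """Recover the characters from the data bits of each data row."""
    return bytes(int("".join(map(str, row[:7])), 2) for row in block[:-1])


if __name__ == "__main__":
    block = encode(b"AIS")
    block[1][2] ^= 1              # simulate one bit corrupted by line noise
    print(check(block))           # (False, 1, 2): row 1, column 2
    print(correct(block), decode(block))
```

The echo check from the same slide is the complementary technique: instead of adding redundancy to the message, the receiver returns the whole message and the sender compares it.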
Vertical and Horizontal Parity Using Odd
Parity
CONTROLLING RISKS FROM EQUIPMENT
FAILURE
• Audit Objectives Relating to Equipment Failure
• Verify the integrity of the electronic commerce transactions by
determining that controls are in place to detect and correct
message loss due to equipment failure.
• Audit Procedures Relating to Equipment Failure
• Select a sample of messages, examine them for garbled
content, and verify that all corrupted messages were
successfully retransmitted.
Electronic Data Interchange Controls
EDI System
TRANSACTION AUTHORIZATION AND
VALIDATION
• Both the customer and the supplier must establish that the
transaction being processed is to (or from) a valid trading
partner and is authorized.
• This can be accomplished at three points in the process:
1. Some VANs have the capability of validating passwords and
user ID codes for the vendor by matching these against a valid
customer file.
2. Before being converted, the translation software can validate
the trading partner’s ID and password against a validation file
in the firm’s database.
3. Before processing, the trading partner’s application software
references the valid customer and vendor files to validate the
transaction.
ACCESS CONTROL
• EDI trading partners must permit a degree of access to
private data files that would be forbidden in a traditional
environment.
• The trading partner agreement will determine the degree
of access control in place.
• To guard against unauthorized access, each company
must establish valid vendor and customer files.
EDI AUDIT TRAIL
• The EDI audit trail includes a control log which records
transaction
Appendix - Malicious and Destructive
Programs
• A virus is a program that attaches itself to a legitimate
program to penetrate the operating system and destroy
application programs, data files and the operating system
itself.
• The term worm is often used interchangeably with virus.
• A worm is a software program that burrows into the computer’s
memory and replicates itself into areas of idle memory.
• A logic bomb is a destructive program that some
predetermined event – such as a date – triggers.
• A back door (or trap door) allows unauthorized access to a
system without normal log-on procedures.
• A Trojan horse captures IDs and passwords from
unsuspecting users.