Training is critical
- Authentication: the process of verifying the identity of the person or device attempting to access the system. Objective: ensure that only legitimate users can access the system.
- Three types of credentials:
  1. Password or PIN
  2. Smart cards or ID badges
  3. Biometric identifier: fingerprints or
- Multi-factor authentication: using two or three of these methods together is more effective than any one alone.
- Authorization: restricts the access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.
- Create an access control matrix. When an employee attempts to access a particular information system resource, the system performs a compatibility test: it matches the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.
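The compatibility test described above, written out as an added Go example (this code is not part of the notes). The users, resources and permission bits are constructed for the illustration; the point is that the lookup is default-deny: an unauthenticated caller, an unknown user, an unknown resource, or a missing permission bit all produce a refusal.

```go
package main

import "fmt"

// Perm is a bit set of the actions a user may perform on a resource.
type Perm uint8

const (
	Read Perm = 1 << iota
	Write
	Delete
)

// Matrix is the access control matrix: user ID -> resource -> granted actions.
type Matrix map[string]map[string]Perm

// Credentials is what the authentication step hands to the authorization step.
type Credentials struct {
	UserID        string
	Authenticated bool
}

// CompatibilityTest looks the authenticated user up in the matrix for the
// requested resource and allows the request only if every requested action
// bit has been granted. Everything not explicitly granted is denied.
func CompatibilityTest(m Matrix, c Credentials, resource string, action Perm) bool {
	if !c.Authenticated {
		return false // authorization applies only to authenticated principals
	}
	row, ok := m[c.UserID]
	if !ok {
		return false // user has no row in the matrix
	}
	granted, ok := row[resource]
	if !ok {
		return false // no cell for this resource
	}
	return granted&action == action
}

// SampleMatrix is constructed data for the example (hypothetical users and resources).
func SampleMatrix() Matrix {
	return Matrix{
		"alice": {"payroll_master": Read, "sales_orders": Read | Write},
		"bob":   {"sales_orders": Read},
	}
}

func main() {
	m := SampleMatrix()
	requests := []struct {
		c        Credentials
		resource string
		action   Perm
	}{
		{Credentials{"alice", true}, "payroll_master", Read},
		{Credentials{"alice", true}, "payroll_master", Write},
		{Credentials{"bob", true}, "sales_orders", Read | Write},
		{Credentials{"alice", false}, "sales_orders", Read},
	}
	for _, r := range requests {
		fmt.Printf("%-6s %-15s action=%03b -> allowed=%v\n",
			r.c.UserID, r.resource, r.action, CompatibilityTest(m, r.c, r.resource, r.action))
	}
}
```

The matrix is keyed by the user ID that authentication established, never by anything the request itself claims, which is what keeps the two steps (who are you, what may you do) separate.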
Network Access Controls
1. Border router: connects an organization's information system to the Internet.
2. Firewall: special-purpose hardware device or software that permits controlled access from the Internet to selected resources.
3. Demilitarized zone (DMZ): separate network that permits controlled access from the Internet to selected resources, such as an e-commerce Web server.
- Border router & firewall act as filters to control which information is allowed to enter and leave the organization's information system.
- Access control list (ACL): determines which packets are allowed in and which are dropped.
- Stateful packet filtering: screens individual packets based only on the contents of the source and/or destination fields in the packet header. The firewall then subjects the packet to more detailed testing before allowing it to enter the internal network. Firewalls employ stateful packet filtering.
- Deep packet inspection: examines the data in the body of an IP packet to provide more effective access control. The process takes more time, so the added cost is a loss of speed.
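An added Go example (not from the notes) that puts the three filtering layers side by side: an ACL evaluated on header fields only, a connection table that lets replies to an already-admitted TCP connection through, and a deep inspection callback that looks at the body and costs extra work per packet. The rule set, addresses and the HTTP-method check are constructed for the illustration and are not a real firewall's configuration.

```go
package main

import (
	"fmt"
	"strings"
)

// Packet is the subset of header and body fields the filter looks at.
type Packet struct {
	Proto            string // "tcp" or "udp"
	SrcIP, DstIP     string
	SrcPort, DstPort int
	SYN, ACK         bool   // TCP flags, used to recognise a new connection
	Payload          string // body, consulted only by deep packet inspection
}

// Rule is one ACL entry. "*" for Proto/DstIP and 0 for DstPort match anything.
type Rule struct {
	Action  string // "permit" or "deny"
	Proto   string
	DstIP   string
	DstPort int
}

// ACLDecision is the header-only screen: first matching rule wins, and a
// packet that matches no rule is dropped (implicit deny).
func ACLDecision(acl []Rule, p Packet) string {
	for _, r := range acl {
		if (r.Proto == "*" || r.Proto == p.Proto) &&
			(r.DstIP == "*" || r.DstIP == p.DstIP) &&
			(r.DstPort == 0 || r.DstPort == p.DstPort) {
			return r.Action
		}
	}
	return "deny"
}

type connKey struct{ from, to string }

// Firewall holds the ACL, the table of connections already admitted, and an
// optional deep packet inspection callback that examines the body.
type Firewall struct {
	ACL         []Rule
	Inspect     func(Packet) bool // nil means no deep inspection
	established map[connKey]bool
}

func NewFirewall(acl []Rule, inspect func(Packet) bool) *Firewall {
	return &Firewall{ACL: acl, Inspect: inspect, established: map[connKey]bool{}}
}

func endpoint(ip string, port int) string { return fmt.Sprintf("%s:%d", ip, port) }

// Filter reports whether the packet may enter. Return traffic of a tracked
// connection passes on state alone; everything else must pass the ACL and,
// if configured, deep inspection. A permitted TCP SYN opens a tracked connection.
func (fw *Firewall) Filter(p Packet) bool {
	key := connKey{endpoint(p.SrcIP, p.SrcPort), endpoint(p.DstIP, p.DstPort)}
	if fw.established[connKey{key.to, key.from}] {
		return true
	}
	if ACLDecision(fw.ACL, p) != "permit" {
		return false
	}
	if fw.Inspect != nil && !fw.Inspect(p) {
		return false // header was acceptable, body was not
	}
	if p.Proto == "tcp" && p.SYN && !p.ACK {
		fw.established[key] = true
	}
	return true
}

// HTTPInspector is a deliberately small deep-inspection check, constructed for
// the example: a non-empty body sent to port 80 must begin with an HTTP method.
func HTTPInspector(p Packet) bool {
	if p.DstPort != 80 || p.Payload == "" {
		return true
	}
	for _, m := range []string{"GET ", "POST ", "HEAD "} {
		if strings.HasPrefix(p.Payload, m) {
			return true
		}
	}
	return false
}

// DMZRules is a constructed sample policy: only HTTP/HTTPS to one DMZ web server.
func DMZRules() []Rule {
	return []Rule{
		{"permit", "tcp", "203.0.113.10", 80},
		{"permit", "tcp", "203.0.113.10", 443},
	}
}

func main() {
	fw := NewFirewall(DMZRules(), HTTPInspector)
	pkts := []Packet{
		{"tcp", "198.51.100.5", "203.0.113.10", 40000, 443, true, false, ""},
		{"tcp", "203.0.113.10", "198.51.100.5", 443, 40000, true, true, ""},
		{"tcp", "198.51.100.5", "203.0.113.10", 40001, 22, true, false, ""},
		{"tcp", "198.51.100.5", "203.0.113.10", 40002, 80, false, true, "\x00\x01binary"},
	}
	for _, p := range pkts {
		fmt.Printf("%s:%d -> %s:%d allowed=%v\n", p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, fw.Filter(p))
	}
}
```

The second packet in main is admitted even though no ACL rule permits traffic to 198.51.100.5; it passes because the connection table remembers the SYN that went the other way, which is the difference between a stateless ACL and a stateful filter.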
1. A submits a bid to B and the browser moves to the web page displaying the lock box on the website.
2. A obtains the digital certificate of B and opens the certificate to get B's public key. Then B goes to A's website and obtains A's digital certificate and A's public key.
3. A's bid goes through an encryption process: the bid is hashed using one of the hashing algorithms. The hash is then encrypted with A's private key to create a digital signature. Then the bid is encrypted with a symmetric key, and the symmetric key is encrypted using B's public key.
4. B decrypts the hash using A's public key. Then B decrypts the symmetric key using its private key. The bid is then decrypted using the symmetric key. The hash is independently calculated & compared with the hash sent by A. If the two hashes agree, the encryption process is successful.
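Steps 3 and 4 of the exchange, carried through in Go using only the standard library, as an added example that is not part of the notes. Certificate retrieval (steps 1 and 2) is assumed to have already delivered the two public keys; the example simply generates both key pairs itself. The concrete algorithms (SHA-256, RSA PKCS#1 v1.5 signatures, RSA-OAEP for the key, AES-GCM for the bid) are choices made here, not ones the notes specify. Verifying a signature is the library's form of "decrypt the hash with A's public key and compare it with a freshly computed hash", so the comparison happens inside `rsa.VerifyPKCS1v15`.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what A transmits to B.
type Envelope struct {
	Ciphertext   []byte // bid encrypted with the symmetric key (AES-GCM)
	Nonce        []byte // GCM nonce, sent in the clear
	EncryptedKey []byte // symmetric key encrypted with B's public key (RSA-OAEP)
	Signature    []byte // SHA-256 hash of the bid, signed with A's private key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is step 3 on A's side: hash, sign the hash, encrypt the bid with a
// fresh symmetric key, encrypt that key for B.
func Seal(bid []byte, aPriv *rsa.PrivateKey, bPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(bid)
	sig, err := rsa.SignPKCS1v15(rand.Reader, aPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32) // one 256-bit symmetric key per bid
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{gcm.Seal(nil, nonce, bid, nil), nonce, encKey, sig}, nil
}

// Open is step 4 on B's side: recover the symmetric key, decrypt the bid,
// recompute its hash and check it against the signed hash from A.
func Open(env *Envelope, bPriv *rsa.PrivateKey, aPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bPriv, env.EncryptedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("symmetric key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	bid, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("bid ciphertext: %w", err)
	}
	digest := sha256.Sum256(bid)
	if err := rsa.VerifyPKCS1v15(aPub, crypto.SHA256, digest[:], env.Signature); err != nil {
		return nil, fmt.Errorf("hash comparison failed: %w", err)
	}
	return bid, nil
}

// RoundTrip generates key pairs for A and B, sends one bid, then corrupts the
// signature to show that step 4 rejects the altered envelope.
func RoundTrip(bid string) (recovered string, tamperDetected bool, err error) {
	aKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	bKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	env, err := Seal([]byte(bid), aKey, &bKey.PublicKey)
	if err != nil {
		return "", false, err
	}
	plain, err := Open(env, bKey, &aKey.PublicKey)
	if err != nil {
		return "", false, err
	}
	env.Signature[0] ^= 0xff // tamper with the signed hash
	_, err = Open(env, bKey, &aKey.PublicKey)
	return string(plain), err != nil, nil
}

func main() {
	got, detected, err := RoundTrip("bid: 12500 units at 3.40") // constructed sample bid
	fmt.Println(got, detected, err)
}
```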
Data Entry Controls
- Field check: determines whether the characters in a field are of the proper type. Ex: a field that should contain only numerical values flags an error if alphabetic characters are entered.
- Sign check: determines whether the data in a field have the appropriate arithmetic sign. Ex: quantity ordered is never negative.
- Limit check: tests a numerical amount against a fixed value. Ex: 40 hours is the regular work week, so hours worked should be equal to or less than that.
- Range check: tests whether a numerical amount falls between predetermined lower & upper limits. Ex: a marketing promotion directed at customers whose incomes are between 50,000 and 99,999.
- Size check: ensures that the input data will fit into the assigned field. Ex: an eight-digit field.
- Completeness check: for each input record, determines whether all required data items have been entered. Ex: a sales transaction shouldn't be accepted unless it includes the customer's shipping
- Validity check: compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists. Ex: when a product number is entered on a sales order, the computer must verify that there is indeed such a product in the inventory database.
- Reasonableness test: determines the correctness of the logical relationship between two data items. Ex: overtime hours should be zero if someone hasn't worked the maximum regular
Additional Batch Processing Data Entry Controls:
- Sequence check, error log
- Batch totals: summarize important values for a batch of input records.
  - Financial total: sums a field that contains monetary values, such as the total dollar amount of all sales for a batch of sales transactions. Has to make financial sense (gross pay, deductions, net pay).
  - Hash total: sums a nonfinancial numeric field, such as the total of the quantity-ordered field in a batch of sales transactions (employee #, pay rate, hours worked).
  - Record count: the number of records in a batch.
- Additional Online Data Entry Controls:
- Prompting: the system requests each input data item & waits for an acceptable response, which ensures that all necessary data are entered. Prompting is an online completeness check.
- Closed-loop verification: checks the accuracy of input data by using it to retrieve & display other related information. Goes with the validity check.
- Transaction logs, error messages
- Data matching: two or more items of data must be matched before an action can take place. Ex: before paying a vendor, the system should verify that the information on the vendor invoice matches the information on both the purchase order & the receiving report.
- File labels: need to be checked to ensure that the correct & most current files are being updated. Header record: located at the beginning of each file & contains the file name, expiration date, & other identification data. Trailer record: located at the end of the file & contains the batch totals calculated during input.
- Recalculation of batch totals: batch totals should be recomputed as each transaction record is processed, and the total for the batch should then be compared to the values in the trailer record.
- Cross-footing balance test: compares the results produced by each method to verify accuracy. Zero-balance test: applies this same logic to control accounts.
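The batch-total controls from the previous section (financial total, hash total, record count, sequence check) together with the trailer-record recalculation and the cross-footing and zero-balance tests above, as one added Go example that is not part of the notes. The sales batch, the trailer values and the table of amounts are constructed; amounts are kept in cents so the totals are exact integers.

```go
package main

import "fmt"

// SalesTxn is one record in an input batch (constructed layout).
type SalesTxn struct {
	InvoiceNo   int
	CustomerNo  int
	Qty         int
	AmountCents int64
}

// BatchTotals are the three control totals written to the trailer record at input time.
type BatchTotals struct {
	Financial int64 // sum of the monetary field
	Hash      int   // sum of a nonfinancial numeric field (quantity ordered)
	Records   int   // record count
}

// ComputeTotals recomputes the totals record by record, as processing does.
func ComputeTotals(batch []SalesTxn) BatchTotals {
	var t BatchTotals
	for _, x := range batch {
		t.Financial += x.AmountCents
		t.Hash += x.Qty
		t.Records++
	}
	return t
}

// Reconcile compares the recomputed totals with the trailer record and names
// every total that disagrees; an empty result means the batch balances.
func Reconcile(batch []SalesTxn, trailer BatchTotals) []string {
	got := ComputeTotals(batch)
	var diffs []string
	if got.Financial != trailer.Financial {
		diffs = append(diffs, fmt.Sprintf("financial total %d != trailer %d", got.Financial, trailer.Financial))
	}
	if got.Hash != trailer.Hash {
		diffs = append(diffs, fmt.Sprintf("hash total %d != trailer %d", got.Hash, trailer.Hash))
	}
	if got.Records != trailer.Records {
		diffs = append(diffs, fmt.Sprintf("record count %d != trailer %d", got.Records, trailer.Records))
	}
	return diffs
}

// SequenceCheck returns the invoice numbers that break ascending order.
func SequenceCheck(batch []SalesTxn) []int {
	var out []int
	for i := 1; i < len(batch); i++ {
		if batch[i].InvoiceNo <= batch[i-1].InvoiceNo {
			out = append(out, batch[i].InvoiceNo)
		}
	}
	return out
}

// CrossFoot takes a table of amounts plus the row and column totals that were
// accumulated separately, and reports whether every stored total matches the
// detail and the grand total by rows equals the grand total by columns.
func CrossFoot(table [][]int64, rowTotals, colTotals []int64) bool {
	if len(rowTotals) != len(table) {
		return false
	}
	var grandRows, grandCols int64
	for i, row := range table {
		var s int64
		for _, v := range row {
			s += v
		}
		if s != rowTotals[i] {
			return false
		}
		grandRows += s
	}
	for c, want := range colTotals {
		var s int64
		for _, row := range table {
			if c >= len(row) {
				return false
			}
			s += row[c]
		}
		if s != want {
			return false
		}
		grandCols += s
	}
	return grandRows == grandCols
}

// ZeroBalance applies the same idea to a control account: the control balance
// minus the sum of the subsidiary balances must come out to zero.
func ZeroBalance(control int64, subsidiary []int64) bool {
	var s int64
	for _, v := range subsidiary {
		s += v
	}
	return control-s == 0
}

// SampleBatch is constructed input data.
func SampleBatch() []SalesTxn {
	return []SalesTxn{{1001, 501, 5, 125000}, {1002, 502, 2, 80000}, {1004, 503, 10, 300000}}
}

func main() {
	batch := SampleBatch()
	trailer := BatchTotals{Financial: 505000, Hash: 17, Records: 4} // constructed: one record short
	fmt.Println(ComputeTotals(batch), Reconcile(batch, trailer), SequenceCheck(batch))
}
```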
- Write-protection mechanisms: protect against overwriting or erasing of data files stored on magnetic media. Used to protect master files from accidentally being damaged.
- Concurrent update controls: prevent such errors by locking out one user until the system has finished processing the transaction entered by the other.
- Checksums: when data are transmitted, the sending device can calculate a hash of the file
- Parity bits: an extra digit added to the beginning of every character that can be used to check transmission accuracy.
- Parity checking: entails verifying that the proper number of bits are set to the value 1 in each character received.
- Full backup: an exact copy of the data recorded on another physical medium.
- Two types of partial backups:
  - Incremental backup: copies only the data items that have changed since the last partial backup. Produces a set of incremental backup files, each containing the results of one day's transactions. Ex: fire on Wed. (restore the 1st full backup, then Sat., Sun., Mon., Tues.).
  - Differential backup: copies all changes made since the last full backup. Consequently, except for the first day following a full backup, daily differential backups take longer than incremental backups. Ex: fire on Wed. (restore the full backup, then Tues.'s files). The last full backup needs to be supplemented with only the most recent differential backup.
- Archive: a copy of a database, master file, or software that will be retained indefinitely as a historical record, usually to satisfy legal & regulatory requirements.
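The two restore procedures and the size difference between incremental and differential backups, as an added Go example (not part of the notes). The backup history and the per-day change counts are constructed; the code assumes a history that sticks to one partial-backup type after each full backup, which is how the notes describe both schemes.

```go
package main

import "fmt"

// Backup is one entry in the backup history, oldest first.
type Backup struct {
	Day  string
	Kind string // "full", "incremental" or "differential"
}

// RestoreSet lists the backups to apply, in order, to rebuild the data after a
// failure: the most recent full backup, then either every incremental taken
// since it (in order) or only the most recent differential.
func RestoreSet(history []Backup) []Backup {
	lastFull := -1
	for i, b := range history {
		if b.Kind == "full" {
			lastFull = i
		}
	}
	if lastFull < 0 {
		return nil // nothing to restore from
	}
	set := []Backup{history[lastFull]}
	partials := history[lastFull+1:]
	if len(partials) == 0 {
		return set
	}
	switch partials[len(partials)-1].Kind {
	case "incremental":
		set = append(set, partials...) // each day's changes, replayed in sequence
	case "differential":
		set = append(set, partials[len(partials)-1]) // latest one already holds everything since the full
	}
	return set
}

// BackupSizes shows why differentials take longer after the first day: given
// how many items changed on each day after a full backup, an incremental
// copies that day's changes only, while a differential copies everything
// changed since the full backup.
func BackupSizes(changedPerDay []int, kind string) []int {
	sizes := make([]int, len(changedPerDay))
	running := 0
	for i, n := range changedPerDay {
		running += n
		if kind == "differential" {
			sizes[i] = running
		} else {
			sizes[i] = n
		}
	}
	return sizes
}

// IncrementalWeek and DifferentialWeek are constructed histories ending the night before a Wednesday failure.
func IncrementalWeek() []Backup {
	return []Backup{{"Sat", "full"}, {"Sun", "incremental"}, {"Mon", "incremental"}, {"Tue", "incremental"}}
}

func DifferentialWeek() []Backup {
	return []Backup{{"Sat", "full"}, {"Sun", "differential"}, {"Mon", "differential"}, {"Tue", "differential"}}
}

func main() {
	fmt.Println("incremental restore:", RestoreSet(IncrementalWeek()))
	fmt.Println("differential restore:", RestoreSet(DifferentialWeek()))
	changes := []int{3, 4, 5} // constructed: items changed Sun, Mon, Tue
	fmt.Println("incremental sizes:", BackupSizes(changes, "incremental"))
	fmt.Println("differential sizes:", BackupSizes(changes, "differential"))
}
```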
Nature of Auditing
- Audit planning: determine why, how, when, & by whom the audit will be performed. Establish the audit's scope & objectives. Evaluate the internal controls. Consider inherent, control, & detection risk. A preliminary audit program is prepared to show the nature, extent, & timing of the procedures necessary to achieve the audit objectives & minimize audit risk.
- Collecting evidence: most audit effort is spent collecting evidence. Methods: observation, review of documentation, discussions, physical examination, confirmation, re-performance, vouching (looking for supporting documents), analytical review.
  - Strong control: physical examination & observation
  - Weak control: discussion
- Evaluating evidence: evaluate the evidence gathered & decide whether it supports a favorable or unfavorable conclusion.
  - Materiality: what is & is not important in an audit.
  - Reasonable assurance: that no material error exists in the information or process audited.
- Communicating audit results: the auditor prepares a written & sometimes oral report summarizing audit findings & recommendations, with references to supporting evidence in the working papers. The report is presented to management, the audit committee, the board of directors, & other appropriate parties.
- Risk-Based Audit:
  1. Determine the threats (fraud & errors): accidental or intentional abuse & damage to which the system is exposed.
  2. Identify the control procedures that prevent, detect, or correct the threats: these are all the controls that management has put into place & that auditors should review & test to minimize the threats.
  3. Evaluate control procedures, in two ways:
     a. A system review: determines whether control procedures are actually in place.
     b. Tests of controls: conducted to determine whether existing controls work as
  4. Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures: optional step.
- Security: inspecting computer sites, interviewing personnel, reviewing policies & procedures, examining access logs, insurance policies, & the disaster recovery plan.
- Program development: system reviews. The auditor's role is to maintain the objectivity necessary for performing an independent evaluation. The auditor should gain an understanding of development procedures by discussing them with management, users, & IS personnel.
  - Tests of controls: interview, examine development approvals, review team minutes, review documentation relating to the testing process, examine the test specifications, review test data, & evaluate test results.
- Program modification: gain an understanding of the change process by discussing it with management. Auditors observe how changes are implemented to verify that separate development & production programs are maintained & that changes are implemented by someone independent of the user & programming functions.
  - Tests for unauthorized programs: investigation. Source code comparison: compare the current version of the program with the source code. Reprocessing: on a surprise basis, the auditor uses a verified copy of the source code to reprocess data & compares that output with the company's data. Parallel simulation: the auditor writes their own program instead of using verified source code; it can be used to test a program during the implementation process.
- Source data & data entry: review documentation about responsibilities. Input controls matrix: used to document the review of source data controls.
- Data: review documentation; use of file labels & write-protection, virus protection software. System review to examine prescribed procedures for control of file conversions & reconciling master files.
- Processing: review administrative documentation for processing control standards & data editing; observe computer operations & data control functions; reconcile a sample of batch totals; verify processing accuracy for a sample of sensitive transactions; & discuss processing control procedures.
- Security: partial compensation by sound personnel policies, effective segregation of incompatible duties, & effective user controls, so that users can recognize unusual system output. Security weaknesses need to be corrected.
- Programming development: strong processing controls & independent processing of test data by auditors.
- Program modification: source code comparisons, reprocessing, & parallel simulation.
- Source data: user & source data controls may be strong enough.
- Source data & data entry: strong user controls, strong processing controls, & effective computer security controls.
Concurrent Audit Techniques
- This is part of the computer processing controls: several specialized techniques allow the auditor to use the computer to test processing controls.
- Processing test data: involves testing a program by processing a hypothetical series of valid & invalid transactions. The program should process all valid transactions correctly & identify & reject the invalid ones. All logic paths should be checked for proper functioning by one or more test transactions; use a matrix table. Include records with missing data, fields containing unreasonably large amounts, & records out of sequence.
- Concurrent audit techniques: continually monitor the system & collect audit evidence while live data are processed during regular operating hours. They use embedded audit modules, which are segments of programs that perform audit functions, report test results to the auditor, & store collected evidence for auditor review.
- Five concurrent audit techniques:
  - Integrated test facility (ITF): places a small set of fictitious records in the master files. Auditors must take care not to combine dummy & actual records during the reporting process. Since real & fictitious transactions are processed together, employees don't know the testing is taking place.
  - Snapshot technique: examines the way transactions are processed. Selected transactions are marked with a special code to trigger the snapshot. Data are recorded in a special file & reviewed by the auditors to verify that all processing steps were properly executed.
  - System control audit review file (SCARF): uses embedded audit modules to continuously monitor transaction activity & collect data on transactions with special audit significance. Identifies high-risk events. Stores in the SCARF file transactions exceeding a high dollar limit, involving inactive accounts, or deviating from company policy.
  - Audit hooks: audit routines that flag suspicious transactions. Does everything SCARF does, plus real-time notification.
  - Continuous & intermittent simulation (CIS): embeds an audit module in a database management system that examines all transactions that update the database, using criteria similar to those of SCARF. If there are discrepancies, details are written to an audit log for subsequent investigation.
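An embedded audit module in Go, as an added example that is not part of the notes, covering the SCARF and audit-hook entries above: transactions are screened against the three selection criteria the notes list (amount over a dollar limit, posting to an inactive account, deviation from company policy), flagged ones are appended to the SCARF file, and an optional hook is called the moment a transaction is flagged, which is the real-time notification that distinguishes an audit hook from plain SCARF collection. The transaction layout, the dollar limit, the inactive-account list and the policy rule (the same person may not enter and approve a transaction) are all constructed for the illustration.

```go
package main

import "fmt"

// Txn is one transaction flowing through the application (constructed layout).
type Txn struct {
	ID          string
	Account     string
	AmountCents int64
	EnteredBy   string
	ApprovedBy  string
}

// Exception is one entry in the SCARF file: the transaction and why it was selected.
type Exception struct {
	TxnID   string
	Reasons []string
}

// SCARF is the embedded audit module: its selection criteria, the master data
// it consults, the file of collected evidence, and an optional audit hook.
type SCARF struct {
	DollarLimitCents int64
	InactiveAccounts map[string]bool
	File             []Exception
	Hook             func(Exception) // called immediately when a transaction is flagged
}

// Examine applies the criteria to one transaction and returns the reasons it
// was flagged (empty means it passed). Flagged transactions go into the SCARF
// file for later auditor review and, if a hook is installed, are reported at once.
func (s *SCARF) Examine(t Txn) []string {
	var reasons []string
	if t.AmountCents > s.DollarLimitCents {
		reasons = append(reasons, "exceeds dollar limit")
	}
	if s.InactiveAccounts[t.Account] {
		reasons = append(reasons, "posts to inactive account")
	}
	if t.EnteredBy == t.ApprovedBy {
		reasons = append(reasons, "policy deviation: entered and approved by the same person")
	}
	if len(reasons) > 0 {
		ex := Exception{TxnID: t.ID, Reasons: reasons}
		s.File = append(s.File, ex)
		if s.Hook != nil {
			s.Hook(ex)
		}
	}
	return reasons
}

// SampleTxns is constructed live-transaction data run through the module.
func SampleTxns() []Txn {
	return []Txn{
		{"T1", "1001", 50000, "u1", "u2"},    // ordinary, passes
		{"T2", "4411", 20000, "u1", "u2"},    // inactive account
		{"T3", "1001", 2500000, "u3", "u3"},  // over limit and self-approved
	}
}

// NewSampleModule builds the module with constructed criteria: a $10,000 limit
// and one inactive account.
func NewSampleModule(hook func(Exception)) *SCARF {
	return &SCARF{
		DollarLimitCents: 1000000,
		InactiveAccounts: map[string]bool{"4411": true},
		Hook:             hook,
	}
}

func main() {
	notify := func(ex Exception) { fmt.Printf("ALERT %s: %v\n", ex.TxnID, ex.Reasons) }
	mod := NewSampleModule(notify)
	for _, t := range SampleTxns() {
		mod.Examine(t)
	}
	fmt.Printf("SCARF file holds %d exception(s)\n", len(mod.File))
}
```

Without a hook, the module behaves like SCARF alone: evidence accumulates in `File` and the auditor reads it later. Installing a hook adds the audit-hook behaviour on top without changing what is collected.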
- Analysis of program logic: if the auditor suspects that a particular program contains unauthorized code or serious errors, a detailed analysis of the program logic may be necessary. Done as a last resort because it is time-consuming & requires programming language proficiency. Uses program flowcharts, program documentation, & program source code.