K is totally dependent on its IT systems for income generation. Auditors will be concerned about risks to the systems from lack of backups, contingency planning, centralized access controls, and unauthorized access. The systems must be developed to meet customer demands while preventing fraud, and internal audits are important for assurance. Key risks include credit card companies withdrawing support, customer reputation concerns, and refunding payments while still owing royalties. Risk management includes analyzing fraud patterns, using expert systems to monitor fraud, controlling customer access, and using secure third parties for payments.
Marking scheme (marks shown at right)

(a) Dependence on IT: fundamental threat to future, need for prevention of threats, back-up and contingency planning    3
    Centralisation: lack of segregation of duties, human resource controls, reviews of transactions    3
    Illicit access: why might occur, access and virus controls    3
    Protection of income: limits need to be enforced    3
    Systems development: need for development to reflect customer demands and prevent fraud. Strength of system development process and internal audit involvement    3
    Other relevant factors: up to 3 marks each    3
    Maximum for (a)    15

(b) Risks: up to 2 marks per risk discussed, including threats of withdrawal of credit card companies, reputation with customers, unprofitable transactions    max 6
    Risk management: up to 2 marks per step taken, including risk analysis, isolating problem customers, use of secure third party mechanism    max 6
    Maximum for (b)    10

Total    25
(a)

Dependence on IT
K is totally dependent on its IT systems functioning reliably. Without the systems it has no income. Interruption to the systems for any length of time will threaten the company's future. Auditors will be concerned whether these risks are being managed effectively by controls preventing disruption, for example anti-virus controls. Because of the systems' importance, auditors will want to establish whether the system is completely backed up, the extent of contingency plans, and whether contingency arrangements provide the strong controls required.

Centralisation of computer systems
The centralisation of the computer systems may also be a source of significant risk. There may be a lack of segregation of duties in recording transactions and payments. It may be possible for the same individual to programme fraudulent charges and make the necessary adjustments to other parts of the system to cover up the fraud. The auditors will therefore consider how much these risks are mitigated by general controls:
- Human resource controls over the recruitment of individuals
- Audit of transactions by internal audit
- Analytical or other overall reviews of transactions or accounts, to identify strange patterns in charges
- Reviews of computer usage

Illicit access
A key risk to the system is access by unauthorised persons. This could be access to obtain tracks without paying, obtain customer details, access customer accounts, or carry out denial of service attacks disrupting operations. Auditors will obviously be very concerned with the strength of controls preventing unauthorised use, such as passwords, and controls, such as up-to-date virus protection software, to prevent viruses affecting the system.

Protection of income
In order to maximise income, K has imposed rules on the number of songs that can be downloaded for free. These limits will only be effective if they are enforced. The auditors will want to ascertain whether the controls over the number of free downloads are effective, covering the complete recording of transactions and the prevention of free downloads when limits are reached.

Development of system
Technology improvements mean that K's system will need to develop, to provide a better service for customers or to counter threats of fraud. Auditors will therefore be concerned with how the system is developed. In particular they will want to know how the need for development is identified, and how K has previously handled development: will lessons learnt from post-completion audits be actioned in future? The extent of internal audit involvement will be an important consideration for external auditors, as internal audit work may provide assurance that controls have been adequately tested. However, external auditors will also want to obtain assurance that internal audit has sufficient IT expertise to be able to conduct effective testing.

(b)

Risks

Credit card company risk
K may suffer from the risk that the credit card company will no longer allow customers to pay via K's site, to protect its own reputation. This represents a threat to revenue, since some customers will find it more difficult to pay. The problem will be made worse if other credit card companies also withdraw permission.

Reputation risk
Customers may not wish to use K's website because of fears that they will be charged fraudulently and because they fear that fraudsters have access to their personal data.

Refunding of payments
K may have to pay refunds to customers, but still be liable to copyright holders for the royalties on the downloads.

Alleviation of risks

Risk analysis
K needs to analyse what has happened to see if there is any pattern in the fraudulent charges being made. If the customers who have suffered problems can be easily classified, for example geographically, it may be best to stop offering the service to customers with that link until the problem is resolved.

Expert systems
It is possible to purchase expert systems to monitor fraud. Credit card companies use systems that contain information relating to credit card frauds over a long period of time. The system can therefore recognise suspicious buying patterns.

Controls over customers allowed to use the service
K can reduce the risks of problems by recording customer details. Customers could be asked to register and confirm identity by email. Alternatively, if a fraudulent purchase is identified as coming from a specific computer IP address, then that address should not be allowed to purchase in future.

Secure payment mechanism
The threat to reputation of payment information not being secure can be dealt with by using a third party payment mechanism with a reputation for being secure, for example Paypal.
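As an added illustration, not part of the exam answer or marking scheme, the following Python sketches three of the controls discussed above: the free-download limit in "Protection of income" (every request is recorded, and free downloads are refused once the limit is reached), the geographic pattern analysis in "Risk analysis" (chargebacks grouped by country, with a country flagged for suspension when its chargeback rate is high), and the denylisting of a source address from "Controls over customers". The transaction records, country codes, addresses (taken from the 192.0.2.0/24 documentation range) and the limit and threshold values are all constructed sample data, and the class and function names are my own assumptions. The rule-based flagging stands in for the commercial expert systems the answer mentions; it is a simplification, not a model of them.

```python
"""Fraud-pattern analysis and free-download limit enforcement (added example).

All data below is constructed for illustration; field, class and function
names are assumptions and do not come from the case or the marking scheme.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

FREE_DOWNLOAD_LIMIT = 3  # constructed policy value: free tracks allowed per customer


@dataclass(frozen=True)
class Transaction:
    customer: str
    country: str          # ISO-style country code; "ZZ" is a placeholder code
    ip: str               # source address of the purchase
    amount: float         # 0.0 would mean a free download; all samples here are paid
    charged_back: bool    # the cardholder disputed the charge as fraudulent


# Constructed sample ledger of paid downloads.
SAMPLE_TRANSACTIONS = [
    Transaction("alice", "GB", "192.0.2.1", 1.29, False),
    Transaction("alice", "GB", "192.0.2.1", 1.29, False),
    Transaction("bob",   "GB", "192.0.2.2", 1.29, False),
    Transaction("carol", "ZZ", "192.0.2.3", 1.29, True),
    Transaction("dave",  "ZZ", "192.0.2.4", 1.29, True),
    Transaction("erin",  "ZZ", "192.0.2.5", 1.29, False),
    Transaction("frank", "US", "192.0.2.6", 1.29, False),
    Transaction("frank", "US", "192.0.2.6", 1.29, False),
]


def chargeback_rate_by_country(txns: list[Transaction]) -> dict[str, float]:
    """Share of paid transactions per country that were later charged back."""
    paid: dict[str, int] = defaultdict(int)
    disputed: dict[str, int] = defaultdict(int)
    for t in txns:
        if t.amount > 0:
            paid[t.country] += 1
            if t.charged_back:
                disputed[t.country] += 1
    return {c: disputed[c] / paid[c] for c in paid}


def countries_to_suspend(txns: list[Transaction], threshold: float = 0.5,
                         min_paid: int = 2) -> set[str]:
    """Countries whose chargeback rate exceeds the threshold.

    min_paid avoids flagging a country on a single disputed transaction.
    """
    paid_counts: dict[str, int] = defaultdict(int)
    for t in txns:
        if t.amount > 0:
            paid_counts[t.country] += 1
    rates = chargeback_rate_by_country(txns)
    return {c for c, r in rates.items() if r > threshold and paid_counts[c] >= min_paid}


def denylisted_ips(txns: list[Transaction]) -> set[str]:
    """Source addresses behind confirmed fraudulent (charged-back) purchases."""
    return {t.ip for t in txns if t.charged_back}


@dataclass
class DownloadLedger:
    """Records every free-download request so the limit is enforced and auditable."""
    limit: int = FREE_DOWNLOAD_LIMIT
    free_counts: dict[str, int] = field(default_factory=lambda: defaultdict(int))
    log: list[tuple[str, str, str]] = field(default_factory=list)

    def request_free_download(self, customer: str, ip: str,
                              denylist: frozenset[str] | set[str] = frozenset()) -> bool:
        """Grant a free download unless the address is denylisted or the limit is reached.

        Refusals are logged as well as grants, so the record of requests is complete.
        """
        if ip in denylist:
            self.log.append((customer, ip, "refused: denylisted address"))
            return False
        if self.free_counts[customer] >= self.limit:
            self.log.append((customer, ip, "refused: free download limit reached"))
            return False
        self.free_counts[customer] += 1
        self.log.append((customer, ip, "free download granted"))
        return True


if __name__ == "__main__":
    print("chargeback rates:", chargeback_rate_by_country(SAMPLE_TRANSACTIONS))
    print("suspend service for:", countries_to_suspend(SAMPLE_TRANSACTIONS))
    print("denylisted addresses:", denylisted_ips(SAMPLE_TRANSACTIONS))
    ledger = DownloadLedger()
    for _ in range(4):
        ledger.request_free_download("alice", "192.0.2.1")
    for entry in ledger.log:
        print(entry)
```

The ledger deliberately logs refusals alongside grants: an auditor checking "complete recording of transactions" needs to see that a limit was actually hit, not just the downloads that were served. The suspension rule is a blunt instrument, as the answer itself implies ("until the problem is resolved"), so the threshold and minimum-count parameters are the values a reviewer would expect to see justified.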