CHAPTER 1

Auditing, Assurance, Internal Control

Attest Services
An engagement in which a practitioner is engaged to issue, or
does issue, a written communication that expresses a
conclusion about the reliability of a written assertion that is
the responsibility of another party.
Attest: To affirm to be correct, true, or genuine
Requirements applied to attestation services
Attestation services require written assertions and a
practitioners written report.
Attestation services require the formal establishment of
measurement criteria or their description in the presentation.
The levels of service in attestation engagements are limited to
examination, review, and application of agreed-upon
procedures.
Assurance Services
Broader than attestation (Fig. 1-1)
Professional services designed to improve the quality of
information, both financial and non-financial, used by
decision-makers.
Intended to help people make better decisions by improving
information.
Assurance: A statement or indication that inspires confidence;
a guarantee or pledge
Assurance Services
Evolution of accounting profession is expected to follow the
assurance services model.
All Big Five professional services firms have renamed their
traditional audit functions Assurance Services.
Organizational unit responsible for conducting IT audits is
named either IT Risk Management, Information Systems Risk
Management, or Operational Systems Risk Management
(OSRM)
Financial Audit
An independent attestation performed by an expert, the
auditor, who expresses an opinion regarding the presentation
of financial statements.
Auditors role is similar in concept to a judge who collects and
evaluates evidence and renders an opinion.
Financial Audit
Key concept in this process is independence; Judge must
remain independent in his or her deliberation.
Judge cannot be advocate of either party in the trial, but must
apply law impartially based on evidence presented.
Likewise, independent auditor collects and evaluates evidence
and renders an opinion based on evidence.
Financial Audit
Throughout audit process, auditor must maintain his or her
independence from client organization.
Public confidence in the reliability of the companys internally
produced financial statements rests directly on their being
evaluated by an independent expert audit.
Financial Audit
Systematic audit process involves three conceptual phases:
Familiarization w/ organizations business
Evaluating and testing internal control
Assessing the reliability of financial data
Auditors Report
Product of attestation function is a formal written report that
expresses an opinion about the reliability of the assertions
contained in financial statements
Auditors report expresses an opinion as to whether the
financial statements are in conformity w/ generally accepted
accounting principles
Auditing Standards
Auditors are guided in their professional responsibility by the
ten generally accepted auditing standards (GAAS) Fig. 1-2
GAAS establishes a framework for prescribing auditor
performance, but it is not sufficiently detailed to provide
meaningful guidance in specific circumstances
Auditing Standards
To provide specific guidance, American Institute of Certified
Public Accountants (AICPA) issues Statements on Auditing
Standards (SASs) as authoritative interpretations of GAAS.

SASs are often referred to as auditing standards, or GAAS,

although they are not the ten generally accepted auditing
standards.
SAS
First issued by AICPA in 1972
Since then, many SASs have been issued to provide auditors
w/ guidance on a spectrum of topics, including methods of
investigating new clients, techniques for obtaining
background information on clients industry.
External vs. Internal Auditing
External auditing is often called independent auditing because
it is done by certified public accountants who are independent
of the organization being audited.
External auditors represent the interests of third-party
stakeholders in the organization, such as stockholders,
creditors, and government agencies.
Because the focus of external audit is on financial statements,
this type of audit is called financial audit
External vs. Internal Auditing
Institute of Internal Auditors defines internal auditing as an
independent appraisal function established within an
organization to examine and evaluate its activities
External vs. Internal Auditing
Internal auditors perform a wide range of activities on behalf
of the organization, including conducting financial audits,
examining an operations compliance with organizational
policies, reviewing the organizations compliance with legal
obligations, evaluating operational efficiency, detecting and
pursuing fraud within the firm, and conducting IT audits.
External vs. Internal Auditing
While external auditors represent outsiders, internal auditors
represent the interests of the organization.
Internal auditors often cooperate with and assist external
auditors in performing financial audits.
This is done to achieve audit efficiency and reduce audit fees.
For example, a team of internal auditors can perform tests of
computer controls under the supervision of a single external
auditor.
External vs. Internal Auditing
While external auditors represent outsiders, internal auditors
represent the interests of the organization.
Internal auditors often cooperate with and assist external
auditors in performing financial audits.
This is done to achieve audit efficiency and reduce audit fees.
For example, a team of internal auditors can perform tests of
computer controls under the supervision of a single external
auditor.
Information Technology (IT) Audit
Focus on the computer-based aspects of an organizations
information system
This includes assessing the proper implementation, operation,
and control of computer resources
Definition of Auditing
Auditing is a systematic process of objectively obtaining
and evaluating evidence regarding assertions about
economic actions and events to ascertain the degree of
correspondence between those assertions and established
criteria and communicating the results to interested users
Elements of auditing
A systematic process
Management assertions and audit objectives
Obtaining evidence
Ascertaining the degree of correspondence between
established criteria
Communicating results
See Pages 5~7
5 Categories of Management Assertions (page 6)
Existence or occurrence assertion
Completeness assertion
Rights and obligations assertion
Valuation or allocation assertion
Presentation and disclosure assertion
Auditors develop their audit objectives and design audit
procedures based on preceding assertions. See Table 1-1
Structure of IT Audit
IT audit is divided into three phases: audit planning, tests of
controls, and substantive testing (See Figure 1-3)

Internal Control
The establishment and maintenance of a system of internal
control is an important management obligation.
A fundamental aspect of managements stewardship
responsibility is to provide shareholders with reasonable
assurance that the business is adequately controlled.
Additionally, management has a responsibility to furnish
shareholders and potential investors with reliable financial
information on a timely basis. (Sarbanes-Oxley act)
An adequate system of internal control is necessary to
managements discharge of these obligations.
- Securities and Exchange Commission
Internal Control in Concept
Internal control system comprises policies, practices, and
procedures employed by the organization to achieve four
broad objectives:
To safeguard assets of the firm.
To ensure the accuracy and reliability of accounting records
and information.
To promote efficiency in the firms operations.
To measure compliance with managements prescribed
policies and procedures
Exposure and Risk
Internal control shield (Figure 1-4) to protect firms from
numerous undesirable events
Attempts at unauthorized access to firms assets (including
information)
Fraud perpetrated by persons both in and outside the firm
Errors due to employee incompetence, faulty computer
programs, corrupted input data
Exposure and Risk
Internal control shield (Figure 1-4) to protect firms from
numerous undesirable events
Mischievous acts, such as unauthorized access by computer
hackers and threats from computer viruses that destroy
programs and databases
Exposure and Risk
Absence or weakness of a control is called exposure
Exposures increase firms risk to financial loss or injury from
undesirable events.
Exposure and Risk
A weakness in internal control may expose the firm to one or
more of the following types of risks:
Destruction of assets (both physical assets and information)
Theft of assets
Corruption of information or the information system
(containing errors or alterations)
Disruption of information system (to break or burst; rupture )
3 Levels of Control
Preventive controls, detection controls, and corrective controls
(Fig. 1-5)
Preventive Controls
First line of defense in the control structure
Passive techniques designed to reduce the frequency of
occurrence of undesirable events
Preventing errors and fraud is far more cost-effective than
detecting and correcting problems after they occur
In information security: firewall
Preventive Controls
For example, a well-designed data entry screen is an example
of a preventive control
Not all problems can be anticipated and prevented.
Detective Controls
Second line of defense
Devices, techniques, and procedures designed to identify and
expose undesirable events that elude preventive controls
In information security: Intrusion detection
Corrective Controls
Corrective actions taken to reverse the effects of detected
errors
Detective controls identify undesirable events and draw
attention to the problem; corrective controls fix the problem.
Statement on Auditing Standards No. 78 (SAS 78)
Current authoritative document for specifying internal control
objectives and techniques.

Conforms to the recommendations of the Committee of

Sponsoring Organizations of the Treadway Commission
(COSO)
Consists of five components: control environment, risk
assessment, information and communication, monitoring, and
control activities
Control Environment
Foundation for the other control components
Important elements:
Integrity and ethical values of management
Structure of organization
Participation of organizations board of directors and audit
committee
Managements philosophy and operating style
see page 13
Control Environment
SAS 78 requires that auditors obtain sufficient knowledge to
assess the attitude and awareness of organizations
management, board of directors, and owners regarding
internal control.
See page 13 for examples of techniques that may be used to
obtain an understanding of control environment
Risk Assessment
Identify, analyze, and manage risks relevant to financial
reporting
See page 14 for risks that can rise out of changes in
circumstances
SAS 78 requires that auditors obtain sufficient knowledge of
organizations risk assessment procedures to understand how
management identifies, prioritizes, and manages risks related
to financial reporting.
Information and Communication
Accounting information system consists of records and
methods used to initiate, identify, analyze, classify, and record
organizations transactions and to account for related assets
and liabilities.
Quality of information generated by AIS impacts
managements ability to take actions and make decisions in
connection with organizations operations and to prepare
reliable financial statements.
Effective AIS
Identify and record all valid financial transactions
Provide timely information about transactions in sufficient
detail to permit proper classification and financial reporting
Accurately measure financial value of transactions so their
effects can be recorded in financial statements
Accurately record transactions in time period in which they
occur
Effective AIS
SAS 78 requires that auditors obtain sufficient knowledge of
organizations information systems to understand
Classes of transactions that are material to financial
statements and how those transactions are initiated
Accounting records and accounts that are used in processing
of material transactions
Effective AIS
SAS 78 requires that auditors obtain sufficient knowledge of
organizations information systems to understand
Transaction processing steps involved from initiation of
economic event to its inclusion in financial statements
Financial reporting process used to prepare financial
statements, disclosures, and accounting estimates
Monitoring
Process by which quality of internal control design and
operation can be assessed
May be accomplished by separate procedures or by ongoing
activities
Internal auditors may monitor entitys activities in separate
procedures. They gather evidence of control adequacy by
testing controls, then communicate control strengths and
weaknesses to management
Monitoring
Ongoing monitoring may be achieved by integrating special
computer modules into information system that capture key
data and/or permit tests of control to be conducted as part of
routine operations

Such embedded audit modules (EAMs) allow management

and auditors to maintain constant surveillance over
functioning of internal controls
Control Activities
Policies and procedures used to ensure appropriate actions
are taken to deal w/ organizations identified risks
Control Activities
Can be grouped into two categories:
Computer controls
General control
Application control
Physical controls
transaction authorization
segregation of duties
supervision
accounting records
access control
independent verification
Computer Controls/General Controls
Fall into two broad groups: general controls and application
controls
General controls pertain to entity-wide concerns such as
controls over data center, organization databases, systems
development, and program maintenance
Application Controls
Application controls ensure the integrity of specific systems
such as sales order processing, accounts payable, and payroll
applications
Control Activities
Can be grouped into two categories:
Computer controls
General control
Application control
Physical controls
transaction authorization
segregation of duties
supervision
accounting records
access control
independent verification
Physical Controls
Relates primarily to traditional accounting systems that
employ manual procedures
Six traditional categories of physical control activities:
transaction authorization, segregation of duties, supervision,
accounting records, access control, and independent
verification
Transaction Authorization
Ensure that all material transactions processed by information
systems are valid and in accordance w/ managements
objectives
Authorizations may be general or specific
General Authorization
Granted to operations personnel to perform day-to-day
operations
Example is procedure to authorize purchase of inventories
from designated vendor only when inventory levels fall to
their predetermined reorder points. This is called programmed
procedure
Specific Authorization
Deal with case-by-case decisions associated w/ non-routine
transactions.
Example is the decision to extend a particular customers
credit limit beyond the normal amount
In an IT environment, the responsibility for achieving control
objectives of transaction authorization rests directly on
accuracy and consistency of computer programs that perform
these tasks.
Segregation of Duties
To minimize incompatible functions
3 objectives provide general guidelines applicable to most
organizations
Authorization for a transaction is separate from processing of
the transaction. For example, purchases should not be
initiated by purchasing department until authorized by
inventory control department
Segregation of Duties

3 objectives provide general guidelines applicable to most

organizations
Responsibility for custody of assets should be separate from
recordkeeping responsibility. For example, the department
that has physical custody of finished goods inventory should
not keep official inventory records. Accounting for finished
goods inventory is performed by inventory control, an
accounting function.
Segregation of Duties
3 objectives provide general guidelines applicable to most
organizations
Organization should be structured so that a successful fraud
requires collusion between two or more individuals with
incompatible responsibilities. In other words, no single
individual should have sufficient access to assets and
supporting records to perpetrate a fraud.
Segregation of Duties in IT
Computer errors are programming errors that are, in fact,
human errors; no computer has ever perpetrated a fraud
unless programmed to do so by a human
Separating computer processing functions, therefore, serves
no purpose
Segregation of Duties in IT
Segregation of duties still plays a role in IT environment
Once proper functioning of a program is established at system
implementation, its integrity must be preserved throughout
the applications life cycle.
The activities of program development, program operations,
and program maintenance are critical IT functions that must
be adequately separated.
Supervision
Achieving adequate segregation of duties often presents
difficulties for small organization.
In small organizations or in functional areas that lack sufficient
personnel, management must compensate for absence of
segregation controls with close supervision.
For this reason, supervision is also called compensating
control.
Accounting Records
Source documents, journals, and ledgers capture economic
essence of transactions and provide an audit trail of economic
events
Audit trail enables auditor to trace any transaction through all
phases of its processing from initiation of event to financial
statements
Access Controls
Ensure that only authorized personnel have access to firms
assets
Access control in IT environment includes provisions for
physical security of computer facilities.
Database security and authorization is important access
control mechanism in modern organizations.
Access Control in IT Environment
Limit personnel access authority
Restrict access to computer programs
Provide physical security for data processing center
Ensure adequate backup for data files
Provide disaster recovery capability
Audit Risk
Probability that auditor will render an unqualified opinion on
financial statements that are, in fact, materially misstated
Auditors objective is to minimize audit risk by performing
tests of controls and substantive tests.
3 components of audit risk are inherent risk, control risk, and
detection risk
Inherent Risk
Associated with unique characteristics of the business or
industry of the client
Firms in declining industries have greater inherent risk than
firms in stable or thriving industries.
Auditors can not reduce level of inherent risk.
Detection Risk
is the risk that auditors are willing to take that errors not
detected or prevented by control structure will also not be
detected by the auditor
Lower planned detection risk requires more substantive
testing

Control Risk
is the likelihood that control structure is flawed because
controls are either absent or inadequate to prevent or detect
errors in the accounts
Auditors reduce level of control risk by performing tests of
internal controls, e.g., running test transactions and seeing if
erroneous transactions can be detected
CHAPTER 2Auditing IT Governance Controls
Information technology (IT) governance is a relatively
new subset of corporate governance that focuses on the
management and assessment of strategic IT resources. Key
objectives of IT governance are to reduce risk and ensure that
investments in IT resources add value to the corporation.
IT Governance Controls
This controls focus on:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION
The organization of the IT function has implications for the
nature and effectiveness of internal controls, which, in turn,
has implications for the audit.
Centralized Data Processing
Under the centralized data processing model, all data
processing is performed by one or more large computers
housed at a central site that serves users throughout the
organization.
Centralized Data Processing Approach
Org Chart of a Centralized IT Function
Related Terms
Database Administration
Centrally organized companies maintain their data resources
in a central location that is shared by all end users. In this
shared data arrangement, an independent group headed by
the database administrator (DBA) is responsible for the
security and integrity of the database.
Data Processing
The data processing group manages the computer resources
used to perform the day-to-day processing of transactions. It
consists of the following organizational functions: data
conversion, computer operations, and the data library.
Data Conversion. The data conversion function transcribes
transaction data from hard-copy source documents into
computer input. For example, data conversion could involve
keystroking sales orders into a sale order application in
modern systems, or transcribing data into magnetic media
(tape or disk) suitable for computer processing in legacy type
systems.
Computer Operations. The electronic files produced in data
conversion are later processed by the central computer, which
is managed by the computer operations groups. Accounting
applications are usually executed according to a strict
schedule that is controlled by the central computers
operating system.
Data Library. The data library is a room adjacent to the
computer center that provides safe storage for the off-line
data files. Those files could be backups or current data files.
For instance, the data library could be used to store backup
data on DVDs, CD-ROMs, tapes, or other storage devices.
Systems Development
The information systems needs of users are met by two
related functions: system development and systems
maintenance.
Systems Development is responsible for analyzing user needs
and for designing new systems to satisfy those needs. The
participants in system development activities include systems
professionals, end users, and stakeholders.
Systems professionals include systems analysts, database
designers, and programmers who design and build the
system. Systems professionals gather facts about the users
problem, analyze the facts, and formulate a solution. The
product of their efforts is a new information system.
End users are those for whom the system is built. They are
the managers who receive reports from the system and the

operations personnel who work directly with the system as

part of their daily responsibilities.
Stakeholders are individuals inside or outside the firm who
have an interest in the system, but are not end users. They
include accountants, internal auditors, external auditors, and
others who oversee systems development.
Systems Maintenance
Once a new system has been designed and implemented, the
systems maintenance group assumes responsibility for
keeping it current with user needs. The term maintenance
refers to making changes to program logic to accommodate
shifts in user needs over time.
Segregation of Incompatible Functions
Operational tasks should be segregated to:
1. Separate transaction authorization from transaction
processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such
that short of collusion
between two or more individuals fraud would not be possible.
The Distributed Data Processing
An alternative to the centralized model is the concept of
distributed data processing (DDP). The topic of DDP is
quite broad, touching upon such related topics as end-user
computing, commercial software, networking, and office
automation.
Simply stated, DDP involves reorganizing the central IT
function into small IT units that are placed under the control of
end users.
Risks Associated with DDP
Inefficient use of Resources
risk of mismanagement of organization-wide IT resources by
end users
risk of operational inefficiencies because of redundant tasks
being performed within the end-user committee
risk of incompatible hardware and software among end-user
functions
2. Destruction of Audit Trails
3. Inadequate Segregation of Duties
4. Difficulty in Hiring Qualified Personnel
5. Lack of Standards
Advantages of DDP
Cost Control
Improved Cost Control Responsibility
Improved User Satisfaction
Backup Flexibility
Controlling the DDP Environment
Implement a Corporate IT Function
Central Testing of Commercial Hardware and Software
User Services
Standard-setting body
Personnel Review
Audit Objective
The auditors objective is to verify that the structure of the IT
function is such that individuals in incompatible areas are
segregated in accordance with the level of potential risk and
in a manner that promotes a working environment. This is an
environment in which formal, rather than casual, relationships
need to exist between incompatible tasks.
Audit Procedures
If a company uses Centralized IT Function
Review relevant documentation, including the current
organizational chart, mission statement, and job descriptions
for key functions, to determine if individuals or groups are
performing incompatible functions.
Review systems documentation and maintenance records
for a sample of applications. Verify that maintenance
programmers assigned to specific projects are not also the
original design programmers.
Verify that computer operators do not have access to the
operational details of a systems internal logic. Systems
documentation, such as systems flowcharts, logic flowcharts,
and program code listings, should not be part of the
operations documentation set.
Through observation, determine that segregation policy is
being followed in practice. Review operations room access

logs to determine whether programmers enter the facility for

reasons other than system failures.
If DDP is used:
Review the current organizational chart, mission statement,
and job descriptions for key functions to determine if
individuals or groups are performing incompatible duties.
Verify that corporate policies and standards for systems
design, documentation, and hardware and software
acquisition are published and provided to distributed IT units.
Verify that compensating controls, such as supervision and
management monitoring, are employed when segregation of
incompatible duties is economically infeasible.
Review systems documentation to verify that applications,
procedures, and databases are designed and functioning in
accordance with corporate standards.
THE COMPUTER CENTER
Accountants routinely examine the physical environment of
the computer center as part of their annual audit. The
objective of this section is to present computer center risks
and the controls that help to mitigate risk and create a secure
environment.
Physical Location
The physical location of the computer center directly affects
the risk of destruction to a natural or man-made disaster. To
the extent possible, the computer center should be away from
human-made and natural hazards, such as processing plants,
gas and water mains, airports, high-crime areas, flood plains,
and geological faults. The center should be away from normal
traffic, such as the top floor of a building or in a separate, selfcontained building. Locating a computer in the basement
building increases its risk to floods.
Construction
Ideally, a computer center should be located in a single-story
building of solid construction with controlled access
(discussed next). Utility (power and telephone) lines should be
underground. The building windows should not open and an
air filtration system should be in place that is capable of
extracting pollens, dust, and dust mites.
Access
Access to the computer center should be limited to the
operators and other employees who work there. Physical
controls, such as locked doors, should be employed to limit
access to the center. Access should be controlled by a keypad
or swipe card, though fire exits with alarms are necessary. To
achieve a higher level of security, access should be monitored
by closed-circuit cameras and video recording systems.
Air Conditioning
Computers function best in an air-conditioned environment,
and providing adequate air conditioning is often a requirement
of the vendors warranty. Computers operate best in a
temperature range of 70 to 75 degrees Fahrenheit and a
relative humidity of 50 percent. Logic errors can occur in
computer hardware when temperatures depart significantly
from this optimal range.
Fire Suppression
Fire is the most serious threat to a firms computer
equipment. Many companies that suffer computer center fires
go out of business because of the loss of critical records, such
as accounts receivable. The implementation of an effective
fire suppression system requires consultation with specialists.
Fault Tolerance
Fault tolerance is the ability of the system to continue
operation when part of the system fails because of hardware
failure, application program error, or operator error.
1. Redundant arrays of independent disks (RAID). Raid
involves using parallel disks that contain redundant elements
of data and applications. If one disk fails, the lost data are
automatically reconstructed from the redundant components
stored on the other disks.
2. Uninterruptible power supplies. Commercially provided
electrical power presents several problems that can disrupt
the computer center operations, including total power failures,
brownouts, power fluctuations, and frequency variations. The
equipment used to control these problems includes voltage
regulators, surge protectors, generators, and backup
batteries.
Audit Objectives

The auditor must verify that:

Physical security controls are adequate to reasonably
protect the organization from physical exposures
Insurance coverage on equipment is adequate to
compensate the organization for the destruction of, or
damage to, its computer center
Audit Procedures
Test of Physical Construction
Test of Fire Detection System
Test of Access Control
Rest of RAID
Test of Uninterruptible Power Supply
Test of Insurance Coverage
DISASTER RECOVERY PLANNING
Disasters such as earthquakes, floods, sabotage, and even
power failures can be catastrophic to an organizations
computer center and information systems. Disasters may be
natural, human-made or system failure.
Features of a DRP
1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures
Identify Critical Applications
The first essential element of a DRP is to identify the firms
critical applications and associated data files. Recovery efforts
must concentrate on restoring those applications that are
critical to the short-term survival of the organization.
Create a Disaster Recovery Team
Recovering from a disaster depends on timely corrective
action. Delays in performing essential tasks prolongs the
recovery period and diminishes the prospects for a successful
recovery. To avoid serious omissions or duplication of effort
during implementation of the contingency plan, task
responsibility must be clearly defined and communicated to
the personnel involved.
Provide Site Backup
A necessary ingredient in a DRP is that it provides for
duplicate data processing facilities following a disaster.
Among the options available the most common are mutual
aid pact; empty shell or cold site; recovery operations
center or hot site; and internally provided backup.
Mutual Aid Pact. A mutual aid pact is an agreement
between two or more organizations (with compatible
computer facilities) to aid each other with their data
processing needs in the event of a disaster.
Empty Shell. The empty shell or cold site plan is an
arrangement wherein the company buys or leases a building
that will serve as a data center. In the event of a disaster, the
shell is available and ready to receive whatever hardware the
temporary user needs to run essential systems.
Recovery Operations Center. A recovery operations center
(ROC) or hot site is a fully equipped backup data center that
many companies share. In addition to hardware and backup
facilities, ROC service providers offer a range of technical
services to their clients, who pay an annual fee for access
rights.
Internally Provided Backup. Larger organizations with
multiple data processing centers often prefer the self-reliance
that creating internal excess capacity provides. This permits
firms to develop standardized hardware and software
configurations, which ensure functional compatibility among
their data processing centers and minimize cutover problems
in the event of a disaster.
Backup and Off-Site Storage Procedures
Operating System Backup
Application Backup
Backup Data Files
Backup Documentation
Backup Supplies and Source Documents
Test the DRP
Audit Objective
The auditor should verify that managements disaster
recovery plan is adequate and feasible for dealing with a
catastrophe that could deprive the organization of its
computing resources.
Audit Procedures

The auditor may perform the following tests:

Site Backup. The auditor should evaluate the adequacy of
the backup site arrangement. System incompatibility and
human nature both greatly reduce the effectiveness of the
mutual aid pact.
Critical Application List. The auditor should review the list
of critical applications to ensure that it is complete. Missing
applications can result in failure to recover. The same is true,
however, for restoring unnecessary applications.
Software Backup. The auditor should verify that copies of
critical applications and operating systems are stored off-site.
Data Backup. The auditor should verify that critical data files
are backed up in accordance with the DRP.
Backup Supplies, Documents, and Documentation. The
system documentation, supplies, and source documents
needed to process critical transactions should be backed up
and stored off-site.
Disaster Recovery Team. The DRP should clearly list the
names, addresses, and emergency telephone numbers of the
disaster recovery team members. The auditor should verify
that members of the team are current employees and are
aware of their assigned responsibilities.
IT SOURCING
The costs, risks, and responsibilities associated with
maintaining an effective corporate IT function are significant.
Many executives have therefore opted to outsource their IT
functions to third-party vendors who take over responsibility
for the management of IT assets and staff and for delivery of
IT services, such as data entry, data center operations,
applications development, applications maintenance, and
network management.
Risk Inherent to IT Sourcing
Failure to perform
Vendor Exploitation
Outsourcing costs exceed benefits
Reduced Security
Loss of Strategic Advantage
Audit Implications of Sourcing IT Functions
An auditor should consider PSA 402, AUDIT CONSIDERATIONS
RELATING TO ENTITIES USING SERVICE ORGANIZATIONS, in
conducting the audit of a client that outsourced its IT
functions
CHAPTER 3 OPERATING SYSTEM
Allows users and their applications to share and access
common computer resources
Examples: Unix, Linux, Windows
Operating System Tasks
Translates high-level languages into the machine language
that the computer can execute
Allocates computer resources to users, workgroups, and
applications
Manages the tasks of job scheduling and programming
Five Fundamental Control Objectives of Operating Systems
Itself from users
Users from each other
Users from themselves
From itself
From its environment
Operating System Security Components:
Log-on procedure
2) Access Token
3) Access Control List
3) Discretionary Access Privileges
Threats to Operating System Integrity
Privileged personnel who abuse their authority
Individuals, both internal and external to the organization,
who browse the operating system to identify and exploit
security flaws
Individuals who intentionally insert computer viruses or other
forms of destructive programs
Password Control
Password secret code the user enters to gain access to
systems, applications, data and network server
Password Control
Reusable Passwords
One-Time Passwords
Malicious and Destructive Programs

Viruses replicates by inserting copies of itself (possibly

modified) into other computer programs, data files, or
the boot sector of the hard drive
Worm standalone malware computer program that replicates
itself in order to spread to other computers; it does not attach
itself to an existing program
Logic Bomb - a piece of code intentionally inserted into
a software system that will set off a malicious function when
specified conditions are met
Backdoors - (sometimes called a trap door) is a means of
access to a computer system that bypasses security
mechanisms
Trojan horse - a non-self-replicating type of malware program
containing malicious code that, when executed, carries out
actions determined by the nature of the Trojan, typically
causing loss or theft of data, and possible system harm.
System Audit Trail Controls
System Audit Trails logs that record activity at the system,
application, and user level
System Audit Trail Controls
Key stroke monitoring recording both the users keystrokes
and the systems responses
Event Monitoring summarizes key activities related to
system resources
NETWORKS
Intranet consist of small LANs and large WANs that may
contain thousands of individual nodes.
Individual nodes on most intranets are connected to a shared
channel across which travel user IDs, passwords, confidential
emails, and financial data files.
Intranets connected to a central corporate database increase
the risk that an employee will view, corrupt, change, or copy
data.
Internet Risks
IP spoofing form of masquerading to gain unauthorized
access to a Web server and / or to perpetrate an unlawful act
without revealing ones identity.
Denial of Service Attacks (Dos) an assault to a web server to
prevent it from servicing its legitimate users.
Internet Risks
SYN Flood Attack
Three way handshake
Internet Risks
Smurf Attack perpetrator, intermediary, and victim
- Uses Internet Maintenance tool called ping
Internet Risks
Distributed Denial of service
- May take the form of SYN flood or smurf attack
Uses virtual army of so-called zombie or bot(robot)
Involves IRC (Internet Relay Chat)
Controlling Risks from Subversive Network Threats
Firewalls - enforces access control between two networks
Controlling Risks from Subversive Network Threats
Network Level Firewall
Controlling Risks from Subversive Network Threats
Application Level Firewall
Controlling Denial of Service Attacks
Intrusion Prevention Systems (IPS) employs deep packet
inspection (DPS) to determine when an attack is in progress.
Encryption conversion of data into a secret code
Digital Signature electronic authentication that cannot be
forged
Digital Certificate proves that the message received was not
tampered
Controlling Denial of Service Attacks
5) Message Sequence Numbering a sequence number is
inserted in each message
6) Message Transaction Log all incoming and outgoing
messages are recorded
7) Request-Response Technique
8) Call-back device requires the dial in user to enter a
password and be identified
Controlling Risks from Equipment Failure
Line Error bit structure of message is corrupted
Echo Check
Parity Check
OPERATING SYSTEM

Allows users and their applications to share and access

common computer resources
Examples: Unix, Linux, Windows
Operating System Tasks
Translates high-level languages into the machine language
that the computer can execute
Allocates computer resources to users, workgroups, and
applications
Manages the tasks of job scheduling and programming
Five Fundamental Control Objectives of Operating Systems
Itself from users
Users from each other
Users from themselves
From itself
From its environment
Operating System Security Components:
Log-on procedure
2) Access Token
3) Access Control List
3) Discretionary Access Privileges
Threats to Operating System Integrity
Privileged personnel who abuse their authority
Individuals, both internal and external to the organization,
who browse the operating system to identify and exploit
security flaws
Individuals who intentionally insert computer viruses or other
forms of destructive programs
Password Control
Password secret code the user enters to gain access to
systems, applications, data and network server
Password Control
Reusable Passwords
One-Time Passwords
Malicious and Destructive Programs
Viruses replicates by inserting copies of itself (possibly
modified) into other computer programs, data files, or
the boot sector of the hard drive
Worm standalone malware computer program that replicates
itself in order to spread to other computers; it does not attach
itself to an existing program
Logic Bomb - a piece of code intentionally inserted into
a software system that will set off a malicious function when
specified conditions are met
Backdoors - (sometimes called a trap door) is a means of
access to a computer system that bypasses security
mechanisms
Trojan horse - a non-self-replicating type of malware program
containing malicious code that, when executed, carries out
actions determined by the nature of the Trojan, typically
causing loss or theft of data, and possible system harm.
System Audit Trail Controls
System Audit Trails logs that record activity at the system,
application, and user level
System Audit Trail Controls
Key stroke monitoring recording both the users keystrokes
and the systems responses

Event Monitoring summarizes key activities related to

system resources
NETWORKS
Intranet consist of small LANs and large WANs that may
contain thousands of individual nodes.
Individual nodes on most intranets are connected to a shared
channel across which travel user IDs, passwords, confidential
emails, and financial data files.
Intranets connected to a central corporate database increase
the risk that an employee will view, corrupt, change, or copy
data.
Internet Risks
IP spoofing form of masquerading to gain unauthorized
access to a Web server and / or to perpetrate an unlawful act
without revealing ones identity.
Denial of Service Attacks (Dos) an assault to a web server to
prevent it from servicing its legitimate users.
Internet Risks
SYN Flood Attack
Three way handshake
Internet Risks
Smurf Attack perpetrator, intermediary, and victim
- Uses Internet Maintenance tool called ping
Internet Risks
Distributed Denial of service
- May take the form of SYN flood or smurf attack
Uses virtual army of so-called zombie or bot(robot)
Involves IRC (Internet Relay Chat)
Controlling Risks from Subversive Network Threats
Firewalls - enforces access control between two networks
Controlling Risks from Subversive Network Threats
Network Level Firewall
Controlling Risks from Subversive Network Threats
Application Level Firewall
Controlling Denial of Service Attacks
Intrusion Prevention Systems (IPS) employs deep packet
inspection (DPS) to determine when an attack is in progress.
Encryption conversion of data into a secret code
Digital Signature electronic authentication that cannot be
forged
Digital Certificate proves that the message received was not
tampered
Controlling Denial of Service Attacks
5) Message Sequence Numbering a sequence number is
inserted in each message
6) Message Transaction Log all incoming and outgoing
messages are recorded
7) Request-Response Technique
8) Call-back device requires the dial in user to enter a
password and be identified
Controlling Risks from Equipment Failure
Line Error bit structure of message is corrupted
Echo Check
Parity Check