
Chapter 16
Auditing IT Controls Part II: Security and Access
Accounting Information Systems 9e
James A. Hall
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in
whole or in part, except for use as permitted in a license distributed with a certain product or
service or otherwise on a password-protected website for classroom use.
Objectives for Chapter 16
• Be able to identify the principal threats to the operating
system and the control techniques used to minimize the
possibility of actual exposures.
• Be familiar with the principal risks associated with
electronic commerce conducted over intranets and the
Internet and understand the control techniques used to
reduce these risks.
• Be familiar with the risks to database integrity and the
controls used to mitigate them.
• Recognize the unique exposures that arise in connection
with electronic data interchange (EDI) and understand
how these exposures can be reduced.

Controlling the Operating Systems
• Computer’s control program that allows users and applications
to share and access common computer resources.
• Performs three main tasks:
– Translates high-level languages into the machine-level language.
– Allocates computer resources to user applications.
– Manages the tasks of job scheduling and multiprogramming.

• Fundamental control objectives – operating system must:
– Protect itself from users.
– Protect users from each other.
– Protect users from themselves.
– Be protected from itself.
– Be protected from its environment.

Controlling the Operating Systems
• Operating system security involves policies, procedures, and
controls that determine who can access the system.
– Log-on procedure is the first line of defense against unauthorized
access – user IDs and passwords.
– Access token contains key information about the user and is used to
approve all actions taken during a user session.
– Access control list controls access to system resources.
– Discretionary access privileges allow user to grant access to others.

• Sources of threats to operating system integrity:
– Privileged personnel who abuse their authority.
– Individuals who browse the operating system to identify and exploit
security flaws.
– Individuals who insert computer viruses into the system.
Operating System Controls and Tests of Controls

• Audit objective is to verify access privileges are granted
consistently with separation of incompatible functions and
organization policies. This is accomplished by reviewing:
– Policies for separating incompatible functions.
– Privileges of a sample of user groups and individuals.
– Personnel records to determine if security clearance checks of
privileged employees are adequate.
– Formal acknowledgements of responsibility to maintain
confidentiality of data.
– Users’ permitted log-on times.

Operating System Controls and Tests of Controls
• Audit objective is to ensure an adequate password policy. This is
accomplished by verifying/reviewing:
– All users are required to have passwords.
– New users instructed in use of passwords and password control.
– Password control procedures.
– Password file to identify weak passwords and ensure encryption.
– Adequacy of password standards.

• Audit objective is to verify effectiveness of procedures that
guard against viruses and other destructive programs. This
is accomplished by:
– Determining that personnel are educated and aware of practices
that can spread viruses and other malicious programs.
– Verifying new software is tested prior to implementation.
– Verifying up-to-date antiviral software.

Operating System Controls and Tests of Controls
• Audit objective is to ensure established system audit trail is
adequate to prevent and detect abuse, reconstruct key
events, and plan resource allocation.
– Most operating systems provide some audit manager function to
specify events to be audited.
• Auditor should verify audit trail has been activated according to
organization policy.
– Many operating systems provide an audit log viewer that auditor
can scan for unusual activity.
• Auditor can search for conditions such as: unauthorized or terminated
users, periods of inactivity, activity by user, group or department, log-on
and log-off times, failed log-on attempts and access to specific files.
– Security group has responsibility for monitoring and reporting
security violations.
• Sample of violations should be evaluated by the auditor.
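The conditions the slide lists (terminated users, log-ons outside permitted times, failed log-on attempts, access to specific files) are the kind of thing an auditor scans an audit log for. The following is an added example, not from the textbook: it runs those checks over a constructed log whose format, the terminated-user list, the permitted-hours window and the sensitive-file list are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: date, time, user, event [, object].
SAMPLE_LOG = """\
2015-03-02 08:05:11 alice LOGON_OK
2015-03-02 08:07:42 bob LOGON_FAIL
2015-03-02 08:07:55 bob LOGON_FAIL
2015-03-02 08:08:03 bob LOGON_FAIL
2015-03-02 08:08:20 bob LOGON_OK
2015-03-02 17:40:00 alice LOGOFF
2015-03-02 23:15:09 carol LOGON_OK
2015-03-02 23:16:30 carol FILE_ACCESS payroll.dat
2015-03-03 09:00:00 dave LOGON_OK
"""

# Assumed policy inputs for the illustration; in a real review these come
# from personnel records and the organization's log-on time policy.
TERMINATED_USERS = {"carol"}
PERMITTED_HOURS = range(7, 19)        # log-ons allowed 07:00 to 18:59
FAILED_LOGON_THRESHOLD = 3
SENSITIVE_FILES = {"payroll.dat"}


def parse_log(text):
    """Turn log lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        date, time, user, event = line.split(" ", 3)
        ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
        events.append((ts, user, event))
    return events


def find_exceptions(events):
    """Return sorted (user, reason) pairs for the auditor to follow up."""
    exceptions = set()
    failed = defaultdict(int)
    for ts, user, event in events:
        if user in TERMINATED_USERS:
            exceptions.add((user, "activity by terminated user"))
        if event.startswith("LOGON") and ts.hour not in PERMITTED_HOURS:
            exceptions.add((user, "log-on outside permitted hours"))
        if event == "LOGON_FAIL":
            failed[user] += 1
            if failed[user] >= FAILED_LOGON_THRESHOLD:
                exceptions.add((user, "repeated failed log-on attempts"))
        elif event.startswith("FILE_ACCESS "):
            name = event.split(" ", 1)[1]
            if name in SENSITIVE_FILES:
                exceptions.add((user, "access to sensitive file " + name))
    return sorted(exceptions)


if __name__ == "__main__":
    for user, reason in find_exceptions(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```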

Controlling Database Management Systems
• Access controls designed to prevent unauthorized
individuals from viewing, retrieving, corrupting or destroying
data.
– User view is a subset of the total database that defines and restricts
access to the database accordingly.
– Database authorization table contains rules that limit actions a
user can take.
– User-defined procedures allow user to create a personal security
program or routine to provide identification.
– Data encryption uses an algorithm to scramble data, making it
unreadable.
– Biometric devices measure various personal characteristics such as
fingerprints, voiceprints, retina prints, or signature characteristics
to allow access.

Controlling Database Management Systems
• Audit objective related to database access is to verify that:
– (1) Authorized users are limited to accessing data needed to
perform duties and,
– (2) Unauthorized users are denied access.

• Audit procedures for testing access controls:


– Verify database administration personnel retain sole responsibility
for creating authority tables and designing user views.
• Review company policy, examine programmer authority tables, and interview
programmers and database administrative personnel.
– Select a sample of users and verify appropriateness of access
privileges.
– Evaluate costs and benefits of biometric controls.
– Verify that sensitive data are properly encrypted.
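The database authorization table described earlier limits the actions a user can take, and the audit procedure above samples users to verify their privileges are appropriate. The following is an added example, not from the textbook: a constructed authorization table with a DBMS-side check, plus an auditor-side test that compares each granted privilege with an assumed role policy and reports anything in excess (including rows granted to a user who no longer has a role).

```python
# Constructed database authorization table: one (user, table, action)
# row per privilege the DBMS will allow.
AUTH_TABLE = [
    ("ann",  "customers", "read"),
    ("ann",  "orders",    "read"),
    ("ann",  "orders",    "insert"),
    ("bill", "customers", "read"),
    ("bill", "payroll",   "read"),     # not needed by a sales clerk
    ("bill", "payroll",   "update"),   # not needed by a sales clerk
    ("dana", "payroll",   "read"),
    ("dana", "payroll",   "update"),
    ("dana", "payroll",   "delete"),   # beyond what a payroll clerk needs
    ("eve",  "customers", "read"),     # eve has no current role
]

# Constructed role policy: the only (table, action) pairs each role needs
# to perform its duties.  The user-to-role mapping is assumed to come
# from personnel records.
ROLE_POLICY = {
    "sales_clerk": {("customers", "read"), ("orders", "read"),
                    ("orders", "insert")},
    "payroll_clerk": {("payroll", "read"), ("payroll", "update")},
}
USER_ROLE = {"ann": "sales_clerk", "bill": "sales_clerk",
             "dana": "payroll_clerk"}


def is_authorized(user, table, action, auth_table=AUTH_TABLE):
    """DBMS-side check: an action is allowed only if a row grants it."""
    return (user, table, action) in auth_table


def excess_privileges(auth_table=AUTH_TABLE, user_role=USER_ROLE,
                      policy=ROLE_POLICY):
    """Auditor-side test: rows that grant more than the user's role needs.

    A user with no role (for example a departed employee) needs nothing,
    so every row granted to that user is reported.
    """
    findings = []
    for user, table, action in auth_table:
        needed = policy.get(user_role.get(user), set())
        if (table, action) not in needed:
            findings.append((user, table, action))
    return findings


if __name__ == "__main__":
    for user, table, action in excess_privileges():
        print(f"excess privilege: {user} may {action} {table}")
```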

Controlling Database Management Systems
• Backup controls ensure organization can recover files and
databases in the event of data loss.
– Database backup is automatic and should be done at least daily.
– Transaction log provides audit trail of all processed transactions.
– Checkpoint feature suspends all data processing while system
reconciles transaction log and database change log with database.
– Recovery module restarts the system after a failure.

• Audit objective related to database backup is to ensure that
controls are adequate in the event of a loss:
– Verify that databases are copied at regular intervals and that the
backup copies are stored off-site to support disaster recovery
procedures.

Controlling Networks – Risks from Subversive Threats
• Network-level firewalls provide efficient but low-security
access control.
– Consists of a screening router that accepts or denies access
requests based on filtering rules that have been programmed into
it.
– Insecure because they are designed to facilitate, not restrict, the
free flow of information.
– Outside users are not explicitly authenticated.

• Application-level firewalls provide higher-level,
customizable network security but add overhead to
connectivity.
– Trade-off between convenience and security. The more security
the firewall provides, the less convenient it is for authorized users
to pass through it and conduct business.
Controlling Networks – Risks from Subversive Threats
• Denial of service attack prevention depends on the type of attack.
– Firewalls can be programmed to protect against smurf attacks.
– Security software is available that scans for half-open connections.
– Intrusion Prevention Systems (IPS) that employ deep packet
inspection can determine when a distributed denial of service attack
is in progress.
• Encryption is the conversion of data into a secret code for
storage in databases and transmission over networks.
– Advanced encryption standard (AES) is a US government standard.
– Triple-DES encryption provides improved security. EEE3 uses three
different keys to encode messages three times; EDE3 uses one key to
encrypt and another to decode.
– Public key encryption uses one key for encoding messages and
another for decoding them.

Controlling Networks – Risks from Subversive Threats
• Digital signature is an electronic authentication that ensures:
– Transmitted message originated with the authorized sender.
– Message was not tampered with after the signature was applied.

• Digital certificate is used in conjunction with public key
encryption to authenticate the sender of a message.
• Message sequence numbering identifies attempts to delete,
change or duplicate messages.
• Message transaction logs record all messages so that any
intruder activity will be identified.
• Request-response technique makes it more difficult for an
intruder to prevent or delay the receipt of a message.
• Call-back device requires dial-in user to be identified.
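Message sequence numbering and message transaction logs, as described above, work together: the receiver checks the numbering on its own, and the auditor reconciles the sender's and receiver's logs. The following is an added example, not from the textbook, over constructed sender and receiver logs; it reports missing, duplicated and out-of-order sequence numbers, and then finds messages whose content differs between the two logs.

```python
# Constructed sender-side transaction log: sequence number -> content.
SENT = {
    1: "PO 1001 acknowledged",
    2: "invoice 5001 total 300.00",
    3: "invoice 5002 total 450.00",
    4: "invoice 5003 total 1200.00",
    5: "invoice 5004 total 80.00",
    6: "invoice 5005 total 95.00",
}

# Constructed receiver-side log in arrival order: (sequence number, content).
RECEIVED = [
    (1, "PO 1001 acknowledged"),
    (2, "invoice 5001 total 300.00"),
    (2, "invoice 5001 total 300.00"),       # duplicate (message replayed)
    (4, "invoice 5003 total 9200.00"),      # content changed in transit
    (6, "invoice 5005 total 95.00"),
    (5, "invoice 5004 total 80.00"),        # arrived out of order
]                                           # sequence 3 never arrived


def check_sequence(received, first=1):
    """Receiver-side check using only the sequence numbers.

    Returns the missing, duplicate and out-of-order numbers.
    """
    seen = set()
    duplicates, out_of_order = [], []
    highest = first - 1
    for seq, _content in received:
        if seq in seen:
            duplicates.append(seq)
            continue
        seen.add(seq)
        if seq < highest:
            out_of_order.append(seq)
        highest = max(highest, seq)
    missing = [n for n in range(first, highest + 1) if n not in seen]
    return {"missing": missing, "duplicate": duplicates,
            "out_of_order": out_of_order}


def reconcile_logs(sent, received):
    """Auditor-side comparison of the two transaction logs: messages whose
    content differs from what the sender logged, and messages the sender
    logged that never arrived."""
    got = {}
    for seq, content in received:
        got.setdefault(seq, content)          # keep the first arrival
    changed = sorted(s for s, c in sent.items() if s in got and got[s] != c)
    never_arrived = sorted(s for s in sent if s not in got)
    return {"changed": changed, "never_arrived": never_arrived}


if __name__ == "__main__":
    print(check_sequence(RECEIVED))
    print(reconcile_logs(SENT, RECEIVED))
```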
Audit Objectives & Procedures for Subversive Threats
• Audit objective is to verify the security and integrity of financial
transactions by determining network controls can:
– (1) Prevent and detect illegal internal and Internet network access.
– (2) Render any data captured by a perpetrator useless.
– (3) Preserve integrity and physical security of data connected to the
network.
• Audit tests of controls:
– Review firewall adequacy in achieving balance between control and
convenience based on the following criteria:
• Flexibility, proxy services, filtering, segregation of systems, audit tools, and
probing for weaknesses.
– Verify data encryption security procedures and encryption process.
– Review message transaction logs.
– Test operation of the call-back feature.

Controlling Risks From Equipment Failure
• Most common problem in data communications is data loss
due to line errors from communications noise.
• Two techniques to detect and correct such data errors are:
– Echo check where the receiver returns the message to the sender.
– Parity check where an extra bit is added onto each byte of data.

• Audit objective is to verify the integrity of the electronic
commerce transactions by determining that controls are in
place to detect and correct message loss due to equipment
failure.
• Objective can be achieved by selecting a sample of messages,
examining them for garbled content and verifying that all
corrupted messages were successfully retransmitted.
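The echo check and parity check described on this slide, as an added example that is not from the textbook. The message bytes are constructed, even parity is assumed, and the parity bit is carried beside each byte rather than packed into it so the logic is visible. It also shows the limit of a parity check (an even number of flipped bits in one byte passes), which is where the echo check still catches the error.

```python
def parity_bit(byte):
    """Even parity: 1 when the byte has an odd number of 1 bits, else 0,
    so byte plus parity bit always carries an even number of 1s."""
    return bin(byte).count("1") % 2


def add_parity(data):
    """Sender side: pair each byte with its parity bit."""
    return [(b, parity_bit(b)) for b in data]


def check_parity(frames):
    """Receiver side: positions whose parity no longer matches the byte."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]


def echo_check(sent, echoed):
    """Sender side: the receiver echoes the message back and the sender
    compares it with what it sent; True means no error was detected."""
    return sent == echoed


def flip_bits(frames, index, mask):
    """Simulate line noise: XOR the byte at `index` with `mask`,
    leaving its parity bit as originally transmitted."""
    frames = list(frames)
    byte, parity = frames[index]
    frames[index] = (byte ^ mask, parity)
    return frames


def simulate():
    message = b"PAY 120.00"                 # constructed message
    frames = add_parity(message)
    # one bit flipped in '1' (0x31 -> 0x30): the parity check catches it
    one_flip = flip_bits(frames, 4, 0x01)
    # two bits flipped in '2' (0x32 -> 0x31): the 1-bit count is unchanged,
    # so the error escapes the parity check but the echo check catches it
    two_flips = flip_bits(frames, 5, 0x03)
    return {
        "one_flip_parity": check_parity(one_flip),
        "two_flips_parity": check_parity(two_flips),
        "two_flips_echo": echo_check(message, bytes(b for b, _ in two_flips)),
    }


if __name__ == "__main__":
    print(simulate())
```

Neither check corrects the byte itself; correction is the retransmission that the audit procedure above verifies for each corrupted message.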
Electronic Data Interchange (EDI) Controls
• Electronic data interchange (EDI) uses computer-to-computer
technologies to automate B2B purchases.
• Absence of human intervention presents a unique twist to
traditional control problems including:
– Ensuring transactions are authorized and valid.
– Preventing unauthorized access to data files.
– Maintaining an audit trail of transactions.

• Techniques to deal with these issues:
– Transaction authorization and validation including the use of
passwords, IDs, customer and vendor files.
– Access controls, including establishing vendor and customer files.
– EDI audit trail including a control log which records transactions.

Audit Objectives & Procedures for EDI
• Audit objectives are to determine:
– (1) all transactions are authorized, valid and in compliance with
agreements; (2) no unauthorized data access and (3) controls
are in place to ensure a complete audit trail of transactions.
• Tests of authorization and validation controls:
– Review procedures for verifying trading partner ID codes.
– Review agreements with VAN and trading partner files.
• Tests of access controls:
– Verify and test that access is limited appropriately.
• Tests of audit trail controls:
– Verify existence of transaction logs and review a sample of
transactions.
Appendix: Malicious and Destructive Programs
• A virus is a program that attaches itself to a legitimate
program to penetrate the operating system and destroy
application programs, data files and the operating system
itself.
• Worm is used interchangeably with virus.
– Software program that burrows into computer’s memory and
replicates itself into areas of idle memory.
• Logic bomb is a destructive program that some predetermined
event – such as a date – triggers.
• Back door (or trap door) allows unauthorized access to a
system without normal log-on procedures.
• Trojan horse captures IDs and passwords from unsuspecting
users.
