Professional Documents
Culture Documents
Auditing IT
Controls Part
II: Security
and Access
Accounting Information
Systems 9e
James A. Hall
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in
whole or in part, except for use as permitted in a license distributed with a certain product or
service or otherwise on a password-protected website for classroom use.
Objectives for Chapter 16
• Be able to identify the principal threats to the operating
system and the control techniques used to minimize the
possibility of actual exposures.
• Be familiar with the principal risks associated with
electronic commerce conducted over intranets and the
Internet and understand the control techniques used to
reduce these risks.
• Be familiar with the risks to database integrity and the
controls used to mitigate them.
• Recognize the unique exposures that arise in connection
with electronic data interchange (EDI) and understand
how these exposures can be reduced.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 2
Controlling the Operating Systems
• Computer’s control program that allows users and applications
to share and access common computer resources.
• Performs three main tasks:
– Translates high-level languages into the machine-level language.
– Allocates computer resources to user applications.
– Manages the tasks of job scheduling and multiprogramming.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 3
Controlling the Operating Systems
• Operating system security involves policies, procedures, and
controls that determine who can access the system.
– Log-on procedure is the first line of defense against unauthorized
access – user IDs and passwords.
– Access token contains key information about the user and is used to
approve all actions taken during a user session.
– Access control list controls access to system resources.
– Discretionary access privileges allow user to grant access to others.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 5
Operating System Controls and Tests of Controls
• Audit objective is to ensure an adequate password policy
which is accomplished by verifying/reviewing:
– All users are required to have passwords.
– New users instructed in use of passwords and password control.
– Password control procedures.
– Password file to identify weak passwords and ensure encryption.
– Adequacy of password standards.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 6
Operating System Controls and Tests of Controls
• Audit objective is to ensure established system audit trail is
adequate to prevent and detect abuse, reconstruct key
events, and plan resource allocation.
– Most operating systems provide some audit manager function to
specify events to be audited.
• Auditor should verify audit trail has been activated according to
organization policy.
– Many operating systems provide an audit log viewer that auditor
can scan for unusual activity.
• Auditor can search for conditions such as: unauthorized or terminated
users, periods of inactivity, activity by user, group or department, log-on
and log-off times, failed log-on attempts and access to specific files.
– Security group has responsibility for monitoring and reporting
security violations.
• Sample of violations should be evaluated by the auditor.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 7
Controlling Database Management Systems
• Access controls designed to prevent unauthorized
individuals from viewing, retrieving, corrupting or destroying
data.
– User view is a subset of the total database that defines and restricts
access to the database accordingly.
– Database authorization table contains rules that limit actions a
user can take.
– User-defined procedures allow user to create a personal security
program or routine to provide identification.
– Data encryption uses an algorithm to scramble data, making it
unreadable.
– Biometric devices measure various personal characteristics such as
fingerprints, voiceprints, retina prints, or signature characteristics
to allow access.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 8
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 9
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 10
Controlling Database Management Systems
• Audit objective related to database access is to verify that:
– (1) Authorized users are limited to accessing data needed to
perform duties and,
– (2) Unauthorized users are denied access.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 11
Controlling Database Management Systems
• Backup controls ensure organization can recover files and
databases in the event of data loss.
– Database backup is automatic and should be done at least daily.
– Transaction log provides audit trail of all processed transactions.
– Checkpoint feature suspends all data processing while system
reconciles transaction log and database change log with database.
– Recovery module restarts the system after a failure.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 12
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 13
Controlling Networks – Risks from Subversive Threats
• Network-level firewalls provide efficient but low security
access control.
– Consists of a screening router that accepts or denies access
requests based on filtering rules that have been programmed into
it.
– Insecure because they are designed to facilitate, not restrict, the
free flow of information.
– Outside users are not explicitly authenticated.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 16
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 17
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 18
Controlling Networks – Risks from Subversive Threats
• Digital signature is an electronic authentication that ensures:
– Transmitted message originated with the authorized sender.
– Message was not tampered with after the signature was applied.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 21
Controlling Risks From Equipment Failure
• Most common problem in data communications is data loss
due to line errors from communications noise.
• Two techniques to detect and correct such data errors are:
– Echo check where the receiver returns the message to the sender
– Parity check where an extra bit is added onto each byte of data.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 24
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
25
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
26
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Audit Objectives & Procedures for EDI
• Audit objectives are to determine:
– (1) all transactions are authorized, valid and in compliance with
agreements; (2) no unauthorized data access and (3) controls
are in place to ensure a complete audit trail of transactions.
• Tests of authorization and validation controls:
– Review procedures for verifying trading partner ID codes.
– Review agreements with VAN and trading partner files.
• Tests of access controls:
– Verify and test that access is limited appropriately.
• Tests of audit trail controls appropriately:
– Verify existence of transaction logs and review a sample of
transactions.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 27
Appendix: Malicious and Destructive Programs
• A virus is a program that attaches itself to a legitimate
program to penetrate the operating system and destroy
application programs, data files and the operating system
itself.
• Worm is used interchangeably with virus.
– Software program that burrows into computer’s memory and
replicates itself into areas of idle memory.
• Logic bomb is a destructive program that some predetermined
event – such as a date – triggers.
• Back door (or trap door) allows unauthorized access to a
system without normal log-on procedures.
• Trojan horse captures IDs and passwords from unsuspecting
users.
© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 28