Accounting Information Systems, 5 th edition James A. Hall COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license

 Threats to the operating system and internal controls (IC) to minimize them  Threats to database integrity and IC to minimize them  Risks associated with electronic commerce and IC to reduce them  Exposures associated with electronic data interchange (EDI) and IC to reduce them

Operating System Data Management Systems Development Systems Maintenance Organizational Structure Internet & Intranet EDI Trading Partners Personal Computers Computer Center Security Applications Internet & Intranet General Control Framework for CBIS Exposures

 Operating system performs three main tasks: ◦ Translates high-level languages into machine-level language. ◦ Allocates computer resources to user applications. ◦ Manages tasks of job scheduling and multiprogramming. 4 Windows Unix Linux

 It must ◦ protect itself from tampering from users ◦ be able to prevent users from tampering with programs of other users ◦ be able to safeguard users’ applications from accidental corruption ◦ be able to safeguard its own programs from accidental corruption ◦ be able to protect itself from power failures or other disasters 5

 Log-On Procedure ◦ first line of defense--user IDs and passwords  Access Token ◦ contains key information about user  Access Control List ◦ defines access privileges of users  Discretionary Access Control ◦ allows User to grant access to another user 6

 Formalized procedures for software acquisition  Security clearances of prospective employees  Formal acknowledgment by users of their responsibilities to company  Security group to monitor security violations  Formal policy for taking disciplinary action against security violators 7

 Browsing ◦ looking through memory for sensitive information (e.g., in printer queue)  Masquerading ◦ pretend to be authorized user by getting ID and passwords – shoulder surfing  The most common method to get your password is for someone to look over your shoulder! Make sure your password is a combination of upper/lower case letters, numbers, special characters.  Virus & Worms ◦ foreign programs that spread through system ◦ virus must attach to another program, worms are self-contained 8

 Trojan Horse ◦ foreign program that conceals itself with another legitimately imported program  Logic Bomb ◦ foreign programs triggered by specific event  Back Door ◦ alternative entry into system  Intentional (programmers)  Security hole 9

Access Privileges  Audit objectives: verify that access privileges are consistent with separation of incompatible functions and organization policies  Audit procedures: review or verify… ◦ policies for separating incompatible functions ◦ a sample of user privileges, especially access to data and programs ◦ security clearance checks of privileged employees ◦ formally acknowledgements to maintain confidentiality of data ◦ users’ log-on times

Password Control  Audit objectives: ensure adequacy and effectiveness password policies for controlling access to operating system  Audit procedures: review or verify… ◦ passwords required for all users ◦ password instructions for new users ◦ passwords changed regularly ◦ password file for weak passwords ◦ encryption of password file ◦ password standards ◦ account lockout policies

Audit Trail Controls  Audit objectives: whether used to (1) detect unauthorized access, (2) facilitate event reconstruction, and (3) promote accountability  Audit procedures: review or verify… ◦ how long audit trails have been in place ◦ archived log files for key indicators ◦ monitoring and reporting of security violations

Operating System Data Management Systems Developmen t Systems Maintenance Organizational Structure Internet & Intranet EDI Trading Partners Personal Computers Computer Center Security Applications Internet & Intranet General Control Framework for CBIS Exposures

Two crucial database control issues: Access controls  Audit objectives: (1) those authorized to use databases are limited to data needed to perform their duties and (2) unauthorized individuals are denied access to data Backup controls  Audit objectives: backup controls can adequately recovery lost, destroyed, or corrupted data

 User views - based on subschemas  Database authorization table - allows specific authority rules  Data encryption - encoding algorithms  Biometric devices - fingerprints, retina prints, or signature characteristics 15

Resource User EmployeeSharedCash Receipts AR File FilePrinterProgram Read data Change Add Delete No AccessUseNo Access Read only Read code No Access UseModify Delete No Access Read only Use No Access User 1 User 3 User 2 User 1 works in A/R Dept. Can Read, Add, & Delete data.

Audit procedures: verify… ◦ Who has responsibility for authority tables & subschemas (user views)? ◦ Granting appropriate access authority ◦ Are biometric controls used? ◦ Encryption?

 Database backup – automatic periodic copy of data  Transaction log – list of transactions which provides an audit trail  Checkpoint features – suspends data during system reconciliation  Recovery module – restarts system after a failure

 Grandparent-parent-child backup –the number of generations to backup is up to company policy  Direct access file backup - back-up master- file at pre-determined intervals  Off-site storage - guard against disasters and/or physical destruction 20

 Audit procedures: verify… ◦ that production databases are copied at regular intervals ◦ backup copies of the database are stored off site to support disaster recovery

 Communications is a unique aspect of the computer networks: ◦ different than processing (applications) or data storage (databases)  Network topologies – configurations of: ◦ communications lines (twisted-pair wires, coaxial cable, microwaves, fiber optics) ◦ hardware components (modems, multiplexers, servers, front-end processors) ◦ software (protocols, network control systems)

Internal and external subversive activities Audit objectives: 1.prevent and detect illegal internal and Internet network access 2.render useless any data captured by a perpetrator (usually encryption) 3.preserve the integrity and physical security of data connected to the network Equipment failure Audit objective: determine integrity of e-commerce transactions: are controls in place to detect and correct message loss due to equipment failure

 Include: ◦ unauthorized interception of a message ◦ gaining unauthorized access to an organization’s network ◦ denial-of-service (DOS) attack from remote location

Firewalls provide security by channeling all network connections through a control gateway.  Network level firewalls ◦ Low cost and low security access control ◦ Do not explicitly authenticate outside users ◦ Filter junk or improperly routed messages ◦ Experienced hackers can easily penetrate system  Application level firewalls ◦ Customizable network security, but expensive ◦ Sophisticated functions such as logging or user authentication

 Denial-of-service (DOS) attacks ◦ Security software searches for connections which have been half-open for period of time.  Encryption ◦ Computer program transforms a clear message into a coded (cipher) text form using an algorithm.

Sender Receiver Step 1: SYN messages Step 2: SYN/ACK Step 3: ACK packet code In a DOS Attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not response with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.

Encryption Program Encryption Program Communication System Communication System Key Cleartext Message Cleartext Message Ciphertext

 Digital signature – electronic authentication technique to ensure that… ◦ transmitted message originated with authorized sender ◦ message was not tampered with after signature was applied  Digital certificate – like an electronic identification card used with a public key encryption system ◦ Verifies authenticity of message sender

 Message sequence numbering – sequence number used to detect missing messages  Message transaction log – listing of all incoming and outgoing messages to detect efforts of hackers  Request-response technique – random control messages are sent from sender to ensure messages are received  Call-back devices – receiver calls sender back at a pre-authorized phone number before transmission is completed

 Review firewall effectiveness in terms of flexibility, proxy services, filtering, segregation of systems, audit tools, and probing for weaknesses.  Review data encryption security procedures  Verify encryption by testing  Review message transaction logs  Test procedures for preventing unauthorized calls

Line errors are data errors from communications noise (static).  Two techniques to detect and correct such data errors: ◦ echo check - receiver returns message to sender ◦ parity checks - an extra bit is added onto each byte of data, similar to check digits

 Using sample of messages from transaction log: ◦ examine them for garbled contents caused by line noise (static) ◦ verify that all corrupted messages were successfully retransmitted

 Electronic data interchange (EDI) uses computer-to-computer communications technologies to automate B2B purchases.  Audit objectives: 1.Transactions are authorized, validated, in compliance with trading partner agreement. 2.No unauthorized organizations can gain access to database 3.Authorized trading partners have access only to approved data. 4.Adequate controls are in place to ensure complete audit trail.

 Authorization ◦ automated and absence of human intervention  Access ◦ need to access EDI partner’s files  Audit trail ◦ paperless and transparent (automatic) transactions

 Authorization ◦ use of passwords and value added networks (VAN) to ensure valid partner  Access ◦ software to specify what can be accessed and at what level  Audit trail ◦ control log records transaction’s flow through each phase of transaction processing

EDI System without Controls Purchases System EDI Translation Software EDI Translation Software Communications Software Communications Software Sales Order System Application Software Application Software Direct Connection Company A Company B (Vendor)

Purchases System EDI Translation Software EDI Translation Software Communications Software Communications Software Other Mailbox Other Mailbox Company A’s mailbox Company B’s mailbox Sales Order System Application Software Application Software VAN Company A Company B (Vendor) Audit trail of transactions between trading partners EDI System with Controls Use of VAN to enforce use of passwords and valid partners Software limits vendor’s (Company B) access to company A’s database Transaction Log Transaction Log

 Tests of Authorization and Validation Controls ◦ Review procedures for verifying trading partner identification codes ◦ Review agreements with VAN ◦ Review trading partner files  Tests of Access Controls ◦ Verify limited access to vendor and customer files ◦ Verify limited access of vendors to database ◦ Test EDI controls by simulation  Tests of Audit Trail Controls ◦ Verify exists of transaction logs are key points ◦ Review a sample of transactions

41