IT Controls Part I: Accounting Information Systems, 5th edition. James A. Hall. COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation.


1 IT Controls Part I: Accounting Information Systems, 5th edition. James A. Hall. COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license.

2 IT Controls & Financial Reporting
Modern financial reporting is driven by information technology (IT). IT initiates, authorizes, records, and reports the effects of financial transactions.
–Financial reporting internal controls (IC) are inextricably integrated with IT.
COSO identifies two groups of IT controls:
–application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
–general controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

3 IT Controls & Financial Reporting

4 Types of Audit Tests
Tests of controls – tests to determine if appropriate IC are in place and functioning effectively
Substantive testing – detailed examination of account balances and transactions

5 Organizational Structure IC (Internal Control)
Audit objective – verify that individuals in incompatible areas are segregated to minimize risk while promoting operational efficiency
IC, especially segregation of duties, is affected by which of two organizational structures applies:
–Centralized model
–Distributed model

6 [Figure: two organization charts. CENTRALIZED COMPUTER SERVICES FUNCTION: President; VP Marketing, VP Computer Services, VP Operations, VP Finance; under Computer Services: Systems Development (New Systems Development, Systems Maintenance), Database Administration, Data Processing (Data Control, Data Preparation, Computer Operations, Data Library). DISTRIBUTED ORGANIZATIONAL STRUCTURE: President; VP Marketing, VP Finance (Treasurer, Controller), VP Operations (Manager Plant X, Manager Plant Y), VP Administration; each unit has its own IPU (information processing unit).]

7 Segregation of Duties
Transaction authorization is separate from transaction processing.
Asset custody is separate from record-keeping responsibilities.
The tasks needed to process the transactions are subdivided so that fraud requires collusion.

8 Segregation of Duties
[Figure: a TRANSACTION flows through Authorization, Processing, Custody and Recording (Task 1 to Task 4). Control Objective 1 separates Authorization from Processing; Control Objective 2 separates Custody from Recording; Control Objective 3 subdivides the processing tasks.]

9 Centralized IT Structure
Critical to segregate:
–systems development from computer operations
–database administrator (DBA) from other computer service functions (the DBA authorizes access; systems development does the processing)
–maintenance from new systems development
–data library from operations

10 Distributed IT Structure
Despite its many advantages, important IC implications are present:
–incompatible software among the various work centers
–data redundancy may result
–consolidation of incompatible tasks
–difficulty hiring qualified professionals
–lack of standards

11 Organizational Structure IC
A corporate IT function alleviates potential problems associated with distributed IT organizations by providing:
–central testing of commercial hardware and software
–a user services staff
–a standard-setting body
–review of the technical credentials of prospective systems professionals

12 Audit Procedures
Review the corporate policy on computer security
–Verify that the security policy is communicated to employees
Review documentation to determine if individuals or groups are performing incompatible functions
Review systems documentation and maintenance records
–Verify that maintenance programmers are not also design programmers
Observe if segregation policies are followed in practice.
–E.g., check operations room access logs to determine if programmers enter for reasons other than system failures
Review user rights and privileges
–Verify that programmers have access privileges consistent with their job descriptions

13 Computer Center IC
Audit objectives:
–physical security IC protects the computer center from physical exposures
–insurance coverage compensates the organization for damage to the computer center
–operator documentation addresses routine operations as well as system failures

14 Considerations:
man-made threats and natural hazards
underground utility and communications lines
air conditioning and air filtration systems
access limited to operators and computer center workers; others required to sign in and out
fire suppression systems installed
fault tolerance
–Redundant disks and other system components
–backup power supplies

15 Audit Procedures
Review insurance coverage on hardware, software, and physical facility
Review operator documentation (run manuals) for completeness and accuracy
Verify that operational details of a system’s internal logic are not in the operator’s documentation

16 Disaster Recovery Planning
Disaster recovery plans (DRP) identify:
–actions before, during, and after the disaster
–disaster recovery team
–priorities for restoring critical applications
Audit objective – verify that the DRP is adequate and feasible for dealing with disasters

17 Disaster Recovery Planning
Major IC concerns:
–second-site backups
–critical applications and databases, including supplies and documentation
–back-up and off-site storage procedures
–disaster recovery team
–testing the DRP regularly

18 Second-Site Backups
Empty shell – involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
Recovery operations center – a completely equipped site; very costly and typically shared among many companies
Internally provided backup – companies with multiple data processing centers may create internal excess capacity

19 Audit Procedures
Evaluate adequacy of second-site backup arrangements
Review list of critical applications for completeness and currency
Verify that procedures are in place for storing off-site copies of applications and data
–Check currency of back-ups and copies
Verify that documentation, supplies, etc., are stored off-site
Verify that the disaster recovery team knows its responsibilities
–Check frequency of testing the DRP

20 Audit Background Material From Appendix

21 Attestation versus Assurance
Attestation:
–practitioner is engaged to issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.
Assurance:
–professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
–includes, but is not limited to, attestation

22 Attest and Assurance Services

23 What is an External Financial Audit?
An independent attestation by a professional (CPA) regarding the faithful representation of the financial statements
Three phases of a financial audit:
–familiarization with client firm
–evaluation and testing of internal controls
–assessment of reliability of financial data

24 Generally Accepted Auditing Standards (GAAS)

25 Auditing Management’s Assertions

26 External versus Internal Auditing
External auditors – represent the interests of third-party stakeholders
Internal auditors – serve an independent appraisal function within the organization
–Often perform tasks which can reduce external audit fees and help to achieve audit efficiency

27 What is an IT Audit?
Since most information systems employ IT, the IT audit is a critical component of all external and internal audits.
IT audits:
–focus on the computer-based aspects of an organization’s information system
–assess the proper implementation, operation, and control of computer resources

28 Elements of an IT Audit
Systematic procedures are used
Evidence is obtained
–tests of internal controls
–substantive tests
Determination of materiality for weaknesses found
Prepare audit report & audit opinion

29 Phases of an IT Audit

30 Audit Risk is... the probability the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated.

31 Three Components of Audit Risk
Inherent risk is associated with the unique characteristics of the business or industry of the client.
Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.

32 IT Controls Part II: Security and Access. Accounting Information Systems, 5th edition. James A. Hall. COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license.

33 Operating Systems
Perform three main tasks:
–translates high-level languages into the machine-level language
–allocates computer resources to user applications
–manages the tasks of job scheduling and multiprogramming

34 Requirements for Effective Operating Systems Performance
Protect itself from tampering from users
Prevent users from tampering with the programs of other users
Safeguard users’ applications from accidental corruption
Safeguard its own programs from accidental corruption
Protect itself from power failures and other disasters

35 Operating Systems Security
Log-On Procedure
–first line of defense – user IDs and passwords
Access Token
–contains key information about the user
Access Control List
–defines access privileges of users
Discretionary Access Control
–allows a user to grant access to another user

36 Operating Systems Controls: Access Privileges
Audit objectives: verify that access privileges are consistent with separation of incompatible functions and organization policies
Audit procedures: review or verify…
–policies for separating incompatible functions
–a sample of user privileges, especially access to data and programs
–security clearance checks of privileged employees
–formal acknowledgements to maintain confidentiality of data
–users’ log-on times
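Slides 7, 9, 12 and 36 all come down to one review: pull the functions each user ID can actually exercise and compare them with (a) the incompatible-function pairs and (b) the user's job description. The following is an added example of that review, not code from the textbook or its author; the function labels, the user extract and the job descriptions are constructed for the example, and the incompatible pairs are the ones the slides name.

```python
"""Segregation-of-duties (SoD) and privilege-consistency review over a
constructed user-rights extract. Added example, not from the textbook."""
from collections import defaultdict

# Incompatible function pairs taken from slides 7 and 9 (assumption: these
# labels match the ones used in the organisation's access extract).
INCOMPATIBLE_PAIRS = [
    ("transaction authorization", "transaction processing"),
    ("asset custody", "record keeping"),
    ("systems development", "computer operations"),
    ("systems maintenance", "new systems development"),
    ("database administration", "systems development"),
    ("data library", "computer operations"),
]

# Constructed sample: which functions each user ID can actually exercise,
# as an auditor would derive it from the access control lists.
USER_FUNCTIONS = {
    "alice": {"new systems development"},
    "bob": {"systems maintenance", "new systems development"},
    "carol": {"computer operations", "data library"},
    "dave": {"database administration"},
    "erin": {"asset custody", "record keeping", "transaction processing"},
}

# Constructed job descriptions: the functions each user is supposed to have.
JOB_DESCRIPTIONS = {
    "alice": {"new systems development"},
    "bob": {"systems maintenance"},
    "carol": {"computer operations"},
    "dave": {"database administration"},
    "erin": {"asset custody"},
}


def find_sod_conflicts(user_functions, pairs=INCOMPATIBLE_PAIRS):
    """Return {user: [(f1, f2), ...]} for every user holding both halves of
    an incompatible pair. Users with no conflict are omitted."""
    conflicts = defaultdict(list)
    for user, funcs in sorted(user_functions.items()):
        for f1, f2 in pairs:
            if f1 in funcs and f2 in funcs:
                conflicts[user].append((f1, f2))
    return dict(conflicts)


def find_excess_privileges(user_functions, job_descriptions):
    """Return {user: sorted functions granted but absent from the job
    description} (slide 12: privileges consistent with job descriptions)."""
    excess = {}
    for user, funcs in sorted(user_functions.items()):
        extra = funcs - job_descriptions.get(user, set())
        if extra:
            excess[user] = sorted(extra)
    return excess


def collusion_required(user_functions, pair):
    """True when no single user holds both functions of `pair`, i.e. abusing
    that combination would require collusion (slide 7's objective)."""
    f1, f2 = pair
    return not any(f1 in funcs and f2 in funcs
                   for funcs in user_functions.values())


if __name__ == "__main__":
    for user, hits in find_sod_conflicts(USER_FUNCTIONS).items():
        print(f"SoD conflict: {user} holds {hits}")
    for user, extra in find_excess_privileges(USER_FUNCTIONS,
                                              JOB_DESCRIPTIONS).items():
        print(f"Excess privilege: {user} has {extra} beyond job description")
```

Both findings matter separately: an excess privilege is a least-privilege exception even when it creates no SoD conflict, and an SoD conflict can exist even when every individual grant is "in the job description", which is why the check runs against the pair list rather than only against roles.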

37 Operating Systems Controls: Password Control
Audit objectives: ensure adequacy and effectiveness of password policies for controlling access to the operating system
Audit procedures: review or verify…
–passwords required for all users
–password instructions for new users
–passwords changed regularly
–password file for weak passwords
–encryption of password file
–password standards
–account lockout policies

38 Operating Systems Controls: Malicious & Destructive Programs
Audit objectives: verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses
Audit procedures: review or verify…
–training of operations personnel concerning destructive programs
–testing of new software prior to being implemented
–currency of antiviral software and frequency of upgrades

39 Operating System Controls: Audit Trail Controls
Audit objectives: whether audit trails are used to (1) detect unauthorized access, (2) facilitate event reconstruction, and (3) promote accountability
Audit procedures: review or verify…
–how long audit trails have been in place
–archived log files for key indicators
–monitoring and reporting of security violations
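"Archived log files for key indicators" (slide 39) is concrete work: parse the logon/access records and pull out the patterns that speak to slides 36 and 37, namely logons outside the user's normal hours, bursts of failed logons that the lockout policy should have stopped, and access to a resource by someone not entitled to it. This added example is not the textbook's; the log line format, the threshold values, business hours and the resource owner list are all constructed for the example.

```python
"""Key-indicator scan over archived audit-trail lines (slides 36-39).
Added example; the log format and the policy values are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example):
#   <date> <time> <EVENT> <OK|FAIL> user=<id> [res=<resource>] src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\w+) "
    r"(?P<result>OK|FAIL) user=(?P<user>\S+)(?: res=(?P<res>\S+))? "
    r"src=(?P<src>\S+)$"
)

# Constructed sample of archived lines.
SAMPLE_LOG = """\
2007-03-01 02:14:05 LOGON FAIL user=bob src=10.0.0.5
2007-03-01 02:14:09 LOGON FAIL user=bob src=10.0.0.5
2007-03-01 02:14:12 LOGON FAIL user=bob src=10.0.0.5
2007-03-01 02:14:20 LOGON OK user=bob src=10.0.0.5
2007-03-01 02:15:01 ACCESS OK user=bob res=payroll.db src=10.0.0.5
2007-03-01 09:00:00 LOGON OK user=alice src=10.0.0.7
2007-03-01 09:05:30 ACCESS OK user=alice res=payroll.db src=10.0.0.7
2007-03-01 10:00:00 LOGON FAIL user=carol src=10.0.0.9
2007-03-01 17:30:00 LOGON OK user=carol src=10.0.0.9
"""

# Constructed policy values.
FAIL_THRESHOLD = 3                 # failures that should have locked the account
FAIL_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = (8, 18)           # logons outside 08:00-18:00 are flagged
RESOURCE_OWNERS = {"payroll.db": {"alice"}}   # who may touch which resource


def parse_log(text):
    """Parse lines into dicts; malformed lines are returned, not dropped,
    because a gap in the trail is itself a finding."""
    events, bad = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad.append(line)
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events, bad


def failed_logon_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """(user, failures, success_time) where >= threshold LOGON FAILs inside
    `window` were followed by a successful logon: if the lockout policy
    had worked, that success should not have been possible."""
    fails = defaultdict(list)
    findings = []
    for e in events:
        if e["event"] != "LOGON":
            continue
        u = e["user"]
        if e["result"] == "FAIL":
            fails[u].append(e["ts"])
            continue
        recent = [t for t in fails[u] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append((u, len(recent), e["ts"]))
        fails[u].clear()
    return findings


def off_hours_logons(events, hours=BUSINESS_HOURS):
    """Successful logons outside business hours (slide 36: log-on times)."""
    start, end = hours
    return [(e["user"], e["ts"]) for e in events
            if e["event"] == "LOGON" and e["result"] == "OK"
            and not (start <= e["ts"].hour < end)]


def unauthorized_access(events, owners=RESOURCE_OWNERS):
    """ACCESS records for a listed resource by a user who is not an owner."""
    return [(e["user"], e["res"], e["ts"]) for e in events
            if e["event"] == "ACCESS" and e["res"] in owners
            and e["user"] not in owners[e["res"]]]


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print("unparseable:", bad)
    print("lockout candidates:", failed_logon_bursts(evs))
    print("off-hours logons:", off_hours_logons(evs))
    print("unauthorized access:", unauthorized_access(evs))
```

The three checks are deliberately independent so that each maps to one of the slide's objectives: the failed-logon burst tests detection of unauthorized access, the off-hours and resource checks give the auditor a short list of events to reconstruct, and tying every finding to a user ID is what makes the trail useful for accountability.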

40 Database Management Controls
Two crucial database control issues:
Access controls
–Audit objectives: (1) those authorized to use databases are limited to the data needed to perform their duties and (2) unauthorized individuals are denied access to data
Backup controls
–Audit objective: backup controls can adequately recover lost, destroyed, or corrupted data

41 Access Controls
User views – based on sub-schemas
Database authorization table – allows greater authority to be specified
User-defined procedures – allow a user to create a personal security program or routine
Data encryption – encoding algorithms
Biometric devices – fingerprints, retina prints, or signature characteristics

42 Database Authorization Table
[Table: rows User 1, User 2, User 3; columns (Resource) Employee File, Line Printer, Cash Receipts Program, AR File. Cell values used: Read data / Change / Add / Delete, Read only, Read code, Use, Modify / Delete, No Access.]

43 Access Controls
Audit procedures: verify…
–responsibility for authority tables & subschemas
–granting of appropriate access authority
–use or feasibility of biometric controls
–use of encryption

44 Subschema Restricting Access

45 Backup Controls
Database backup – automatic periodic copy of data
Transaction log – list of transactions which provides an audit trail
Checkpoint features – suspend data processing during system reconciliation
Recovery module – restarts the system after a failure
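The four items on slide 45 fit together as one mechanism: the checkpoint is a consistent copy of the data plus the position in the transaction log it corresponds to, and the recovery module rebuilds the current state by replaying committed transactions logged after that point while discarding the one that was in flight when the system failed. The following added example shows that replay on a constructed log; it is not the textbook's code, and the record layout (seq, txn, op, key, value) is an assumption.

```python
"""Checkpoint plus transaction-log recovery (slide 45). Added example;
the log record layout and the sample data are constructed."""
import copy

# Constructed checkpoint: a snapshot of the database together with the
# sequence number of the last log record it already reflects.
CHECKPOINT = {"seq": 2, "snapshot": {"AR:1001": 500, "AR:1002": 120}}

# Constructed transaction log. T3 has no commit record because the system
# failed after its first write, so recovery must undo it.
TXN_LOG = [
    {"seq": 1, "txn": "T1", "op": "write", "key": "AR:1001", "value": 500},
    {"seq": 2, "txn": "T1", "op": "commit"},
    {"seq": 3, "txn": "T2", "op": "write", "key": "AR:1001", "value": 350},
    {"seq": 4, "txn": "T2", "op": "write", "key": "AR:1003", "value": 75},
    {"seq": 5, "txn": "T2", "op": "commit"},
    {"seq": 6, "txn": "T3", "op": "write", "key": "AR:1002", "value": 0},
]


def recover(checkpoint, log):
    """Restore the checkpoint snapshot, then redo every write belonging to a
    transaction that committed after the checkpoint. Writes of transactions
    with no commit record are dropped (rolled back). Returns (db, rolled_back)."""
    db = copy.deepcopy(checkpoint["snapshot"])
    pending = [r for r in log if r["seq"] > checkpoint["seq"]]
    committed = {r["txn"] for r in pending if r["op"] == "commit"}
    for r in pending:
        if r["op"] == "write" and r["txn"] in committed:
            db[r["key"]] = r["value"]
    rolled_back = sorted({r["txn"] for r in pending} - committed)
    return db, rolled_back


def missing_sequence(log):
    """Sequence numbers absent from the log: a gap means the log itself
    cannot be trusted as a complete audit trail."""
    seqs = {r["seq"] for r in log}
    return [s for s in range(min(seqs), max(seqs) + 1) if s not in seqs]


def history(log, key):
    """Committed values of one record in order, reconstructed from the log
    (the 'audit trail' use of the transaction log on slide 45)."""
    committed = {r["txn"] for r in log if r["op"] == "commit"}
    return [(r["seq"], r["txn"], r["value"]) for r in log
            if r["op"] == "write" and r["key"] == key and r["txn"] in committed]


if __name__ == "__main__":
    db, undone = recover(CHECKPOINT, TXN_LOG)
    print("recovered:", db, "rolled back:", undone)
    print("gaps:", missing_sequence(TXN_LOG))
    print("AR:1001 history:", history(TXN_LOG, "AR:1001"))
```

The audit procedures on slide 46 (regular copies, off-site storage) only help if the log between the last checkpoint and the failure is also intact, which is why the gap check is part of the example: a recovery that silently skips a missing sequence number produces a database that looks consistent but is not.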

46 Backup Controls
Audit procedures: verify…
–that production databases are copied at regular intervals
–that backup copies of the database are stored off site to support disaster recovery

47 Internet and Intranet Risks
Communications is a unique aspect of computer networks:
–different from processing (applications) or data storage (databases)
Network topologies – configurations of:
–communications lines (twisted-pair wires, coaxial cable, microwaves, fiber optics)
–hardware components (modems, multiplexers, servers, front-end processors)
–software (protocols, network control systems)

48 Sources of Internet & Intranet Risks
Internal and external subversive activities
Audit objectives:
1. prevent and detect illegal internal and Internet network access
2. render useless any data captured by a perpetrator
3. preserve the integrity and physical security of data connected to the network
Equipment failure
Audit objective: verify the integrity of electronic commerce transactions by determining that controls are in place to detect and correct message loss due to equipment failure

49 Risks from Subversive Threats
Include:
–unauthorized interception of a message
–gaining unauthorized access to an organization’s network
–a denial-of-service attack from a remote location

50 IC for Subversive Threats
Firewalls provide security by channeling all network connections through a control gateway.
Network level firewalls
–Low cost and low security access control
–Do not explicitly authenticate outside users
–Filter junk or improperly routed messages
–Experienced hackers can easily penetrate the system
Application level firewalls
–Customizable network security, but expensive
–Sophisticated functions such as logging or user authentication

51 Dual-Homed Firewall

52 IC for Subversive Threats
Denial-of-service (DOS) attacks
–Security software searches for connections which have been half-open for a period of time.
Encryption
–A computer program transforms a clear message into a coded (cipher) text form using an algorithm.

53 DOS Attack
[Figure: handshake between Sender and Receiver – Step 1: SYN messages; Step 2: SYN/ACK; Step 3: ACK packet code]
In a DOS attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not respond with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.
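Slide 52's countermeasure is a monitor on the receiver's side: replay the handshake messages of slide 53 per connection, and any connection that has received SYN/ACK but no ACK for longer than a timeout is half-open and should be reaped, with the count per server being the symptom to alarm on. This added example implements that monitor over a constructed packet trace; it is not the textbook's code, and the trace, the state names and the timeout are assumptions.

```python
"""Half-open connection monitor for the receiver (slides 52-53).
Added example; the trace and the policy values are constructed."""
from collections import Counter

# Constructed trace of handshake packets as seen by the receiver.
# Each event: (time_seconds, client, server, flag), flags as on slide 53.
TRACE = [
    (0.0, "192.0.2.10", "srv", "SYN"),
    (0.1, "192.0.2.10", "srv", "SYN/ACK"),
    (0.2, "192.0.2.10", "srv", "ACK"),        # legitimate: handshake completes
    (1.0, "203.0.113.5", "srv", "SYN"),
    (1.1, "203.0.113.5", "srv", "SYN/ACK"),   # never acknowledged
    (1.2, "203.0.113.6", "srv", "SYN"),
    (1.3, "203.0.113.6", "srv", "SYN/ACK"),   # never acknowledged
    (1.4, "203.0.113.7", "srv", "SYN"),
    (1.5, "203.0.113.7", "srv", "SYN/ACK"),   # never acknowledged
    (9.5, "192.0.2.11", "srv", "SYN"),
    (9.6, "192.0.2.11", "srv", "SYN/ACK"),    # recent: still inside the timeout
]


def connection_states(trace):
    """Replay the trace in time order and return
    {(client, server): (state, time_of_last_change)}.
    Steps 1-3 of slide 53 move a connection SYN_SEEN -> HALF_OPEN -> ESTABLISHED;
    out-of-order flags are ignored rather than advancing the state."""
    states = {}
    for t, client, server, flag in sorted(trace):
        key = (client, server)
        current = states.get(key, ("NONE", 0.0))[0]
        if flag == "SYN":
            states[key] = ("SYN_SEEN", t)
        elif flag == "SYN/ACK" and current == "SYN_SEEN":
            states[key] = ("HALF_OPEN", t)
        elif flag == "ACK" and current == "HALF_OPEN":
            states[key] = ("ESTABLISHED", t)
    return states


def stale_half_open(trace, now, timeout):
    """Connections left HALF_OPEN for more than `timeout` seconds as of `now`:
    the ones slide 52's security software searches for and drops."""
    return sorted(
        (client, server, round(now - t, 1))
        for (client, server), (state, t) in connection_states(trace).items()
        if state == "HALF_OPEN" and now - t > timeout
    )


def half_open_per_server(trace, now, timeout):
    """Stale half-open count per server; a count approaching the server's
    connection capacity is the 'clogged ports' condition of slide 53."""
    return Counter(server for _, server, _ in stale_half_open(trace, now, timeout))


if __name__ == "__main__":
    for client, server, age in stale_half_open(TRACE, now=10.0, timeout=3.0):
        print(f"reap half-open {client} -> {server}, idle {age}s")
    print(half_open_per_server(TRACE, now=10.0, timeout=3.0))
```

Two design points carry over to real monitors: the timeout must be short enough that reaping frees capacity faster than new half-open connections arrive, and the connection from 192.0.2.11 shows why age, not mere state, is the criterion, since every legitimate client is briefly half-open too.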

54 Standard Data Encryption Technique
[Figure: Cleartext Message → Encryption Program (with Key) → Ciphertext → Communication System → Communication System → Encryption Program (with Key) → Cleartext Message]

55 Public – Private Key Encryption
Public Key – used for encoding messages; multiple people may have the public key
Private Key – used for decoding messages; typically one person or a small number of people have the private key
[Figure: Messages A, B, C and D are each encoded with the public key into ciphertext and decoded with the private key back into Messages A, D, C and B]

56 Advanced Data Encryption Technique

57 IC for Subversive Threats
Digital signature – electronic authentication technique to ensure that…
–the transmitted message originated with the authorized sender
–the message was not tampered with after the signature was applied
Digital certificate – like an electronic identification card used with a public key encryption system
–Verifies the authenticity of the message sender

58 Digital Signature
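Slides 55 and 57 describe the two uses of one key pair: anyone with the public key can encode a message only the private-key holder can decode, and the private-key holder can sign a message digest that anyone with the public key can verify, which is what detects tampering. The following added example, not the textbook's code, carries both through with textbook RSA in plain Python. It assumes two small known primes (2^61-1 and 2^89-1) purely so the arithmetic is visible; a modulus this size is a teaching toy and nothing like a production key, and the hash-and-reduce signing here omits the padding a real scheme adds.

```python
"""Toy public/private-key encryption and digital signature (slides 55, 57).
Added example. Uses tiny hard-coded primes for illustration only."""
import hashlib

# Assumption: two Mersenne primes small enough to read, far too small to be
# secure. Real keys are thousands of bits and generated randomly.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537          # standard public exponent; coprime to (P-1)(Q-1) here


def generate_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (n, exponent) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Slide 55: anyone holding the public key can encode."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Slide 55: only the private-key holder can decode."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Slide 57: the sender signs the digest with the private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Slide 57: anyone with the public key checks the signature; any change
    to the message changes the digest, so the comparison fails."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    msg = b"PAY 500 AR-1001"           # constructed message, fits the modulus
    print("round trip ok:", decrypt(priv, encrypt(pub, msg)) == msg)
    sig = sign(priv, msg)
    print("genuine verifies:", verify(pub, msg, sig))
    print("tampered verifies:", verify(pub, b"PAY 900 AR-1001", sig))
```

The digital certificate of slide 57 is the piece this example leaves out: verification only proves the signature was made with the private key matching a given public key, and the certificate is what binds that public key to a named sender.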

59 IC for Subversive Threats
Message sequence numbering – a sequence number used to detect missing messages
Message transaction log – listing of all incoming and outgoing messages to detect the efforts of hackers
Request-response technique – random control messages are sent from the sender to ensure messages are received
Call-back devices – the receiver calls the sender back at a pre-authorized phone number before transmission is completed

60 Auditing Procedures for Subversive Threats
Review firewall effectiveness in terms of flexibility, proxy services, filtering, segregation of systems, audit tools, and probing for weaknesses.
Review data encryption security procedures
Verify encryption by testing
Review message transaction logs
Test procedures for preventing unauthorized calls

61 IC for Equipment Failure
Line errors are data errors from communications noise. Two techniques to detect and correct such data errors are:
–echo check – the receiver returns the message to the sender
–parity checks – an extra bit is added onto each byte of data, similar to check digits

62 Vertical and Horizontal Parity
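Slide 61 names the parity check and slide 62 its two directions: a vertical parity bit per byte detects an odd number of flipped bits within that byte, and a horizontal parity byte across the block detects which bit position was hit, so the intersection of a failing row and a failing column locates a single-bit error well enough to correct it. This added example works that through on a constructed block; it is not the textbook's code and uses even parity and XOR-based horizontal parity as assumptions.

```python
"""Vertical (per-byte) and horizontal (per-block) parity (slides 61-62).
Added example with constructed data; even parity is assumed."""


def parity_bit(byte: int) -> int:
    """Even parity: the bit that makes the count of 1s in (byte, bit) even."""
    return bin(byte).count("1") % 2


def encode_block(data: bytes):
    """Return ([(byte, vertical_parity), ...], horizontal_parity_byte).
    The horizontal byte is the XOR of all data bytes, i.e. even parity of
    each bit column across the block."""
    rows = [(b, parity_bit(b)) for b in data]
    lrc = 0
    for b in data:
        lrc ^= b
    return rows, lrc


def check_block(rows, lrc):
    """Return (bad_rows, bad_columns). A row fails when its byte no longer
    matches its parity bit; a column fails when the recomputed horizontal
    parity differs from the transmitted one in that bit position."""
    bad_rows = [i for i, (b, p) in enumerate(rows) if parity_bit(b) != p]
    col_xor = 0
    for b, _ in rows:
        col_xor ^= b
    diff = col_xor ^ lrc
    bad_cols = [k for k in range(8) if (diff >> k) & 1]
    return bad_rows, bad_cols


def correct_single_bit(rows, lrc):
    """If exactly one row and one column fail, flip that bit and return
    (corrected_rows, True); otherwise return the rows unchanged with False,
    which is the case the receiver must resolve by retransmission."""
    bad_rows, bad_cols = check_block(rows, lrc)
    if len(bad_rows) == 1 and len(bad_cols) == 1:
        i, k = bad_rows[0], bad_cols[0]
        fixed = list(rows)
        b, p = fixed[i]
        fixed[i] = (b ^ (1 << k), p)
        return fixed, True
    return list(rows), False


def flip_bits(rows, row: int, mask: int):
    """Simulate line noise: XOR `mask` into the data byte of one row."""
    noisy = list(rows)
    b, p = noisy[row]
    noisy[row] = (b ^ mask, p)
    return noisy


if __name__ == "__main__":
    rows, lrc = encode_block(b"AUDIT")            # constructed block
    noisy = flip_bits(rows, 1, 0x04)              # one bit hit in 'U'
    print("single-bit error located at:", check_block(noisy, lrc))
    fixed, ok = correct_single_bit(noisy, lrc)
    print("corrected:", ok, bytes(b for b, _ in fixed))
    double = flip_bits(rows, 1, 0x06)             # two bits hit in one byte
    print("two-bit error:", check_block(double, lrc),
          "correctable:", correct_single_bit(double, lrc)[1])
```

The two-bit case is the caveat to keep in mind when reviewing this control: an even number of flips inside one byte passes the vertical check, and only the horizontal check catches it, so the block can be detected as bad but not repaired, which is exactly why slide 63 asks the auditor to confirm that corrupted messages were retransmitted rather than assumed fixed.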

63 Auditing Procedures for Equipment Failure
Using a sample of messages from the transaction log:
–examine them for garbled contents caused by line noise
–verify that all corrupted messages were successfully retransmitted
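The message transaction log of slide 59 and the sample review of slide 63 can be done with the same pass over the log: sequence numbers expose missing messages, repeated sequence numbers with good status expose duplicated or replayed messages, and a garbled record with no later good copy of the same sequence number is a corruption that was never retransmitted. This added example, not the textbook's code, runs those three checks over a constructed log; the record layout (partner, direction, seq, status) is an assumption.

```python
"""Sequence-number and retransmission review of a message transaction log
(slides 59 and 63). Added example; the log records are constructed."""
from collections import Counter, defaultdict

# Constructed transaction log, one record per message sent or received,
# in the order the log recorded them.
LOG = [
    {"partner": "VENDOR-B", "dir": "in",  "seq": 1, "status": "ok"},
    {"partner": "VENDOR-B", "dir": "in",  "seq": 2, "status": "ok"},
    {"partner": "VENDOR-B", "dir": "in",  "seq": 3, "status": "garbled"},
    {"partner": "VENDOR-B", "dir": "in",  "seq": 3, "status": "ok"},       # retransmitted
    {"partner": "VENDOR-B", "dir": "in",  "seq": 5, "status": "ok"},       # seq 4 never arrived
    {"partner": "VENDOR-B", "dir": "in",  "seq": 6, "status": "garbled"},  # never resent
    {"partner": "VENDOR-B", "dir": "out", "seq": 1, "status": "ok"},
    {"partner": "VENDOR-B", "dir": "out", "seq": 2, "status": "ok"},
    {"partner": "VENDOR-B", "dir": "out", "seq": 2, "status": "ok"},       # sent twice
]


def by_stream(log):
    """Group records by (partner, direction); sequence numbers are only
    meaningful within one such stream."""
    streams = defaultdict(list)
    for r in log:
        streams[(r["partner"], r["dir"])].append(r)
    return streams


def missing_messages(log):
    """{(partner, dir): [missing seq numbers]} (slide 59: sequence numbering)."""
    out = {}
    for stream, recs in by_stream(log).items():
        seen = {r["seq"] for r in recs}
        gaps = [s for s in range(min(seen), max(seen) + 1) if s not in seen]
        if gaps:
            out[stream] = gaps
    return out


def duplicate_good_messages(log):
    """Sequence numbers logged more than once with status ok: a message
    sent twice or replayed, which the receiving application must reject."""
    out = {}
    for stream, recs in by_stream(log).items():
        counts = Counter(r["seq"] for r in recs if r["status"] == "ok")
        dups = sorted(s for s, c in counts.items() if c > 1)
        if dups:
            out[stream] = dups
    return out


def unrecovered_garbled(log):
    """Garbled records with no later ok record of the same seq in the same
    stream (slide 63: were all corrupted messages retransmitted?)."""
    out = {}
    for stream, recs in by_stream(log).items():
        for i, r in enumerate(recs):
            if r["status"] != "garbled":
                continue
            resent = any(later["seq"] == r["seq"] and later["status"] == "ok"
                         for later in recs[i + 1:])
            if not resent:
                out.setdefault(stream, []).append(r["seq"])
    return out


if __name__ == "__main__":
    print("missing:", missing_messages(LOG))
    print("duplicates:", duplicate_good_messages(LOG))
    print("garbled, never resent:", unrecovered_garbled(LOG))
```

Grouping by direction as well as partner matters: outgoing and incoming sequences are independent counters, and mixing them would hide a gap on one side behind a number present on the other.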

64 Electronic Data Interchange
Electronic data interchange (EDI) uses computer-to-computer communications technologies to automate B2B purchases.
Audit objectives:
1. Transactions are authorized, validated, and in compliance with the trading partner agreement.
2. No unauthorized organizations can gain access to the database.
3. Authorized trading partners have access only to approved data.
4. Adequate controls are in place to ensure a complete audit trail.

65 EDI Risks
Authorization
–automated and absence of human intervention
Access
–need to access EDI partner’s files
Audit trail
–paperless and transparent (automatic) transactions

66 EDI Controls
Authorization
–use of passwords and value added networks (VAN) to ensure a valid partner
Access
–software to specify what can be accessed and at what level
Audit trail
–control log records the transaction’s flow through each phase of the transaction processing

67 EDI System without Controls
[Figure: Company A (Purchases System → Application Software → EDI Translation Software → Communications Software) connected by a Direct Connection to Company B (Vendor) (Communications Software → EDI Translation Software → Application Software → Sales Order System)]

68 EDI System with Controls
[Figure: the same Company A and Company B (Vendor) chains as on slide 67, now connected through a VAN holding Company A’s mailbox, Company B’s mailbox and other mailboxes, with a Transaction Log on each side. Callouts: “Use of VAN to enforce use of passwords and valid partners”; “Software limits vendor’s (Company B) access to Company A’s database”; “Audit trail of transactions between trading partners”.]

69 Auditing Procedures for EDI
Tests of Authorization and Validation Controls
–Review procedures for verifying trading partner identification codes
–Review agreements with VAN
–Review trading partner files
Tests of Access Controls
–Verify limited access to vendor and customer files
–Verify limited access of vendors to database
–Test EDI controls by simulation
Tests of Audit Trail Controls
–Verify the existence of transaction logs at key points
–Review a sample of transactions
