CIS-MIDTERMS-REVIEWER

An IT audit focuses on the assessment of an organization's computer-based information systems, ensuring compliance with policies and regulations while evaluating internal controls. The audit process includes planning, risk assessment, and testing of controls, with an emphasis on safeguarding assets, ensuring data integrity, and promoting operational efficiency. Key components of internal control include the control environment, risk management, and monitoring, while IT governance ensures alignment of IT investments with corporate objectives.

Uploaded by Mc Jade Javier

IT Auditing in a Computer Information Systems (CIS) Environment

I. What is an IT Audit

 An IT audit focuses on the computer-based aspect of an organization’s information system.
 It includes the assessment of the proper implementation, operation, and control of computer resources.
 Since most modern organizations use information technology, IT audits have become a significant component of both external and internal audits.

II. Understanding the IT Environment

 Compared to manual systems, the IT environment complicates the design of effective internal controls due to several factors:

1. Concentration of Data – Information is stored in centralized systems, making it vulnerable to unauthorized access, theft, or destruction.
2. Increased Access Points – Users connect remotely, increasing exposure to security risks and cyber threats.
3. Rise in Malicious Activities – Attackers target systems, data, and assets to exploit weaknesses.
4. Management Override – It is easy for management to bypass internal controls, leading to potential financial fraud.

 As a result, multiple control points are required to secure IT environments.
 In IT environments, Computer-Assisted Audit Tools and Techniques (CAATTs) are used to extract and analyze data.

III. The Structure of an IT Audit

An IT audit is divided into three main phases:

1. Audit Planning

 The first phase where the auditor gains a thorough understanding of the client’s business, policies, and internal controls.
 A major component is the analysis of audit risk.
 Objective: Obtain sufficient information about the organization to plan the next phases.
 Techniques for gathering evidence:
o Conducting questionnaires
o Interviewing management
o Reviewing system documentation
o Observing business processes

2. Tests of Controls

 Evaluates whether internal controls are:
o Adequate
o Properly designed
o Functioning effectively
 Uses both manual testing and computer-assisted techniques.
 At the end of this phase, auditors assess the quality of internal controls to determine how much reliance can be placed on them.

3. Substantive Testing

 Focuses on financial data to verify the accuracy and integrity of transactions.
 Involves a detailed investigation of account balances and supporting records.
 Example:
o Customer confirmations for accounts receivable – The auditor selects sample balances and verifies their legitimacy by contacting customers.

IV. Internal Control

Objectives of Internal Control

Internal controls help organizations achieve four key objectives:

1. Safeguard assets to prevent loss or misuse.
2. Ensure accuracy and reliability of financial records.
3. Promote efficiency in operations and transaction processing.
4. Ensure compliance with company policies and government regulations.

A. Modifying Assumptions

1. Management Responsibility – Internal controls are the responsibility of management, not auditors.
2. Reasonable Assurance – Internal controls should provide a reasonable level of security but cannot eliminate all risks.
3. Methods of Data Collection – Controls should be effective regardless of data processing method (paper-based, computer-based, or web-based).
4. Limitations of Internal Control:
o Errors – No system is perfect.
o Collusion – Employees can bypass controls by working together.
o Management Override – Executives can override security measures.
o Changing Conditions – As systems evolve, controls may become outdated.

V. Components of Internal Control

1. Control Environment

 Establishes the foundation for effective controls.
 Key elements:
o Management’s integrity and ethical values
o Organizational structure and leadership
o Board of Directors and Audit Committee
o Management’s approach to decision-making and risk assessment
o HR policies, delegation of responsibilities, and employee evaluation

2. Risk Assessment

 Organizations must identify, analyze, and manage risks related to financial reporting and IT systems.
 Risks arise from:
o Competitive pressures (new market conditions).
o Implementation of new technology affecting transactions.
o Changes in regulatory requirements impacting financial processes.
 Auditors evaluate how risks are prioritized and mitigated.

3. Information and Communication

 Effective accounting information systems must:
o Identify and record transactions properly.
o Provide timely and accurate financial reports.
o Measure transaction values correctly for financial reporting.
 Auditors must understand:
o The organization’s material transactions and how they are processed.
o Accounting records and financial reporting methods.

4. Monitoring

 Management must ensure that internal controls are working as expected.

5. Control Activities

Control activities are divided into:

A. Computer Controls

1. General Controls
o Apply to the entire IT infrastructure (data centers, system access, software maintenance).
2. Application Controls
o Ensure data integrity in specific financial applications (e.g., payroll, accounts payable).

B. Physical Controls

1. Independent Verification
o Used to detect errors and fraud.
o Example: A system automatically checking for duplicate transactions or out-of-range values.
2. Transaction Authorization
o Ensures that only valid transactions are processed.
o Example:
 In automated inventory systems, purchases may be triggered automatically without human approval.
3. Segregation of Duties
o Prevents one person from controlling an entire transaction process.
o Example:
 A system should separate the roles of purchase authorization, payment processing, and record-keeping.
4. Supervision
o Managers must compensate for lack of segregation by closely supervising IT staff.
o Supervisory concerns include:
 High employee turnover in IT roles.
 Unauthorized access by IT personnel.
 Inability to directly observe data processing tasks.
5. Accounting Records
o In IT environments, audit trails may exist in digital formats (logs, pointers, indexed databases).
o Auditors use CAATTs to analyze and verify electronic transactions.
6. Access Controls
o Limits access to critical financial data.
o Two key threats:
 Fraud – Insiders with IT knowledge can manipulate data.
 Disaster Risks – Fire or cyberattacks can destroy data.
o Controls include:
 User access restrictions (login credentials, encryption).
 Data backup and disaster recovery plans.

CHAPTER 2: AUDITING IT GOVERNANCE CONTROLS

INFORMATION TECHNOLOGY GOVERNANCE

 IT governance is a subset of corporate governance that focuses on the management and assessment of strategic IT resources.
 Key objectives of IT governance:
o Reduce risk
o Ensure IT investments add value to the corporation
 Before the Sarbanes-Oxley Act (SOX), IT decisions were mostly made by corporate IT professionals.
 Modern IT governance involves boards of directors, top management, and departmental users (e.g., accounting and finance).
 This broad-based involvement reduces risk and ensures IT decisions align with:
o User needs
o Corporate policies
o Strategic initiatives
o SOX internal control requirements

IT Governance Controls

The SOX Act and the COSO internal control framework address three critical IT governance issues:

1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION

The organization of the IT function affects internal controls and audits. Two extreme organizational models exist:

1. Centralized Data Processing
2. Distributed Data Processing (DDP)

1. Centralized Data Processing

 All data processing is performed at a central site using large computers.
 End users compete for IT resources based on need.
 IT services operate as a cost center, with operating costs charged back to users.

Key IT Service Areas in a Centralized Model:

1. Database Administration
o Centrally organizes and secures data resources.
o Led by a Database Administrator (DBA) who ensures data security and integrity.
2. Data Processing
o Manages computing resources for daily transaction processing.
o Includes:
 Data Conversion: Transcribes hard-copy data into computer input.
 Computer Operations: Manages electronic file processing on central systems.
 Data Library: Stores off-line backups, original software, and licenses.
3. Systems Development and Maintenance
o Systems Development: Designs new systems.
o Systems Maintenance: Updates programs to reflect user needs.

SEGREGATION OF INCOMPATIBLE IT FUNCTIONS

Segregation of duties prevents:

1. Unauthorized transaction processing
2. Fraud
3. Errors in record-keeping

Key IT Functions that Require Segregation:

 Systems Development vs. Computer Operations
o Developers should not operate systems.
o Operators should not modify system logic.
 Database Administration vs. Other Functions
o The DBA manages database security and access control.
 New Systems Development vs. Maintenance
o Programmers who design a system should not maintain it (prevents program fraud).

DISTRIBUTED DATA PROCESSING (DDP) MODEL

 IT services are decentralized into smaller IT units controlled by end users.
 Two approaches to DDP:
o Alternative A: Terminals distributed, but systems remain centralized.
o Alternative B: All computer services are distributed, eliminating a central IT function.

Risks Associated with DDP:

1. Inefficient Resource Use – Redundant tasks, data duplication.
2. Loss of Audit Trails – Digital records can be deleted or corrupted.
3. Inadequate Segregation of Duties – Small units lack separation of key tasks.
4. Hiring Unqualified IT Professionals – Managers lack IT knowledge for hiring.
5. Lack of Standards – Inconsistent software, documentation, and security policies.

CONTROLLING THE DDP ENVIRONMENT

Recommended Controls for DDP:

1. Corporate IT Function
o Central IT provides technical expertise, testing, and security standards.
2. Central Testing of Software & Hardware
o Prevents incompatible technology purchases.
3. Standard-Setting Body
o Establishes guidelines for system design, programming, and documentation.
4. Personnel Review
o Central IT should evaluate IT job candidates before hiring.

THE COMPUTER CENTER

Accountants evaluate computer center security risks in annual audits.

Key Risks & Controls:

1. Physical Location – Should be away from hazards (flood zones, crime areas).
2. Construction – Fireproof, secure building with underground utilities.
3. Access Controls – Limited to authorized staff via ID cards, logs, cameras.
4. Air Conditioning – Maintains 70-75°F, 50% humidity to prevent failures.
5. Fire Suppression – Includes alarms, fire-resistant construction, extinguishers.
6. Fault Tolerance – Uses RAID, Uninterruptible Power Supplies (UPS).

Audit Procedures for the Computer Center:

 Review fire safety records, access logs, construction standards.
 Ensure RAID and backup power systems are tested.

DISASTER RECOVERY PLANNING (DRP)

A Disaster Recovery Plan (DRP) is a formalized strategy for responding to IT disasters.

Key Elements of DRP:

1. Identify Critical Applications
2. Create a Disaster Recovery Team
3. Provide Second-Site Backup
o Cold Site (Empty Shell) – Backup facility without hardware.
o Hot Site (Recovery Operations Center, ROC) – Fully equipped backup facility.
4. Backup & Off-Site Storage
o Regular data, software, and document backups.
5. Test the DRP – Simulated disasters ensure preparedness.

OUTSOURCING THE IT FUNCTION

 IT outsourcing transfers IT responsibilities to third-party vendors.
 Benefits: Cost savings, efficiency, and access to expertise.
 Risks:
o Vendor failure
o Security breaches
o Loss of strategic control

Audit Implications:

 SOX requires companies to evaluate vendor IT controls.
 SAS 70 Report verifies third-party security compliance.


1. AUDITING OPERATING SYSTEMS

1.1 Operating System Objectives

The operating system (OS) is the computer’s control program responsible for managing the hardware and software resources of a system.

 It allows multiple users and applications to share and access computer resources, such as:
o Processors
o Main memory
o Databases
o Printers

Main Tasks of an Operating System:

1. Translation of High-Level Languages:
o Converts COBOL, C++, BASIC, SQL into machine-level instructions.
o Uses compilers and interpreters to translate source code into executable programs.
2. Resource Allocation:
o Assigns memory workspace (partitions) to applications.
o Manages hardware resources, such as disk storage, network connections, and processing power.
o Authorizes access to terminals, databases, printers, and communication links.
3. Job Scheduling and Multiprogramming:
o Prioritizes user jobs to efficiently allocate processing power.
o Supports concurrent execution of multiple processes.
o Jobs can enter the system in three ways:
 Direct submission by system operator
 Batch-job queues
 Telecommunications links from remote workstations

Five Fundamental Control Objectives of an Operating System:

1. Protecting the Operating System from Users:
o Prevent unauthorized applications from gaining control, modifying system configurations, or damaging system files.
2. Protecting Users from Each Other:
o Restrict users from accessing, modifying, or corrupting each other’s data or applications.
3. Protecting Users from Themselves:
o Prevent a user’s application from damaging its own system files.
4. Protecting the Operating System from Itself:
o Ensure system modules do not interfere with each other or cause self-destruction.
5. Protecting the Operating System from the Environment:
o Provide controlled shutdown procedures in case of power failures or disasters.

1.2 Operating System Security

Operating system security involves policies, procedures, and controls that:

 Determine who can access the OS.
 Control which system resources (files, databases, devices) users can access.
 Restrict unauthorized activities.

Components of a Secure Operating System:

1. Log-On Procedure
o The first line of defense against unauthorized access.
o Requires user ID and password authentication.
o If login credentials do not match, the system:
 Denies access.
 Returns a generic failure message (without specifying whether the ID or password was incorrect).
o After five failed attempts, the system should lock the user account.
2. Access Token
o If authentication is successful, the system generates an access token containing:
 User ID
 Password
 User group
 Privileges granted
o The access token remains active throughout the session and is used to validate all system interactions.
3. Access Control List (ACL)
o Each IT resource (directories, files, programs) has an ACL that defines user privileges.
o When a user attempts access, the system:
 Compares the access token with the ACL.
 Grants or denies access based on the permissions set.
4. Discretionary Access Privileges
o System administrator usually controls access, but in some cases, users can grant access.
o Example:
 The controller (general ledger owner) grants read-only privileges to a budgeting manager.
 The accounts payable manager has read and write privileges.
 The budgeting manager cannot modify ledger entries.
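Added example, not from the reviewer: a small Python model of the log-on procedure, access token, ACL comparison and discretionary grant described above, using the general ledger example. The user names, passwords and ACL entries are constructed; the five-attempt lockout and the generic failure message follow the notes.

```python
"""Added example, not from the reviewer: a toy model of the log-on
procedure, access token and access control list (ACL) described above.
The users, passwords and the general-ledger ACL are constructed; the
five-attempt lockout and the generic failure message follow the notes.
The token omits the password the notes list: the ACL check never needs it."""
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5             # lock the account after five failures
GENERIC_FAILURE = "Log-on failed"   # does not say whether ID or password was wrong


@dataclass
class Account:
    user_id: str
    password: str                   # plain text only because this is a toy model
    group: str
    failed_attempts: int = 0
    locked: bool = False


@dataclass(frozen=True)
class AccessToken:
    user_id: str
    group: str
    privileges: frozenset           # resources this user owns (may grant on)


# Constructed user directory: the controller owns the general ledger.
ACCOUNTS = {
    "controller": Account("controller", "c0ntr0l-pw", "finance"),
    "budget_mgr": Account("budget_mgr", "budg3t-pw", "finance"),
    "ap_mgr": Account("ap_mgr", "payabl3-pw", "finance"),
}

# Constructed ACL: resource -> {user ID or group: set of rights}.  The
# controller (owner) gave the budgeting manager read-only access and the
# accounts payable manager read and write access.
ACL = {
    "general_ledger": {
        "controller": {"read", "write", "grant"},
        "budget_mgr": {"read"},
        "ap_mgr": {"read", "write"},
    },
}


def log_on(user_id, password):
    """Return (token, message).  Every failure gets the same generic message
    and counts toward the lockout; a locked account is refused even when the
    password is right."""
    account = ACCOUNTS.get(user_id)
    if account is None or account.locked:
        return None, GENERIC_FAILURE
    if password != account.password:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
        return None, GENERIC_FAILURE
    account.failed_attempts = 0
    owned = frozenset(r for r, entries in ACL.items()
                      if "grant" in entries.get(user_id, set()))
    return AccessToken(user_id, account.group, owned), "OK"


def check_access(token, resource, right):
    """Compare the access token with the resource's ACL: the right must be
    listed for the user ID or for the user's group."""
    entries = ACL.get(resource, {})
    granted = entries.get(token.user_id, set()) | entries.get(token.group, set())
    return right in granted


def grant(owner_token, resource, grantee, rights):
    """Discretionary access privilege: only a user holding 'grant' on the
    resource may extend rights to someone else."""
    if resource not in owner_token.privileges:
        return False
    ACL[resource].setdefault(grantee, set()).update(rights)
    return True
```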
1.3 Threats to Operating System Integrity

Accidental Threats:

 Hardware failures that cause unexpected system crashes.
 Application program errors leading to system failures.
 Memory dumps may expose confidential data if stored improperly.

Intentional Threats:

1. Privileged Personnel Abusing Authority:
o System administrators and programmers have full access and may misuse their privileges.
2. Internal and External Attackers:
o Hackers exploit OS vulnerabilities to access or modify system files.
3. Malicious Software:
o Viruses, worms, logic bombs, backdoors, and Trojan horses damage the operating system.

Audit Procedures Relating to Access Privileges:

To achieve their objectives, auditors may perform the following tests of controls:

 Review the organization’s policies for separating incompatible functions and ensure that they promote reasonable security.
 Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions.
o The auditor should verify that individuals are granted access to data and programs based on their need to know.
 Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy.
 Review employee records to verify that users have formally acknowledged their responsibility to maintain the confidentiality of company data.
 Review the users’ permitted log-on times to ensure that permission is commensurate with the tasks being performed.

PASSWORD CONTROL

 A password is a secret code that the user enters to gain access to:
o Systems
o Applications
o Data files
o Network servers
 If the user cannot provide the correct password, the operating system should deny access.

Common Security Issues with Passwords:

Although passwords provide a degree of security, they can lead to security risks if users do not follow proper security procedures.

The most common contra-security behaviors include:

 Forgetting passwords and being locked out of the system.
 Failing to change passwords on a frequent basis.
 The Post-it Syndrome:
o Passwords are written down and displayed for others to see.
 Using simplistic passwords that a computer criminal can easily anticipate.

TYPES OF PASSWORD CONTROLS

Reusable Passwords

 The most common method of password control.
 The user defines a password once and then reuses it for future access.
 The security strength of a reusable password depends on its quality.

Weak Passwords:

 Passwords based on personal information, such as:
o Child’s name
o Pet’s name
o Birth date
o Hair color
 Passwords derived from non-personal data can also be weak, such as:
o Simple keystroke patterns (e.g., ASDF)
o The same letter used multiple times

Strong Passwords:

 Passwords that contain random letters and digits are more difficult to crack but harder for users to remember.

Management Controls to Improve Access Control:

 Require passwords to be changed regularly.
 Disallow weak passwords using software that automatically scans password files.
 Notify users when passwords have expired and need to be changed.
 Use extensive databases of known weak passwords to validate new passwords and disallow weak ones.

One-Time Passwords

 Designed to overcome security issues related to reusable passwords.
 Under this approach, the user’s password changes continuously.
 Uses a credit card-sized smart card that contains a microprocessor programmed with an algorithm that generates:
o A new and unique password every 60 seconds.

How One-Time Passwords Work:

 The smart card works in conjunction with special authentication software located on a mainframe or network server.
 Each user’s card is synchronized to the authentication software.
 At any point in time, both the smart card and the network software generate the same password for the same user.
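Added example, not from the reviewer: a Python model of the time-synchronized smart card and authentication server described under "How One-Time Passwords Work", extended with a challenge/response variant. The notes do not give the card's algorithm, so HMAC-SHA256 over a per-card secret, a six-digit password, a PIN check and single-use acceptance are all assumptions; secrets, PINs and user names are constructed.

```python
"""Added example, not from the reviewer: a model of a time-synchronized
one-time password card and its server, plus a challenge/response variant.
Assumed (not from the notes): HMAC-SHA256 over a per-card secret, six
decimal digits, a PIN checked before the password, and each password
accepted only once.  All secrets, PINs and user names are constructed."""
import hashlib
import hmac
import secrets

STEP_SECONDS = 60          # the card shows a new password every 60 seconds
CHALLENGE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def derive_password(card_secret, material):
    """Shared card/server algorithm (assumed): HMAC of the time step or of
    the challenge, truncated to six decimal digits."""
    digest = hmac.new(card_secret, material, hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(digest[:4], "big") % 1_000_000)


def time_step(now):
    """The 60-second step both sides derive from their synchronized clocks."""
    return (int(now) // STEP_SECONDS).to_bytes(8, "big")


class SmartCard:
    """The user's card; it holds the same secret the server holds."""
    def __init__(self, card_secret):
        self.secret = card_secret

    def current_password(self, now):
        """Time-synchronized variant: the password for this minute."""
        return derive_password(self.secret, time_step(now))

    def respond(self, challenge):
        """Challenge/response variant: the server's six-character challenge is
        keyed into (or scanned by) the card, which returns the response."""
        return derive_password(self.secret, challenge.encode())


class AuthenticationServer:
    """Constructed authentication software on the network server."""
    def __init__(self):
        self.users = {}        # user -> (sha256 of PIN, card secret)
        self.used = set()      # (user, time step) pairs already accepted
        self.pending = {}      # user -> outstanding challenge

    def enroll(self, user, pin, card_secret):
        self.users[user] = (hashlib.sha256(pin.encode()).hexdigest(), card_secret)

    def _pin_ok(self, user, pin):
        pin_hash, _ = self.users[user]
        return hmac.compare_digest(pin_hash, hashlib.sha256(pin.encode()).hexdigest())

    def log_on(self, user, pin, password, now):
        """Time-synchronized log-on: PIN first, then the password for the
        current minute, which is accepted only once (so an intercepted
        PIN and password replayed within the minute are refused)."""
        if user not in self.users or not self._pin_ok(user, pin):
            return False
        _, card_secret = self.users[user]
        step = time_step(now)
        expected = derive_password(card_secret, step)
        if not hmac.compare_digest(expected, password) or (user, step) in self.used:
            return False
        self.used.add((user, step))
        return True

    def issue_challenge(self, user):
        """Challenge/response step 1: issue a fresh six-character code."""
        challenge = "".join(secrets.choice(CHALLENGE_ALPHABET) for _ in range(6))
        self.pending[user] = challenge
        return challenge

    def verify_response(self, user, response):
        """Challenge/response final step: compare with the expected response;
        the challenge is discarded so it cannot be answered twice."""
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.users:
            return False
        _, card_secret = self.users[user]
        return hmac.compare_digest(derive_password(card_secret, challenge.encode()), response)
```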
 To access the network:
1. The user enters a PIN.
2. The user enters the current password displayed on the smart card.

Security Advantages of One-Time Passwords:

 The password can be used only once.
 If a hacker intercepts the password and PIN during transmission and attempts to use them within the 1-minute time frame, access is denied.
 If the smart card falls into the hands of a computer criminal, access cannot be achieved without the PIN.

Challenge/Response One-Time Passwords

 Another technique to generate one-time passwords.
 Uses a challenge/response approach.

How It Works:

1. When the user attempts to log on, the network authentication software issues a six-character code (the challenge).
2. The card can scan the challenge optically or the user enters it into the card via its built-in keypad.
3. The card’s internal algorithm then generates a one-time password (the response).
4. The user enters the response password through the remote terminal keyboard.
5. If the firewall recognizes the current password, access is permitted.

Audit Objectives Relating to Passwords:

The auditor’s objective is to ensure that:

 The organization has an adequate and effective password policy.

Audit Procedures Relating to Passwords:

To achieve this objective, the auditor may perform the following tests:

 Verify that all users are required to have passwords.
 Verify that new users are instructed in the use of passwords and their importance.
 Review password control procedures to ensure passwords are changed regularly.
 Review the password file to ensure weak passwords are identified and disallowed.
 Verify that the password file is encrypted and that the encryption key is properly secured.
 Assess the adequacy of password standards such as length and expiration interval.
 Review the account lockout policy and determine how many failed log-on attempts are allowed before the account is locked.

CONTROLLING AGAINST MALICIOUS AND DESTRUCTIVE PROGRAMS

 Malicious and destructive programs are responsible for millions of dollars in corporate los﻿ses annually.
 These losses are measured in terms of:
o Data corruption and destruction
o Degraded computer performance
o Hardware destruction
o Violations of privacy
o Personnel time devoted to repairing the damage
 This class of programs includes:
o Viruses
o Worms
o Logic bombs
o Back doors
o Trojan horses
 Threats from destructive programs can be substantially reduced through a combination of:
o Technology controls
o Administrative procedures

Preventive Controls for Malicious and Destructive Programs

 Purchase software only from reputable vendors and accept only those products that are in their original, factory-sealed packages.
 Issue an entity-wide policy prohibiting the use of unauthorized software or illegal (bootleg) copies of copyrighted software.
 Examine all upgrades to vendor software for viruses before implementation.
 Inspect all public-domain software for virus infection before using.
 Establish entity-wide procedures for making changes to production programs.
 Develop an educational program to raise user awareness regarding threats from viruses and malicious programs.
 Install all new applications on a stand-alone computer and thoroughly test them with antiviral software before implementing them on:
o The mainframe
o Local area network (LAN) server
 Routinely make backup copies of key files stored on:
o Mainframes
o Servers
o Workstations
 Wherever possible, limit users to read and execute rights only.
o This allows users to:
 Extract data
 Run authorized applications
o It denies them the ability to write directly to mainframe and server directories.
 Require protocols that explicitly invoke the operating system’s log-on procedures to bypass Trojan horses.
o Example: A user sits at a terminal displaying a log-on screen and enters their ID and password.
o This screen may be a Trojan horse rather than a legitimate log-on procedure.
o Some operating systems allow users to directly invoke the OS log-on procedure by entering a key sequence such as CTRL + ALT + DEL.
o This ensures that the log-on screen is legitimate.
 Use antiviral software (also called vaccines) to:
o Examine application and operating system programs for the presence of a virus.
o Remove the virus from the affected program.
o Protect mainframes, network servers, and personal computers.
o Automatically test all files uploaded to the host.
 Antiviral software works only on known viruses.
o If a virus has been modified slightly (mutated), the vaccine may not work.
o Maintaining a current version of the vaccine is critical.

AUDIT OBJECTIVE RELATING TO VIRUSES AND OTHER DESTRUCTIVE PROGRAMS

 The key to computer virus control is prevention through strict adherence to organizational policies and procedures that guard against virus infection.
 The auditor’s objective is to verify that:
o Effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including:
 Viruses
 Worms
 Back doors
 Logic bombs
 Trojan horses

AUDIT PROCEDURES RELATING TO VIRUSES AND OTHER DESTRUCTIVE PROGRAMS

 Through interviews, determine that operations personnel have been educated about computer viruses and are aware of the risky computing practices that can introduce and spread viruses and other malicious programs.
 Verify that new software is tested on standalone workstations before being implemented on the host or network server.
 Verify that the current version of antiviral software is installed on the server and that upgrades are regularly downloaded to workstations.

SYSTEM AUDIT TRAIL CONTROLS

 System audit trails are logs that record activity at the:
o System level
o Application level
o User level
 Operating systems allow management to select the level of auditing to be recorded in the log.
 Management must determine the threshold between useful information and irrelevant facts.
 An effective audit policy should:
o Capture all significant events
o Avoid cluttering the log with trivial activity

TYPES OF AUDIT LOGS

1. Keystroke Monitoring
o Involves recording both the user’s keystrokes and the system’s responses.
o Used for:
 Reconstructing events after a security breach.
 Real-time control to prevent unauthorized intrusion.
o Keystroke monitoring is the computer equivalent of a telephone wiretap.
o Before implementing this control, management and auditors must consider:
 Legal implications
 Ethical implications
 Behavioral implications
2. Event Monitoring
o Summarizes key activities related to system resources.
o Records the following data:
 IDs of all users accessing the system
 Time and duration of user sessions
 Programs executed during a session
 Files, databases, printers, and other resources accessed

SETTING AUDIT TRAIL OBJECTIVES

Audit trails support security objectives in three ways:

1. Detecting Unauthorized Access
o Detection can occur:
 In real time – To protect the system from outside intrusion.
 After the fact – To review logs for security breaches.
o Real-time audit trails can also detect:
 System performance changes that may indicate virus or worm infestations.
o After-the-fact detection logs can be stored electronically for periodic review.
2. Reconstructing Events
o Audit trail analysis can reconstruct the steps leading to:
 System failures
 Security violations
o Understanding system conditions before a failure helps:
 Assign responsibility
 Prevent similar issues in the future
3. Promoting Personal Accountability
o Audit trails monitor user activity at the lowest level of detail.
o Serves as a preventive control – Users are less likely to violate security policy if they know their actions are logged.
o Serves as a detective control – Helps assign accountability for security violations.
o Example:
 An accounts receivable clerk accesses customer records excessively.
 The audit log may indicate the clerk is selling customer information, violating company privacy policy.

AUDIT OBJECTIVES RELATING TO SYSTEM AUDIT TRAILS

 Ensure that the established system audit trail is adequate for:
o Preventing and detecting abuses
o Reconstructing key events before system failures
o Planning resource allocation

AUDIT PROCEDURES RELATING TO SYSTEM AUDIT TRAILS

 Verify that the audit trail has been activated according to organization policy.
 Use audit log viewers to scan logs for unusual activity, including:
o Unauthorized or terminated users
o Periods of inactivity
o Activity by user, workgroup, or department
o Log-on and log-off times
o Failed log-on attempts
o Access to specific files or applications
 Select a sample of security violation cases and evaluate their disposition to assess the effectiveness of the security group.

AUDITING NETWORKS

 Reliance on networks for business communications poses concerns about unauthorized access to confidential information.
 As Local Area Networks (LANs) become platforms for mission-critical applications and data, proprietary information, customer data, and financial records are at risk.
 Organizations connected to their customers and business partners via the Internet are particularly exposed.
 Without adequate protection, firms are vulnerable to:
o Computer hackers
o Vandals
o Thieves
o Industrial spies (both internally and globally)

The Paradox of Networking

 Networks exist to provide user access to shared resources, yet the most important objective of any network is to control such access.
 For every productivity argument in favor of remote access, there is a security argument against it.
 Organization management constantly seeks a balance between:
o Increased access
o Associated business risks
 The following section presents various network threats, including:
o Intranet risks from dishonest employees.
o Internet risks threatening both consumers and business entities.
 Basic network technologies are covered in the chapter appendix for readers unfamiliar with network terms and acronyms.

2.1 INTRANET RISKS

 Intranets consist of:
o Small LANs
o Large Wide Area Networks (WANs)
o May contain thousands of individual nodes
 Used for internal communication, including:
o E-mail routing
o Transaction processing between business units
o Linking to the external Internet

Unauthorized and Illegal Employee Activities

 Employees may engage in unauthorized activities due to:
o Vengeance against the company.
o The challenge of breaking into unauthorized files.
o Profiting from selling trade secrets or embezzling assets.
 Current and former employees are a significant threat due to:
o Their intimate knowledge of system controls.
o Lack of controls within the organization.
 Discharged employees or those who leave under contentious circumstances are particularly concerning.
 Trade secrets, operational data, accounting data, and confidential information to which the employee had access are at the greatest risk.

Interception of Network Messages

 Most intranets use a shared communication channel where the following data is transmitted:
    o User IDs
    o Passwords
    o Confidential e-mails
    o Financial data files
 Unauthorized interception of this information is known as sniffing.
 Exposure risk increases when an intranet is connected to the Internet.
 Sniffer software is used by:
    o Network administrators to analyze network traffic and detect bottlenecks.
    o Hackers, who download sniffer software from the Internet to intercept and read data sent across a shared intranet channel.

Access to Corporate Databases
 Intranet connections to central corporate databases increase the risk that an employee may:
    o View, corrupt, change, or copy data.
    o Download and sell confidential information, such as:
         Social Security numbers
         Customer listings
         Credit card information
         Recipes, formulas, and design specifications
 Bribery of employees with access privileges has led to:
    o Accounts receivable write-offs.
    o Erasure of outstanding tax bills.
 Financial fraud losses from insider crimes:
    o Average loss: $500,000 per incident.
    o Corporate espionage losses: Over $1 million per incident.
    o Total insider trade secret theft losses: Over $24 billion per year.

Privileged Employees
 Internal controls typically target lower-level employees, but the biggest threats come from:
    o Middle managers, who override controls and commit insider crimes.
    o Information systems employees, who have override privileges and can access mission-critical data.

Reluctance to Prosecute
 Many organizations avoid prosecuting computer criminals due to fear of negative publicity.
 However, reporting rates are improving:
    o 1996: Only 17% of firms reported illegal intrusions.
    o 2002: 75% of firms reported such crimes.

Negligent Hiring Liability
 Courts are holding employers responsible for criminal acts by employees that could have been prevented through background checks.
 Many states have passed laws protecting former employers who provide work-related performance information when:
    1. The inquiry comes from a prospective employer.
    2. The information is based on credible facts.
    3. The information is given without malice.

2.2 INTERNET RISKS
 Significant business risks associated with Internet commerce include:
    o IP Spoofing
    o Denial of Service (DoS) Attacks
    o Equipment Failure

IP Spoofing
 IP spoofing is a form of masquerading to:
    o Gain unauthorized access to a Web server.
    o Commit unlawful acts without revealing the perpetrator’s identity.
 A criminal modifies the IP address of the originating computer to:
    o Disguise their identity.
    o Bypass security controls.
 Potential uses of IP spoofing:
    o Hacking corporate networks.
    o Committing fraud.
    o Industrial espionage.
    o Destroying data.
 Example:
    o A hacker spoofs a manufacturing firm by sending a fake sales order appearing to come from a legitimate customer.
    o If undetected, the manufacturer incurs costs for producing and delivering a product that was never ordered.

Denial of Service (DoS) Attacks
 A DoS attack targets a Web server to prevent it from servicing legitimate users.
 Particularly devastating to business entities that rely on Web services for:
    o Customer transactions
    o E-commerce operations
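Tying the audit-trail procedures above (scanning logs for unauthorized or terminated users, periods of inactivity, and activity by user or department) to the insider risks just described, here is an added example that is not part of the reviewer notes. The log format, user directory, user ids and the four-hour inactivity threshold are all constructed for the demonstration.

```python
"""Audit-log scan implementing the audit-trail procedures from the notes.
Everything here (log layout, users, departments, thresholds) is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail, one event per line:
# timestamp | user id | department | action | object
AUDIT_LOG = """\
2024-03-04T08:02:11 | jsmith | sales | LOGIN | -
2024-03-04T08:05:40 | jsmith | sales | READ | customer_master
2024-03-04T08:06:02 | jsmith | sales | EXPORT | customer_master
2024-03-04T09:15:00 | mlee | payroll | LOGIN | -
2024-03-04T18:40:13 | mlee | payroll | UPDATE | payroll_rates
2024-03-04T21:03:55 | rgomez | accounting | LOGIN | -
2024-03-04T21:04:10 | rgomez | accounting | READ | ar_ledger
2024-03-04T21:30:00 | ghost42 | sales | READ | customer_master
"""

# Constructed user directory: authorized users with their department, and
# the users HR has already marked as terminated.
AUTHORIZED_USERS = {"jsmith": "sales", "mlee": "payroll", "rgomez": "accounting"}
TERMINATED_USERS = {"rgomez"}

def parse_log(text):
    """Turn the pipe-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, dept, action, obj = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "action": action, "obj": obj})
    return events

def flag_unauthorized_or_terminated(events):
    """Events by a user not in the directory, or by a terminated user."""
    return [e for e in events
            if e["user"] not in AUTHORIZED_USERS or e["user"] in TERMINATED_USERS]

def inactivity_gaps(events, longer_than=timedelta(hours=4)):
    """Per-user gaps between consecutive events that exceed the threshold:
    a session left idle for hours and then used again deserves a second look."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e["ts"])
    gaps = []
    for user, times in by_user.items():
        for earlier, later in zip(times, times[1:]):
            if later - earlier > longer_than:
                gaps.append((user, earlier, later))
    return gaps

def activity_by(events, key):
    """Count events per user (key="user") or per department (key="dept")."""
    return Counter(e[key] for e in events)

def export_events(events):
    """Bulk exports of customer data are the kind of activity the clerk
    example in the notes describes; list them for auditor review."""
    return [e for e in events if e["action"] == "EXPORT"]
```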
Three Common DoS Attacks:
1. SYN Flood Attack
    o Perpetrator sends multiple SYN packets but never completes the connection.
    o Server’s ports become clogged, blocking legitimate users.
    o Uses IP spoofing to disguise the attacker’s identity.
2. Smurf Attack
    o Exploits the ping function to flood the victim with responses from a compromised network.
    o Uses IP spoofing to send pings from the victim’s forged IP address.
    o Overloads the victim’s network.
3. Distributed Denial of Service (DDoS) Attack
    o Uses a botnet (zombie computers) to launch an attack.
    o Attacks financial institutions for extortion purposes.
    o Hackers demand ransom payments to stop attacks.

Risks from Equipment Failure
 Network topologies consist of:
    o Communication lines (twisted-pair wires, coaxial cables, microwaves, fiber optics).
    o Hardware components (modems, multiplexers, servers, front-end processors).
    o Software (protocols and network control systems).
 Equipment failures can:
    o Disrupt, destroy, or corrupt transmissions.
    o Result in database and program losses on network servers.

2.3 CONTROLLING NETWORKS
 This section examines various control techniques used to mitigate network risks.
 It begins with subversive threat controls, including:
    o Firewalls
    o Deep Packet Inspection (DPI)
    o Encryption
    o Message Control Techniques
 The section then presents:
    o Audit objectives and procedures related to subversive threats.
    o Controls, audit objectives, and audit procedures related to threats from equipment failure.

2.4 CONTROLLING RISKS FROM SUBVERSIVE THREATS
Firewalls
 Organizations connected to the Internet or other public networks often implement a firewall to insulate their intranet from outside intruders.
 A firewall is a system that enforces access control between two networks.
 To accomplish this, a firewall must:
    o Ensure all traffic between the outside network and the organization’s intranet passes through the firewall.
    o Allow only authorized traffic, as defined by formal security policy, to pass through.
    o Be immune to penetration from both outside and inside the organization.
 Functions of Firewalls:
    o Authenticate outside users of the network.
    o Verify access authority levels of users.
    o Direct users to requested programs, data, or services.
    o Insulate portions of the organization’s intranet from internal access.
         Example: A LAN controlling access to financial data can be insulated from other internal LANs.
 Firewalls can be grouped into two general types:
    1. Network-Level Firewalls
    2. Application-Level Firewalls

Network-Level Firewalls
 Efficient but low-security access control.
 Uses a screening router that examines:
    o Source addresses
    o Destination addresses
 Firewall Filtering Rules:
    o Based on pre-programmed criteria, access requests are either accepted or denied.
    o The firewall directs incoming calls to the correct internal receiving node.
 Security Weakness:
    o Designed to facilitate free flow of information rather than restrict access.
    o Does not explicitly authenticate outside users.

Application-Level Firewalls
 Higher security than network-level firewalls, but adds overhead to connectivity.
 Runs security applications called proxies, which:
    o Permit routine services such as e-mail to pass through.
    o Perform sophisticated functions such as user authentication for specific tasks.
    o Provide comprehensive transmission logging and auditing tools for reporting unauthorized activity.
 Dual-Homed System (High-Level Security Firewalls):
    o Uses two firewall interfaces:
         One for incoming Internet requests.
         One for organization intranet access.
    o Direct communication with the Internet is disabled, and the two networks are fully isolated.
    o Proxy applications enforce separate log-on procedures.

Choosing a Firewall: Balancing Security and Convenience
 Organization management must decide on acceptable risk levels in collaboration with:
    o Internal audit
    o Network professionals
 More secure firewalls = Less convenient access for authorized users.

Controlling Denial of Service (DoS) Attacks
 DoS attacks disrupt an organization’s Internet connectivity by clogging server ports with fraudulent messages.
 Types of DoS attacks:
    o SYN Flood Attacks
    o Smurf Attacks
    o Distributed Denial of Service (DDoS) Attacks

Countermeasures for DoS Attacks
Smurf Attack
 Firewall can be programmed to block all communication from the attacking site once the attacker’s IP address is determined.
SYN Flood Attack (IP Spoofing)
 More serious problem because:
    o The attack appears to come from multiple sites across the Internet.
 Two countermeasures:
    1. Internet hosts should block outbound messages with invalid IP addresses.
    2. Security software scans for half-open connections and restores clogged ports.
DDoS Attack
 Most difficult DoS attack to counter because it uses:
    o Thousands of zombie computers distributed across the Internet.
 Countermeasure:
    o Intrusion Prevention Systems (IPS) with Deep Packet Inspection (DPI):
         Scans message packets for malicious patterns.
         Blocks and redirects suspicious packets before they reach the destination.

Encryption
 Encryption converts data into a secret code for:
    o Database storage.
    o Transmission over networks.
 The sender uses an encryption algorithm to convert the original message (cleartext) into a coded equivalent (ciphertext).
 The receiver decodes (decrypts) the ciphertext back into cleartext.
Encryption Techniques
Private Key Encryption
 Advanced Encryption Standard (AES) is a 128-bit encryption technique.
 Triple-DES Encryption:
    o EEE3: Encrypts three times using three different keys.
    o EDE3: Encrypts, decrypts with a second key, then encrypts again.
    o Used by major banks for transaction security.
Public Key Encryption
 Uses two keys:
    1. Public key (for encoding messages)
    2. Private key (for decoding messages)
 RSA (Rivest-Shamir-Adleman) encryption is a widely used public key system.

Digital Signatures and Digital Certificates
Digital Signatures
 Electronic authentication that cannot be forged.
 Ensures message integrity.
Digital Certificates
 Verifies the sender’s identity.
 Issued by a trusted Certification Authority (CA).

Public Key Infrastructure (PKI)
 PKI includes:
    1. Certification Authority (CA): Issues and revokes certificates.
    2. Registration Authority: Verifies applicant identity.
    3. Certification Repository: Public database of valid and revoked certificates.

Message Control Techniques
Message Sequence Numbering
 Inserts a sequence number into each message.
 Prevents:
    o Message deletion.
    o Order manipulation.
    o Message duplication.
Message Transaction Log
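Message sequence numbering, and the message transaction log whose contents are listed under this heading, as an added example that is not part of the reviewer notes: the receiver checks each arriving sequence number against the next one it expects to classify deleted, duplicated and out-of-order messages, and writes every arrival and every failed access attempt to the log. The Message and Receiver classes, user ids and terminal ids are constructed for the demonstration.

```python
"""Sequence-number checking at the receiver plus a message transaction log.
All names and sample values here are constructed for the demonstration."""
from dataclasses import dataclass, field

@dataclass
class Message:
    seq: int        # sequence number the sender inserted into the message
    user: str       # user id of the sender
    terminal: str   # terminal location the message came from
    payload: str

@dataclass
class Receiver:
    expected: int = 1                        # next sequence number expected
    seen: set = field(default_factory=set)   # sequence numbers already accepted
    log: list = field(default_factory=list)  # the message transaction log

    def _record(self, seq, user, terminal, time, outcome):
        # Every incoming message and every failed attempt is logged with the
        # user id, time of access and terminal location the notes list.
        self.log.append({"seq": seq, "user": user, "terminal": terminal,
                         "time": time, "outcome": outcome})

    def receive(self, msg, time):
        """Classify one arriving message by its sequence number and log it."""
        if msg.seq in self.seen:
            verdict = "duplicate"                  # message duplication
        elif msg.seq < self.expected:
            verdict = "late: fills earlier gap"    # order manipulation
            self.seen.add(msg.seq)
        elif msg.seq > self.expected:
            # one or more numbers were skipped: message deletion (or loss)
            verdict = f"gap: missing {self.expected}-{msg.seq - 1}"
            self.seen.add(msg.seq)
            self.expected = msg.seq + 1
        else:
            verdict = "ok"
            self.seen.add(msg.seq)
            self.expected += 1
        self._record(msg.seq, msg.user, msg.terminal, time, verdict)
        return verdict

    def failed_access(self, user, terminal, time):
        """Log a failed access attempt (no message was accepted)."""
        self._record(None, user, terminal, time, "failed access attempt")

    def exceptions(self):
        """Entries an auditor would sample: everything not accepted cleanly."""
        return [e for e in self.log if e["outcome"] != "ok"]
```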
 Records:
    o All incoming and outgoing messages.
    o Failed access attempts.
    o User IDs, time of access, terminal location.

Request-Response Technique
 Sender and receiver exchange synchronized control messages at random intervals.
 Prevents message interception and delay.

Call-Back Devices
 User enters a password to log in.
 System disconnects and re-establishes connection by dialing a pre-registered number.
 Ensures that only authorized terminals can access the network.

2.5 CONTROLLING RISKS FROM EQUIPMENT FAILURE
Line Errors
 The most common problem in data communications is data loss due to line error.
 Line errors occur when the bit structure of a message is corrupted due to noise on the communications lines.
 Sources of noise:
    o Electric motors
    o Atmospheric conditions
    o Faulty wiring
    o Defective equipment components
    o Interference from adjacent communication channels
 If undetected, these errors can be catastrophic for a firm.
    o Example: In a database update program, line errors can result in incorrect transaction values being posted to accounts.
 Two common techniques are used to detect and correct data errors before they are processed:
    1. Echo Check
    2. Parity Check

Echo Check
 The receiver of the message returns the message to the sender.
 The sender compares the returned message with a stored copy of the original.
 If there is a discrepancy, indicating a transmission error, the message is retransmitted.
 Downside: This technique reduces throughput by 50% over communication channels.
 Solution: Using full-duplex channels (allowing simultaneous transmission and reception) can increase throughput.

Parity Check
 A parity bit is added to the structure of a bit string when it is created or transmitted.
 Types of parity:
    1. Vertical Parity
    2. Horizontal (Longitudinal) Parity

Vertical Parity Check
 Adds a parity bit to each character in the message when it is originally coded and stored in magnetic form.
 Process:
    o The system counts the number of 1 bits in the bit structure of each character.
    o If the number of 1 bits is even, the system assigns a parity bit value of 1.
    o If the number of 1 bits is odd, a 0 parity bit is added to the structure.
 Purpose:
    o Prevents the corruption of bit structures during transmission.
    o Detects errors that change a 1 bit to a 0 bit (or vice versa).
 Limitations:
    o If two bits are altered simultaneously, the parity check may not detect an error.

Horizontal (Longitudinal) Parity Check
 Adds an additional parity bit at the end of each block of characters.
 Used together with vertical parity to provide a higher degree of protection against line errors.

Audit Objectives Relating to Equipment Failure
The auditor’s objective is to verify the integrity of electronic commerce transactions by determining that controls are in place to detect and correct message loss due to equipment failure.

Audit Procedures Relating to Equipment Failure
 Select a sample of messages from the transaction log and examine them for garbled content caused by line noise.
 Verify that all corrupted messages were successfully retransmitted.

3. AUDITING ELECTRONIC DATA INTERCHANGE (EDI)
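Closing the equipment-failure material above before the EDI section begins: the vertical and horizontal parity checks as an added example, not part of the reviewer notes. The parity rule follows the notes (parity bit 1 when the character already has an even number of 1 bits, 0 when odd); the 7-bit ASCII character encoding and the simulated line noise are assumptions, and the last case goes beyond the notes to show the pattern of errors that slips past both checks.

```python
"""Vertical (per-character) and horizontal (per-block) parity checks.
Parity rule as stated in the notes: the parity bit is 1 when the character
holds an even number of 1 bits and 0 when odd, so every protected character
carries an odd number of 1 bits.  Characters are assumed to be 7-bit ASCII."""

def parity_bit(bits):
    """Parity bit for a string of '0'/'1' characters, per the rule above."""
    return "1" if bits.count("1") % 2 == 0 else "0"

def encode_block(text):
    """Each character becomes 7 data bits plus its vertical parity bit; a final
    horizontal (longitudinal) parity character covers each bit column."""
    rows = []
    for ch in text:
        data = format(ord(ch), "07b")
        rows.append(data + parity_bit(data))
    columns = zip(*rows)                      # the 8 bit columns of the block
    rows.append("".join(parity_bit("".join(col)) for col in columns))
    return rows

def check_block(rows):
    """Receiver-side check: which rows fail vertical parity, and whether the
    horizontal parity character still matches the data rows received."""
    data, received_lrc = rows[:-1], rows[-1]
    bad_rows = [i for i, r in enumerate(data) if r.count("1") % 2 == 0]
    expected_lrc = "".join(parity_bit("".join(col)) for col in zip(*data))
    return {"vertical_errors": bad_rows,
            "horizontal_ok": received_lrc == expected_lrc}

def corrupt(rows, positions):
    """Simulate line noise (constructed): flip the bits at the given
    (row, column) positions of the block."""
    grid = [list(r) for r in rows]
    for r, c in positions:
        grid[r][c] = "1" if grid[r][c] == "0" else "0"
    return ["".join(r) for r in grid]

def detected(rows):
    """True when at least one of the two checks notices the corruption."""
    result = check_block(rows)
    return bool(result["vertical_errors"]) or not result["horizontal_ok"]
```

Flipping two bits inside one character defeats the vertical check but not the horizontal one, and flipping the same column in two characters does the reverse; only a rectangle of four flips evades both.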
 Many organizations use Electronic Data Interchange (EDI) to coordinate sales and production operations and maintain an uninterrupted flow of raw materials.
 Organizations enter into a trading partner agreement with their suppliers and customers.
Definition of Electronic Data Interchange (EDI):
“The intercompany exchange of computer-processible business information in standard format.”
Key Features of EDI
1. Interorganization Process
    o EDI requires multiple trading partners.
    o A firm does not engage in EDI alone.
2. Automated Processing
    o Transactions are processed automatically by the trading partner’s information systems.
    o No human intermediaries approve or authorize transactions.
    o All authorizations, obligations, and business practices are specified in advance under the trading partner agreement.
3. Standardized Transaction Format
    o EDI transactions are transmitted in a standardized format.
    o Allows different internal systems to exchange information and conduct business.

Value-Added Network (VAN) and EDI Control Issues
 Many companies use a third-party Value-Added Network (VAN) to connect to their trading partners.
 How VAN works:
    o The originating company transmits EDI messages to the network instead of directly to the trading partner.
    o The network:
         Directs each EDI transmission to its destination.
         Deposits the message in the appropriate electronic mailbox.
    o The receiving company’s system retrieves the message from the mailbox.
 VANs provide additional control over EDI transactions, which is examined later in this section.

Auditing in a CIS Environment
Security Part II: Auditing Database Systems
Course Learning Outcomes
After studying this module, you should:
 Understand the operational problems inherent in the flat-file approach to data management that gave rise to the database approach.
 Understand the relationships among the fundamental components of the database concept.
 Recognize the defining characteristics of three database models: hierarchical, network, and relational.
 Understand the operational features and associated risks of deploying centralized, partitioned, and replicated database models in the DDP environment.
 Be familiar with the audit objectives and procedures used to test data management controls.

DATA MANAGEMENT APPROACHES
Business organizations follow either or both of two general approaches to data management:
1. Flat-File Model
2. Database Model
The differences between these two approaches are both technical and philosophical.
The Flat-File Approach
 Flat files are data files that contain records with no structured relationships to other files.
 The flat-file approach is most often associated with legacy systems.
 Legacy systems are large mainframe systems implemented in the 1970s and 1980s, which some organizations still use.
 In a flat-file environment, users own their data files rather than sharing them with other users.
 Data files are structured, formatted, and arranged to suit the specific needs of the owner or primary user.
 Data redundancy is a major issue, leading to:
    o Data storage problems
    o Data updating problems
    o Currency of information issues
    o Task-data dependency problems
Problems in the Flat-File Approach
1. Data Storage Problem
    o Efficient data management should store data only once and make it available to all users.
    o In a flat-file environment, data is duplicated multiple times, increasing storage costs.
2. Data Updating Problem
    o Changes to customer information (e.g., name, address) must be updated separately in each file.
    o Redundant updating adds to data management costs.
3. Currency of Information Problem
    o Failure to update all files means some users work with outdated information.
4. Task-Data Dependency Problem
    o Users cannot obtain additional information outside their own data files.
    o This limits decision-making ability and increases the need for new data files.
The Database Approach
 The database approach replaces flat files by centralizing data into a common database.
 Access to data is controlled by a Database Management System (DBMS).
 Key advantages over flat files:
    o Elimination of data storage problems (data is stored only once).
    o Elimination of data update problems (single update applies to all users).
    o Elimination of currency problems (changes are reflected for all users).
    o Elimination of task-data dependency problems (users can access shared data).

KEY ELEMENTS OF THE DATABASE ENVIRONMENT
Database Management System (DBMS)
 Central element of the database approach.
 Provides controlled access to the database.
 Typical features of a DBMS include:
    1. Program development – Allows users to create applications to access the database.
    2. Backup and recovery – Periodically backs up data to prevent total loss in case of system failure.
    3. Database usage reporting – Tracks who uses data, when, and how.
    4. Database access control – Restricts unauthorized access.
Database Views
1. Internal View (Physical View)
    o Defines how data is physically arranged on storage devices.
    o Lowest level of representation.
2. Conceptual View (Schema)
    o Represents the entire database logically.
    o Independent of physical storage.
3. External View (User View or Subschema)
    o Defines which data a particular user is authorized to access.
    o Each user has a different view of the database.

DATABASE MODELS
1. Hierarchical Model
 Data is structured in a tree format with parent-child relationships.
 Example: IBM’s IMS (Information Management System).
 Limitations:
    o A child record can only have one parent.
    o Does not fully reflect complex business relationships.
2. Network Model
 Overcomes limitations of the hierarchical model.
 A child record can have multiple parents.
 Example: IDMS (Integrated Database Management System).
3. Relational Model
 Data is stored in two-dimensional tables.
 Uses primary keys and foreign keys for relationships instead of explicit pointers.
 Example: Structured Query Language (SQL).

DATABASES IN A DISTRIBUTED ENVIRONMENT
1. Centralized Database
 All data is stored in one location.
 Remote sites send requests to the central server.
2. Partitioned Database
 Database is split into multiple locations, each storing only a part of the data.
3. Replicated Database
 Copies of the same database are maintained at multiple locations.

AUDITING DATABASE SYSTEMS
Audit Objectives
 Verify that data integrity, security, and access controls are properly maintained.
 Ensure that backups and recovery procedures are adequate.
 Verify that user access privileges comply with security policies.
Audit Procedures
 Review database access logs to detect unauthorized access attempts.
 Examine backup policies to ensure compliance with disaster recovery plans.
 Test user authentication controls (e.g., password policies, multi-factor authentication).