AUDCISE Unit 4 Lecture Notes 2022-2023
AUDCISE Unit 4 Lecture Notes 2022-2023
This chapter looks at IT general controls from an IT By the end of this unit you should be
auditor’s perspective. ITGCs cover broad areas of the able to:
overall IT environment, such as computer operations,
access to programs and data, program development ✓ Prepare the basic IT General
and program changes, network controls, and many Controls audit working papers.
others. In order for specific application controls to be
effective, there must also be strong overriding effective
IT general controls in place.
Ready? Let’s get learning!
Timing
This unit is good for 2 weeks. You can devote three hours per day on the subject. Don’t worry, the
content is abridged, which means it only includes the most salient points you need to know.
For easier monitoring of your progress, you can view the TO DO LISTS in CANVAS. Be sure to make
use of CANVAS to have a more organized and orderly studying. Plus, the CANVAS LMS is a
PROCRASTINATION-beater!
Getting Started!
Although the lines of separation are sometimes difficult, we generally think of IT controls on
two broad levels: application controls that cover a specific process, such as an accounts payable
system to pay invoices from purchases, and what are called IT general controls. IT general controls
cover all aspects of IT operations and are necessary in order for specific application controls to be
effective.
IT general controls review attempts to gain an overall impression of the controls that are
present in the environment surrounding the information systems. These include the organizational
and administrative structure of the Information System (IS) function, the existence of policies and
procedures for the day-to-day operations, availability of staff and their skills and the overall control
environment.
In addition, ITGC would also include the infrastructure and environmental controls. A review
of the data center or information processing facility should cover the adequacy of air conditioning
(temperature, humidity), power supply (uninterruptible power supplies, generators) and smoke
detectors/fire suppression systems, a conducive clean and dust free environment, protection from
floods and water seepage as well as neat and identifiable electrical and network cabling.
1
Why do you think we care about ITGCs?
• They support IT dependent controls and processes
• The provide controls around financial data
As another and perhaps more appropriate way of looking at IT general and application
controls, Figure 4.1 describes an IT controls hierarchy. At the top of this triangle configuration are IT
policies defining the overall enterprise IT organization. Moving down the hierarchy are general
controls for IT standards, organization of the IT function, and physical and environmental controls.
2
The next level down in the hierarchy brings two categories of technical-level general controls:
systems software and systems development general controls, followed by application-based controls
at the base of the controls hierarchy.
“auditable policies and procedures put in place by a business to help ensure the
confidentiality, integrity and availability of its IT systems and data”.
3
I. System/Program Development
To ensure that systems are developed, configured, and implemented to achieve management's
application control objectives.
Which means: Changes to systems and data do not adversely affect their integrity, availability
or confidentiality.
Which means: Systems process data as intended, and where they don’t, this is identified and
corrected.
Which means: Systems and data are protected from unauthorized access and invalid changes.
It is often much more efficient for an IT auditor to review an IT application for its internal
controls while it is being developed and implemented rather than after it has been placed into
production. The role of the IT auditor here is similar to that of a building inspector reviewing a new
construction project:
4
It is difficult to make constructive recommendations regarding the completed building. Even
if some problems were found, the inspector would be under considerable pressure not to identify
ones that would require significant portions of the building to be torn down and rebuilt. Rather, the
building inspector identifies problems during construction and suggests how they can be corrected
before completion.
Similarly, the effective IT auditor should suggest corrective actions to improve system controls
along the way. It is easier to implement changes during an application implementation process
than after it has been completed and the system has been placed into production.
To continue with the analogy, an IT auditor must be careful not to take responsibility for
designing the new application’s controls. The building inspector points out problems but certainly
does not take responsibility for fixing them.
The discussion in Chapters 1 & 2 emphasizes that it is the IT auditor’s task to review and
recommend but not to design or build the controls in any area reviewed. When reviewing new
applications under development, an IT auditor should point out internal control weaknesses to the
application developers but only recommend that they implement those recommendations.
The scope of a systems development audit can include an evaluation of the software
development life cycle or an evaluation of the quality of the deliverables from each system
development and implementation phase (e.g., an evaluation of the controls design and audit trails, systems
test plan and results, user training, and systems and program documentation).
Analysis & a) Analysis - In this phase, the users and systems analysts define the
Design system requirements in terms that can be measured.
5
Auditor Interests in the System Requirements
• You should obtain a list of detailed requirements. The accuracy of
the requirements can be verified by a combination of desktop
review of documentation and interviews with appropriate
personnel.
b) Design - In this phase, the systems analyst defines all system interfaces,
reporting, and screen layouts, and specific program logic. At this time,
controls should also be defined for input points and processing.
• The result of the JAD session is a user view of the system for
further development. This is an excellent setting for the
discussion of the advantages and cost effectiveness of controls.
Construction • The main goal of the construct phase is to design and build working
software that is ready to be tested and delivered to its user
community. This phase involves modeling the system, programming the
applications, and application testing.
• The objective of this technique is for the prototype to represent ‘‘a clear-
cut functional specification, serve as a vehicle for organizing and
learning, and evolve ultimately into a fully implemented’’ system.
6
• The auditor may review the new system’s programs to verify compliance
with programming standards.
These standards help ensure that all the code has a similar structure,
tracking dependencies and making maintenance easier.
Testing • During the testing phase, the system is tested to verify that it works as
intended and meets design specifications.
Types of Testing
7
Implementation • The final step to implementing the system includes conversion,
documentation, training, and support.
• A data conversion plan is developed to migrate existing data into the new
system. Great care needs be taken to prevent loading garbage data into
the new system.
Typical Controls:
a) Approval from the project sponsor(s) and stakeholders is
required in order to go live.
8
Roles and Responsibilities in the System Development Life Cycle
The domain objective is: "To ensure the changes to programs and related infrastructure components
are requested, authorized, performed, tested, and implemented to achieve management's application
control objectives."
The entity is to demonstrate, with reasonable assurance, that sufficient program change controls
are applied consistently to all programs, applications or data that are relevant to the audit. In
order to demonstrate this, the typical subcomponents of program change are considered:
9
Monitoring and testing that all relevant program changes have been subjected to the entity's
program change controls can be made easier when the entity's IT systems produce reliable evidence
(i.e., an "audit trail") of the full population of program changes. If a reliable report of all compilation
dates of all programs placed in production is available, management can more readily demonstrate
that every program change went through its controlled process.
However, not all IT systems are designed to produce reliable, automated information about
the population of changes. Some will log only the date of last modification. Others may be able to log
all changes, but perhaps those logs can be circumvented or overwritten by those with direct access to
the program's production environment.
Some factors to consider in evaluating whether there can be reasonable assurance that all such
changes have been dealt with appropriately might include:
• The types of applications used, whether the entity has access to the source code, and the
nature and volume of routine program changes
• Whether changes are rigorously tracked, electronically or manually, by parties who are
independent from those requesting or making the changes, using data that cannot be
altered by those requesting or making the changes
• Whether separate environments are maintained for development, testing and production,
and only the appropriate individuals have access to each of those environments
• Whether responsibilities are segregated appropriately such that the person responsible for
identifying, tracking, and reporting on the status of change requests does not have
accounting or finance responsibilities
1. Change Requests:
a) Documentation to support a modification of a system. (Change Request Form)
• To make systems operations easier, more efficient for database administrator and
network management personnel.
10
• Capacity planning: the system may require additional resources or increased capacity
components e.g. A more powerful CPU to cope with increased processing demand, or
additional disk drives as the existing drives fill up.
• Problem rectification
f) Depending on the type of change, authorization from a business user manager, IT manager,
or both is required before work can begin on the change.
g) There are circumstances that don’t require authorisation, which occur when the change
has little to no financial impact (minor), or when it is an emergency.
11
2. Construction:
a) Changes are made to the application source code in an environment separate from that of
production. Application developers should ensure that only one developer is working on a
piece of code at one.
b) Prior versions of source code should be saved in case the company needs to revert back to
the old code. Source code control software can achieve both the retention of prior versions
and prevent more than one developer from editing code simultaneously.
b) Changes should then be tested in the Test environment by a member of the user community
that owns the application and underlying data (user acceptance testing or UAT). The
user “accepts” the change when the change made meets requirements documented in the
change request.
c) Test plans and results should be retained to evidence performance of the control.
12
4. Program Implementation:
a) A process is needed to move the approved changes into the production environment.
Process is often facilitated by a change control tool. Source code control tools can also
move changes to production.
c) Change control meetings are often used to coordinate changes among various departments
(business users and IT). Because testing can never fully anticipate all possible issues,
backout procedures are critical.
d) “Emergency” changes should not bypass significant controls, even if those controls are
formalized after the change is completed.
An emergency change shall be defined as any action that is necessary for the immediate
and continued operation of essential department functions and required to be
implemented before the business owners/program sponsors are able to review and
approve.
The requestor will submit the Change Control Request (CCR) after the affected system
has been modified, and will be approved post change by the business owners.
In the judgment of the requestor, if the incident is a major incident, there should be
attempts made to contact the business owners to alert them to the incident and its
resolution, either by phone or, failing that, email. Documentation from the business
owners/program sponsors that approved the emergency action is to be included in the
change request system.
Segregation of Duties
13
Lack of segregation of duties
• Monitoring controls must be in place if segregation of duties is not.
• If there is unauthorized access to production, changes to production should be monitored on
a periodic basis.
Development Environment
• Programmers have read/ write/ execute
• Programmers make modifications
• End-users do not have any access
• Unit and system testing by developers
Test Environment
• Programmers have read/execute access only
• No modifications made to code
• End-users have read/execute access to data and programs
• Integration and user acceptance testing are performed here
Production Environment
• Programmers have no access (or read only)
• No modifications made to code
• Live use by end-user community
• End user has no access to program code. End users should only modify data via approved
program functions appropriate to their job functions.
Self-Check
14
ITGC 4.3 Audit of Information System Operations - “Computer Operations”
Activities in computer operations often present operational risk, not a risk of material
misstatement, depending on the entity's specific circumstances. Some elements of computer
operations may be relevant to the audit, particularly when they serve not only as ITGCs, but also as
application controls that directly support relevant financial statement assertions.
For example, job scheduling is an IT activity that could directly impact the completeness and
accuracy of financial data if it were to break down. Similarly, backup and recovery procedures may
be important to the risk of financial misstatement if data recoveries are frequent, such as when
systems are unstable.
The manager or auditor should regard operating standards and procedures manuals as
highly important controls. Accordingly, these controls should be tested periodically. This can be
done through observation to determine if the standards and procedures described in the manuals
actually are being followed in the day-to-day operation of the computer center.
An important element of any set of standards or manuals should be the requirement that
operators maintain logs on which any unusual events or failures are recorded, according to time and
in detail. If such logs do not exist or are not kept faithfully, a major control weakness is indicated.
a) Interface Processing
Controls
• Authorize changes to interfaces and management review of changes to interfaces
• Restrict access to the functionality used to modify interfaces
• Monitoring of interface processing
15
Risks to financial data
• Unauthorised or inappropriate changes to the scheduler are implemented resulting
in production processing errors
Controls
• Restrict access to the functionality used to modify the batch schedule
• Periodic review of who is able to access the batch schedule
• Changes to the schedule are authorised
• Management review of changes to the schedule
Controls
• Control access to processing functionality
• Formalized procedures for processing failure identification & resolution
a) Service Continuity Management & Backups - is the set of activities that is concerned
with the ability of the organization to continue providing services, primarily in the event
that a natural or manmade disaster has occurred.
During the 1980s, the term disaster recovery became popular as a definition for rebuilding
and recovery following a natural disaster. The entire focus of disaster recovery could be
summed up with a one-word definition: rebuilding.
The approach to any risk should be to try to remove the threat by considering business
locations, building materials and duplication of key functions at remote sites. However
modern business is, it cannot avoid all forms of corporate risk or potential damage. A
realistic objective is to ensure the survival of an organization by establishing a culture that
will identify and manage those risks that could cause it to suffer.
16
Examples of these corporate risks include:
• Inability to maintain critical customer services
• Damage to market share, image, reputation or brand
• Failure to protect the company assets, including intellectual properties and
personnel
• Business control failure
• Failure to meet legal or regulatory requirements
Once the risk exposures have been identified, a disaster recovery plan can be assembled
that details a plan for hardware, software, data, and personnel. The plan should identify
various levels of recovery, from an isolated event to a widespread disaster. The timeliness
of recovery will depend on the loss exposure for the particular application.
When the plan is completed, it should be tested to identify problems in the plan.
Testing should be conducted on a periodic basis to validate assumptions and update the
plan based on the changing environment. It also provides the opportunity to practice the
recovery procedures and identify missing elements that need to be added.
• The Empty Shell “cold site” - involves two or more user organizations that buy
or lease a building and remodel it into a computer site, but without computer
equipment. It must be carefully negotiated and enforced. Otherwise, longer
recovery time and possible lower access than promised.
• The Recovery Operations Center “hot site” - a completely equipped site; very
costly and typically shared among many companies. It must be up within a few
hours. Same “actual versus promised” access risks as cold site.
Types of Backup:
• Full backup - A full backup is the most basic of all backup types. And as its name
suggests, it’s also the most comprehensive. In a full data or system backup, all
data is copied to another location.
• Incremental backup - This type only backs up the information that has changed
since the last backup occurred.
17
Business Continuity Planning (BCP)
The auditor should ensure that there are adequate plans to resume processing in the event
of failure of computer operations. The degree of continuity planning will depend on the
size of the IT department and the involvement on computer processing. A significant and
prolonged loss of IT capability in a mission critical system may increase the risk of the
financial statements being unavailable or materially misstated.
Unlike DR, business continuity (BC) focuses on revenue. As long as the organization has
time and money at its disposal, the organization can continue to function. Money can take
the form of capital, credit lines, investors, and payments from customers. Business
continuity focuses on putting more money in the bank, even if the business is not
delivering a product.
The first step of preparing a new Business Continuity Plan is to identify the business
processes of strategic importance, which are those key processes that are responsible
for both the permanent growth of the business and for the fulfilment of the business goals.
Ideally, the BCP should be supported by a formal executive policy that states the
organization's overall target for recovery and empowers those involved in developing,
testing and maintaining the plans
BCP is primarily the responsibility of senior management, as they are entrusted with
safeguarding the assets and the viability of the organization, as defined in the BCP policy.
b) Media Management - includes the control of disks and tapes, CD ROMs, etc. Technology
assets should be inventoried and tracked. Proper ownership labels or property tags
should be in use. Tagging and labeling are preventative controls. The audit of inventory
tags is a detective control. Media containing software and data should be managed under
a data library a.
Each computer installation should have a data library and procedures that control
access to programs, data files, and documentation. Library procedures should assure that
only authorized persons receive files, programs, or documents, and that these persons
acknowledge their responsibility at the time of each issuance.
Control is enhanced by the practice of maintaining an inventory of file media within the
data library. That is, an inventory record should exist for each tape cartridge or disk pack.
The record should note any utilization or activity. After a given number of users, the file
medium or device is cleaned and recertified. Further, if any troubles are encountered in
reading or writing to the device, maintenance steps are taken and noted.
c) Environment Controls - All network equipment operates under daily office conditions
(e.g., humidity, temperature, smoke, and electrical flow). However, a specific office
environment may not be suited to a microcomputer because of geographical location,
industrial facilities, or employee habits. A primary problem is the sensitivity of
microcomputer equipment to dust, water, food, and other contaminants. Water and other
substances cannot only damage the keyboard, CPU, disk drive, and diskettes but also may
cause electrocution or a fire. To prevent such occurrences, the network manager should
adhere to a policy of prohibiting food, liquids, and the like at or near the microcomputer.
18
Although most offices are air-conditioned and temperatures and humidity are usually
controlled, these conditions must nonetheless be evaluated by the network manager. If for
any reason the environment is not controlled, the network manager should take
periodic readings of the temperature and humidity. If the temperature or humidity is
excessively high or low, the microcomputer equipment and the network should be shut
down to prevent loss of equipment, software, and data.
Airborne contaminants can enter the equipment and damage the circuitry. Hard disks
are susceptible to damage by dust, pollen, air sprays, and gas fumes. Excessive dust
between the read/write head and the disk platter can damage the platter or head or cause
damage to the data or programs.
Static electricity is another air contaminant. Using antistatic carpeting can reduce static
electricity as well as pads placed around the microcomputer area, antistatic chair and
keyboard pads, and special sprays that can be applied to the bottoms of shoes. Machines
can also be used to control static electricity in an entire room or building.
Major causes of damage to network equipment are power surges, blackouts, and
brownouts. Power surges, or spikes, are sudden fluctuations in voltage or frequency in
the electrical supply that originates in the public utility. They are more frequent when the
data center is located near an electrical generating plant or power substation. The sudden
surge or drop in power supply can damage the electronic boards and chips as well as cause
a loss of data or software.
If power supply problems occur frequently, special electrical cords and devices can be
attached to prevent damage. These devices are commonly referred to as power surge
protectors.
Blackouts are caused by a total loss of electrical power and can last seconds, hours, or days.
Brownouts occur when the electrical supply is diminished to below-normal levels for
several hours or days. Although brownouts and blackouts occur infrequently, they are
disruptive to continuing operations.
If microcomputer use is essential and the organization’s normal backup power is limited
to necessary functions, special uninterruptible power supply (UPS) equipment can be
purchased specifically for the microcomputer equipment.
UPS equipment can be either battery packs or gas-powered generators. Battery packs
are typically used for short-term tasks only (e.g., completing a job in progress or
supporting operations during a transition to generator power).
19
ii. To reduce the risk of services being disrupted by loss of power or deterioration of
ambient conditions, critical computer equipment and facilities have to be protected
from transient surges and outages in power supplies and extended power failure by:
• Installing devices that stabilize power supplies
• Providing backup generators
• Protecting power cables
d) Capacity Planning - ensuring that the computer systems will continue to provide a
satisfactory level of performance in the longer term. This will involve IT operation staff
having to make estimates of future CPU requirements, disk storage capacity and network
loads capacity.
e) Performance & Network Monitoring - monitoring the day to day performance of the
system in terms of measures such as response time. The IT operations function is also
given the responsibility for ensuring that communication links are maintained.
Helpdesk/Service Desk
Helpdesks are the day-to-day link between users with IT problems and the IT department. They
are the ones users call when they have a printer problem or they forget their password. Problems
may be encountered with individual programs (applications and system), hardware, or
telecommunications.
People may call in for help with a variety of computing problems. It is the help desk’s responsibility
to escalate trouble tickets in a timely manner. Some trouble tickets might be escalated to the
system administrator or application support programmer.
The help desk tracks call metrics so that trends can be analyzed. As an IT auditor, you should
understand the help desk function. It would be beneficial to conduct a review of the staff on the
help desk to determine their level of competency. An audit trail should exist, documenting the
process for logging and tracking service requests. You should evaluate the level of documentation
for help desk activities and troubleshooting procedures.
Problem Management
When several incidents have occurred that appear to have the same or a similar root cause, a
problem is occurring. The overall objective of problem management is the reduction in the
number and severity of incidents.
Self-Check
20
ITGC 4.4 Audit of Information System Operations - “Access to Programs and Data”
Information and information systems are critical assets in most organizations today. Without
reliable and properly secured information and information systems, organizations would quickly go
out of business. Likewise, the preservation and enhancement of an organization’s reputation is
directly linked to the way in which both information and information systems are managed.
Maintaining an adequate level of security is one of the several important aspects of both information
management and information systems management.
These and other processes should be periodically audited to confirm their effectiveness.
Control failures and exceptions should be documented, and actions plans developed to improve
processes and systems.
The purpose of information security is to help ensure that the organization’s strategic
business objectives are met. The three fundamental objectives for information are confidentiality,
availability, and integrity. Each of these has associated risks that would prevent achieving these
objectives.
21
Identifying the Perpetrators
There is one fundamental difference between a victim and a perpetrator. The victim did not
act with malice. The perpetrators of crime may be casual or sophisticated. Their motive may be
financial, political, thrill seeking, or a biased grudge against the organization. The damage impact is
usually the same regardless of the perpetrator’s background or motive.
A common trait is that a perpetrator will have time, access, or skills necessary to execute the
offense. A person with mal-intent needs little more than access to launch their attack. For this reason,
strong access controls are mandatory. So, who is the attacker?
Hackers
The term hacker contains a double meaning. The honorable interpretation of hacker refers to
a computer programmer who is able to create usable computer programs where none previously
existed. The criminal hacker focuses on a desire to break in, take over, and damage or discredit
legitimate computer processing.
The first goal of hacking is to exceed the authorized level of system privileges. This is why it is
necessary to monitor systems and take swift action against any individual who attempts to gain a
higher level of access. Hackers may be internal or external to the organization. Attempts to gain
unauthorized access within the organization should be dealt with by using the highest level of
severity, including immediate termination of employment.
Crackers
The term cracker is a variation of hacker with the analogy equal to a safe cracker. Some
individuals use the term cracker in an attempt to differentiate from the honorable computer
programmer definition of hacker. The criminal cracker and criminal hacker terms are used
interchangeably. Crackers attempt to illegally or unethically break into a system without
authorization.
Script Kiddies
A script kiddie is an individual who executes computer scripts and programs written by others.
Their motive is to hack a computer by using someone else’s software.
Examples include password decryption programs and automated access utilities. Internal
controls must be put in place to restrict the possession or use of administration utilities. Violations
should be considered severe and dealt with in the same manner as hacker violations.
Employee Betrayal
A person within the organization has more access and opportunity than anyone else. Few
persons would have a better understanding of the security posture and weaknesses. In fact, an
employee may be in a position of influence to socially engineer co-workers into ignoring safeguards
and alert conditions. This is why it is important to monitor internal employee satisfaction. The great
medieval fortresses fell by the betrayal of trusted allies.
Third Parties
External persons are referred to as third parties. Third parties include visitors, vendors,
consultants, maintenance personnel, and the cleaning crew. These individuals may gain access and
knowledge of the internal organization.
Ignorance
The term ignorance is simply defined as the lack of knowledge. An ignorant person may be a
party to a crime and not even know it. Even worse, the individual may be committing an offense
without realizing the impact of their actions.
Fortunately, ignorance can be cured by training. This is the objective of user training for
internal controls. By teaching the purpose of internal security controls, the organization can reduce
their overall risk.
22
Active Attacks
The active attack is designed to execute an act of theft or to cause a disruption in normal
computer processing. Following is a list of active attacks:
1. Social engineering - Criminals can trick an individual into cooperating by using a technique
known as social engineering. The social engineer will fraudulently present themselves as a
person of authority or someone in need of assistance. The social engineer’s story will be woven
with tiny bits of truth. All social engineers are opportunists who gain access by asking for it.
For example, the social engineer may pretend to be a contractor or employee sent to work on
a problem. The social engineer will play upon the victim’s natural desire to help.
2. Phishing - A new social engineering technique called phishing (pronounced fishing) is now in
use. The scheme utilizes fake emails sent to unsuspecting victims, which contain a link to the
criminal’s counterfeit website. Anyone can copy the images and format of a legitimate website
by using their Internet browser.
Phishing criminal copies legitimate web pages into a fake email or to a fake website. The
message tells the unsuspecting victim that it is necessary to enter personal details such as US
social security number, credit card number, bank account information, or online user ID and
password. Phishing attacks can also be used to implement spyware on unprotected computers.
Many phishing attacks can be avoided through user education.
3. Dumpster diving - Attackers will frequently resort to rummaging through the trash for
discarded information. The practice is also known as dumpster diving. Dumpster diving is
perfectly legal under the condition that the individuals are not trespassing. This is the primary
reason why proper destruction is mandatory. Most paper records and optical disks are
destroyed by shredding.
4. Virus – Computer viruses are a type of malicious program designed to self-replicate and spread
across multiple computers. The purpose of the computer virus is to disrupt normal processing.
A computer virus may commence damage immediately or lie dormant, awaiting a particular
circumstance, such as the date of April Fools’ Day. Viruses will automatically attach themselves
to the out-going files.
The first malicious computer virus came about in the 1980s during prototype testing for self-
replicating software. Antivirus software will stop known attacks by detecting the behavior
demonstrated by the virus program (signature detection) or by appending an antivirus flag to
the end of a file (inoculation, aka immunization).
New virus attacks can be detected if any program tries to append data to the antivirus flag. Not
all antivirus works by signature scanning, it can also be by heuristic scanning, integrity
checking, or activity blocking. These are all valid virus detection methods.
5. Worm – Computer worms are very destructive and able to travel freely across the computer
network by exploiting known system vulnerabilities. Worms are independent and will actively
seek new systems on their own.
6. Logic bomb - The concept of the logic bomb is designed around dormant program code that is
waiting for a trigger event to cause detonation. Unlike a virus or worm, logic bombs do not
travel. The logic bomb remains in one location, awaiting detonation.
Logic bombs are difficult to detect. Some logic bombs are intentional, and others are the
unintentional result of poor programming. Intentional logic bombs can be set to detonate after
the perpetrator is gone.
8. Brute force attack - Brute force is the use of extreme effort to overcome an obstacle. For
example, an amateur could discover the combination to a safe by dialing all of the 63,000
possible combinations. There is a mathematical likelihood that the actual combination will be
determined after trying less than one-third of the possible combinations.
Brute force attacks are frequently used against user logon IDs and passwords. In one particular
attack, all of the encrypted computer passwords are compared against a list of all the words
encrypted from a language dictionary. After the match is identified, the attacker will use the
unencrypted word that created the password match. This is why it is important to use
passwords that do not appear in any language dictionary.
9. Denial of service (DoS) - Attackers can disable the computer by rendering legitimate use
impossible. The objective is to remotely shut down service by overloading the system and
thereby prevent the normal user from processing anything on the computer.
10. IP fragmentation attack - One of the common Internet attack techniques is to send a series
of fragmented service requests to a computer through a firewall. The technique is successful if
the firewall fails to examine each packet. For this reason, firewalls are configured to discard IP
fragments.
12. Maintenance accounts - Most computer systems are configured with special maintenance
accounts. These maintenance accounts may be part of the default settings or created for
system support.
An example is the user account named DBA for database administrator, or tape for a tape
backup device. All maintenance accounts should be carefully controlled. It is advisable to
disable the default maintenance accounts on a system.
13. Salami technique - The salami technique is used for the commission of financial crimes. The
key here is to make the alteration so insignificant that in a single case it would go completely
unnoticed, e.g., a bank employee inserts a program into the bank’s servers that deducts a small
amount of money from the account of every customer. No single account holder will probably
notice this unauthorized debit, but the bank employee will make a sizable amount of money
every month.
14. Email spamming and spoofing - You are probably aware of email spamming. Spamming
refers to sending a mass mailing of identical messages to a large number of users. The current
laws governing email allow a business to send mass emails as long as the recipient is informed
of the sender’s legitimate address and the recipient is provided a mechanism to stop the
receipt of any future emails. Email spamming is a common mechanism used in phishing
attacks.
The term spoofing refers to fraudulently altering the information concerning the sender of
email. An example of email spoofing is when an attacker sends a fake notice concerning your
eBay auction account. The spoofed email address appears as if it were sent by eBay.
24
Other Computer Attacks
1. File alteration - occurs when the defrauder revises specific data or manipulates data files. For
example: Fraudulently changing the rate of pay of an employee in the payroll master file via a
program instruction Transferring balances among dormant accounts to conceal improper
withdrawals of funds.
2. Data theft - Data theft can be accomplished by data interception or smuggling out computer
data files or hard copies of reports/files. Data transmitted by data communication lines can be
tapped or intercepted. Magnetic devices can be smuggled out in briefcases, employees'
pockets, etc.
Information Assets
Sometimes overlooked because it is intangible, the information that is stored in systems
should be treated as an asset. In almost all cases, information such as software and databases have
tangible value and should be included in the list of IS assets.
25
In most organizations, various types and sets of information will have varying degrees of
sensitivity. These levels of sensitivity will implicitly dictate that information in different levels should
be handled somewhat differently.
For instance, the most sensitive information should be encrypted whenever stored or
transmitted and should be accessible to only those individuals who have a justified need to use it.
Information classification program can be defined in detail in less than a dozen pages, and the
practical portions of it could almost fit on a single page. For many organizations, a simple four-level
classification program is a good place to start. The four levels could be: secret, restricted,
confidential, and public. Any information in the organization would be classified into one of these
four levels.
Handling procedures for each of these levels is found in Table 4-1 below.
Access Controls
Access controls are the technology-based methods of controlling access to an information-
based resource. Access controls must be actively managed by staff members who are authorized to
perform this function and trained to perform it properly.
26
Access Control Management
The management of access controls requires that processes and business rules be established
that govern how access controls are managed. These processes and rules are used to decide which
persons will be permitted to access which data and functions in the organization. The processes to
manage access controls are:
• Access control request - Any new request for access must be formally made via an
established request procedure. The request should be approved by the subject’s manager, as
well as by the owner of the resource to which access is being requested.
• Access control review - A periodic review of all users’ access to systems must be performed
to verify that everyone who has access is still entitled to that access and to verify that all access
for terminated employees has been removed.
• Segregation of duties review - A periodic review of each user’s access rights in all systems
must be performed to verify that each employee does not have a combination of access
privileges that would constitute a violation of segregation of duties.
• Employee transfer - When an employee is transferred from one position to another, the
access rights associated with the departed position must be removed and any new access
rights for the new position established.
All of these processes must have a robust recordkeeping plan so that all requests, reviews,
transfers, and terminations are well documented. These records must themselves be restricted so
that only authorized persons may view them. These records also must be protected against
tampering.
In addition to these processes, there are several audit and monitoring procedures to verify
correct operation of these procedures.
Privacy
Privacy is the protection of personal information from unauthorized disclosure, use, and
distribution. Personal information refers to a variety of elements about a private citizen, some of
which are not well known, including their name in combination with one or more of the following:
More recently, the worry about privacy has concerned the rise in identity theft, which is made
possible from the proliferation of private information and the failure to adequately secure that
information. Cybercriminals have had an easy time discovering and stealing this information in order
to conduct wide-scale identity theft.
27
• Mandatory Access Control (MAC) - This access model is used to control access to objects
(files, directories, databases, systems, networks, and so on) by subjects (persons, programs,
etc.). When a subject attempts to access an object, the operating system examines the access
properties of the subject and object to determine if the access should be allowed. The operating
system then permits or denies the requested access. Access is administered centrally, and
users cannot override it.
• Discretionary Access Control (DAC) - In this access model, the owner of an object is able to
determine how and by whom the object may be accessed. The discretion of the owner
determines which subjects will be permitted access.
Internal Controls
• Reusable Passwords: entered once and then the system accepts it each time the user
comes back to log in. (make them complex, with frequent changes, don’t write them
down and store the notes in obvious places, and use lock-out procedures)
a) Data Owner - The data owner refers to executives or managers responsible for the data
content. The role of the data owner is to do the following:
• Assume responsibility for the data content.
• Specify the information classification level.
• Specify appropriate controls.
• Specify acceptable use of the data.
• Identify users.
• Appoint the data custodian.
b) Data User - The data user is the business person who benefits from the computerized data.
Data users may be internal or external to the organization. For example, some data is delivered
for use across the Internet. The role of the data user includes the following tasks:
• Follow standards of acceptable use.
• Comply with the owner’s controls.
• Maintain confidentiality of the data.
• Report unauthorized activity.
c) Data Custodian - The data custodian is responsible for implementing data storage safeguards
and ensuring availability of the data. The custodian’s role is to support the business user. If
something goes wrong, it is the responsibility of the custodian to deal with this promptly. The
duties of the data custodian include the following:
• Implement controls matching information classification.
• Monitor data security for violations.
• Administer user access controls.
• Ensure data integrity through processing controls.
• Back up data to protect from loss.
• Be available to resolve any problems.
Database systems involve much more integration and sharing across users, leading to risks
of data corruption, theft, misuse, and destruction, from unauthorized users and abusive authorized
users. Database features that reduce these risks include:
a) User Views restrict the actions a user can take through authority table privileges.
b) Database Authorization Table contains the authorizations for read and write privileges.
c) User-Defined Procedures to add more specific security (mother’s maiden name).
d) Data Encryption is coded data for storage and transmission security.
e) Biometric Devices includes finger, voice and retina prints, and signature characteristics.
29
User Security and Administration
• Process of granting access to systems and data
• Often standard process that is common to all applications
Risk: Access is not adjusted for changes in employee status (i.e. terminations, transfers) in a timely
fashion
3. Application Security
• Unique to each application
• Often controlled with user id and password
• Responsibility of business and IT
Risk: Users are given access rights that allow them to perform tasks outside their normal duties
Consequence: Segregation of duties is not enforced; unauthorised transactions could be initiated and
processed
Note: As auditors, we need to assess whether the design of the internal network gives rise to risks
over the applications and data in it. For example, the security and integrity of financially significant
spreadsheets reliant on internal network security.
5. Network Perimeter Security - Management can implement and configure the following to enable
perimeter network security:
✓ Firewalls (e.g. Checkpoint, Cisco PIX, Symantec)
✓ DMZ
✓ Intrusion Detection Systems (e.g. Cisco, ISS, Axent)
✓ VPN (for remote user access)
30
b) Application level firewalls
✓ a high level of customizable network security, but can be extremely expensive
✓ performs sophisticated functions such as logging or user authentication
• Digital signature: electronic authentication technique that ensures that the transmitted
message originated with the authorized sender and that it was not tampered with after the
signature was applied
• Digital certificate: like an electronic identification card that is used in conjunction with a
public key encryption system to verify the authenticity of the message sender
6. Privilege Accounts
• All applications, operating systems and databases (and other IT components such as firewalls)
will have “administrator” or privileged accounts e.g.:
✓ Windows = Domain Administrator
✓ UNIX = Root
✓ OS/400 = QSECOFR
✓ SQL Server database = DBA
• Requires additional security measures and limited distribution as they can circumvent normal
security restrictions.
Risk: Depending on what the privileged account is for, there’s a potential for data to be accessed
directly or for unauthorised transactions to be initiated, recorded, processed and reported
Risk: Unauthorised access to data and applications by unauthorised internal and external sources.
Control: Clients have configuration policies in place across all their applications and operating
systems to restrict unauthorised access
8. Physical Security
• Securing building and data centre, this could be through key code, keycard or biometric control
system (or a combination)
• Important to establish where hardware running audit significant OS, applications and
databases are located.
Access Logging
Operating systems and database management systems should be configured so that all access
to files and directories is logged. This practice promotes accountability and provides a trail of
evidence in the event that a forensic investigation should be conducted in the future.
Access logs themselves must be highly protected - ideally, they should be stored in a different
storage system than the data whose access they are logging.
31
Access logs should not be alterable, even by database administrators and system
administrators, so that no one will be able to “erase their tracks” should they decide to
tamper with sensitive information and then attempt to hide the evidence afterward.
Access logging is only effective if someone actually examines the logs. Because this can be a
time-consuming activity, many organizations utilize alert-generating tools that send e-mail or
pager alerts to key personnel when certain audit log entries (such as unauthorized access
attempts) appear. These alerts permit personnel to act upon anomalous events when they occur.
Audit trails can record activity at the system, application and user levels. Operating system
options let management choose the level of auditing to be recorded into the log:
a) Keystroke Monitoring records both the user’s keystrokes and the system’s response.
Consider possible legal, ethical, and behavioral implications of this surveillance.
b) Event Monitoring records who logged on when, for how long, and with which files and
programs.
a) How much should you log? All transactions or only significant transactions?
Self-Check
Unit Summary
• IT General Controls (ITGC) are a critical component of business operations and financial
information controls. They provide the foundation for reliance on data, reports, automated
controls, and other system functionality underlying business processes. The security, integrity,
and reliability of financial information relies on proper access controls, change management,
and operational controls.
• ITGCs affect almost all financial audits by virtue of their reach and significance. Due to their
nature, the ultimate risk of material misstatement is often affected when a potential control
deficiency around financial data or processing changes the inherent risk of multiple areas.
• As auditors, we tend to think of inherent and control risks related to expertise, outside forces,
reconciliations, board oversight and many mitigating controls. Often auditors fail to notice this
information is controlled, processed and reported through various applications and databases.
What becomes difficult is knowing what controls should apply to an audit. As a result, ITGCs
require some type of review in all financial audits. (https://www.moore-na.com/news/april-
2019/how-it-relates-to-the-audit)
32