Notes Ais615

This document discusses accounting information systems and internal controls. It covers reasons why threats to accounting systems are increasing, defines key terms like threats and controls, and describes the three main types of internal controls - preventive, detective, and corrective. It also discusses frameworks for internal controls like COSO and COBIT, the importance of internal environment and risk management, how to assess inherent and residual risks, and categories of control procedures.

Uploaded by

Bucko Barnes

CHAPTER 10: CONTROL AND ACCOUNTING INFORMATION SYSTEM

There are a few reasons why threats to accounting information systems are increasing.
The first reason is that information is available to an unprecedented number of workers.
Besides, information on distributed computer networks is hard to control. Information is
often distributed among many systems and thousands of employees. Customers and
suppliers have access to each other’s systems and data.

Any potential adverse occurrence is called a threat or an event. The potential dollar
loss from a threat is called the exposure or impact. The probability that it will happen is
called the likelihood of the threat.

Internal control is the process implemented to provide reasonable assurance that the
following control objectives are achieved. It is a process because it permeates an
organization’s activities and is an integral part of management activities. Internal
control provides reasonable assurances. Complete assurance is difficult to achieve and
prohibitively expensive.

Internal control performs three important functions:

1. Preventive controls deter problems before they arise.
2. Detective controls discover problems that are not prevented.
3. Corrective controls identify and correct problems as well as correct and
recover from the resulting errors.

Internal controls are often segregated into two categories:

1. General controls. This type of control makes sure an organization’s control
environment is stable and well managed.
2. Application controls. This type of control makes sure transactions are
processed correctly.

A Harvard business professor has espoused four levels of control to help management
reconcile the conflict between creativity and controls.

● Belief system. This system describes how the company creates value and
helps the employees understand the management’s vision.
● Boundary system. This system helps employees act ethically by setting
boundaries on employee behavior.
● Diagnostic control system. This type of system measures, monitors, and
compares actual company progress to budgets and performance goals.
● Interactive control system. This system helps managers to focus on key
strategic issues and to be more involved in decisions.

The Foreign Corrupt Practices Act (FCPA) was passed to prevent companies from bribing
foreign officials to obtain business. The Sarbanes-Oxley Act (SOX) is the most important
business-oriented legislation of the last 75 years. After SOX was passed, the SEC mandated that
management must base its evaluation on a recognized control framework. Management also
must disclose all material internal control weaknesses and must conclude that a
company does not have effective financial reporting internal controls if there are
material weaknesses.

There are three frameworks used to develop internal control systems.

● COBIT framework. The ISACA developed the Control Objectives for Information
and Related Technology (COBIT) framework. This framework addresses
control from three vantage points.
○ Business objectives. This is to satisfy business objectives.
○ IT resources. These include people, application systems,
technology, facilities and data.
○ IT processes. These are broken into four domains: planning &
organization, acquisition & implementation, delivery & support and
monitoring & evaluation.
● The Committee of Sponsoring Organizations (COSO) consists of a few
organizations. COSO issued the Internal Control – Integrated Framework
(IC), which is widely accepted as the authority on internal controls and is
incorporated into policies, rules, and regulations used to control business
activities.
● COSO developed another control framework to improve the risk
management process. It is called the Enterprise Risk Management – Integrated
Framework (ERM). ERM is the process the board of directors and
management use to set strategy, identify events that may affect the entity,
assess and manage risks, and provide reasonable assurance that the
company achieves its objectives and goals.

The internal environment, or company culture, influences how organizations establish
strategies and objectives and structure business activities. A weak or deficient internal
environment often results in breakdowns in risk management and control. An internal
environment control consists of the following:

● Management’s philosophy, operating style, and risk appetite
● The board of directors
● Commitment to integrity, ethical values, and competence
● Organizational structure
● Methods of assigning authority and responsibility
● Human resource standards
● External influences

Companies have a risk appetite, which is the amount of risk they are willing to accept
to achieve their goals. To avoid undue risk, the risk appetite must be in alignment with
company strategy. The more responsible management’s philosophy and operating style,
the more clearly they are communicated, the more likely employees will behave
responsibly.

An involved board of directors represents shareholders and provides an independent
review of management that acts as a check and balance on its actions. Public
companies have an audit committee of outside, independent directors. The audit
committee is responsible for financial reporting, regulatory compliance, internal control
and hiring and overseeing internal and external auditors.

The policy and procedures manual explains proper business practices, describes needed
knowledge and experience, explains document procedures, explains how to handle
transactions, and lists the resources provided to carry out specific duties. The manual
includes the chart of accounts and copies of forms and documents. It is a helpful tool
for both current employees and new employees.

Employees should be hired based on educational background, experience,
achievements, honesty and integrity, and meeting written job requirements. Sometimes
there is a background check. A thorough background check includes talking to
references, checking for a criminal record, examining credit records, and verifying
education and work experience.

One of the greatest control strengths is the honesty of the employees. Policies should
convey the required level of expertise, competence, ethical behavior and integrity.
The following policies and procedures are important.

● Hiring
● Compensating, evaluating and promoting
● Managing disgruntled employees
● Discharging
● Vacations and rotation of duties
● Confidentiality agreements and fidelity bond insurance
● Prosecute and incarcerate perpetrators

Objective setting is the second ERM component. Management determines what the
company hopes to achieve, often referred to as the corporate vision or mission. The
company determines what must go right to achieve the objectives and establishes
performance measures to determine whether they are met.

● Strategic objectives
● Operation objectives
● Reporting objectives
● Compliance objectives

The risks of an identified event are assessed in several different ways.

Inherent risk exists before management takes any steps to control the likelihood or
impact of an event.

The residual risk is what remains after management implements internal controls or
some other response to risk. Companies should assess inherent risk, develop a
response, and then assess residual risk.

Management can respond to risk in one of four ways:

● Reduce the likelihood and impact of risk by implementing internal controls
● Accept the likelihood and impact of the risk
● Share risk or transfer it to someone else
● Avoid risk by not engaging in the activity that produces the risk

Accountants and systems designers help management design effective control systems
to reduce inherent risk. They also evaluate internal control systems to ensure that they
are operating effectively.

One way to estimate the value of the internal controls involves the expected loss, the
mathematical product of impact and likelihood.

Expected loss = impact x likelihood

The value of a control procedure is the difference between the expected loss with the
control procedure and the expected loss without it.
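
The following is an added worked example, not part of the notes, that applies the formula above to one threat: it computes the inherent expected loss, the residual expected loss once a control scales down impact or likelihood, the value of the control as the difference between the two, and the net benefit after the control's own cost. The threat, the control and every dollar figure and probability are constructed assumptions.

```python
"""Expected loss and the value of a control procedure.

Added example (not from the notes). It applies expected loss = impact x
likelihood to a constructed threat and a constructed candidate control,
and values the control as the difference between the expected loss
without it and with it. All figures are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float      # potential dollar loss if the event occurs (exposure)
    likelihood: float  # probability that the event occurs in a year, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Factors by which the control scales impact and likelihood, 0..1.
    # 1.0 means the control leaves that dimension unchanged.
    impact_factor: float
    likelihood_factor: float


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return impact * likelihood


def inherent_expected_loss(threat: Threat) -> float:
    """Expected loss before any control is applied (inherent risk)."""
    return expected_loss(threat.impact, threat.likelihood)


def residual_expected_loss(threat: Threat, control: Control) -> float:
    """Expected loss after the control reduces impact and/or likelihood (residual risk)."""
    return expected_loss(threat.impact * control.impact_factor,
                         threat.likelihood * control.likelihood_factor)


def control_value(threat: Threat, control: Control) -> float:
    """Value of a control = expected loss without it - expected loss with it."""
    return inherent_expected_loss(threat) - residual_expected_loss(threat, control)


def net_benefit(threat: Threat, control: Control) -> float:
    """Control value less the cost of running the control; positive means worth doing."""
    return control_value(threat, control) - control.annual_cost


# Constructed figures for illustration only.
UNAUTHORISED_PAYMENT = Threat("fraudulent vendor payment", impact=200_000.0, likelihood=0.05)
DUAL_APPROVAL = Control("dual approval of payments over a threshold",
                        annual_cost=3_000.0, impact_factor=1.0, likelihood_factor=0.2)


if __name__ == "__main__":
    print(f"inherent expected loss: {inherent_expected_loss(UNAUTHORISED_PAYMENT):,.0f}")
    print(f"residual expected loss: {residual_expected_loss(UNAUTHORISED_PAYMENT, DUAL_APPROVAL):,.0f}")
    print(f"value of control:       {control_value(UNAUTHORISED_PAYMENT, DUAL_APPROVAL):,.0f}")
    print(f"net benefit:            {net_benefit(UNAUTHORISED_PAYMENT, DUAL_APPROVAL):,.0f}")
```

With the constructed figures the inherent expected loss is 10,000, the residual expected loss 2,000, so the control is worth 8,000 a year and still shows a 5,000 net benefit after its 3,000 cost; a control whose cost exceeds its value would show a negative net benefit and should be reconsidered.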

Control activities are policies and procedures that provide reasonable assurance that
control objectives are met and risk responses are carried out. It is management’s
responsibility to develop a secure and adequately controlled system.

Controls are much more effective when placed in the system as it is built, rather than
as an afterthought. Managers need to involve systems analysts, designers, and end
users when designing computer-based control systems.

Control procedures fall into the following categories:

● Proper authorization of transactions and activities
● Segregation of duties
● Project development and acquisition controls
● Change management controls
● Design and use of documents and records
● Safeguarding assets, records and data
● Independent checks on performance

Because management lacks the time and resources to supervise each company activity
and decision, it establishes policies for employees to follow and then empowers them.
This empowerment, called authorization, is an important control procedure.
Authorizations are often documented by signing, initialing, or entering an authorization
code on a document.

Computer systems can record a digital signature, a means of signing a document with
data that cannot be forged.

Certain activities or transactions may be of such consequence that management grants
specific authorization for them to occur. In contrast, there is a procedure known as
general authorization, under which routine transactions are handled without special approval.

Good internal control requires that no single employee be given too much responsibility
over business transactions and processes. An employee should not be in a position to
commit and conceal fraud. Segregation of duties is discussed in two separate sections:
segregation of accounting duties and segregation of system duties.

Effective segregation of accounting duties is achieved when the following functions are
separated (see also figure 7.3 on page 217).

● Authorization: approving transactions and decisions
● Recording: preparing source documents
● Custody: handling cash, tools, inventory, or fixed assets

With segregation of system duties, authority and responsibility should be divided
clearly among the following functions:

● Systems administration: make sure all information system components
operate smoothly and efficiently.
● Network management: ensure that devices are linked to the organization’s
internal and external networks.
● Security management: makes sure that systems are secured and protected
from internal and external threats.
● Change management: is the process of making sure that changes are made
smoothly and efficiently.
● Users: record transactions, authorize data to be processed and use system
output.
● Programming: take the analyst’s design and create a system.
● Computer operations: run the software on the company’s computers.
● Information system library: maintains custody of corporate databases, files
and programs in a separate storage area.
● Data control
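
As an added example covering both the accounting and the system duties above (not code from the notes), the script below takes a constructed table of employee-to-function assignments and reports anyone who combines functions that should be separated. The accounting rule follows the text exactly: authorization, recording and custody must not sit with one person. The incompatible system-duty pairs (for example programming together with computer operations) are an assumption of this example, standing in for a policy the organization would define; the employee names are constructed.

```python
"""Segregation-of-duties check over a role assignment table.

Added example, not from the notes. Accounting rule from the text:
authorization, recording and custody must be held by different people.
The incompatible system-duty pairs are an assumed policy, not a rule
stated in the notes. All employee data is constructed.
"""
from collections import defaultdict

ACCOUNTING_FUNCTIONS = {"authorization", "recording", "custody"}

# Assumed policy: pairs of system functions that one person must not combine.
INCOMPATIBLE_SYSTEM_PAIRS = {
    frozenset({"programming", "computer operations"}),
    frozenset({"programming", "information system library"}),
    frozenset({"security management", "systems administration"}),
    frozenset({"users", "programming"}),
}


def duties_by_employee(assignments):
    """Group (employee, function) rows into {employee: set of functions}."""
    duties = defaultdict(set)
    for employee, function in assignments:
        duties[employee].add(function.strip().lower())
    return dict(duties)


def accounting_conflicts(functions):
    """Return the accounting functions an employee combines, if more than one."""
    held = functions & ACCOUNTING_FUNCTIONS
    return held if len(held) > 1 else set()


def system_conflicts(functions):
    """Return the incompatible system-duty pairs an employee holds."""
    return {pair for pair in INCOMPATIBLE_SYSTEM_PAIRS if pair <= functions}


def find_sod_violations(assignments):
    """Return {employee: [descriptions]} for every employee with a conflict."""
    violations = {}
    for employee, functions in duties_by_employee(assignments).items():
        problems = []
        acc = accounting_conflicts(functions)
        if acc:
            problems.append("accounting: " + " + ".join(sorted(acc)))
        for pair in sorted(system_conflicts(functions), key=sorted):
            problems.append("system: " + " + ".join(sorted(pair)))
        if problems:
            violations[employee] = problems
    return violations


# Constructed sample assignments.
SAMPLE_ASSIGNMENTS = [
    ("alice", "authorization"),
    ("alice", "custody"),              # approves and handles cash: can commit and conceal
    ("bob", "recording"),
    ("carol", "programming"),
    ("carol", "computer operations"),  # can change code and run it in production
    ("dave", "network management"),
]

if __name__ == "__main__":
    for employee, problems in find_sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(employee, "->", "; ".join(problems))
```

Run periodically against the live role table (for example an export from the HR or identity system), this kind of check turns the segregation principle into a detective control: it finds the conflicts that accumulate as people change jobs and keep old entitlements.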

Important system development controls are the following:

1. A steering committee. This committee guides and oversees systems
development and acquisition.
2. A strategic master plan. This is a plan developed and updated every year to
align an organization’s information system with its business strategies.
3. A project development plan. This is a plan that shows the tasks to be
performed, who will perform them, project costs, completion dates, and
project milestones.
4. A data processing schedule. This schedule shows when each task should be
performed.
5. System performance measurements. These are established to evaluate the
system. Measurements include throughput, utilization and response time.
6. A post-implementation review. This review is performed after a development
project is completed to determine whether the anticipated benefits were
achieved.

Some companies hire a systems integrator to manage a systems development effort
involving its own personnel, its client, and other vendors. Companies using systems
integrators should use the same project management processes and controls as internal
projects. They should develop clear specifications and monitor the project.

Independent checks on performance, done by someone other than the person who
performs the original operation, help ensure that transactions are processed accurately.
They include the following:

● Top-level reviews. Management should monitor company results and periodically
compare actual company performance to planned, prior-period or competitors’
performance.
● Analytical reviews. This is an examination of the relationship between different
sets of data.
● Reconciliation of independently maintained records. Records should be reconciled
to documents or records with the same balance.
● Comparison of actual quantities with recorded amounts. Significant assets are
periodically counted and reconciled to company records.
● Double-entry accounting. The maxim that debits must equal credits provides
numerous opportunities for independent checks.
● Independent review. After a transaction is processed, a second person reviews the
work of the first, checking for proper authorization etc.

Information and communication constitute the seventh component of the ERM and is
also a very important component in the accounting information system. This relates
directly to the primary purpose of an AIS, which is to gather, record, process, store,
summarize, and communicate information about an organization.

An audit trail allows transactions to be traced back and forth between their origination
and the financial statements.

Accounting systems generally consist of seven subsystems, each designed to process a
particular type of transaction using the same sequence of procedures, called accounting
cycles.

ERM processes must be continuously monitored and modified as needed, and
deficiencies must be reported to management. Key methods of monitoring performance
include the following:

● Perform ERM evaluations. The effectiveness is measured using a formal or a
self-assessment ERM evaluation.
● Implement effective supervision. This involves training and assisting employees,
monitoring their performance, correcting errors, and overseeing employees who have
access to assets.
● Use responsibility accounting systems. These systems include budgets, quotas,
schedules, standard costs, and quality standards.
● Monitor system activities. For example, risk analysis and management software
packages review computer and network security measures, detect illegal access, test
for weaknesses and vulnerabilities, report weaknesses found and suggest
improvements. The software also monitors and combats viruses, spyware, adware,
spam etc.
● Track purchased software and mobile devices. The Business Software Alliance (BSA)
tracks down and fines companies that violate software license agreements. The
increasing number of mobile devices should be tracked and monitored, because their
loss could represent a substantial exposure.
● Conduct periodic audits. External, internal and network security audits can assess
and monitor risk as well as detect fraud and errors. Informing employees of audits
helps resolve privacy issues, deters fraud, and reduces errors. Auditors should
regularly test system controls and periodically browse system usage files looking for
suspicious activities.
● Employ a computer security officer and a chief compliance officer. A computer
security officer (CSO) is in charge of system security, is independent of the
information system function, and reports to the chief operating officer (COO) or the
CEO.
● Engage forensic specialists. Forensic investigators who specialize in fraud are a
fast-growing group in the accounting profession. Computer forensics specialists
discover, extract, safeguard and document computer evidence such that its
authenticity, accuracy, and integrity will not succumb to legal challenges.
● Install fraud detection software. Neural networks are programs with learning
capabilities. These networks can accurately identify fraud.
● Implement a fraud hotline. A fraud hotline is an effective way to comply with the law
and resolve whistle-blower conflict.

CHAPTER 11: CONTROLS FOR INFORMATION SECURITY

Every organization relies on information technology. Management wants assurance that
the information produced by its accounting system is reliable. It also wants to know
that its investment in information technology is cost effective.

See figure 8.1 on page 240 for the COBIT framework. It shows the business and
governance objectives. The information for management has several requirements:

● Effectiveness: the information must be relevant and timely
● Efficiency: the information must be produced in a cost-effective manner
● Confidentiality: sensitive information must be protected from unauthorized
disclosure
● Integrity: the information must be accurate, complete and valid
● Availability: the information must be available whenever needed
● Compliance: controls must ensure compliance with internal policies and with
external legal and regulatory requirements
● Reliability: management must have access to appropriate information
needed to conduct daily activities and to exercise its fiduciary and
governance responsibilities

Information must satisfy the seven criteria listed above. The processes to achieve this
are grouped into four basic management activities, also called domains.

1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate

COBIT specifies 210 detailed control objectives for the 34 processes in these four
domains to enable effective management of an organization’s information resources. It
also describes specific audit procedures for assessing the effectiveness of those controls
and suggests metrics that management can use to evaluate performance.

The ‘Trust Service Framework’ is not a substitute for COBIT, because it addresses only a
subset of the issues covered by the COBIT.

The ‘Trust Service Framework’ classifies information systems controls into five
categories that most directly pertain to systems reliability:

● Security
● Confidentiality
● Privacy
● Processing integrity
● Availability

Two fundamental information security concepts:

1. Security is a management issue, not a technology issue.
2. The accuracy of an organization’s financial statements depends upon the
reliability of its information systems. Information security is the foundation
for systems reliability and the responsibility of management.

Defense-in-depth and the time-based model of information security

The idea of defense-in-depth is to employ multiple layers of control in order
to avoid having a single point of failure. It typically involves the use of a
combination of preventive, detective, and corrective controls. The goal of a
time-based model of security is to employ a combination of detective and
corrective controls that identify an information security incident early
enough to prevent the loss or compromise of information.

The objective of the time-based model of security can be expressed in a formula that uses
the following three variables.

P = the time it takes an attacker to break through the organization’s preventive controls

D = the time it takes to detect that an attack is in progress

C = the time it takes to respond to the attack

If P > D + C, then the organization’s security procedures are effective. Otherwise,
the procedures are not effective. The time-based model of security provides a
means for management to identify the most cost-effective approach to improving
security by comparing the effects of additional investment in preventive, detective, or
corrective controls.
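
The following added example (not from the notes) puts the P > D + C test into code and then does what the last sentence describes: it compares candidate investments in preventive, detective and corrective controls by how much margin (P minus D plus C) each buys per unit of cost. The baseline timings, the three investment options, their costs and their effects on P, D and C are all constructed assumptions, not measurements of any real environment.

```python
"""Time-based model of security: P > D + C.

Added example, not from the notes. It checks whether a set of controls
is effective under the time-based model and ranks candidate investments
by margin gained per unit of cost. Baseline timings, options and their
effects are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Timings:
    p_hours: float  # time for an attacker to get through preventive controls
    d_hours: float  # time to detect that an attack is in progress
    c_hours: float  # time to respond once the attack is detected


def is_effective(t: Timings) -> bool:
    """Security is effective when P > D + C."""
    return t.p_hours > t.d_hours + t.c_hours


def margin(t: Timings) -> float:
    """P - (D + C): positive means the defender wins the race."""
    return t.p_hours - (t.d_hours + t.c_hours)


@dataclass(frozen=True)
class Investment:
    name: str
    cost: float
    delta_p: float = 0.0  # hours added to P (preventive control)
    delta_d: float = 0.0  # hours removed from D (detective control)
    delta_c: float = 0.0  # hours removed from C (corrective control)


def apply(t: Timings, inv: Investment) -> Timings:
    """Timings after the investment; D and C cannot fall below zero."""
    return Timings(
        p_hours=t.p_hours + inv.delta_p,
        d_hours=max(0.0, t.d_hours - inv.delta_d),
        c_hours=max(0.0, t.c_hours - inv.delta_c),
    )


def rank_investments(baseline: Timings, options):
    """Rank options by margin gained per unit of cost, best first."""
    scored = []
    for inv in options:
        gain = margin(apply(baseline, inv)) - margin(baseline)
        scored.append((gain / inv.cost, gain, inv))
    scored.sort(key=lambda row: row[0], reverse=True)
    return scored


def best_investment(baseline: Timings, options) -> Investment:
    """The option with the highest margin per unit of cost."""
    return rank_investments(baseline, options)[0][2]


# Constructed baseline: prevention holds 24h, detection takes 20h, response 8h.
BASELINE = Timings(p_hours=24.0, d_hours=20.0, c_hours=8.0)
OPTIONS = [
    Investment("stronger firewall rules", cost=10_000.0, delta_p=6.0),
    Investment("24x7 log monitoring", cost=15_000.0, delta_d=16.0),
    Investment("incident response retainer", cost=8_000.0, delta_c=4.0),
]

if __name__ == "__main__":
    print("baseline effective:", is_effective(BASELINE), "margin:", margin(BASELINE))
    for per_cost, gain, inv in rank_investments(BASELINE, OPTIONS):
        after = apply(BASELINE, inv)
        print(f"{inv.name}: +{gain:.0f}h margin, effective={is_effective(after)}")
```

With these assumed numbers the baseline fails (24 < 28), and the detective investment wins: it is the only single option that makes P exceed D + C, and it also buys the most margin per dollar. Cheaper options that leave P equal to D + C still fail the strict inequality.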

It is useful to understand the basic steps criminals use to attack an organization’s
information system.

1. Conduct reconnaissance. The goal is to learn as much as possible about the
target and to identify potential vulnerabilities.
2. Attempt social engineering. Social engineering takes place when attackers try
to use the information obtained during their initial reconnaissance to ‘trick’ an
unsuspecting employee into granting them access. Social engineering attacks
often take place over the telephone.
3. Scan and map the target.
4. Research.
5. Execute the attack.
6. Cover tracks.

Preventive controls

● Training. People play a critical role in information security and that is why
employees must understand and follow the organization’s security policies.
Thus, training is a critical preventive control. All employees should be taught
why security measures are important and need to be trained to follow safe
computing practices. Training is especially needed to educate employees
about social engineering attacks. Employees also need to be trained not to
allow other people to follow them through restricted access entrances. We
call this social engineering attack piggybacking. It can take place both at the
main entrance to the building and at any internal locked door.
● User access controls
● Physical access controls
● Network access controls
● Device and software hardening controls

User access controls

There are two related but distinct types of user access controls that accomplish this
objective: authentication and authorization.

Authentication controls restrict who can access the organization’s information system.
Authentication is the process of verifying the identity of the person or device attempting
to access the system. The objective is to ensure that only legitimate users can access
the system. There are three methods of verifying a person’s identity:

1. Something they know, such as passwords or personal identification numbers
2. Something they have, such as smart cards or ID badges
3. Some physical characteristic, such as fingerprints or voice

None of the three basic authentication credentials, by itself, is foolproof. The use of two
or all three types in conjunction is called multifactor authentication. It is quite
effective. Using multiple credentials of the same type is a process referred to as
multiple authentication. It can improve security.

Authorization controls limit what those individuals can do once they have been granted
access. Authorization is the process of restricting access of authenticated users to
specific portions of the system and limiting what actions they are permitted to perform.
Authorization controls are often implemented by creating an access control matrix.
When an employee attempts to access a particular information systems resource, the
system performs a compatibility test that matches the user’s authentication credentials
against the access control matrix to determine whether that employee should be
allowed to access the resource and perform the requested action.
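
As an added example (not code from the notes), the script below implements the authorization mechanism just described: an access control matrix whose rows are users, whose columns are resources and whose cells hold the permitted actions, plus a compatibility test that looks up the authenticated user's entry for the requested resource and action. Anything the matrix does not explicitly permit is denied, and every decision is written to an audit log. The users, resources and permissions are constructed.

```python
"""Authorization via an access control matrix and a compatibility test.

Added example, not from the notes. Rows are users, columns are resources,
cells are the set of permitted actions; a missing cell means no access
(default deny). Users, resources and permissions are constructed.
"""

ACCESS_CONTROL_MATRIX = {
    "ap_clerk":   {"vendor_master": {"read"},
                   "ap_invoices": {"read", "create"}},
    "ap_manager": {"vendor_master": {"read", "update"},
                   "ap_invoices": {"read", "approve"}},
    "auditor":    {"vendor_master": {"read"},
                   "ap_invoices": {"read"},
                   "audit_log": {"read"}},
}


def compatibility_test(matrix, user, resource, action):
    """Return True only if the matrix explicitly permits the action."""
    return action in matrix.get(user, {}).get(resource, set())


def authorize(matrix, user, resource, action, log):
    """Apply the compatibility test and record the decision in the audit log."""
    decision = compatibility_test(matrix, user, resource, action)
    log.append((user, resource, action, "allow" if decision else "deny"))
    return decision


def evaluate_requests(matrix, requests):
    """Run each (user, resource, action) through the test; return the audit log."""
    log = []
    for user, resource, action in requests:
        authorize(matrix, user, resource, action, log)
    return log


# Constructed requests; the user is assumed to be already authenticated.
SAMPLE_REQUESTS = [
    ("ap_clerk", "ap_invoices", "create"),    # clerk enters an invoice: allowed
    ("ap_clerk", "ap_invoices", "approve"),   # clerk tries to approve: denied
    ("ap_manager", "ap_invoices", "approve"), # manager approves: allowed
    ("auditor", "vendor_master", "update"),   # auditor may only read: denied
    ("intern", "ap_invoices", "read"),        # no row in the matrix: denied
]

if __name__ == "__main__":
    for entry in evaluate_requests(ACCESS_CONTROL_MATRIX, SAMPLE_REQUESTS):
        print(*entry)
```

Note how the matrix also enforces the segregation of duties from chapter 10: the clerk who records invoices cannot approve them, and the approver cannot create them.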

Physical access controls

Physical access controls are essential to information resources, because a skilled
attacker needs only a few minutes of unsupervised direct physical access in order to
bypass existing information security controls.

Network access controls

A device called a border router connects an organization’s information system to the
internet. Behind the border router is the main firewall. The firewall is either a
special-purpose hardware device or software running on a general-purpose computer.

The demilitarized zone (DMZ) is a separate network that permits controlled access from
the internet to selected resources. The border router and the firewall act as filters to
control which information is allowed to enter and leave the organization’s information
system.

The transmission control protocol (TCP) specifies the procedures for dividing files and
documents into packets to be sent over the internet and the methods for reassembly of
the original document or file at the destination.

The internet protocol (IP) specifies the structure of those packets and how to route
them to the proper destination.

Special-purpose devices called routers are designed to read the destination address
fields in IP packet headers to decide where to send (route) the packet next.

A set of rules, called an access control list (ACL), determines which packets are allowed
entry and which are dropped. Border routers typically perform static packet filtering,
which screens individual IP packets based solely on the contents of the source and/or
destination fields in the packet header.
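
The following added example (not from the notes) models the static packet filtering just described: an ordered ACL whose rules look only at header fields (protocol, source network, destination network, destination port), first match wins, and a packet that matches nothing is dropped. The addresses and packets are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as stand-ins for the organization's public space and an outside client.

```python
"""Static packet filtering with an ordered access control list (ACL).

Added example, not from the notes. Rules match on header fields only
(the defining limit of static filtering); first match wins; unmatched
packets are dropped. All addresses and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # CIDR network or "any"
    dst: str                 # CIDR network or "any"
    dst_port: Optional[int]  # None matches any port
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def _addr_matches(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches on protocol, source network, destination network and port."""
    return (rule.proto == pkt.proto
            and _addr_matches(rule.src, pkt.src_ip)
            and _addr_matches(rule.dst, pkt.dst_ip)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def filter_packet(acl, pkt: Packet) -> str:
    """First matching rule decides; no match means the packet is dropped."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def filter_all(acl, packets):
    """Decision for each packet, in order."""
    return [filter_packet(acl, p) for p in packets]


# Constructed ACL for a border router in front of a DMZ web server.
DMZ_WEB = "203.0.113.10/32"
INTERNAL = "10.0.0.0/8"
ACL = [
    Rule("deny", src=INTERNAL, dst="any", dst_port=None),   # inside address arriving from outside
    Rule("permit", src="any", dst=DMZ_WEB, dst_port=443),
    Rule("permit", src="any", dst=DMZ_WEB, dst_port=80),
    Rule("deny", src="any", dst="any", dst_port=None),      # explicit default deny
]

SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", 443),  # public client to the web server: permit
    Packet("198.51.100.7", "203.0.113.10", 22),   # SSH to the web server: deny
    Packet("10.1.2.3", "203.0.113.10", 443),      # internal source seen at the border: deny
    Packet("198.51.100.7", "203.0.113.20", 443),  # host not published by the ACL: deny
]

if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_PACKETS, filter_all(ACL, SAMPLE_PACKETS)):
        print(f"{pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port} {decision}")
```

The first rule illustrates why even a static filter is useful: a packet claiming an internal source address but arriving on the outside interface cannot be legitimate and is dropped before any other rule is consulted. What this filter cannot do is look at the payload; that is the job of the deep packet inspection discussed next.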

Deep packet inspection is a process of examining the data contents of a packet. The
added control comes at the cost of speed. It takes more time to examine the body of an
IP packet. Deep packet inspection is the heart of a new type of security technology
called intrusion prevention systems (IPS) that monitors patterns in the traffic flow,
rather than only inspecting individual packets, to identify and automatically block
attacks. An IPS consists of a set of sensors and a central monitor unit that analyses the
data collected. Sensors must be installed in several places to effectively monitor
network traffic. IPSs use several different techniques to identify undesirable traffic
patterns.

The Remote Authentication Dial-In User Service (RADIUS) is a standard method to
verify the identity of users attempting to obtain dial-in access. Dial-in users connect to
a remote access server and submit their log-in credentials. The remote access server
passes those credentials to the RADIUS server, which performs compatibility tests to
authenticate the identity of that user. Only after the user has been authenticated is
access to the internal corporate network granted. The problem is that modems are
cheap and easy to install, so employees are often tempted to install them on their
desktop workstations without seeking permission or notifying anyone that they have
done so. The most efficient and effective way to periodically check for the existence of
rogue modems is to use war dialing software. This software calls every telephone
number assigned to the organization to identify those which are connected to modems.

Device and software hardening controls

Endpoints is the collective term for workstations, servers, printers, and other devices
that make up the organization’s network. Three areas are very important:

1. Endpoint configuration. Endpoints can be made more secure by modifying
their configurations. Every program that is running represents a potential
point of attack because it probably contains flaws, called vulnerabilities.
These vulnerabilities can be exploited to either crash the system or take
control of it. Tools called vulnerability scanners can be used to identify
unused and therefore unnecessary programs that represent potential
security threats. This process of modifying the default configuration of
endpoints to eliminate unnecessary settings and services is called hardening.
2. User account management. This is the management of all the user accounts.
Administrative rights are needed in order to install software and alter most
configuration settings. These powerful capabilities make accounts with
administrative rights prime targets for attackers. Many vulnerabilities affect
only accounts with administrative rights. Therefore, employees with
administrative rights also have another, non-administrative account.
3. Software design. As organizations have increased the effectiveness of their
perimeter security controls, attackers have increasingly targeted
vulnerabilities in application programs. The common theme in all of the
attacks is the failure to ‘scrub’ user input to remove potentially malicious
code. Therefore, programmers must be trained to treat all input from
external users as untrustworthy and to carefully check it before performing
further actions.

Detective controls

Preventive controls are never 100% effective in blocking all attacks. The COBIT control
objective stresses that organizations need to implement detective controls. Detective
controls enhance security by monitoring the effectiveness of preventive controls and
detecting incidents in which preventive controls have been successfully circumvented.
There are four types of detective controls.

Log Analysis

Most systems come with extensive capabilities for logging who accesses the system
and what specific actions each user performed. Log analysis is the process of
examining logs to identify evidence of possible attacks. These logs form an audit trail of
system access. It is important to analyse logs of failed attempts to log on to a system and
failed attempts to obtain access to specific information resources. It is also important to
analyse changes to the logs themselves, and logs need to be analysed regularly to
detect problems in a timely manner.
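
As an added example (not from the notes), the script below performs the three kinds of log analysis the paragraph calls for over a handful of constructed, syslog-style authentication records: it finds accounts with a burst of failed logons inside a short window, lists failed attempts to reach specific resources, and flags events that clear or alter the logs themselves. The line format, the event names (LOGON_OK, LOGON_FAIL, ACCESS_DENIED, LOG_CLEARED), the host name and the threshold are all assumptions of this example.

```python
"""Log analysis over constructed authentication log lines.

Added example, not from the notes. Detects (1) bursts of failed logons
per account within a time window, (2) denied access to specific
resources, and (3) events that change the logs themselves. The log
format, event names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<event>\S+)"
    r"(?: user=(?P<user>\S+))?(?: src=(?P<src>\S+))?(?: target=(?P<target>\S+))?$"
)

# Constructed sample log; not real system output.
SAMPLE_LOG = """\
2024-03-01T08:00:01 fin01 LOGON_OK user=alice src=10.1.4.20
2024-03-01T08:02:10 fin01 LOGON_FAIL user=bob src=10.1.4.21
2024-03-01T08:02:15 fin01 LOGON_FAIL user=bob src=10.1.4.21
2024-03-01T08:02:19 fin01 LOGON_FAIL user=bob src=10.1.4.21
2024-03-01T08:02:24 fin01 LOGON_FAIL user=bob src=10.1.4.21
2024-03-01T08:02:30 fin01 LOGON_FAIL user=bob src=10.1.4.21
2024-03-01T08:03:02 fin01 LOGON_OK user=bob src=10.1.4.21
2024-03-01T08:10:00 fin01 ACCESS_DENIED user=carol src=10.1.4.30 target=payroll_master
2024-03-01T08:11:45 fin01 LOG_CLEARED user=bob src=10.1.4.21 target=security_log
2024-03-01T09:30:00 fin01 LOGON_FAIL user=dave src=10.1.4.40
"""


def parse_log(text):
    """Parse lines into dicts with a datetime; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` LOGON_FAIL events inside a sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAIL":
            by_user[e["user"]].append(e["ts"])
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = end - start + 1
                break
    return bursts


def denied_resource_access(events):
    """Failed attempts to reach specific resources, grouped by target."""
    by_target = defaultdict(list)
    for e in events:
        if e["event"] == "ACCESS_DENIED":
            by_target[e["target"]].append(e["user"])
    return dict(by_target)


def log_tampering_events(events):
    """Events that alter the logs themselves (assumed event name LOG_CLEARED)."""
    return [(e["user"], e["target"]) for e in events if e["event"] == "LOG_CLEARED"]


def analyse(text):
    """Run all three checks and return their findings."""
    events = parse_log(text)
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "denied_access": denied_resource_access(events),
        "log_tampering": log_tampering_events(events),
    }


if __name__ == "__main__":
    for check, finding in analyse(SAMPLE_LOG).items():
        print(f"{check}: {finding}")
```

In the sample, bob's five failures in twenty seconds followed by a success and then a cleared security log is exactly the sequence regular review is meant to surface; a single failure such as dave's stays below the threshold. Forwarding logs to a separate, append-only store is what keeps the LOG_CLEARED check meaningful.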

Intrusion Detection Systems

Intrusion detection systems (IDSs) consist of a set of sensors and a central monitoring
unit that create logs of network traffic that was permitted to pass the firewall and then
analyse those logs for signs of attempted or successful intrusions. An IDS can be
installed on a specific device to monitor unauthorized attempts to change that device’s
configuration. The main difference between an IDS and an IPS is that the former only
produces a warning alert when it detects a suspicious pattern of network traffic,
whereas the latter not only issues an alert but also automatically takes steps to stop a
suspected attack.

Managerial Reports
It is really important that the management monitors and evaluates both system
performance and controls. The COBIT framework provides management guidelines that
identify critical success factors associated with each control objective and suggest key
performance indicators.

Security Testing

A penetration test is an authorized attempt by either an internal audit team or an
external security consulting firm to break into the organization’s information system.
This test provides a more rigorous way to test the effectiveness of an organization’s
information security.

Corrective controls

Organizations also need procedures to undertake timely corrective actions. Many
corrective actions rely on human judgment. Their effectiveness depends to a great
extent on proper planning and preparation.

Computer Incident Response Team

A computer incident response team (CIRT) is a team that is responsible for dealing with
major incidents. The CIRT should not only include technical specialists but also senior
operations management, because some potential responses to security incidents have
significant economic consequences. The CIRT should lead the organization’s incident
response process through the following four steps.

● Recognition that a problem exists.
● Containment of the problem.
● Recovery. Damage caused by the attack must be repaired.
● Follow-up. Once recovery is in process, the CIRT should lead the analysis of
how the incident occurred.

Chief Information Security Officer (CISO)

The CISO is responsible for information security. This person should be independent of
other information systems functions and should report to either the chief operating
officer (COO) or the chief executive officer (CEO).

Patch Management
Once a vulnerability has been identified, attackers explore and document how to take
advantage of it to compromise a system. The set of instructions for taking advantage of
a vulnerability is called an exploit. Once an exploit is published on the internet, it can
be used by anyone who runs that code.

A patch is code released by software developers that fixes a particular vulnerability.
Patch management is the process for regularly applying patches and updates to all
software used by the organization.

Virtualization takes advantage of the power and speed of modern computers to run
multiple systems simultaneously on one physical computer.

Cloud computing takes advantage of the high bandwidth of the modern global
telecommunication network to enable employees to use a browser to remotely access
software, data storage devices, hardware and entire application environments.

Virtualization and cloud computing alter the risk of some information security threats,
but they also offer the opportunity to significantly improve overall security.

CHAPTER 12: CONFIDENTIALITY & PRIVACY CONTROLS

This chapter covers two other important principles of reliable systems in the Trust
Services Framework: preserving the confidentiality of an organization’s intellectual
property and protecting the privacy of personal information it collects from customers.
We also discuss the topic of encryption in detail because it is a critical tool for protecting
both confidentiality and privacy.

Organizations possess a myriad of sensitive information, including strategic plans, trade
secrets, cost information, legal documents and process improvements. This intellectual
property is often crucial to the organization’s long-run competitive advantage and
success. Consequently, preserving the confidentiality of the organization’s intellectual
property, and of similar information shared by its business partners, has long been
recognized as a basic objective of information security. This section discusses the four
actions that must be taken to preserve confidentiality.

1. Identification and classification of the information to be protected
2. Encryption of sensitive information
3. Controlling access to sensitive information
4. Training

The first action is the identification and classification of the information to be
protected. The first step is to identify where such information resides and who has
access to it. This sounds easy, but it is harder than it seems: it is time-consuming and
costly, because it involves examining more than just the contents of the organization’s
financial system. The next step is to classify the information in terms of its value to the
organization.

The second action, encryption, is an important and effective tool for protecting
confidentiality, and it is the only way to protect information in transit over the internet.
Encryption is not a panacea, however. Some sensitive information may not be stored
digitally and therefore cannot be protected by being encrypted. Strong authentication is
also needed, so that nobody else can gain access to the computer holding the data, and
so are physical access controls. Sensitive information is exposed in plain view whenever
it is being processed by a program, displayed on a monitor or included in printed
reports. Protecting confidentiality therefore requires applying the principle of
defense-in-depth: supplementing encryption with access controls and training.

The third action is controlling access to sensitive information. One tool for this is
information rights management (IRM) software. This software provides an additional
layer of protection to specific information resources, offering the capability not only to
limit access to specific files or documents, but also to specify the actions that
individuals can perform on them (read, copy, print, download to USB devices, etc.).

Today, organizations constantly exchange information with their business partners and
customers. Therefore, protecting confidentiality also requires controls over outbound
communications. One tool for accomplishing this is data loss prevention (DLP) software.
This software works like an antivirus program in reverse, blocking outgoing messages
that contain keywords or phrases associated with the intellectual property or other
sensitive data the organization wants to protect.

A digital watermark is a detective control that enables organizations to identify
confidential information that has been disclosed. When an organization discovers
documents containing its digital watermark on the internet, it has evidence that the
preventive controls designed to protect its sensitive information have failed. It should
then investigate how the compromise occurred and take appropriate corrective action.

The last action is training, which is arguably the most important control for protecting
confidentiality. Employees need to know what information they can share with outsiders
and what information needs to be protected. They also need to be taught how to
protect confidential data, for example how to use encryption software. They should also
be aware that they always need to log out before leaving a laptop or workstation
unattended.

Privacy
In the Trust Services Framework, privacy is closely related to the confidentiality
principle. The two differ only in that privacy focuses on protecting personal information
about customers rather than organizational data; the controls that need to be
implemented to protect privacy are the same ones used to protect confidentiality.

The first step in protecting the privacy of personal information collected from customers
is to identify what information is collected, where it is stored, and who has access to it.
Furthermore, it is important to implement controls to protect that information, because
incidents involving the unauthorized disclosure of customers’ personal information,
whether intentional or accidental, can be costly.

Encryption is a fundamental control for protecting the privacy of personal information
from customers. That information needs to be encrypted both while it is in transit over
the internet and while it is in storage. Encrypting information can also save money for
the company.

To protect privacy, organizations should also run data masking programs. These
programs replace customers’ personal information with fake values before that data is
sent to the program development and testing systems.
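Added example (not part of the notes): a small Python data masking routine of the kind the paragraph describes. It replaces the personal fields in constructed customer records with fake values before the data leaves production, using keyed hashing so that the same real value always maps to the same fake value; that way the masked invoice table still joins to the masked customer table in the test environment, which naive random replacement would break. The record layout, field names and masking key are assumptions.

```python
import hashlib
import hmac

# Constructed sample records (not real customers). The card numbers are the
# well-known test numbers used in payment sandboxes.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Aisha Rahman", "email": "aisha.r@example.com",
     "card": "4539578763621486", "balance": 1250.40},
    {"customer_id": 1002, "name": "Ben Okoro", "email": "ben.okoro@example.com",
     "card": "5105105105105100", "balance": -80.00},
]
INVOICES = [
    {"invoice": 7, "customer_id": 1001, "amount": 99.0},
    {"invoice": 8, "customer_id": 1002, "amount": 15.5},
]

# Assumption: this key lives only with the masking job, never in the test environment,
# so nobody with the masked data can recompute the mapping.
MASKING_KEY = b"rotate-me-and-keep-out-of-test-env"


def pseudonym(value, prefix, length=8):
    """Deterministic token: the same real value always maps to the same fake value,
    so joins between masked tables still work, but the token cannot be reversed."""
    digest = hmac.new(MASKING_KEY, str(value).encode(), hashlib.sha256).hexdigest()
    return f"{prefix}{digest[:length]}"


def mask_card(pan):
    """Keep only the last four digits, as printed on receipts."""
    return "*" * (len(pan) - 4) + pan[-4:]


def mask_customer(rec):
    return {
        "customer_id": pseudonym(rec["customer_id"], "C"),
        "name": pseudonym(rec["name"], "NAME-"),
        "email": pseudonym(rec["email"], "user") + "@example.invalid",
        "card": mask_card(rec["card"]),
        "balance": rec["balance"],  # non-personal values are kept so tests stay realistic
    }


def mask_invoice(rec):
    # the foreign key is masked with the same function, so referential integrity survives
    return {**rec, "customer_id": pseudonym(rec["customer_id"], "C")}


def mask_dataset(customers, invoices):
    return [mask_customer(c) for c in customers], [mask_invoice(i) for i in invoices]


if __name__ == "__main__":
    for table in mask_dataset(CUSTOMERS, INVOICES):
        for row in table:
            print(row)
```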

Organizations also need to train employees on how to manage and protect personal
information from customers. This is especially important for medical and financial
personal information.

Two major privacy-related concerns are spam and identity theft.

Spam is unsolicited e-mail that contains either advertising or offensive content. Spam is
a privacy-related issue because recipients are often targeted as a result of
unauthorized access to e-mail address lists and databases containing personal
information. Spam is also a source of many viruses, worms, spyware programs, and
other types of malware. Anti-spam legislation contains a few key provisions. The
sender’s identity must be clearly displayed in the header of the message. The subject
field in the header must clearly identify the message. The body of the message must
provide recipients with a working link that can be used to opt out of future e-mail. The
body of the message must also include the sender’s valid postal address. Finally,
organizations should not send commercial e-mail to randomly generated addresses.

Identity theft, on the other hand, is the unauthorized use of someone’s personal
information for the perpetrator’s benefit. Identity theft is often a financial crime:
perpetrators obtain loans or open new credit cards in the victim’s name and sometimes
loot the victim’s bank accounts. A growing portion of identity theft cases involve
fraudulently obtaining medical care and services, which can have life-threatening
consequences.

The Generally Accepted Privacy Principles (GAPP) identify and define the following ten
internationally recognized best practices for protecting the privacy of customers’
personal information.

1. Management. Organizations need to establish a set of procedures and
policies for protecting the privacy of customers. They should assign
responsibility and accountability for implementing those policies to a specific
person or group.
2. Notice. An organization should provide notice about its privacy policies and
practices. The notice should clearly explain what information is being
collected, the reasons why, and how it will be used.
3. Choice and consent. Organizations should explain the choices available to
individuals and obtain their consent prior to the collection and use of their
personal information. The nature of the choices offered differs across
countries.
4. Collection. An organization should collect only the information needed to
fulfil the purposes stated in its privacy policy. Some websites use cookies.
A cookie is a text file created by a website and stored on a visitor’s hard
disk; it stores information about what the user has done on the site.
5. Use and retention. Organizations should use customers’ personal information
only in the manner described in their stated privacy policies and retain that
information only as long as needed to fulfil a legitimate business purpose.
6. Access. An organization should provide individuals with the ability to
access, review, correct, and delete personal information stored about them.
7. Disclosure to third parties. Organizations should disclose their customers’
personal information to third parties only in the situations and manners
described in their privacy policies and only to third parties who provide
the same level of privacy protection.
8. Security. An organization must take reasonable steps to protect its
customers’ personal information from loss or unauthorized disclosure. The
organization must use preventive, detective and corrective controls to
restrict access to this personal information.
9. Quality. Organizations should maintain the integrity of their customers’
personal information and employ procedures to ensure that it is reasonably
accurate.
10. Monitoring and enforcement. An organization should assign one or more
employees to be responsible for ensuring compliance with its stated privacy
policies. They must periodically verify that employees are complying with
those policies.

Encryption is a preventive control that can be used to protect both confidentiality and
privacy. Encryption protects data that is being sent over the internet, and it provides
one last barrier that must be overcome by an intruder who has obtained unauthorized
access to stored information. Accountants, auditors and systems professionals should
understand encryption.

Encryption is the process of transforming normal content, called plaintext, into
unreadable gibberish, called cipher text. See figure 9.1 on page 278 for the steps in the
encryption and decryption process.

Decryption reverses this process, transforming cipher text into plaintext. Both involve
the use of a key and an algorithm. Computers represent both as a series of binary
digits (0s and 1s). The key is a string of binary digits of a fixed length. The algorithm is
a formula for combining the key and the text.

Most documents are longer than a single block, so the encryption process begins by
dividing the plaintext into blocks of fixed length; the algorithm is then applied to the key
and each block of plaintext. The block length is a property of the algorithm and need
not equal the key length (AES, for example, always works on 128-bit blocks whether the
key is 128, 192 or 256 bits long).

Three important factors determine the strength of any encryption system.

● Key length: longer keys provide stronger encryption, because each
additional bit doubles the number of keys an attacker must try in a
brute-force search.
● Encryption algorithm: the nature of the algorithm used to combine the key
and the plaintext is important. A strong algorithm is one for which no
known attack is faster than trying every key by brute force.
● Policies for managing cryptographic keys: no matter how long the keys are,
or how strong the encryption algorithm is, if the keys have been
compromised, the encryption can be easily broken. Key escrow is the
related process of making copies of all encryption keys used by employees
and storing those copies securely.

There are two basic types of encryption systems. The first is symmetric encryption,
which uses the same key both to encrypt and to decrypt. The other is asymmetric
encryption, which uses two keys. One is called the public key; it is widely distributed
and available to everyone. The other is called the private key and is kept secret, known
only to the owner of that pair of keys.

Symmetric encryption is much faster than asymmetric encryption, but it has two major
problems. First, both parties need to know the shared secret key, so the two parties
need some method for securely exchanging the key that will be used both to encrypt
and to decrypt. Second, a separate key needs to be created for each party with whom
encrypted communication is desired.

Asymmetric encryption systems solve these problems. It does not matter who knows
the public key, because any text encrypted with it can be decrypted only by using the
corresponding private key.

The main drawback of asymmetric encryption is speed. Asymmetric encryption is
thousands of times slower than symmetric encryption, making it impractical for
exchanging large amounts of data over the internet. In practice the two are combined:
symmetric encryption is used to encode most of the data being exchanged, and
asymmetric encryption is used to safely send the symmetric key to the recipient for use
in decrypting the cipher text.

Hashing is a process that takes plaintext of any length and transforms it into a short
code, called a hash. Hashing differs from encryption in two important respects. The first
is that encryption always produces cipher text similar in length to the original
plaintext, whereas hashing always produces a hash of a fixed short length, regardless
of the length of the original plaintext.

The second difference is that encryption is reversible, but hashing is not. Given the
decryption key and the algorithm, cipher text can be decrypted back into the original
plaintext. By hashing, it is not possible to transform a hash back into the original
plaintext, because hashing throws away information.

Comparison of hashing and encryption

Hashing: one-way function (cannot be reversed or ‘unhashed’); an input of any size
yields the same fixed-size output.
Encryption: reversible (can be decrypted back to plaintext); output size is approximately
the same as the input size.

An important issue for business transactions has always been nonrepudiation, or how to
create legally binding agreements that cannot be unilaterally repudiated by either party.
The answer is to use both hashing and asymmetric encryption to create a digital
signature. A digital signature is a hash of a document or file that is encrypted using
the document creator’s private key; anyone holding the creator’s public key can decrypt
it and compare the result with a freshly computed hash of the document.
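Added example covering both the hashing paragraphs above and the digital signature just described; it is not from the notes. SHA-256 shows the fixed-length, one-way properties of a hash, and a deliberately simple textbook RSA key pair shows “hash, then encrypt the hash with the private key” and the matching verification with the public key. The fixed Mersenne primes, the unpadded signature and the key size are assumptions made so the example is reproducible; production systems generate random keys and use a padding scheme such as RSASSA-PSS, never raw RSA like this.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Fixed 64-hex-character output regardless of input length, and one-way."""
    return hashlib.sha256(data).hexdigest()


# --- Toy RSA key pair (illustration only) ---
# Assumption: fixed Mersenne primes stand in for randomly generated primes so the
# example is reproducible. gcd(E, (P-1)(Q-1)) == 1 for these values, and N is about
# 648 bits, comfortably larger than a 256-bit hash. Never use textbook RSA in practice.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (modular inverse, Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def sign(document: bytes, private_key) -> int:
    """Hash the document, then 'encrypt' the hash with the private key."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(document).digest(), "big")  # h < n, so no reduction
    return pow(h, d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Recover the hash with the public key and compare it to a fresh hash.
    Any change to the document, or to the signature, makes the comparison fail."""
    n, e = public_key
    expected = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return pow(signature, e, n) == expected


if __name__ == "__main__":
    doc = b"Pay ACME Ltd 1,000.00 on 2024-03-31"  # constructed sample document
    sig = sign(doc, PRIVATE_KEY)
    print("hash:", sha256_hex(doc))
    print("valid on original:", verify(doc, sig, PUBLIC_KEY))
    print("valid on altered :", verify(doc.replace(b"1,000", b"10,000"), sig, PUBLIC_KEY))
```

Only the holder of the private exponent D could have produced a value that decrypts under (N, E) to the document’s hash, which is what gives the signature its nonrepudiation property; binding (N, E) to a real identity is the job of the digital certificate described next.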

A digital certificate is an electronic document that contains an entity’s public key and
certifies the identity of the owner of that particular public key. Digital certificates
function like the digital equivalent of a driver’s licence or passport.

A certificate authority is a trusted independent party that issues digital certificates,
much as a government issues passports and driving licences; each certificate contains
the certificate authority’s digital signature to prove that it is genuine.

The system for issuing pairs of public and private keys and corresponding digital
certificates is called a public key infrastructure (PKI). The entire PKI system hinges on
trusting the certificate authorities that issue the keys and the certificates.

Encrypting information while it traverses the internet creates a virtual private network
(VPN), so named because it provides the functionality of a privately owned secure
network without the associated costs of leased telephones, satellites, and other
communication equipment.

See figure 9.4 on page 284 for the virtual private networks.

CHAPTER 13: PROCESSING INTEGRITY & AVAILABILITY
CONTROLS

This chapter addresses the remaining two principles of the reliable system: processing
integrity and availability.

The processing integrity principle of the Trust Services Framework states that a reliable
system is one that produces information that is accurate, complete, timely, and valid.
See table 10.1 for the application controls discussed in the COBIT framework to ensure
processing integrity. It requires controls over the input, processing, and output of data.

Input Controls
Forms design, cancellation and storage of source documents, and automated data
entry controls are needed to verify the validity of input data.

Source documents and other forms should be designed to minimize the chances for
errors and omissions. Two particularly important forms design principles are:

● Sequentially prenumbering source documents. Prenumbering improves
control by making it possible to verify that no documents are missing.
● Turnaround documents. A turnaround document is a record of company data
sent to an external party and then returned by the external party to the
system as input. Turnaround documents are prepared in machine-readable
form to facilitate their subsequent processing as input records.

Source documents that have been entered into the system should be cancelled so they
cannot be inadvertently or fraudulently re-entered into the system. Electronic
documents can be similarly ‘cancelled’ by setting a flag field to indicate that the
document has already been processed. Cancellation does not mean disposal.

Source documents should be scanned for reasonableness and propriety before being
entered into the system. Automated data entry controls then check each field:

● A field check determines whether the characters in a field are of the proper
type.
● A sign check determines whether the data in a field have the appropriate
arithmetic sign.
● A limit check tests a numerical amount against a fixed value.
● A range check tests whether a numerical amount falls between predetermined
lower and upper limits.
● A size check ensures that the input data will fit into the assigned field.
● A completeness check on each input record determines whether all required
data items have been entered.
● A validity check compares the ID code or account number in transaction data
with similar data in the master file to verify that the account exists.
● A reasonableness test determines the correctness of the logical relationship
between two data items.
● A check digit is computed from the other digits of an identifier. For example,
the system could assign each new employee a nine-digit number, calculate a
tenth digit from the original nine, and append that calculated digit to the
original nine to form a ten-digit ID number.
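Added example (not from the notes): a Python validation routine that applies the data entry checks listed above to a constructed payroll transaction record and reports every check that fails, so the caller can log all of them at once rather than stopping at the first. The record layout, the limits, the master file contents and the choice of the Luhn mod-10 algorithm for the check digit are assumptions; the notes do not specify which check-digit algorithm is used.

```python
MAX_HOURS_PER_WEEK = 80          # limit check (assumed payroll rule)
PAY_RATE_RANGE = (7.25, 150.00)  # range check (assumed band)


def luhn_check_digit(digits: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits. From the right, every second
    digit is doubled (and 9 subtracted if the result exceeds 9) before summing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def make_employee_id(nine_digits: str) -> str:
    """Nine assigned digits plus the computed tenth digit, as in the notes' example."""
    return nine_digits + luhn_check_digit(nine_digits)


# Constructed master file of valid employee IDs (assumption).
MASTER_EMPLOYEE_IDS = {make_employee_id(n) for n in ("100000001", "100000002", "100000003")}


def validate(rec: dict) -> list:
    """Return the list of failed checks for one transaction record (empty == clean)."""
    errors = []
    # completeness check: every required field present
    for field in ("employee_id", "hours", "rate", "dept"):
        if field not in rec or rec[field] in ("", None):
            errors.append(f"completeness: {field} missing")
    if errors:
        return errors

    emp = str(rec["employee_id"])
    if len(emp) != 10:                      # size check
        errors.append("size: employee_id must be 10 characters")
    elif not emp.isdigit():                 # field check
        errors.append("field: employee_id must be numeric")
    elif luhn_check_digit(emp[:9]) != emp[9]:   # check digit catches transposed/mistyped digits
        errors.append("check digit: employee_id mistyped")
    elif emp not in MASTER_EMPLOYEE_IDS:    # validity check against the master file
        errors.append("validity: employee_id not in master file")

    hours, rate = rec["hours"], rec["rate"]
    if not isinstance(hours, (int, float)) or not isinstance(rate, (int, float)):
        errors.append("field: hours and rate must be numeric")
        return errors
    if hours < 0:                           # sign check
        errors.append("sign: hours cannot be negative")
    if hours > MAX_HOURS_PER_WEEK:          # limit check
        errors.append(f"limit: hours exceed {MAX_HOURS_PER_WEEK}")
    lo, hi = PAY_RATE_RANGE
    if not lo <= rate <= hi:                # range check
        errors.append("range: pay rate outside allowed band")
    # reasonableness test: relationship between two fields
    if rec["dept"] == "PART-TIME" and hours > 40:
        errors.append("reasonableness: overtime in a part-time department")
    return errors


if __name__ == "__main__":
    sample = {"employee_id": "1000000061", "hours": -5, "rate": 22.5, "dept": "OPS"}
    print(validate(sample))
```

Note the ordering: the check digit is tested before the master-file lookup, because a transposed ID such as 1000000061 (for 1000000016) would otherwise be reported as “not on file” and might be “fixed” by creating a bogus employee.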

Additional batch processing data entry controls

● Batch processing works more efficiently if the transactions are sorted so that
the accounts affected are in the same sequence as records in the master
file. A sequence check tests whether a batch of input data is in the proper
numerical or alphabetical sequence.
● An error log that identifies data input errors facilitates timely review and
resubmission of transactions that cannot be processed.
● Batch totals summarize important values for a batch of input records. Three
commonly used batch totals are:
○ A financial total sums a field that contains monetary values.
○ A hash total sums a nonfinancial numeric field.
○ A record count is the number of records in a batch.
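Added example (not from the notes): Python functions that compute the three batch totals and the sequence check for a constructed batch of cash receipts, then reconcile the totals recomputed from the keyed-in records against the clerk’s control totals and suggest what kind of keying error each mismatch points to. The records and account numbers are made up for the example; the divisibility-by-9 test for two transposed adjacent digits is a standard bookkeeping rule of thumb.

```python
# Constructed batch of cash-receipt records (not real data): (record_no, account, amount)
BATCH = [
    (101, "4410", 250.00),
    (102, "4412", 1375.50),
    (103, "4415", 89.99),
    (104, "4420", 640.00),
]


def batch_totals(records):
    """Control totals computed from the source documents before (and again after) keying."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(amount for _, _, amount in records), 2),
        # the hash total is a meaningless sum: account numbers have no arithmetic value,
        # but the sum changes if a record is posted to the wrong account
        "hash_total": sum(int(account) for _, account, _ in records),
    }


def sequence_check(records):
    """Return descriptions of record numbers that are out of order or missing."""
    numbers = [rec_no for rec_no, _, _ in records]
    problems = []
    for prev, cur in zip(numbers, numbers[1:]):
        if cur <= prev:
            problems.append(f"out of sequence: {cur} after {prev}")
        elif cur != prev + 1:
            problems.append(f"gap: {prev + 1}..{cur - 1} missing")
    return problems


def reconcile(entered_records, control_totals):
    """Compare totals recomputed from the keyed records with the control totals and
    return (differences, hints about the kind of error to look for)."""
    actual = batch_totals(entered_records)
    diffs = {k: round(actual[k] - control_totals[k], 2)
             for k in control_totals if actual[k] != control_totals[k]}
    if "record_count" in diffs:
        # every other total will be off as well; fix the missing/duplicated record first
        return diffs, ["record dropped or duplicated"]
    hints = []
    if "financial_total" in diffs:
        cents = round(abs(diffs["financial_total"]) * 100)
        # swapping two adjacent digits always changes the value by a multiple of 9
        hints.append("transposition error likely" if cents % 9 == 0 else "amount keyed wrong")
    if "hash_total" in diffs:
        hints.append("posted to wrong account")
    return diffs, hints


if __name__ == "__main__":
    control = batch_totals(BATCH)
    keyed = [(101, "4410", 250.00), (102, "4412", 1735.50),  # 1375.50 mis-keyed
             (103, "4415", 89.99), (104, "4420", 640.00)]
    print(reconcile(keyed, control))
```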

Additional online data entry controls

● Prompting, in which the system requests each input data item and waits for
an acceptable response, ensures that all necessary data are entered.
● Closed-loop verification checks the accuracy of input data by using it to
retrieve and display other related information.
● A transaction log includes a detailed record of all transactions, including a
unique transaction identifier, the date and time of entry, and who entered
the transaction.

Processing controls
Controls are also needed to ensure that data is processed correctly. The main
processing controls are:

● Data matching. Two or more items of data must be matched before an
action can take place.
● File labels. These need to be checked to ensure that the correct and most
current files are being updated. Both internal and external labels should be
used. A header record (internal label) is located at the beginning of each file
and contains the name of the file, the expiration date, and other data. The
trailer record, also an internal label, is located at the end of the file and
contains batch totals calculated during input.
● Recalculation of batch totals. Batch totals should be recomputed as each
transaction record is processed, and the total for the batch should then be
compared to the values in the trailer record. A transposition error is an error
in which two adjacent digits were inadvertently reversed. Such errors may
appear trivial but can have enormous financial consequences.
● Cross-footing and zero-balance tests. Often totals can be calculated in
multiple ways. A cross-footing test compares the results produced by each
method to verify accuracy. The zero-balance test applies the same logic to
control accounts.
● Write-protection mechanisms. These protect against overwriting or erasing
of data files stored on magnetic media. They have long been used to protect
master files from accidentally being damaged.
● Concurrent update controls. These prevent the errors that arise when two or
more users attempt to update the same record at the same time, by locking
out one user until the system has finished processing the transaction
entered by the other.

Output controls
● User review of output. Users should carefully examine system output to
verify that it is reasonable, that it is complete, and that they are the
intended recipients.
● Reconciliation procedures. Periodically, all transactions and other system
updates should be reconciled to control reports, file status/update reports,
or other control mechanisms.
● External data reconciliation. Database totals should periodically be
reconciled with data maintained outside the system.
● Data transmission controls. Organizations also need to implement controls
designed to minimize the risk of data transmission errors. Two common
data transmission controls are:

○ Checksums. When data are transmitted, the sending device calculates
a hash of the file, called a checksum, and sends it along with the data.
The receiving device performs the same calculation and compares its
result with the sender’s checksum (or returns it to the sender for
comparison); a mismatch means the data were altered in transit.
○ Parity bits. Computers represent characters as a set of binary digits,
called bits. A parity bit is an extra bit added to every character that can
be used to check transmission accuracy. The two basic schemes are
even parity and odd parity. The receiving device performs parity
checking.
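Added example (not from the notes) of the two data transmission controls just listed, in Python: framing each 7-bit character with an even parity bit, checking parity on receipt, and verifying a SHA-256 checksum over a whole message. It also shows the weakness of parity, which misses an even number of bit flips within one character, a case the checksum still catches. The message contents are constructed for the example.

```python
import hashlib


def parity_bit(byte: int, even: bool = True) -> int:
    """Parity bit for one 7-bit character. Even parity makes the total count of
    1 bits (including the parity bit) even; odd parity makes it odd."""
    ones = bin(byte & 0x7F).count("1")
    bit = ones % 2  # 1 when the character has an odd number of 1s
    return bit if even else bit ^ 1


def encode(data: bytes, even: bool = True):
    """Frame each 7-bit character as (parity_bit, character), as the sender would."""
    return [(parity_bit(b, even), b & 0x7F) for b in data]


def parity_errors(frames, even: bool = True):
    """Receiver side: index of every frame whose parity bit disagrees with its character."""
    return [i for i, (p, b) in enumerate(frames) if parity_bit(b, even) != p]


def flip_bit(frames, index: int, bit: int):
    """Simulate line noise corrupting one bit of one character."""
    frames = list(frames)
    p, b = frames[index]
    frames[index] = (p, b ^ (1 << bit))
    return frames


def checksum(data: bytes) -> str:
    """Sender computes this over the whole message and transmits it alongside."""
    return hashlib.sha256(data).hexdigest()


def receive(data: bytes, sent_checksum: str) -> bool:
    """Receiver recomputes the checksum; any mismatch means the data changed in transit."""
    return checksum(data) == sent_checksum


if __name__ == "__main__":
    frames = encode(b"PAY")
    print("clean       :", parity_errors(frames))
    print("one flip    :", parity_errors(flip_bit(frames, 0, 3)))
    print("two flips   :", parity_errors(flip_bit(flip_bit(frames, 0, 3), 0, 5)))
```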

Availability
Interruptions to business processes due to the unavailability of systems or information
can cause significant financial losses. The primary objective is to minimize the risk of
system downtime. Another objective is quick and complete recovery and resumption of
normal operations.

The first objective is addressed by:

● Preventive maintenance. Examples are cleaning disk drives and properly
storing magnetic and optical media, to reduce the risk of hardware and
software failure.
● Fault tolerance. This is the ability of a system to continue functioning in the
event that a particular component fails. For example, many organizations
use redundant arrays of independent drives (RAID) instead of just one disk
drive. With RAID, data is written to multiple disk drives simultaneously.
● Data centre location and design. Common design features include the
following. Raised floors provide protection from damage caused by flooding.
Fire detection and suppression devices reduce the likelihood of fire damage.
An uninterruptible power supply (UPS) provides protection in the event of a
prolonged power outage, using battery power to enable the system to
operate long enough to back up critical data and shut down safely.
● Training. Well-trained operators are less likely to make mistakes and will
know how to recover, with minimal damage, from errors they do commit.
● Patch management and antivirus software.

The second objective has the following key controls:

● Backup procedures. A backup is an exact copy of the most current version
of a database, file, or software program that can be used in the event that
the original is no longer available.
● Disaster recovery plan (DRP)
● Business continuity plan (BCP)

The recovery point objective (RPO) represents the maximum amount of data that the
organization is willing to potentially lose.

The recovery time objective (RTO) represents the length of time that the organization is
willing to attempt to function without its information system.

Real-time mirroring involves maintaining two copies of the database at two separate
data centers at all times and updating both copies in real-time as each transaction
occurs.

There are two types of daily backups:

1. An incremental backup copies only the data items that have changed since
the last backup of any kind (full or incremental), so a restore needs the full
backup plus every incremental taken since.
2. A differential backup copies all changes made since the last full backup, so
a restore needs only the full backup plus the most recent differential.
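Added example (not from the notes) that works through the difference between incremental and differential backups in Python. It takes a constructed week of file changes after a Sunday full backup, computes what each day’s backup contains under both strategies, lists the backups that must be restored to recover Thursday’s state, and totals the storage each strategy consumes, which makes the trade-off between backup size and restore chain length concrete. The file names and change history are made up.

```python
# Constructed week of changes after a Sunday full backup: day -> files changed that day.
CHANGES = {
    "Mon": {"gl.db", "ar.db"},
    "Tue": {"ar.db"},
    "Wed": {"payroll.db"},
    "Thu": {"ar.db", "ap.db"},
}
ALL_FILES = {"gl.db", "ar.db", "ap.db", "payroll.db", "inventory.db"}
DAYS = ["Mon", "Tue", "Wed", "Thu"]


def backup_sets(strategy):
    """Files captured by each day's backup. 'incremental': changes since the previous
    backup of any kind; 'differential': all changes since the Sunday full backup."""
    sets = {}
    since_full = set()
    for day in DAYS:
        since_full |= CHANGES[day]
        sets[day] = set(CHANGES[day]) if strategy == "incremental" else set(since_full)
    return sets


def restore_chain(strategy, up_to):
    """Backups that must be restored, in order, to rebuild the state at the end of `up_to`."""
    days = DAYS[:DAYS.index(up_to) + 1]
    if strategy == "incremental":
        return ["full"] + days  # the full backup plus every incremental since it
    return ["full", up_to]      # the full backup plus only the latest differential


def version_in_backup(filename, day):
    """The copy of a file taken on `day` is the version from its last change on or before
    that day (or the full-backup version if it has not changed since Sunday)."""
    last = "full"
    for d in DAYS[:DAYS.index(day) + 1]:
        if filename in CHANGES[d]:
            last = d
    return last


def restored_state(strategy, up_to):
    """Apply the restore chain: each later backup overwrites the files it contains.
    Both strategies must end in the same state; they differ in how many steps it takes."""
    sets = backup_sets(strategy)
    state = {f: "full" for f in ALL_FILES}
    for step in restore_chain(strategy, up_to)[1:]:
        for f in sets[step]:
            state[f] = version_in_backup(f, step)
    return state


def storage_cost(strategy):
    """Total number of file copies written during the week (a proxy for backup size)."""
    return sum(len(s) for s in backup_sets(strategy).values())


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, restore_chain(strategy, "Thu"), "copies:", storage_cost(strategy))
```

The incremental chain is shorter to write each night but longer to restore, and it breaks entirely if any one incremental is lost or corrupt; the differential chain costs more storage but a restore always needs exactly two backups, which matters when the recovery time objective is tight.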

A disaster recovery plan (DRP) outlines the procedures to restore an organisation’s IT
function in the event that its data center is destroyed by a natural disaster or act of
terrorism. A cold site is an empty building that is prewired for necessary telephone and
internet access, plus a contract with one or more vendors to provide all necessary
equipment within a specified period of time.

A business continuity plan (BCP) specifies how to resume not only IT operations but all
business processes, including relocating to new offices and hiring temporary
replacements, in the event that a major calamity destroys not only an organization’s
data center but also its main headquarters. Having both a DRP and a BCP can mean the
difference between surviving a major catastrophe and not surviving it.

Change control is the formal process used to ensure that modifications to hardware,
software, or processes do not reduce system reliability. Good change control often
results in overall better operating performance: careful testing prior to implementation
reduces the likelihood of making changes that cause system downtime, and thorough
documentation facilitates quicker ‘trouble shooting’ and resolution of any problems that
do occur. Companies with a good change control process are also less likely to suffer
financial or reputational harm from security incidents.

Effective change control procedures require regularly monitoring for unauthorized
changes and sanctioning anyone who intentionally introduces such changes. Other
principles of a well-designed change control process include the following:

● All change requests should be documented and follow a standardized
format that clearly identifies the nature of the change, the reason for the
request, the date of the request, and the outcome of the request.
● All changes should be approved by appropriate levels of management.
● The impact of the proposed change on all five principles of systems
reliability should be assessed.
● All documentation should be updated to reflect authorized changes to the
system.
● Emergency changes or deviations from standard operating policies must be
documented and subjected to a formal review and approval process as soon
after implementation as practicable. All emergency changes need to be
logged to provide an audit trail.
● Backout plans need to be developed for reverting to previous configurations
in case approved changes need to be interrupted or abandoned.
● User rights and privileges must be carefully monitored during the change
process to ensure that proper segregation of duties is maintained.
