IT Controls Part I
Computer Fraud
Computer fraud includes:
1. Theft, misuse or misappropriation of assets by altering computer-readable records and files
2. Theft, misuse or misappropriation of assets by altering the logic of computer software
3. Theft or illegal use of computer-readable information
4. Theft, corruption, illegal copying, or intentional destruction of computer software
5. Theft, misuse or misappropriation of computer hardware
*application controls – ensure the validity, completeness and accuracy of financial transactions
*general controls – apply to all systems; include controls over IT governance, IT infrastructure, security and
access to operating systems and databases, application acquisition and development, and program changes
Data Collection
- First operational stage in information system
- Control objective is to ensure that event data entering the system are valid, complete and free from
material errors
- Most common access point for perpetrating computer fraud is at the data collection stage
- Fraud at this stage requires little or no computer skill, but it does require poorly designed controls
- The perpetrator need only understand how the system works and where its control weaknesses are
- The fraudulent act involves entering falsified data into the system, i.e. deleting, altering or creating a transaction
- Example: payroll fraud; disbursing cash in payment of false accounts payable by entering false documents
- Masquerading – perpetrator gains access to the system from a remote site by pretending to be an authorized user
- Piggybacking – technique in which a perpetrator at a remote site taps into the telecommunication lines and latches on to an authorized user
- Hacking – may involve both; motivated by the challenge of breaking into the system rather than by the theft of assets
Data Processing
- Includes mathematical algorithms used for production scheduling applications, statistical techniques,
forecasting, etc
- Program fraud –
o Create illegal programs that can access data files to alter, delete or insert values into
accounting records
o Destroying or corrupting a program’s logic using a computer virus
o Altering program logic to cause the application to process data incorrectly
- Example: the program a bank uses to calculate interest
- Salami fraud – involves modifying the rounding logic of the program so that it no longer adds the leftover cent randomly; instead the modified program always adds the extra cent to the perpetrator’s account
- Operations fraud – misuse or theft of the firm’s computer resources; involves using the computer to conduct personal business
- Examples: a programmer uses the firm’s computer time to write software that he sells commercially; a CPA uses the company’s computer to prepare tax returns and financial statements for her private clients; a lawyer uses the firm’s computer for searches charged to the organization
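An audit reconciliation test for the salami pattern described above, added here as an illustration and not taken from the notes' source; the interest rate, account numbers and balances are constructed, and the test recomputes each posting independently and flags any account that keeps collecting the leftover cent:

```python
from collections import Counter
from decimal import Decimal, ROUND_DOWN

RATE = Decimal("0.0125")  # assumed periodic interest rate for the constructed ledger
CENT = Decimal("0.01")

def truncated_interest(balance):
    """Interest before any leftover fraction of a cent is handed out."""
    return (balance * RATE).quantize(CENT, rounding=ROUND_DOWN)

def cent_recipients(run):
    """run maps account -> (balance, posted_interest) for one interest posting.
    Returns the accounts whose posted figure is one cent above the independent
    recomputation; any other difference is not a rounding effect and is an error."""
    recipients = []
    for acct, (balance, posted) in run.items():
        diff = posted - truncated_interest(balance)
        if diff == CENT:
            recipients.append(acct)
        elif diff != 0:
            raise ValueError(f"{acct}: posted interest off by {diff}")
    return recipients

def salami_suspects(runs, min_share=Decimal("0.5")):
    """Across several postings, flag accounts collecting at least min_share of all
    rounding cents; an honest program spreads them across many accounts."""
    counts = Counter()
    for run in runs:
        counts.update(cent_recipients(run))
    total = sum(counts.values())
    return sorted(a for a, n in counts.items() if total and Decimal(n) / total >= min_share)

# Constructed sample ledger: the same four balances posted three times
BALANCES = {"A-100": Decimal("1234.56"), "A-200": Decimal("2345.67"),
            "A-300": Decimal("3456.78"), "P-900": Decimal("4567.89")}

def make_run(recipient):
    """Build one posting in which only `recipient` receives the leftover cent."""
    return {a: (b, truncated_interest(b) + (CENT if a == recipient else Decimal("0")))
            for a, b in BALANCES.items()}

HONEST_RUNS = [make_run("A-100"), make_run("A-300"), make_run("A-200")]
TAMPERED_RUNS = [make_run("P-900"), make_run("P-900"), make_run("P-900")]

if __name__ == "__main__":
    print(salami_suspects(HONEST_RUNS))    # []
    print(salami_suspects(TAMPERED_RUNS))  # ['P-900']
```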
- Database Management – physical repository for financial and nonfinancial data
- Database management fraud includes altering, deleting, corrupting, destroying or stealing an
organization’s data
- Associated with transaction or program fraud
- TECHNIQUE: access the database from a remote site and browse the files for useful information that
can be copied and sold to competitors
- Ex: insert destructive routine called a LOGIC BOMB into a program; at a specified time, the logic
bomb erases the data files that the program accesses
IT GOVERNANCE CONTROLS
- Broad concept relating to the decision rights and accountability for encouraging desirable behavior in
the use of IT
The distributed model – its effect is to consolidate some computer functions that are traditionally separated and to distribute some functions that are consolidated under the centralized model
Incompatibility – distributing responsibility for the purchase of software and hardware can result in uncoordinated and poorly conceived decisions
Redundancy – autonomous system development activities throughout the firm can result in the
creation of redundant applications and databases
Consolidating incompatible activities – redistribution of IT functions to user areas can result in the
creation of many very small units
Acquiring qualified professionals –
Lack of standards
The control problems associated with DDP can be overcome by implementing a CORPORATE IT
FUNCTION
Central testing of commercial software and hardware – IT group that evaluates the merits of
competing vendor software and hardware
User services – provides technical help to users during the installation of new software and in troubleshooting problems
Standard-setting body – establishes and distributes to user areas appropriate standards for systems development, programming and documentation
Personnel review - hiring decisions for system professionals
Audit objectives relating to organizational structure
Auditor’s objective is to verify that individuals in incompatible areas are segregated in accordance
with the level of potential risk
SYSTEM AUDIT TRAIL CONTROLS – logs that record activity at the system, application and user level; the OS allows management to select the level of auditing to be recorded in the log
- Keystroke monitoring – involves recording both the user’s keystrokes and the system’s responses; may be used after the fact to reconstruct the details of an event or as a real-time control to prevent unauthorized intrusion; comparable to a telephone wiretap
- Event monitoring – summarizes key activities related to system resources; typically records the IDs of all users accessing the system and the time and duration of each session
System audit trails serve 3 objectives
1. Detecting unauthorized access – to protect the system from outsiders attempting to breach system controls
2. Reconstructing events – helps in avoiding similar mistakes
3. Personal accountability – individuals are less likely to violate controls when they know their actions are being logged
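The three audit-trail objectives applied to a constructed event-monitoring log, added here as an example that is not part of the original notes; the log format and the three-failures-in-60-seconds threshold are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event-monitoring log (not real data): timestamp, event, user id, detail
SAMPLE_LOG = """\
2024-03-04T08:01:12 LOGIN jdoe OK
2024-03-04T08:05:03 UPDATE jdoe AP_VENDOR:V-1182
2024-03-04T08:30:00 LOGOUT jdoe OK
2024-03-04T22:14:05 LOGIN admin FAIL
2024-03-04T22:14:09 LOGIN admin FAIL
2024-03-04T22:14:14 LOGIN admin FAIL
2024-03-04T23:40:00 LOGIN msmith OK
2024-03-04T23:41:30 UPDATE msmith AP_VENDOR:V-1182
2024-03-04T23:45:00 LOGOUT msmith OK
"""

def parse_log(text):
    """One dict per log line; the field layout is this example's own assumption."""
    events = []
    for line in text.splitlines():
        ts, event, user, detail = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "detail": detail})
    return events

def session_durations(events):
    """Event monitoring: seconds each user was logged in (LOGIN OK to LOGOUT)."""
    start, total = {}, defaultdict(int)
    for e in events:
        if e["event"] == "LOGIN" and e["detail"] == "OK":
            start[e["user"]] = e["ts"]
        elif e["event"] == "LOGOUT" and e["user"] in start:
            total[e["user"]] += int((e["ts"] - start.pop(e["user"])).total_seconds())
    return dict(total)

def failed_login_bursts(events, limit=3, window=timedelta(seconds=60)):
    """Detecting unauthorized access: user ids with `limit` failed logins inside `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN" and e["detail"] == "FAIL":
            fails[e["user"]].append(e["ts"])
    return [user for user, t in fails.items()
            if any(t[i + limit - 1] - t[i] <= window for i in range(len(t) - limit + 1))]

def changes_to(events, record):
    """Reconstructing events: who updated a record and when, in log order."""
    return [(e["ts"].isoformat(), e["user"]) for e in events
            if e["event"] == "UPDATE" and e["detail"].endswith(":" + record)]
```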
NETWORK CONTROLS
- 2 forms of risks
o Risks from subversive threats – a computer criminal intercepting a message transmitted between the sender and the receiver, or a computer hacker gaining unauthorized access
o Risks from equipment failure – failures in the communication system can disrupt, destroy or
corrupt transmissions between senders and receivers
Risks from subversive threats
1. Firewalls – a system that enforces access control between two networks; only authorized traffic between the organization and the outside is allowed to pass through the firewall; insulates the organization’s intranet from external networks and also protects it from internal access
- Network level firewalls – provide efficient but low security access control ; consists of a screening
router that examines the source and destination addresses that are attached to incoming message
packets; accepts or denies access requests based on filtering rules
- Application level firewalls – provide higher level of customizable network security but they add
overhead to connectivity; configured to run security applications called proxies that permit routine
services to pass through the firewall
2. Controlling denial of service attacks – clogging the internet ports of the victim’s server with fraudulently generated messages; transactions can be completely isolated from the internet for the duration of the attack
a. Smurf attack – targeted organization can program their firewall to ignore all
communication from the attacking site
b. SYN flood attack – uses IP spoofing to disguise the source; the victim’s host computer views these transmissions as coming from all over the internet
c. Distributed denial of service attack – the victim’s site becomes inundated with messages from thousands of zombie sites that are distributed across the internet
- Intrusion prevention system – determines when an attack is in progress
- Deep packet inspection – can identify and classify malicious packets based on a database of known attack signatures
3. Encryption – conversion of data into a secret code for storage in databases and transmission over
networks
a. Private key encryption
i. Advanced Encryption Standard (AES) – a 128-bit encryption technique; algorithm that uses a single key known to both the sender and the receiver of the message
ii. Triple DES encryption – an enhancement to an older encryption technique called the Data Encryption Standard; provides considerably improved security over most single encryption techniques; very secure; very slow
1. EEE3 – uses 3 different keys to encrypt the message 3 times
2. EDE3 – uses one key to encrypt the message, a 2nd key to decode it, and a 3rd key to encrypt it again
b. Public key encryption – uses 2 different keys: one for encoding and one for decoding; the private key is kept secret and the public key is published
i. RSA (Rivest-Shamir-Adleman) – highly secure public key cryptography method; computationally intensive and much slower than standard DES
ii. Digital envelope – uses both DES and RSA
4. Digital signature – electronic authentication that cannot be forged; ensures that message the sender
transmitted was not tampered with after the signature was applied
5. Digital certificate – proves that the message received was not tampered with during transmission; verifies the sender’s identity through a trusted third party called a certification authority
6. Message sequence numbering – a sequence number is inserted in each message
7. Message transaction log – all incoming and outgoing messages are recorded
8. Request-response technique – a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals
9. Call-back devices – require the dial-in user to enter a password and be identified
10. Controls for equipment failure – data communication errors are due to line errors; a message can be corrupted by noise on the communication lines
a. Echo check – involves the receiver of the message returning the message to the sender; the
sender compares the returned message and the original
b. Parity check - incorporates an extra bit into the structure of a bit string when it is created or
transmitted
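The echo check and parity check worked through on a constructed message, added here as an example that is not from the original notes; it also shows the limit a practitioner should know, that an even number of flipped bits inside one unit passes a parity check:

```python
def add_parity(data, even=True):
    """Append one parity bit to each byte: with even parity the 9-bit unit has an even
    number of 1 bits, so a single flipped bit on the line changes the count's parity."""
    units = []
    for byte in data:
        ones = bin(byte).count("1")
        parity = ones % 2 if even else 1 - ones % 2
        units.append((byte << 1) | parity)   # eight data bits followed by the parity bit
    return units

def check_parity(units, even=True):
    """Receiver side: indexes of units whose 1-bit count violates the parity rule."""
    return [i for i, unit in enumerate(units) if (bin(unit).count("1") % 2 == 0) != even]

def strip_parity(units):
    """Recover the data bytes once the units pass the check."""
    return bytes(unit >> 1 for unit in units)

def flip_bits(units, index, *bits):
    """Simulate line noise by inverting the given bit positions of one unit."""
    noisy = list(units)
    for bit in bits:
        noisy[index] ^= 1 << bit
    return noisy

def echo_check(sent, echoed):
    """Echo check: the receiver returns the message and the sender compares it to the original."""
    return sent == echoed

if __name__ == "__main__":
    units = add_parity(b"PAY 100")                       # constructed message
    print(check_parity(units))                           # []   clean transmission
    print(check_parity(flip_bits(units, 1, 3)))          # [1]  one flipped bit is caught
    print(check_parity(flip_bits(units, 1, 3, 5)))       # []   two flips in one unit escape parity
    print(echo_check(units, flip_bits(units, 1, 3, 5)))  # False: the echo check still catches it
```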
EDI CONTROLS (ELECTRONIC DATA INTERCHANGE)