
IT Controls Part I: Sarbanes-Oxley and IT Governance

Computer Fraud
Computer fraud includes:
1. Theft, misuse or misappropriation of assets by altering computer-readable records and files
2. Theft, misuse or misappropriation of assets by altering the logic of computer software
3. Theft or illegal use of computer-readable information
4. Theft, corruption, illegal copying, or intentional destruction of computer software
5. Theft, misuse or misappropriation of computer hardware
*application controls – ensure the validity, completeness and accuracy of financial transactions
*general controls – apply to all systems; include controls over IT governance, IT infrastructure, security and
access to operating systems and databases, application acquisition and development, and program changes

Processes for IT Audit


1. Planning – define the extent, scope, objectives and approach of the audit.
2. Risk assessment – identify the IT areas and controls carrying the highest potential risk.
3. Control evaluation – assess the design of the system and its IT controls by examining controls, policies and
procedures and by interviewing staff.
4. Testing – test the operating effectiveness of the controls identified in the previous step.
5. Finding and suggesting remedies – review the deficiencies found and recommend solutions.
6. Reporting – communicate the audit findings and recommendations to management.
7. Follow-up – monitor that the agreed remedies are actually implemented.

Data Collection
- First operational stage in the information system
- Control objective is to ensure that event data entering the system are valid, complete and free from
material errors
- Most common access point for perpetrating computer fraud is the data collection stage
- Fraud here requires little or no computer skill, but it does require poorly designed controls
- The perpetrator need only understand how the system works and where its controls are weak
- The fraudulent act involves entering falsified data into the system: deleting, altering or creating
a transaction
- EX: payroll fraud; disbursing cash in payment of false accounts payable by entering false supporting documents
- Masquerading – the perpetrator gains access to the system from a remote site by pretending to be an
authorized user
- Piggybacking – the perpetrator at a remote site taps into the telecommunication lines and latches onto
an authorized user's session
- Hacking – may involve either technique; the hacker is motivated by the challenge of breaking into the
system rather than by theft of assets

Data Processing
- Once collected, data are processed; processing ranges from the mathematical algorithms used in production
scheduling applications to statistical forecasting techniques, etc.
- Program fraud –
o Creating illegal programs that access data files to alter, delete or insert values into
accounting records
o Destroying or corrupting a program's logic with a computer virus
o Altering program logic so that the application processes data incorrectly
- Example: the program a bank uses to calculate interest
- Salami fraud: interest on each account leaves a fraction of a cent that the ledger cannot hold; the honest
program rounds and allocates the leftover cent randomly among accounts. The fraud modifies the rounding
logic so the leftover cent always goes to the perpetrator's account; each slice is too small to notice, but
across thousands of accounts and periods it adds up
- Operations fraud – misuse or theft of the firm's computer resources; typically involves using the computer
to conduct personal business
- Examples: a programmer uses the firm's computer time to write software that he sells commercially; a CPA
uses the company's computer to prepare tax returns and financial statements for her private clients; a
lawyer uses the firm's computer to run searches that are charged to the organization
- Database management – the physical repository for financial and nonfinancial data
- Database management fraud includes altering, deleting, corrupting, destroying or stealing an
organization's data
- Often associated with transaction or program fraud
- TECHNIQUE: access the database from a remote site and browse the files for useful information that
can be copied and sold to competitors
- Ex: insert a destructive routine called a LOGIC BOMB into a program; at a specified time (or on some
triggering event) the logic bomb erases the data files that the program accesses
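The salami fraud above is easiest to understand, and to audit for, in code. The following is an added example written for these notes (not code from the original page or from any textbook): a monthly interest posting over a constructed six-account ledger, run once honestly and once with the "salami" change, followed by the check an auditor can run over the posting log. Account numbers, balances, the 3.25% rate and the 50% concentration threshold are all assumptions for illustration.

```python
from collections import Counter
from decimal import Decimal, ROUND_DOWN
import random

CENT = Decimal("0.01")


def period_interest(balance, annual_rate, days=30):
    """Exact interest for the period, split into whole cents and the
    leftover fraction of a cent that the ledger cannot hold."""
    exact = balance * annual_rate * Decimal(days) / Decimal(365)
    whole = exact.quantize(CENT, rounding=ROUND_DOWN)
    return whole, exact - whole


def post_interest(balances, annual_rate, rng, thief=None):
    """Return postings as (account, amount, kind). Truncated fractions are
    carried forward; each time the carry reaches a whole cent it is posted
    as a 'rounding' entry. Honest program: to a randomly chosen account.
    Salami program (thief given): always to the perpetrator's account."""
    postings, carry = [], Decimal(0)
    accounts = list(balances)
    for acct in accounts:
        whole, frac = period_interest(balances[acct], annual_rate)
        postings.append((acct, whole, "interest"))
        carry += frac
        if carry >= CENT:
            carry -= CENT
            target = thief if thief is not None else rng.choice(accounts)
            postings.append((target, CENT, "rounding"))
    return postings


def rounding_concentration(postings):
    """Audit test: share of the rounding cents received by the single biggest
    recipient. Honest allocation spreads them; salami fraud concentrates them."""
    hits = Counter(acct for acct, _, kind in postings if kind == "rounding")
    if not hits:
        return None, Decimal(0)
    acct, n = hits.most_common(1)[0]
    return acct, Decimal(n) / Decimal(sum(hits.values()))


def flag_salami(postings, threshold=Decimal("0.5")):
    """Flag when one account collects more than `threshold` of all rounding cents."""
    acct, share = rounding_concentration(postings)
    return share > threshold, acct, share


# Constructed sample ledger (not real data); 3.25% annual rate is an assumption.
BALANCES = {
    "A-1001": Decimal("1234.56"), "A-1002": Decimal("987.65"),
    "A-1003": Decimal("4321.00"), "A-1004": Decimal("15.75"),
    "A-1005": Decimal("2500.10"), "A-1006": Decimal("777.77"),
}
RATE = Decimal("0.0325")


def run_periods(periods, thief=None, seed=7):
    """Run several monthly postings and concatenate the posting log."""
    rng = random.Random(seed)
    log = []
    for _ in range(periods):
        log.extend(post_interest(BALANCES, RATE, rng, thief))
    return log


def total_posted(postings):
    """Total interest paid out; identical for honest and salami runs, which is
    exactly why a control-total check alone does not catch this fraud."""
    return sum(amt for _, amt, _ in postings)


if __name__ == "__main__":
    print("honest:", flag_salami(run_periods(12)))
    print("salami:", flag_salami(run_periods(12, thief="A-1006")))
```

The point the code makes explicit: the grand total of interest posted is the same in both runs, so batch control totals balance and the fraud is invisible to them. What differs is the distribution of the rounding postings, which is why the audit procedure for program fraud in an interest calculation is to retain and examine the posting detail, not only the totals.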

Information Generation – the process of compiling, arranging, formatting and presenting information to
users (e.g. sales orders, published financial statements, reports)
- Fraud at this stage: stealing, misdirecting or misusing computer output
- SCAVENGING – searching through the trash of the computer center for discarded output (printouts, media)
- EAVESDROPPING – listening in on output transmissions over telecommunication lines

IT GOVERNANCE CONTROLS
- Broad concept relating to the decision rights and accountability for encouraging desirable behavior in
the use of IT

Organizational Structure Controls


- Operational tasks should be separated so as to:
o Segregate transaction authorization from transaction processing
o Segregate record keeping from asset custody
o Divide transaction-processing tasks among individuals so that fraud requires collusion
between two or more people

SOX 2002 (Sarbanes-Oxley Act; sponsored by Sen. Paul Sarbanes and Rep. Michael Oxley) – principal areas:
1. Corporate responsibility
2. Financial disclosures
3. Independent auditing
4. Internal control – Section 404
5. Whistleblower protection
6. Corporate governance
7. Penalties and enforcement

SEGREGATION OF DUTIES WITHIN THE CENTRALIZED FIRM


Separating systems development from computer operations
- Operations staff responsibilities should not be commingled with those of systems developers; someone who
both writes a program and runs it in production can alter it without anyone noticing
Separating the database administrator from other functions
- The DBA is responsible for a number of critical tasks pertaining to database security (defining the schema
and user views, assigning access authority, monitoring usage)
o Separating the DBA from systems development
 Programmers create applications that access, update and retrieve data from the database; for each
new user view they need, they must seek the DBA's agreement
 Assigning responsibility for user-view definition to individuals with programming
responsibility removes the need to seek that agreement and thus effectively erodes
access control over the DBMS
Separating new systems development from maintenance
- Two groups:
o Systems analysis – works with the user to produce a detailed design of the new system
o Programming group – codes the programs according to these design specifications
- When the programmer who codes the original programs also maintains them, two potential problems
arise:
 Inadequate documentation – poor-quality systems documentation, for two reasons: (1) systems
professionals prefer to move on to an exciting new project rather than document one just
completed; (2) job security: a programmer who alone understands an undocumented system retains
bargaining power, and when that programmer leaves the firm the new programmer inherits
maintenance responsibility for the undocumented system, so the transition period is costly
 Program fraud – making unauthorized changes to program modules for the purpose of committing
an illegal act; when the original programmer also maintains the program, the fraudulent code can be
protected from detection indefinitely
A superior structure for systems development
- New systems development group – responsible for designing, programming and implementing new
systems projects
- Systems maintenance group – responsible for the system's ongoing maintenance
o Documentation standards improve, because the maintenance group cannot support what the
developers did not document
o Denying the original programmer future access to the program deters program fraud

The distributed model (DDP) – consolidates some computer functions that are traditionally separated
and distributes others that are consolidated under the centralized model. Risks:
 Incompatibility – distributing responsibility for the purchase of software and hardware can result in
uncoordinated and poorly conceived decisions
 Redundancy – autonomous systems development activities throughout the firm can result in the
creation of redundant applications and databases
 Consolidating incompatible activities – redistributing IT functions to user areas creates many very small
units in which development, operations and maintenance tasks that should be segregated end up with
the same people
 Acquiring qualified professionals – small, independent user-area units find it harder to attract, evaluate
and retain qualified IT professionals
 Lack of standards – no organization-wide standards for systems development, programming and
documentation

The control problems associated with DDP can be overcome by implementing a CORPORATE IT
FUNCTION
 Central testing of commercial software and hardware – an IT group that evaluates the merits of
competing vendor software and hardware before user areas buy
 User services – provides technical help to users during the installation of new software and in
troubleshooting problems
 Standard-setting body – establishes and distributes to user areas appropriate standards for systems
development, programming and documentation
 Personnel review – reviews the credentials of candidates for systems professional positions before
user areas make hiring decisions
Audit objectives relating to organizational structure
 The auditor's objective is to verify that individuals in incompatible areas are segregated in accordance
with the level of potential risk
AUDIT page 666

COMPUTER CENTER SECURITY AND CONTROLS


Computer center controls
 Physical location – should be located away from man-made and natural hazards
 Construction – ideally a single-story building of solid construction with controlled
access
 Access – limited to the operators and other employees who work there
 Air conditioning – 70–75 degrees Fahrenheit and about 50% relative humidity
 Fire suppression – fire detection and suppression systems suited to a room full of electronics
 Fault tolerance controls – the ability of the system to continue operating when part of it fails
because of hardware failure, application program error or operator error
o RAID (redundant arrays of independent disks) – parallel disks that hold redundant elements of
data and applications; lost data are automatically reconstructed from the other disks
o Uninterruptible power supplies – prevent data loss and system corruption in the event of a
power failure
Audit objectives
1. Physical security controls are adequate to reasonably protect the organization from physical exposures
2. Insurance coverage on equipment is adequate
3. Operator documentation is adequate to deal with system failures
DISASTER RECOVERY PLANNING
Disaster recovery plan – a comprehensive statement of all actions to be taken before, during and after
a disaster, along with documented, tested procedures that will ensure the continuity of operations
Providing second-site backup (offsite backup facilities)
- Provides duplicate data processing facilities following a disaster
 The empty shell – or cold site: an arrangement wherein a company buys or leases a building
that will serve as a data center; equipment must be brought in after the disaster
 Recovery operations center (ROC) – or hot site: a fully equipped backup data center that many
companies share
 Internally provided backup – mirrored data center: equipped with high-capacity storage devices
capable of storing more than 20 terabytes of data and two IBM mainframes running high-speed copy
software; all transactions that the main system processes are transmitted in real time over fiber-optic
cables to the remote backup facility
Performing backup and offsite storage procedures
- Back up data files – databases should be copied daily to tape or disk and secured offsite
- Back up documentation – system documentation for critical applications should be backed up and
stored offsite in much the same manner as data files; computer-aided software documentation tools
simplify this
- Back up supplies and source documents – maintain backup inventories of supplies and source
documents

OPERATING SYSTEM CONTROLS


Operating system security – the policies, procedures and controls that determine who can access
the operating system, which resources they can access and what actions they can take
- Log-on procedure – the OS's first line of defense against unauthorized access (user ID plus password)
- Access token – if the log-on attempt succeeds, the OS creates an access token that contains key
information about the user (ID, group memberships, privileges); this token is used to authorize every
action the user attempts during the session
- Access control list – assigned to each resource; defines the access privileges of all valid users of
the resource; when a user requests access, the system compares the ID and privileges contained in the
access token with those contained in the resource's access control list
- Discretionary access privileges – normally a central system administrator determines who is granted
access and maintains the ACLs; where resources are owned by end users, the owner may be given
discretionary access privileges that allow the owner to grant access to other users
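The token-versus-ACL comparison and the discretionary grant described above, as an added example for these notes (not code from the original page or from any operating system): a minimal model in which a matching deny entry overrides any allow, rights from several matching allow entries accumulate, and only the owner of a resource may add entries. The resource name PAYROLL.MST, the users and the group names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    """Created by the OS at log-on: who the user is and which groups apply."""
    user: str
    groups: frozenset


@dataclass(frozen=True)
class Ace:
    """One access control entry: a principal (user or group), its rights, allow or deny."""
    principal: str
    rights: frozenset
    allow: bool = True


@dataclass
class Resource:
    name: str
    owner: str
    acl: list = field(default_factory=list)


def check_access(token: AccessToken, resource: Resource, requested: set) -> bool:
    """Compare the token with the resource's ACL. Any matching deny entry that
    covers a requested right refuses the whole request (deny overrides allow);
    otherwise rights from all matching allow entries accumulate, and the request
    succeeds only if every requested right has been granted."""
    principals = {token.user} | set(token.groups)
    granted = set()
    for ace in resource.acl:
        if ace.principal not in principals:
            continue
        if not ace.allow and ace.rights & requested:
            return False
        if ace.allow:
            granted |= ace.rights
    return requested <= granted


def grant(token: AccessToken, resource: Resource, principal: str, rights: set) -> None:
    """Discretionary access control: only the owner of the resource may add an
    entry granting rights to another principal."""
    if token.user != resource.owner:
        raise PermissionError(f"{token.user} is not the owner of {resource.name}")
    resource.acl.append(Ace(principal, frozenset(rights)))


def build_sample():
    """Constructed payroll master file and log-on tokens (not real data)."""
    payroll = Resource("PAYROLL.MST", owner="dba01", acl=[
        Ace("payroll_clerks", frozenset({"read"})),
        Ace("payroll_sup", frozenset({"read", "write"})),
        Ace("contractors", frozenset({"read", "write"}), allow=False),
    ])
    clerk = AccessToken("alice", frozenset({"payroll_clerks"}))
    supervisor = AccessToken("bob", frozenset({"payroll_clerks", "payroll_sup"}))
    temp = AccessToken("carol", frozenset({"payroll_clerks", "contractors"}))
    dba = AccessToken("dba01", frozenset({"dba"}))
    return payroll, clerk, supervisor, temp, dba


if __name__ == "__main__":
    payroll, clerk, supervisor, temp, dba = build_sample()
    print("clerk read:", check_access(clerk, payroll, {"read"}))
    print("clerk write:", check_access(clerk, payroll, {"read", "write"}))
    print("contractor read (denied by group):", check_access(temp, payroll, {"read"}))
```

Note that carol is a member of payroll_clerks, which is allowed to read, yet her read is refused because the contractors deny entry wins. That is the behaviour auditors should expect from a well-ordered ACL; an implementation that took the first matching entry would have given her access.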
Operating system controls and tests of controls
- Controlling access privileges – user access privileges are assigned to individuals and to entire
workgroups authorized to use the system; they should be consistent with job function and with segregation
of duties
- Audit procedures relating to access privileges
o Password control
 Password – a secret code the user enters to gain access to systems, applications,
data files or a network server
 Reusable passwords – the user defines the password to the system once and then reuses
it to gain future access; weak when easily guessed, shared or written down
 One-time passwords – the password changes continuously (e.g. a token generating a new
code at fixed intervals, synchronized with the server), so a captured password cannot be reused
- Controlling against malicious and destructive programs
o Types of malicious program
 Virus – a program that attaches itself to a legitimate program to penetrate the
operating system and destroy application programs, data files and the operating system
itself; it spreads throughout the host system and to other systems before destroying itself
 Worm – a self-replicating program that spreads without attaching to a host program; the
textbook picture is a program that burrows into the computer's memory and replicates itself into
areas of idle memory, occupying memory until it is exhausted and the system fails
 Logic bomb – a destructive program that some predetermined event triggers (a date, a
particular transaction, the removal of an employee record)
 Backdoor – a program that allows access to a system without going through the normal
log-on procedure
 Trojan horse – a program that appears legitimate but carries hidden malicious code; the
classic example mimics the normal OS log-on procedure in order to capture IDs and passwords from
unsuspecting users
BACKUP CONTROLS
- GPC BACKUP TECHNIQUE (grandparent–parent–child) – used in sequential-file batch systems; the
current master file (parent) is processed against the transaction file to produce a new, updated master
file (child); with the next batch the child becomes the current master file and the original parent
becomes the backup file; several generations and their matching transaction files are retained, so a
damaged master can be regenerated by reprocessing an older generation against the retained transactions
- Direct access file backup – direct access files are updated in place (destructive update), so no prior
generation exists automatically; the file must be copied to a separate backup file before (or after) each
update run
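The GPC rotation and the recovery it makes possible, as an added example for these notes (not code from the original page): a sequential batch update that always produces a new master file and leaves the old one intact, a retention policy of three generations plus the two matching transaction batches, and a recovery that rebuilds the current master from the parent or grandparent. The account numbers and deltas are constructed; the retention depth is a policy choice shown here as three.

```python
from collections import deque


def update_master(master: dict, transactions: list) -> dict:
    """Sequential batch update: both files are ordered by key; the result is a
    NEW master (the child). The parent passed in is never modified."""
    deltas = {}
    for key, amount in transactions:
        deltas[key] = deltas.get(key, 0) + amount
    return {key: master.get(key, 0) + deltas.get(key, 0)
            for key in sorted(set(master) | set(deltas))}


class GpcBackup:
    """Keeps the newest `generations` master files (grandparent, parent, child)
    and the transaction batches that produced all but the oldest."""

    def __init__(self, master: dict, generations: int = 3):
        self.masters = deque([master], maxlen=generations)       # oldest .. newest
        self.tx_files = deque(maxlen=generations - 1)            # batch i produced masters[i+1]

    def run_batch(self, transactions: list) -> dict:
        child = update_master(self.masters[-1], transactions)
        self.masters.append(child)            # oldest generation falls off the end
        self.tx_files.append(list(transactions))
        return child

    def recover(self, lost_generations: int = 1) -> dict:
        """Rebuild the current master after `lost_generations` newest masters are
        damaged, by reprocessing the retained batches against an older one."""
        if lost_generations >= len(self.masters):
            raise RuntimeError("not enough generations retained to recover")
        master = self.masters[-1 - lost_generations]
        batches = list(self.tx_files)[len(self.tx_files) - lost_generations:]
        for batch in batches:
            master = update_master(master, batch)
        return master


def demo():
    """Constructed account balances and three batches of postings."""
    gpc = GpcBackup({"1001": 500, "1002": 200, "1003": 75})
    gpc.run_batch([("1001", -50), ("1004", 120)])
    gpc.run_batch([("1002", 30), ("1003", -75)])
    current = gpc.run_batch([("1001", 10)])
    return gpc, current


if __name__ == "__main__":
    gpc, current = demo()
    print("current master :", current)
    print("from parent    :", gpc.recover(1))
    print("from grandparent:", gpc.recover(2))
```

Two things the code makes visible: a batch must never update the master in place (that is exactly the direct-access case, which is why those files need a separate copy), and retaining generations without the matching transaction files gives you an old balance but no way back to the current one.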

SYSTEM AUDIT TRAIL CONTROLS – logs that record activity at the system, application and user
level; the OS allows management to select the level of auditing to be recorded in the log
- Keystroke monitoring – records both the user's keystrokes and the system's responses;
may be used after the fact to reconstruct the details of an event or as a real-time control to prevent
unauthorized intrusion; the computer equivalent of a telephone wiretap, with the same privacy and legal
constraints
- Event monitoring – summarizes key activities related to system resources; typically records the IDs
of all users accessing the system, the time and duration of each session, and the resources used
System audit trail objectives (three):
1. Detecting unauthorized access – protect the system from outsiders attempting to breach system
controls and from insiders exceeding their authority
2. Reconstructing events – replay the sequence of events leading to a failure or fraud; helps in
avoiding similar mistakes
3. Personal accountability – individuals are less likely to violate policy when they know their actions
are being logged

DATABASE MANAGEMENT CONTROL


- Access controls
o User views – subschema; a subset of the total database that defines the user's data domain
and restricts her access to the database accordingly
o Database authorization table – contains rules that limit the actions (read, insert, modify,
delete) a user can take
o User-defined procedures – allow the user to create a personal security program or routine
to provide more positive identification than a password alone can
o Data encryption – uses an algorithm to scramble selected data, making it unreadable to an
intruder browsing the database
o Biometric devices – measure personal characteristics such as fingerprints,
voiceprints and retina prints
BACKUP CONTROLS
- Database backup – makes a periodic backup of the entire database
- Transaction log (journal) – provides an audit trail of all processed transactions
- Checkpoint feature – suspends all data processing while the system reconciles the transaction log
and the database change log against the database, establishing a known-good restart point
- Recovery module – uses the logs and backup files to restart the system after a failure

NETWORK CONTROLS
- Two forms of risk:
o Risks from subversive threats – a computer criminal intercepting a message transmitted
between the sender and the receiver; a hacker gaining unauthorized access to the network
o Risks from equipment failure – failures in the communication system can disrupt, destroy or
corrupt transmissions between senders and receivers
Risks from subversive threats
1. Firewalls – a system that enforces access control between two networks; only authorized traffic
between the organization and the outside is allowed to pass through the firewall; insulates the
organization's intranet from the Internet
- Network-level firewalls – efficient but low-security access control; a screening
router examines the source and destination addresses (and ports) attached to incoming packets and
accepts or denies them according to filtering rules; it does not inspect packet content
- Application-level firewalls – a higher, customizable level of network security at the cost of
connectivity overhead; configured to run security applications called proxies that permit routine
services (e.g. e-mail) to pass through the firewall while the proxy inspects the traffic
2. Controlling denial-of-service attacks – the attacker clogs the Internet ports of the victim's server with
fraudulently generated messages; legitimate transactions can be completely isolated from the Internet for
the duration of the attack
a. Smurf attack – the attacker sends ICMP echo requests (pings) to a network's broadcast address
with the victim's address forged as the source, so every host on that network replies to the victim;
the targeted organization can program its firewall to ignore all communication from the amplifying
site, and the intermediary network should refuse directed broadcasts
b. SYN flood attack – the attacker sends a stream of TCP connection requests (SYN packets) and never
completes the handshake, leaving the victim's host holding half-open connections until its backlog is
exhausted; IP spoofing disguises the source, so the victim's host sees the transmissions as coming
from all over the Internet and cannot simply block one address
c. Distributed denial of service attack – the victim's site is inundated with messages from
thousands of compromised "zombie" machines distributed across the Internet
- Intrusion prevention system (IPS) – determines when an attack is in progress and blocks it
- Deep packet inspection – identifies and classifies malicious packets based on a database of known
attack signatures
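What a SYN flood and a Smurf attack look like in traffic, and the detection logic an analyst would run over a capture, as an added example for these notes (not code from the original page or from any IDS product). The log format is a constructed, tcpdump-like summary (time, protocol, source, destination, TCP flags or ICMP type); the addresses are documentation ranges, the half-open threshold of 5 and the /24 assumption for the broadcast test are illustrative choices.

```python
import ipaddress
from collections import defaultdict

# Constructed sample capture: one legitimate handshake, six SYNs from scattered
# (spoofed) sources that are never completed, and one ping to a broadcast address.
SAMPLE_LOG = """\
1.000 TCP 198.51.100.7:40001 > 203.0.113.10:443 S
1.010 TCP 203.0.113.10:443 > 198.51.100.7:40001 SA
1.020 TCP 198.51.100.7:40001 > 203.0.113.10:443 A
2.000 TCP 192.0.2.11:1111 > 203.0.113.10:443 S
2.001 TCP 172.16.4.9:2222 > 203.0.113.10:443 S
2.002 TCP 10.0.0.77:3333 > 203.0.113.10:443 S
2.003 TCP 198.18.5.5:4444 > 203.0.113.10:443 S
2.004 TCP 100.64.1.2:5555 > 203.0.113.10:443 S
2.005 TCP 192.0.2.200:6666 > 203.0.113.10:443 S
2.010 TCP 203.0.113.10:443 > 192.0.2.11:1111 SA
3.000 ICMP 203.0.113.10 > 192.0.2.255 echo-request
3.001 ICMP 198.51.100.7 > 198.51.100.9 echo-request
"""


def parse(line: str) -> dict:
    """Split one summary line: '<time> <proto> <src> > <dst> <flags|type>'."""
    t, proto, src, _arrow, dst, info = line.split()
    return {"t": float(t), "proto": proto, "src": src, "dst": dst, "info": info}


def parse_log(text: str) -> list:
    return [parse(line) for line in text.strip().splitlines()]


def half_open_connections(records: list) -> dict:
    """For each server socket, the clients that sent a SYN but never sent the
    final ACK of the handshake (the server's SYN-ACK is ignored here)."""
    syn_from = defaultdict(set)
    ack_from = defaultdict(set)
    for r in records:
        if r["proto"] != "TCP":
            continue
        if r["info"] == "S":
            syn_from[r["dst"]].add(r["src"])
        elif r["info"] == "A":
            ack_from[r["dst"]].add(r["src"])
    return {server: clients - ack_from[server] for server, clients in syn_from.items()}


def detect_syn_flood(records: list, threshold: int = 5) -> list:
    """Alert on any server socket holding at least `threshold` half-open connections."""
    return [("SYN_FLOOD", server, len(pending))
            for server, pending in half_open_connections(records).items()
            if len(pending) >= threshold]


def detect_smurf(records: list) -> list:
    """Alert on ICMP echo requests aimed at a broadcast address. Every host on
    that segment will answer, so the listed source is the (spoofed) victim,
    not the attacker. Assumes /24 subnets for the broadcast test."""
    alerts = []
    for r in records:
        if r["proto"] == "ICMP" and r["info"] == "echo-request":
            net = ipaddress.ip_network(r["dst"] + "/24", strict=False)
            if ipaddress.ip_address(r["dst"]) == net.broadcast_address:
                alerts.append(("SMURF", r["src"], r["dst"]))
    return alerts


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(detect_syn_flood(records))
    print(detect_smurf(records))
```

The example also shows why the firewall rule in (a) helps against Smurf but not against a SYN flood: the Smurf alert names one amplifying network to block, whereas the six half-open SYNs come from six unrelated sources, so the defence has to be rate-based (SYN cookies, backlog limits, upstream filtering) rather than a source-address rule.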
3. Encryption – conversion of data into a secret code for storage in databases and transmission over
networks
a. Private (symmetric) key encryption – a single key known to both the sender and the receiver
i. Advanced Encryption Standard (AES) – a block cipher with a 128-bit block and a key of 128,
192 or 256 bits; the current standard
ii. Triple DES – an enhancement to the older Data Encryption Standard (56-bit key) that applies
DES three times; considerably more secure than single DES but slow, and now deprecated by
NIST in favour of AES
1. EEE3 – uses three different keys to encrypt the message three times
2. EDE3 – encrypts with key 1, decrypts with key 2, then encrypts again with key 3 (in the
two-key variant, key 3 is key 1)
b. Public key encryption – uses two different keys, one for encoding and one for decoding;
the private key is kept secret and the public key is published
i. RSA (Rivest–Shamir–Adleman) – widely used public key cryptography method; computationally
intensive and much slower than symmetric ciphers such as DES or AES
ii. Digital envelope – combines both: the message is encrypted with a fast symmetric key (DES or
AES), and that key is encrypted with the recipient's RSA public key and sent along with the message
4. Digital signature – electronic authentication: the sender hashes the message and encrypts the digest
with his private key; anyone holding the public key can verify it, and forging one is computationally
infeasible; ensures that the message was not tampered with after the signature was applied and that it
came from the holder of the private key
5. Digital certificate – issued by a trusted third party called a certification authority; binds a public
key to the sender's identity, so the receiver can trust the public key used to verify the signature (the
certificate itself does not prove the message was untampered; the signature does)
6. Message sequence numbering – a sequence number inserted in each message so that a deleted,
duplicated (replayed) or reordered message is detected
7. Message transaction log – all incoming and outgoing messages are recorded so that attempts to access
the system can be reviewed
8. Request-response technique – a control message from the sender and a response from the receiver
are exchanged at periodic, synchronized intervals; a missing response reveals interception or line failure
9. Call-back devices – the dial-in user enters a password and is identified; the system then disconnects
and calls the user back at a pre-authorized number before granting access
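Items 6 and 7 above (sequence numbering and the message transaction log) are simplest to see on the receiving side, so here is an added example written for these notes, not code from the original page. It goes slightly beyond the notes by also checking an authentication tag, because a sequence number that is not covered by the signature can simply be rewritten by an interceptor. The tag is an HMAC-SHA256 over a shared key, standing in for the digital signature of item 4 (a real exchange would sign with the sender's private key); the key, message bodies and sequence of events are constructed.

```python
import hashlib
import hmac

# Constructed demo key shared by sender and receiver. Assumption for the example;
# in production use a provisioned MAC key or the sender's signing key.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def make_tag(key: bytes, seq: int, body: str) -> str:
    """Authentication tag over the sequence number AND the body, so neither can
    be changed in transit without detection. HMAC stands in for a signature."""
    return hmac.new(key, f"{seq}|{body}".encode(), hashlib.sha256).hexdigest()


def make_message(key: bytes, seq: int, body: str) -> dict:
    return {"seq": seq, "body": body, "tag": make_tag(key, seq, body)}


class Receiver:
    """Receiving side: verifies the tag, enforces strictly increasing sequence
    numbers, and records every message, accepted or rejected, in the message
    transaction log so an auditor can review what arrived."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.log = []

    def receive(self, msg: dict):
        expected = make_tag(self.key, msg["seq"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            verdict, missing = "REJECT_TAMPERED", 0
        elif msg["seq"] <= self.last_seq:
            verdict, missing = "REJECT_REPLAY", 0          # duplicate or out of order
        else:
            missing = msg["seq"] - self.last_seq - 1       # > 0: messages lost or deleted
            verdict = "ACCEPT"
            self.last_seq = msg["seq"]
        self.log.append((msg["seq"], verdict, missing))
        return verdict, missing


def run_demo():
    """Constructed traffic: two good messages, a replay of the second, a payment
    whose amount was altered in transit, then a message that skips two numbers."""
    rx = Receiver(SHARED_KEY)
    m1 = make_message(SHARED_KEY, 1, "PO 7781: 40 units part A-12")
    m2 = make_message(SHARED_KEY, 2, "PO 7782: 15 units part B-03")
    m3 = make_message(SHARED_KEY, 3, "PAY vendor 2041 1250.00")
    tampered = dict(m3, body="PAY vendor 2041 12500.00")   # body altered, tag left as sent
    m5 = make_message(SHARED_KEY, 5, "PO 7783: 2 units part C-77")
    results = [rx.receive(m) for m in (m1, m2, m2, tampered, m5)]
    return results, rx.log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

Note the order of checks: the tag is verified before the sequence number is trusted, and the rejected messages are logged too. A log that recorded only accepted traffic would hide exactly the replay and tampering attempts the control exists to catch.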
10. Controls for equipment failure – the most common problem in data communication is data loss due to
line error; a message can be corrupted by noise on the communication lines
a. Echo check – the receiver returns the message to the sender, who compares the returned message
with the original and retransmits if they differ
b. Parity check – an extra bit is incorporated into a bit string when it is created or transmitted so
that the count of 1-bits is even (or odd); the receiver recomputes the parity and detects any odd number
of flipped bits; it cannot detect an even number of flips, nor deliberate tampering
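The parity and echo checks above, as an added example for these notes (not code from the original page): per-byte even parity on the sending side, the receiver's verification, and a simulated line error that shows the edge case the notes mention, a single flipped bit is caught while two flipped bits in the same byte pass parity and are only caught by the echo check. The message text and the corrupted bit positions are constructed.

```python
def parity_bit(byte: int, even: bool = True) -> int:
    """Parity bit for one data byte: even parity makes the total number of
    1-bits (data plus parity) even; odd parity makes it odd."""
    ones = bin(byte & 0xFF).count("1")
    return ones % 2 if even else (ones % 2) ^ 1


def encode(data: bytes, even: bool = True) -> list:
    """Sender side: frames as (data byte, parity bit) pairs."""
    return [(b, parity_bit(b, even)) for b in data]


def check(frames: list, even: bool = True) -> list:
    """Receiver side: indices of frames whose parity no longer verifies."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b, even) != p]


def decode(frames: list) -> bytes:
    return bytes(b for b, _ in frames)


def corrupt(frames: list, index: int, bits) -> list:
    """Simulate line noise: flip the given bit positions of one data byte,
    leaving the transmitted parity bit as it was."""
    noisy = list(frames)
    b, p = noisy[index]
    for bit in bits:
        b ^= 1 << bit
    noisy[index] = (b, p)
    return noisy


def echo_check(sent: list, echoed: list) -> bool:
    """Sender compares what the receiver echoed back with what it sent."""
    return sent == echoed


def demo() -> dict:
    """Constructed payment message with one single-bit and one double-bit error."""
    sent = encode(b"PAY 1250.00 TO 2041")
    one_flip = corrupt(sent, 4, [0])        # one bit of byte 4 flipped
    two_flips = corrupt(sent, 0, [1, 6])    # two bits of byte 0 flipped
    return {
        "clean": check(sent),
        "one_flip": check(one_flip),
        "two_flips": check(two_flips),                        # [] : parity misses it
        "echo_caught_two_flips": not echo_check(sent, two_flips),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

Parity is an equipment-failure control only: random noise usually flips a single bit, which it catches. Anyone deliberately altering a message can recompute the parity bit, which is why integrity against subversive threats needs the digital signature or message authentication of the earlier items, not a checksum.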
EDI CONTROLS (ELECTRONIC DATA INTERCHANGE)
