Comp 3 Prelims

Overview of Auditing

• Information technology (IT) developments have had tremendous impact on auditing.
• Business organizations undergo different types of audits for different purposes.
• Most common are external (financial) audits, internal audits and fraud audits.

External (Financial) Audit

- Independent attestation performed by an expert (i.e., CPA) who expresses an opinion regarding the fair presentation of financial statements.
- Attest service; audit objective: assuring the fair presentation of financial statements.
- SEC requires publicly traded companies be subject to a financial audit annually.

CPAs represent the interests of outsiders:
• stockholders
• creditors
• government agencies
• general public

CPA’s role concept
• judge who collects and evaluates evidence
• independent
• cannot be an advocate of either party
• renders an opinion based on the evidence

Attest Service versus Advisory Services

Attest service
- an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.

Requirements of attestation services:
• Written assertions and practitioner’s written report.
• Formal establishment of measurement criteria.
• Limited to examination, review, and application of agreed-upon procedures.

Advisory services
- professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness.
- advisory services include: actuarial advice, business advice, fraud investigation services, information system design and implementation, and internal control assessments for compliance with SOX.
- SOX greatly restricts the types of non-audit services auditors may render to audit clients. It is unlawful to provide many accounting, financial, internal audit, management, human resource or legal services unrelated to the audit.

Internal Audits
 Internal auditing is an independent appraisal function to examine and evaluate activities within, and as a service to, an organization.
 Internal auditors perform a wide variety of activities including financial, operational, compliance and fraud audits.
 Auditors may work for the organization or may be outsourced.
 Independence is self-imposed, but auditors represent the interests of the organization.

External vs. Internal Auditor
 External auditors represent outsiders while internal auditors represent the organization’s interests.
 Internal auditors often cooperate with and assist external auditors in some aspects of financial audits.
 Extent of cooperation depends upon the independence and competence of the internal audit staff.
 External auditors can rely in part on evidence gathered by internal audit departments that are organizationally independent and report to the board of directors’ audit committee.

Fraud Audits
Objective: investigate anomalies and gather evidence of fraud that may lead to criminal convictions.
 May be initiated by management who suspect employee fraud or the board of directors who suspect executive fraud.
 Fraud auditors have earned the Certified Fraud Examiner (CFE) certification, which is governed by the Association of Certified Fraud Examiners (ACFE).

ROLE OF THE AUDIT COMMITTEE
 Subcommittee of the board of directors
• Usually three members who are outsiders.
• SOX requires at least one member must be a “financial expert”.
 Independent “check and balance” for the internal audit function.
 SOX mandates that external auditors report to the audit committee.
 Committee hires and fires auditors and resolves disputes.
- Looks for ways to identify risk.
- Independent guardian of the entity’s assets.

FINANCIAL AUDIT COMPONENTS

The auditor’s report
- expresses an opinion as to whether the financial statements are in conformity with generally accepted accounting principles (GAAP).

Auditing Standards
 Three classes of auditing standards: general qualification, field work, and reporting.
 Specific guidance provided by AICPA Statements on Auditing Standards (SASs) as authoritative interpretations of GAAS.
 First one issued in 1972.
 If recommendations are not followed, the auditor must be able to show why a SAS does not apply to a given situation.
 Conducting an audit is a systematic and logical process that applies to all forms of information systems.

Generally Accepted Auditing Standards

General Standards
1. The auditor must have adequate technical training and proficiency.
2. The auditor must have independence of mental attitude.
3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report.

Standards of Field Work
1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.

Reporting Standards
1. The auditor must state in the report whether financial statements were prepared in accordance with generally accepted accounting principles.
2. The report must identify those circumstances in which generally accepted accounting principles were not applied.
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor’s opinion on the financial statements as a whole.

Statements on Auditing Standards
- authoritative pronouncements
- the burden of justifying departures from the SASs falls upon the individual auditor

A logical framework for conducting an audit in the IT environment is critical to help the auditor identify all important processes and data files.

Management Assertions and Audit Objectives

Obtaining Evidence
In the IT environment, this process involves gathering evidence relating to the reliability of computer controls as well as the contents of databases that have been processed by computer programs.
Evidence is collected by performing tests of controls and substantive tests.

Ascertaining Materiality
In all audit environments assessing materiality is an auditor judgment.
In an IT environment this decision is complicated further by technology and a sophisticated internal control structure.

Communicating Results
Auditors must communicate the results of their tests to interested users.
An independent auditor renders a report to the audit committee of the board of directors or stockholders of a company.
IT auditors often communicate their findings to internal and external auditors, who can then integrate these findings with the non-IT aspects of the audit.

AUDIT RISK
Audit risk is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated.
Material misstatements may be caused by errors or irregularities or both.
Errors are unintentional mistakes.
Irregularities are intentional misrepresentations associated with the commission of a fraud such as the misappropriation of physical assets or the deception of financial statement users.

Audit Risk Components
Acceptable audit risk (AR) is estimated based on the ex ante value of the components of the audit risk model.
These are inherent risk, control risk, and detection risk.

Inherent Risk
Inherent risk is associated with the unique characteristics of the business or industry of the client.
Firms in declining industries have greater inherent risk than firms in stable or thriving industries.

Control Risk
Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.

Detection Risk
Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.
Auditors set an acceptable level of detection risk (planned detection risk) that influences the level of substantive tests that they perform.

Audit Risk Model
The audit risk model is AR = IR × CR × DR.
Assume that acceptable audit risk is assessed at a value of 5 percent, consistent with the 95 percent confidence interval associated with statistics.
What would be the level of planned detection risk (DR) needed to achieve the acceptable audit risk (AR) of 5 percent?
5% = 40% × 60% × DR
DR = .05 / .24
DR = .20

The Relationship Between Tests of Controls and Substantive Tests
Tests of controls and substantive tests are auditing techniques used for reducing audit risk to an acceptable level.
The stronger the internal control structure, the lower the control risk and the less substantive testing the auditor must do.
Substantive tests are labor intensive and time-consuming; they drive up audit costs. Thus, management’s best interests are served by having a strong internal control structure.

THE IT AUDIT
IT audit focuses on the computer-based aspects of an organization’s information system; modern systems employ significant levels of technology.

The Structure of an IT Audit

Audit Planning - first step
- gain a thorough understanding of the client’s business
- a major part of this phase of the audit is the analysis of audit risk.
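The audit risk model above (AR = IR × CR × DR), solved for planned detection risk, as an added example that is not part of the notes. It uses the notes' own figures (AR 5%, IR 40%, CR 60%) plus constructed alternative control risk values to show the relationship between control strength and the allowable detection risk; the input validation is an addition of this example.

```python
"""Added example (not from the notes): the audit risk model AR = IR x CR x DR
solved for planned detection risk, with input checks, and the relationship the
notes describe between control risk and the amount of substantive testing.
The risk values are the notes' own example plus constructed alternatives."""


def planned_detection_risk(ar, ir, cr):
    """Return the planned detection risk DR = AR / (IR x CR).

    All three inputs are probabilities in (0, 1]. If IR x CR is already below
    AR the quotient exceeds 1, which is not a probability, so the model has no
    valid DR and a ValueError is raised rather than a misleading number."""
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not 0 < value <= 1:
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    dr = ar / (ir * cr)
    if dr > 1:
        raise ValueError("IR x CR is below AR; the model yields DR > 1")
    return dr


def detection_risk_by_control_risk(ar, ir, control_risks):
    """Tabulate (CR, DR) pairs for several control risk assessments.

    Lower CR (a stronger control structure) gives a higher allowable DR, which
    is the notes' point that stronger controls mean less substantive testing."""
    return [(cr, round(planned_detection_risk(ar, ir, cr), 4)) for cr in control_risks]


if __name__ == "__main__":
    # The notes' example: AR 5%, IR 40%, CR 60%.
    dr = planned_detection_risk(0.05, 0.40, 0.60)
    print(f"planned DR = {dr:.4f}")  # 0.2083, which the notes round to .20
    for cr, allowable in detection_risk_by_control_risk(0.05, 0.40, [0.9, 0.6, 0.3]):
        print(f"CR {cr:.2f} -> allowable DR {allowable:.4f}")
```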
Tests of Controls
The objective of the tests of controls phase is to determine whether adequate internal controls are in place and functioning properly.
The evidence-gathering techniques used in this phase may include both manual techniques and specialized computer audit techniques.
In the tests-of-controls phase, the auditor must assess the quality of the internal controls by assigning a level for control risk.

Substantive Testing
The third phase of the audit process.
This phase involves a detailed investigation of specific account balances and transactions through what are called substantive tests.
Customer confirmation is a substantive test sometimes used to verify account balances.
Some substantive tests are labor-intensive activities, such as counting cash and counting inventories in the warehouse.
In an IT environment, the data needed to perform substantive tests (such as account balances and names and addresses of individual customers) are contained in data files that often must be extracted using Computer-Assisted Audit Tools and Techniques (CAATTs) software.
INTERNAL CONTROL

SEC:
The establishment and maintenance of a system of internal control is a management obligation.
Management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis.

Brief History of Internal Control Legislation

SEC Acts of 1933 and 1934
Securities Act of 1933, which had two main objectives:
(1) require that investors receive financial and other significant information concerning securities being offered for public sale;
(2) prohibit deceit, misrepresentations, and other fraud in the sale of securities.

Copyright Law–1976
- added software and other intellectual properties into the existing copyright protection laws.
- management is held personally liable for violations (e.g., software piracy) if “raided” by the software police.

Foreign Corrupt Practices Act (FCPA) of 1977
FCPA requires companies registered with the SEC to do the following:
1. Keep records that fairly and reasonably reflect the transactions of the firm and its financial position.
2. Maintain a system of internal control that provides reasonable assurance that the organization’s objectives are met.
Violation of the FCPA could lead to heavy fines and imprisonment.

Committee of Sponsoring Organizations–1992
COSO Model – effective model for internal controls from a management perspective.
The AICPA adopted the model into auditing standards and published SAS No. 78—Consideration of Internal Control in a Financial Statement Audit.

Sarbanes-Oxley Act of 2002 (SOX) requires management of public companies to implement an adequate internal control system over their financial reporting process.
Under Section 302: Managers must certify the organization’s internal controls quarterly and annually.
External auditors must perform certain procedures quarterly to identify any material control modifications that may impact financial reporting.
Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls.

INTERNAL CONTROL OBJECTIVES, PRINCIPLES, AND MODELS

An organization’s internal control system comprises policies, practices, and procedures to achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.

Modifying Principles

1. Management Responsibility
This concept holds that the establishment and maintenance of a system of internal control is a management responsibility.

2. Methods of Data Processing
- the control objectives are the same whatever data processing method is used (whether manual or computer based).
- the specific techniques used to achieve these objectives will vary with different types of technology.
3. Limitations
(1) the possibility of error—no system is perfect,
(2) circumvention—personnel may circumvent the system through collusion or other means,
(3) management override—management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so, and
(4) changing conditions—conditions may change over time so that existing effective controls may become ineffectual.

4. Reasonable Assurance
The internal control system should provide reasonable assurance that the four broad objectives of internal control are met.
This reasonableness means that the cost of achieving improved control should not outweigh its benefits.
Some weaknesses are immaterial and tolerable - they may not be worth fixing.
Material weaknesses in controls, however, increase the firm’s risk of financial loss or injury from the undesirable events. The cost of correcting these weaknesses is offset by the benefits derived.

The PDC Model (figure)

Preventive Controls
Prevention - first line of defense in the control structure.
- passive techniques designed to reduce the frequency of occurrence of undesirable events.
- force compliance with prescribed or desired actions and thus screen out aberrant events.
Preventing errors and fraud is far more cost-effective than detecting and correcting problems after they occur.
The logical layout of the screen into zones that permit only specific types of data, such as customer name, address, items sold, and quantity, forces the data entry clerk to enter the required data and prevents necessary data from being omitted.

Detective Controls
- second line of defense
- devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
- reveal specific types of errors by comparing actual occurrences to pre-established standards.
- sound an alarm to attract attention to the problem
- a detective control should recalculate the total value using the price and quantity.

Corrective Controls
- actions that must be taken to reverse the effects of detected errors.

“Distinction between detective controls and corrective controls”
- Detective controls identify undesirable events and draw attention to the problem; corrective controls actually fix the problem.
- Linking a corrective action to a detected error, as an automatic response, may result in an incorrect action that causes a worse problem.
- “Error correction should be viewed as a separate control step.”

The PDC control model is conceptually pleasing but offers little practical guidance for designing or auditing specific controls.

COSO framework

Five components:
1. control environment
2. risk assessment
3. information and communication
4. monitoring
5. control activities.

A. Control environment
- foundation for the other four control components.
- sets the tone for the organization and influences the control awareness of its management and employees.

“Important elements of the control environment”
• The integrity and ethical values of management.
• The structure of the organization.
• The participation of the organization’s board of directors and the audit committee, if one exists.
• Management’s philosophy and operating style.
• The procedures for delegating responsibility and authority.
• Management’s methods for assessing performance.
• External influences, such as examinations by regulatory agencies.
• The organization’s policies and practices for managing its human resources.

“The following paragraphs provide examples of techniques that may be used to obtain an understanding of the control environment”
1. Auditors should assess the integrity of the organization’s management and may use investigative agencies to report on the backgrounds of key managers.
2. Auditors should be aware of conditions that would predispose the management of an organization to commit fraud. Some of the obvious conditions may be lack of sufficient working capital, adverse industry conditions, bad credit ratings, and the existence of extremely restrictive conditions in bank.
3. Auditors should understand a client’s business and industry and should be aware of conditions peculiar to the industry that may affect the audit.
4. The board of directors should adopt, as a minimum, the provisions of SOX.

The following guidelines represent established best practices:
• Separate CEO and chairman.
• Set ethical standards - the code of ethics should address such issues as outside employment conflicts, acceptance of gifts that could be construed as bribery, falsification of financial and/or performance data, conflicts of interest, etc.
• Establish an independent audit committee - the audit committee is responsible for selecting and engaging an independent auditor, ensuring that an annual audit is conducted, reviewing the audit report, and ensuring that deficiencies are addressed.
• Compensation committees - excessive use of short-term stock options to compensate directors and executives may result in decisions that influence stock prices at the expense of the firm’s long-term health.
• Nominating committees - the nominations committee should have a plan to maintain a fully staffed board of directors with capable people. The committee must recognize the need for independent directors and have criteria for determining independence.
• Access to outside professionals - the board should have access to attorneys and consultants other than the corporation’s normal counsel and consultants.

B. RISK ASSESSMENT
Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting. Risks can arise or change from circumstances such as:
• Changes in the operating environment.
• New personnel who have a different or inadequate understanding of internal control.
• New or reengineered information systems that affect transaction processing.
• Significant and rapid growth that strains existing internal controls.
• The implementation of new technology into the production process or information system.
• The introduction of new product lines or activities with which the organization has little experience.
• Organizational restructuring resulting in the reduction and/or reallocation of personnel.
• Entering into foreign markets that may impact operations (that is, the risks associated with foreign currency transactions).
• Adoption of a new accounting principle that impacts the preparation of financial statements.

C. Information and Communication
- the accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization’s transactions and to account for the related assets and liabilities. An effective accounting information system will:
• Identify and record all valid financial transactions.
• Provide timely information about transactions in sufficient detail.
• Accurately measure the financial value of transactions.
• Accurately record transactions in the time period in which they occurred.

SAS 109 requires that auditors obtain sufficient knowledge of the organization’s information system to understand:
• The classes of transactions that are material to the financial statements.
• The accounting records and accounts that are used in the processing of material transactions.
• The transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements.
• The financial reporting process used to prepare financial statements, disclosures, and accounting estimates.

D. MONITORING
Monitoring is the process by which the quality of internal control design and operation can be assessed.
An organization’s internal auditors may monitor the entity’s activities in separate procedures. They gather evidence of control adequacy by testing controls, then communicate control strengths and weaknesses to management.
Ongoing monitoring - may be achieved by integrating special computer modules into the information system that capture key data and/or permit tests of controls.
Another technique for achieving ongoing monitoring is the judicious use of management reports. By summarizing activities, highlighting trends, and identifying exceptions from normal performance, well-designed management reports provide evidence of internal control function or malfunction.
E. CONTROL ACTIVITIES
- the policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks.

Two distinct categories of control activities (Physical and IT Controls):

1. Physical Controls
- relate primarily to the human activities employed in accounting systems
- may be purely manual, such as the physical custody of assets, or they may involve the physical use of computers to record transactions or update accounts
- do not relate to the computer logic that actually performs accounting tasks
- relate to the human activities that trigger and utilize the results of those tasks
- all systems, regardless of their sophistication, employ human activities that need to be controlled

Six categories of physical control:
- transaction authorization
- segregation of duties
- supervision
- accounting records
- access control
- independent verification

1. Transaction Authorization
- the purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives
- may be general or specific
- general authority is granted to operations personnel to perform day-to-day activities
- an example of general authorization is the procedure to authorize the purchase of inventories from a designated vendor only when inventory levels fall to their predetermined reorder points - a programmed procedure
- specific authorizations deal with case-by-case decisions associated with non-routine transactions. An example of this is the decision to extend a particular customer’s credit limit beyond the normal amount. Usually a management responsibility.

2. Segregation of Duties
- segregation of employee duties to minimize incompatible functions

Three Objectives of Segregation of Duties:
Objective 1. The segregation of duties should be such that the authorization for a transaction is separate from the processing of the transaction. For example, the purchasing department should not initiate purchases until the inventory control department gives authorization. This separation of tasks is a control to prevent individuals from purchasing unnecessary inventory.
Objective 2. Responsibility for asset custody should be separate from the recordkeeping responsibility. For example, the department that has physical custody of finished goods inventory (the warehouse) should not keep the official inventory records.
Objective 3. The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities. For example, no individual should have sufficient access to accounting records to perpetrate a fraud.

3. Supervision
- implementing adequate segregation of duties requires that a firm employ a sufficiently large number of employees.
- achieving adequate segregation of duties often presents difficulties for small organizations.
- in small organizations or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision.
- the underlying assumption of supervision control is that the firm employs competent and trustworthy personnel.

4. Accounting Records
- the accounting records of an organization consist of source documents, journals, and ledgers.
- these records capture the economic essence of transactions and provide an audit trail of economic events.
- the audit trail enables the auditor to trace any transaction through all phases of its processing from the initiation of the event to the financial statements.

Two reasons to keep an audit trail:
1. This information is needed for conducting day-to-day operations. The audit trail helps employees respond to customer inquiries by showing the current status of transactions in process.
2. The audit trail plays an essential role in the financial audit of the firm. It enables external (and internal) auditors to verify selected transactions by tracing them from the financial statements to the ledger accounts, to the journals, to the source documents, and back to their original source.

5. Access Control
- the purpose of access controls is to ensure that only authorized personnel have access to the firm’s assets.
- unauthorized access exposes assets to misappropriation, damage, and theft.
Access to assets can be direct or indirect:
Direct access - physical security devices, such as locks, safes, fences, and electronic and infrared alarm systems.
Indirect access - achieved by gaining access to the records and documents that control the use, ownership, and disposition of the asset. For example, an individual with access to all the relevant accounting records can destroy the audit trail that describes a particular sales transaction.

6. Independent Verification
Verification procedures are independent checks of the accounting system to identify errors and misrepresentations.
- Verification differs from supervision because it takes place after the fact, by an individual who is not directly involved with the transaction or task being verified.
Through independent verification procedures, management can assess:
(1) the performance of individuals,
(2) the integrity of the transaction processing system,
(3) the correctness of data contained in accounting records.
Examples of independent verifications:
• Reconciling batch totals at points during transaction processing.
• Comparing physical assets with accounting records.
• Reconciling subsidiary accounts with control accounts.
• Reviewing management reports (both computer and manually generated) that summarize business activity.

2. IT CONTROLS
- Automated systems initiate, authorize, record, and report the effects of financial transactions.
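The three objectives of segregation of duties listed above, checked mechanically over a set of role assignments, as an added example that is not part of the notes. The four duty categories (authorize, process, custody, record) and the sample staff assignments are constructed for illustration.

```python
"""Added example (not from the notes): an incompatible-duties check over
constructed role assignments, following the three objectives of segregation
of duties. The four duty categories and the sample assignments are assumptions
made for illustration."""

# Duty categories (assumed): every duty a user holds is tagged with one.
AUTHORIZE, PROCESS, CUSTODY, RECORD = "authorize", "process", "custody", "record"

# Objective 1: authorization separate from processing.
# Objective 2: asset custody separate from recordkeeping.
INCOMPATIBLE_PAIRS = {
    frozenset({AUTHORIZE, PROCESS}): "Objective 1: authorization vs. processing",
    frozenset({CUSTODY, RECORD}): "Objective 2: custody vs. recordkeeping",
}


def categories_held(duties):
    """Set of duty categories in a list of (duty name, category) pairs."""
    return {category for _, category in duties}


def violations_for_user(duties):
    """Objectives one user's combined duties violate (empty when clean)."""
    held = categories_held(duties)
    return [reason for pair, reason in INCOMPATIBLE_PAIRS.items() if pair <= held]


def review_assignments(assignments):
    """Map user -> violated objectives, listing only users with a conflict."""
    report = {}
    for user, duties in assignments.items():
        found = violations_for_user(duties)
        if found:
            report[user] = found
    return report


def collusion_required(assignments, needed_categories):
    """Objective 3: True when no single user holds every category a fraud
    over `needed_categories` would need, so it could only succeed by collusion."""
    needed = set(needed_categories)
    return not any(needed <= categories_held(d) for d in assignments.values())


# Constructed sample: a purchasing/inventory cycle with four staff.
SAMPLE_ASSIGNMENTS = {
    "alice": [("approve purchase requisition", AUTHORIZE), ("post AP ledger", RECORD)],
    "bob":   [("approve purchase requisition", AUTHORIZE), ("enter purchase order", PROCESS)],
    "carol": [("warehouse receiving", CUSTODY), ("maintain inventory records", RECORD)],
    "dave":  [("warehouse receiving", CUSTODY)],
}

if __name__ == "__main__":
    for user, reasons in review_assignments(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: {'; '.join(reasons)}")
    # A misappropriation that needs both custody and the records covering it:
    print("collusion required:", collusion_required(SAMPLE_ASSIGNMENTS, {CUSTODY, RECORD}))
```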
COSO identifies two broad groupings of IT controls: application controls and general controls.

a) Application controls - are to ensure the validity, completeness, and accuracy of financial transactions. These controls are designed to be application-specific. Examples include:
• A cash disbursements batch balancing routine that verifies that the total payments to vendors reconciles with the total postings to the accounts payable subsidiary ledger.
• An accounts receivable check digit procedure that validates customer account numbers on sales transactions.
• A payroll system limit check that identifies and flags employee time card records with reported hours worked in excess of the predetermined normal limit.

b) General controls - they are not application-specific but, rather, apply to all systems.
- They include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program change procedures.
- Although general controls do not control specific transactions, they have an effect on transaction integrity.

Audit Implications of SOX
- SOX legislation dramatically expands the role of external auditors by mandating that they attest to the quality of their client organizations’ internal controls.
- This constitutes the issuance of a separate audit opinion on the internal controls in addition to the opinion on the fairness of the financial statements.
- The auditor is precluded from issuing an unqualified opinion if only one material weakness in internal control is detected.
- Auditors are permitted to simultaneously render a qualified opinion on internal controls and an unqualified opinion on the financial statements.
- As part of the new attestation responsibility, PCAOB Standard No. 5 specifically requires auditors to understand transaction flows, including the controls pertaining to how transactions are initiated, authorized, recorded, and reported.
- SOX places responsibility on auditors to detect fraudulent activity and emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements.
“Management is responsible for implementing such controls, and auditors are expressly required to test them.”
- PCAOB Auditing Standard No. 5 emphasizes that management and auditors use a risk-based approach rather than a one-size-fits-all approach in the design and assessment of controls.
- The size and complexity of the organization needs to be considered in determining the nature and extent of controls that are necessary.
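The three application controls named above (batch balancing, a check digit on customer account numbers, a payroll limit check) together with the price-times-quantity recalculation the notes give as a detective control, run over constructed sample records, as an added example that is not part of the notes. The check digit scheme (weighted modulus 11) and all sample data are assumptions; the notes do not specify a scheme.

```python
"""Added example (not from the notes): the three application controls the notes
name, batch balancing, a check digit on customer account numbers and a payroll
limit check, plus the price-times-quantity recalculation the notes give as a
detective control, run over constructed sample records. The check digit scheme
(weighted modulus 11) and all sample data are assumptions."""
from decimal import Decimal


def batch_balances(payments, ap_postings):
    """Cash disbursements batch balancing: total vendor payments must equal
    total postings to the accounts payable subsidiary ledger.
    Returns (balanced, difference as a string)."""
    total_paid = sum(Decimal(p["amount"]) for p in payments)
    total_posted = sum(Decimal(p["amount"]) for p in ap_postings)
    diff = total_paid - total_posted
    return diff == 0, str(diff)


def mod11_check_digit(body):
    """Weighted modulus-11 check digit (assumed scheme): weights 2..7 cycle
    from the rightmost digit; a remainder of 10 is written as 'X'."""
    weights = (2, 3, 4, 5, 6, 7)
    total = sum(int(ch) * weights[i % 6] for i, ch in enumerate(reversed(body)))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def valid_account_number(number):
    """Accounts receivable check digit procedure: the last character must be
    the check digit of the preceding digits. Catches transposed digits."""
    body, digit = number[:-1], number[-1].upper()
    return body.isdigit() and mod11_check_digit(body) == digit


def excess_hours(timecards, normal_limit=60):
    """Payroll limit check: employees whose reported hours exceed the limit."""
    return [tc["employee"] for tc in timecards if tc["hours"] > normal_limit]


def recalculate_totals(lines):
    """Detective control: recompute quantity x price and report lines whose
    recorded total disagrees, as (item, recorded, expected)."""
    exceptions = []
    for line in lines:
        expected = Decimal(line["qty"]) * Decimal(line["price"])
        if expected != Decimal(line["total"]):
            exceptions.append((line["item"], line["total"], str(expected)))
    return exceptions


# Constructed sample data (one seeded error per control).
SAMPLE_PAYMENTS = [{"vendor": "V100", "amount": "1250.00"},
                   {"vendor": "V200", "amount": "830.50"}]
SAMPLE_AP_POSTINGS = [{"vendor": "V100", "amount": "1250.00"},
                      {"vendor": "V200", "amount": "803.50"}]   # digits transposed
SAMPLE_SALES = ["123455", "213455", "6X"]                          # 2nd has transposed digits
SAMPLE_TIMECARDS = [{"employee": "E1", "hours": 40},
                    {"employee": "E2", "hours": 72},
                    {"employee": "E3", "hours": 60}]
SAMPLE_LINES = [{"item": "A", "qty": "3", "price": "19.99", "total": "59.97"},
                {"item": "B", "qty": "10", "price": "4.50", "total": "54.00"}]


def run_controls():
    """Run every control over the sample data and collect the exceptions."""
    balanced, diff = batch_balances(SAMPLE_PAYMENTS, SAMPLE_AP_POSTINGS)
    return {
        "batch_balanced": balanced,
        "batch_difference": diff,
        "invalid_accounts": [n for n in SAMPLE_SALES if not valid_account_number(n)],
        "excess_hours": excess_hours(SAMPLE_TIMECARDS),
        "total_exceptions": recalculate_totals(SAMPLE_LINES),
    }


if __name__ == "__main__":
    for name, result in run_controls().items():
        print(f"{name}: {result}")
```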
CHAPTER 2−Auditing IT Governance Controls

➢ COSO (Committee of Sponsoring Organizations) Framework is a system used to establish internal controls to be integrated into business processes. The five components of COSO – control environment, risk assessment, information and communication, monitoring activities, and existing control activities – are often referred to by the acronym C.R.I.M.E.

➢ Information technology (IT) governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources. Key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation.

➢ Three IT governance issues that are addressed by SOX and the COSO internal control framework:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

➢ Centralized Data Processing Approach-all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization. IT services activities are consolidated and managed as a shared organization resource. End users compete for these resources on the basis of need. The IT services function is usually treated as a cost center whose operating costs are charged back to the end users.

Primary Service Areas of a Centralized IT Services Structure
1. Database Administration-In the shared data arrangement (data resources in a central location that are shared by all end users), an independent group headed by the database administrator (DBA) is responsible for the security and integrity of the database.
2. Data Processing-The data processing group manages the computer resources used to perform the day-to-day processing of transactions. It consists of the following organizational functions:
   a. Data Conversion. This function transcribes transaction data from hard-copy source documents into computer input.
   b. Computer Operations. The electronic files produced in data conversion are later processed by the central computer, which is managed by the computer operations group.
   c. Data Library. It is a room adjacent to the computer center that provides safe storage for the off-line data files. Those files could be backups or current data files. The data library is also used to store original copies of commercial software and their licenses for safekeeping.
3. Systems Development and Maintenance-The information systems needs of users are met by two related functions: systems development and systems maintenance. Systems development is responsible for analyzing user needs and for designing new systems to satisfy those needs. The participants in systems development activities include systems professionals, end users, and stakeholders.
   a. Systems professionals include systems analysts, database designers, and programmers who design and build the system. Systems professionals gather facts about the user’s problem, analyze the facts, and formulate a solution. The product of their efforts is a new information system.
   b. End users are those for whom the system is built. They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities.
   c. Stakeholders are individuals inside or outside the firm who have an interest in the system, but are not end users. They include accountants, internal auditors, external auditors, and others who oversee systems development.
Once a new system has been designed and implemented, the systems maintenance group assumes responsibility for keeping it current with user needs. The term maintenance refers to making changes to program logic to accommodate shifts in user needs over time.

➢ Segregation of Incompatible IT Functions. Operational tasks should be segregated to:
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.

➢ Separating Systems Development from Computer Operations-The relationship between these groups should be extremely formal, and their responsibilities should not be commingled. Systems development and maintenance professionals should create (and maintain) systems for users, and should have no involvement in entering data or running applications (i.e., computer operations).

➢ Separating Database Administration from Other Functions-The DBA function is responsible for a number of critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion. Delegating these responsibilities to others who perform incompatible tasks threatens database integrity.

➢ Separating New Systems Development from Maintenance-Some companies organize their in-house systems development function into two groups: systems analysis and programming. The systems analysis group works with the users to produce detailed designs of the new systems. The programming group codes the programs according to these design specifications. Although a common arrangement, this approach is associated with two types of control problems: inadequate documentation and the potential for program fraud.
   a. Inadequate Documentation. Poor-quality systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance. There are at least two explanations for this phenomenon. First, documenting systems is not as interesting as designing, testing, and implementing them. The second possible reason for poor documentation is job security: when a system is poorly documented, it is difficult to interpret, test, and debug.
   b. Program Fraud. When the original programmer of a system is also assigned maintenance responsibility, the potential for fraud is increased. Program fraud involves making unauthorized changes to program modules for the purpose of committing an illegal act.

➢ A Superior Structure for Systems Development
First, documentation standards are improved because the maintenance group requires documentation to perform its maintenance duties. Without complete and adequate documentation, the formal transfer of system responsibility from new systems development to systems maintenance simply cannot occur.
Second, denying the original programmer future access to the program deters program fraud. That the fraudulent code, once concealed within the system, is out of the programmer’s control and may later be discovered increases the risk associated with program fraud.

➢ The Distributed Model
An alternative to the centralized model is the concept of distributed data processing (DDP). DDP involves reorganizing the central IT function into small IT units that are placed under the control of end users. The IT units may be distributed according to business function, geographic location, or both.
Notice the interconnections between the distributed units in Figure 2.4. These connections represent a networking arrangement that permits communication and data transfers between the units.

➢ Risks Associated with DDP
1. Inefficient Use of Resources.
2. Destruction of Audit Trails.
3. Inadequate Segregation of Duties.
4. Hiring Qualified Professionals.
5. Lack of Standards.

1. Inefficient Use of Resources. First is the risk of mismanagement of organization-wide IT resources by end users. Second, DDP can increase the risk of operational inefficiencies because of redundant tasks being performed within the end-user community. Third, the DDP environment poses a risk of incompatible hardware and software among end-user functions.
2. Destruction of Audit Trails. An audit trail provides the linkage between a company’s financial activities (transactions) and the financial statements that report on those activities. Auditors use the audit trail to trace selected financial transactions from the source documents that captured the events. Should an end user inadvertently delete one of the files, the audit trail could be destroyed and unrecoverable. Similarly, if an end user inadvertently inserts transaction errors into an audit trail file, it could become corrupted.
3. Inadequate Segregation of Duties. The distribution of the IT services to users may result in the creation of small independent units that do not permit the desired separation of incompatible functions.
4. Hiring Qualified Professionals. End-user managers may lack the IT knowledge to evaluate the technical credentials and relevant experience of candidates applying for IT professional positions. The risk of programming errors and system failures increases directly with the level of employee incompetence.
5. Lack of Standards. Because of the distribution of responsibility in the DDP environment, standards for developing and documenting systems, choosing programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or even non-existent.

➢ Advantages of DDP
1. Cost Reductions.
2. Improved Cost Control Responsibility.
3. Improved User Satisfaction.
4. Backup Flexibility.

1. Cost Reductions. For many years, achieving economies of scale was the principal justification for the centralized data processing approach. Thus, for many users, large centralized systems represented expensive overkill that they should escape. Moreover, the move to DDP has reduced costs in two other areas: (1) data can be edited and entered by the end user, thus eliminating the centralized task of data preparation; and (2) application complexity can be reduced, which in turn reduces systems development and maintenance costs.
2. Improved Cost Control Responsibility. Proponents of DDP contend that the benefits of improved management attitudes more than outweigh any additional costs incurred from distributing these resources. They argue that if IT capability is indeed critical to the success of a business operation, then management must be given control over these resources.
3. Improved User Satisfaction. DDP proponents claim that distributing systems to end users improves three areas of need that too often go unsatisfied in the centralized model: (1) users desire to control the resources that influence their profitability; (2) users want systems professionals (analysts, programmers, and computer operators) to be responsive to their specific situation; and (3) users want to become more actively involved in developing and implementing their own systems.
4. Backup Flexibility. The final argument in favor of DDP is the ability to back up computing facilities to protect against potential disasters such as fires, floods, sabotage, and earthquakes. The only way to back up a central computer site against such disasters is to provide a second computer facility. If a disaster destroys a single site, the other sites can use their excess capacity to process the transactions of the destroyed site.

➢ Controlling the DDP Environment
Central Testing of Commercial Software and Hardware. A central, technically astute group can evaluate systems features, controls, and compatibility with industry and organizational standards. Test results can then be distributed to user areas as standards for guiding acquisition decisions. This allows the organization to effectively centralize the acquisition, testing, and implementation of software and hardware and avoid many problems.

User Services. This activity provides technical help to users during the installation of new software and in troubleshooting hardware and software problems. In many organizations user services staff teach technical courses for end users as well as for computer services personnel.
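The segregation rules above (systems development staff kept out of computer operations, and the original programmer of a system kept away from its maintenance) can be checked mechanically against personnel and access records. The script below is an added example, not part of these notes or of the textbook they summarise; every application, person, timestamp and log line in it is constructed.

```python
"""Added example (not from these notes): two of the segregation-of-duties
rules above, checked against constructed personnel and access records.

Rule 1 - new systems development vs. maintenance: the programmer who designed
a system must not be the one assigned to maintain it.
Rule 2 - systems development vs. computer operations: programmers enter the
operations room only for system failures, so every programmer entry in the
access log must fall inside a recorded system-failure window.
Names, applications, timestamps and log lines are all constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Application:
    name: str
    original_programmer: str
    maintenance_programmer: str


@dataclass(frozen=True)
class AccessEntry:
    when: datetime
    person: str
    role: str  # "programmer" or "operator"


# Constructed operations-room access log, one entry per line:
# "<date> <time> <person> <role>"
ACCESS_LOG_TEXT = """\
2024-03-04 08:15 erin operator
2024-03-04 10:10 alice programmer
2024-03-04 13:00 carol programmer
2024-03-04 16:45 erin operator
"""

# Constructed incident record: (start, end) of each logged system failure
FAILURE_WINDOWS = [
    (datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 11, 0)),
]

# Constructed project records: who designed each application, who maintains it
APPLICATIONS = [
    Application("payroll", "alice", "bob"),
    Application("billing", "carol", "carol"),  # designer is also the maintainer
    Application("ledger", "dave", "alice"),
]


def parse_access_log(text: str) -> List[AccessEntry]:
    """Turn the access-log lines into entries; a malformed line raises ValueError."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, person, role = line.split()
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        entries.append(AccessEntry(when, person, role))
    return entries


def maintenance_violations(apps: List[Application]) -> List[str]:
    """Rule 1: applications whose original designer is also the maintainer."""
    return [a.name for a in apps if a.original_programmer == a.maintenance_programmer]


def unexplained_programmer_entries(entries: List[AccessEntry],
                                   windows) -> List[Tuple[str, str]]:
    """Rule 2: programmer entries not covered by any system-failure window."""
    def during_failure(when: datetime) -> bool:
        return any(start <= when <= end for start, end in windows)
    return [(e.when.strftime("%Y-%m-%d %H:%M"), e.person)
            for e in entries if e.role == "programmer" and not during_failure(e.when)]


def audit_report(apps=APPLICATIONS, log_text=ACCESS_LOG_TEXT,
                 windows=FAILURE_WINDOWS) -> Dict[str, list]:
    """Both checks as an auditor's exception list (empty lists mean no finding)."""
    entries = parse_access_log(log_text)
    return {
        "designer_also_maintains": maintenance_violations(apps),
        "programmer_in_ops_room_without_failure":
            unexplained_programmer_entries(entries, windows),
    }


if __name__ == "__main__":
    for finding, items in audit_report().items():
        print(f"{finding}: {items or 'none'}")
```

Alice's 10:10 entry falls inside the 10:00-11:00 failure window and is accepted; Carol's 13:00 entry has no matching incident and is listed as an exception for follow-up.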
Standard-Setting Body. The relatively poor control environment imposed by the DDP model can be improved by establishing some central guidance. The corporate group can contribute to this goal by establishing and distributing to user areas appropriate standards for systems development, programming, and documentation.

Personnel Review. The corporate group is often better equipped than users to evaluate the technical credentials of prospective systems professionals. Although the systems professional will actually be part of the end-user group, the involvement of the corporate group in employment decisions can render a valuable service to the organization.

➢ Audit Objective. The auditor’s objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks.

➢ Audit Procedures. The following audit procedures would apply to an organization with a centralized IT function:
   • Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
   • Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.
   • Verify that computer operators do not have access to the operational details of a system’s internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operations documentation set.
   • Through observation, determine that segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.

➢ The following audit procedures would apply to an organization with a distributed IT function:
   • Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.
   • Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
   • Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
   • Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.

THE COMPUTER CENTER

The objective of this section is to present computer center risks and the controls that help to mitigate risk and create a secure environment.

Physical Location- directly affects the risk of destruction from a natural or man-made disaster.

- CC should be away from human-made and natural hazards (traffic, airports, basements, flood and high-crime areas, gas, water, etc.)

Construction- CC should be located in a single-story building of solid construction with controlled access.

- utility lines should be underground

- the building windows should not open, and an air filtration system should be in place that is capable of extracting pollens, dust, and dust mites.

Access- should be limited to the operators and other employees who work there.

- physical controls, e.g. locked doors, should be employed to limit access to the center.

- access should be controlled by a keypad or swipe card and monitored by closed-circuit cameras and video recording systems; the CC should use sign-in logs for programmers and analysts who need access to correct program errors.

Air Conditioning- computers function best in an air-conditioned environment.

- computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent.

Fire Suppression- fire is the most serious threat to a firm’s computer equipment.
- many companies suffer due to the loss of critical records to fire

Some of the major features of a fire suppression system include the following:

1. Automatic and manual alarms should be placed in strategic locations around the installation. These alarms should be connected to permanently staffed fire-fighting stations.

2. There must be an automatic fire extinguishing system that dispenses the appropriate type of suppressant for the location. For example, spraying water and certain chemicals on a computer can do as much damage as the fire.

3. Manual fire extinguishers should be placed at strategic locations.

4. The building should be of sound construction to withstand water damage caused by fire suppression equipment.

5. Fire exits should be clearly marked and illuminated during a fire.

Fault Tolerance- is the ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.

- implementing fault tolerance control ensures that no single point of potential system failure exists.

2 examples of fault tolerance technologies:

1. Redundant arrays of independent disks (RAID). RAID involves using parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.

2. Uninterruptible power supplies. Commercially provided electrical power can cause total power failures, brownouts, power fluctuations, and frequency variations. The equipment used to control these problems includes voltage regulators, surge protectors, generators, and backup batteries. In the event of a power outage, these devices provide backup power for a reasonable period to allow commercial power service restoration. In the event of an extended power outage, the backup power will allow the computer system to shut down in a controlled manner and prevent data loss and corruption that would otherwise result from an uncontrolled system crash.

Audit Objectives (For CC)

To evaluate the controls governing computer center security. Specifically, the auditor must verify that:

• Physical security controls are adequate to reasonably protect the organization from physical exposures

• Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.

Audit Procedures (For CC)

The following are tests of physical security controls:

• Tests of Physical Construction. The auditor should obtain architectural plans to determine that the CC is solidly built of fireproof material. The facility should be located in an area that minimizes its exposure to fire, civil unrest, and other hazards.

• Tests of the Fire Detection System. The auditor should establish that fire detection and suppression equipment, both manual and automatic, are in place and tested regularly. The fire-detection system should detect smoke, heat, and combustible fumes. The evidence may be obtained by reviewing official fire marshal records of tests, which are stored at the CC.

• Tests of Access Control. The auditor must establish that routine access to the CC is restricted to authorized employees. Details about visitor access can be obtained by reviewing the access log. To establish the veracity of this document, the auditor may covertly observe the process by which access is permitted, or review videotapes from cameras at the access point, if they are being used.

• Tests of RAID. Most systems that employ RAID provide a graphical mapping of their redundant disk storage. From this mapping, the auditor should determine if the level of RAID in place is adequate for the organization, given the level of business risk associated with disk failure. If the organization is not employing RAID, the potential for a single point of system failure exists. The auditor should review with the system administrator alternative procedures for recovering from a disk failure.
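The RAID description above says only that a failed disk’s data are rebuilt from redundant components on the other disks. The simulation below is an added example, not part of these notes or the textbook they summarise; it shows one concrete scheme, a single XOR parity block per stripe as in RAID 5 (choosing RAID 5 is this example’s assumption), and also why a second simultaneous disk failure defeats single parity, which is what the Tests of RAID procedure is weighing when it asks whether the RAID level is adequate for the business risk.

```python
"""Added example (not from these notes): an in-memory RAID 5 style array.
Each stripe holds n-1 data blocks and one parity block (the XOR of the data
blocks); parity rotates across disks.  Any single missing block in a stripe is
the XOR of the surviving blocks, so one failed disk can be rebuilt.  Two failed
disks leave two unknowns per stripe and cannot be rebuilt: the point at which
single parity becomes a single point of failure."""
from typing import List, Optional

BLOCK = 4  # block size in bytes; tiny so the layout is easy to inspect

Disks = List[List[Optional[bytes]]]  # disks[d][s]: block of disk d in stripe s


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks byte by byte."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def write_array(data: bytes, n_disks: int) -> Disks:
    """Stripe data over n_disks; parity of stripe s lives on disk s % n_disks."""
    assert n_disks >= 3, "single parity needs at least three disks"
    data_per_stripe = (n_disks - 1) * BLOCK
    data = data + b"\x00" * (-len(data) % data_per_stripe)  # pad last stripe
    n_stripes = len(data) // data_per_stripe
    disks: Disks = [[None] * n_stripes for _ in range(n_disks)]
    for s in range(n_stripes):
        chunk = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(n_disks - 1)]
        parity_disk = s % n_disks
        next_block = iter(blocks)
        for d in range(n_disks):
            disks[d][s] = xor_blocks(blocks) if d == parity_disk else next(next_block)
    return disks


def fail_disk(disks: Disks, d: int) -> None:
    """Simulate a disk loss: every block on disk d becomes unreadable (None)."""
    disks[d] = [None] * len(disks[d])


def rebuild(disks: Disks) -> Disks:
    """Reconstruct each missing block from the surviving blocks of its stripe.
    Raises RuntimeError if a stripe lost more than one block."""
    n_disks, n_stripes = len(disks), len(disks[0])
    for s in range(n_stripes):
        missing = [d for d in range(n_disks) if disks[d][s] is None]
        if len(missing) > 1:
            raise RuntimeError(f"stripe {s}: {len(missing)} blocks lost, parity cannot recover")
        for d in missing:
            disks[d][s] = xor_blocks([disks[o][s] for o in range(n_disks) if o != d])
    return disks


def read_data(disks: Disks) -> bytes:
    """Read the stored bytes back in order, skipping parity (padding included)."""
    n_disks, n_stripes = len(disks), len(disks[0])
    out = b""
    for s in range(n_stripes):
        for d in range(n_disks):
            if d != s % n_disks:
                out += disks[d][s]
    return out


def survives_failures(data: bytes, n_disks: int, failed: List[int]) -> bool:
    """True if the array still returns `data` after the listed disks fail."""
    disks = write_array(data, n_disks)
    for d in failed:
        fail_disk(disks, d)
    try:
        rebuild(disks)
    except RuntimeError:
        return False
    return read_data(disks).rstrip(b"\x00") == data


SAMPLE = b"GL batch 2024-03-04: 37 journal entries posted"  # constructed payload

if __name__ == "__main__":
    print("4 disks, disk 2 fails :", survives_failures(SAMPLE, 4, [2]))
    print("4 disks, disks 1+2 fail:", survives_failures(SAMPLE, 4, [1, 2]))
```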
• Tests of the Uninterruptible Power Supply. The CC should perform periodic tests of the backup power supply to ensure that it has sufficient capacity to run the computer and air conditioning. These are extremely important tests, and their results should be formally recorded. Without such tests, an organization may be unaware that it has outgrown its backup capacity until it is too late.

• Tests for Insurance Coverage. The auditor should annually review the organization’s insurance coverage on its computer hardware, software, and physical facility. The auditor should verify that all new acquisitions are listed on the policy and that obsolete equipment and software have been deleted.

DISASTER RECOVERY PLANNING

Natural - most potentially devastating

Human-Made - can be destructive to an individual organization, but tend to be limited in scope of impact

System Failure - less severe, but most likely to occur

All of these disasters can deprive an organization of its data processing facilities, halt those business functions that are performed or aided by computers, and impair the organization’s ability to deliver its products or services. The more dependent the business is on technology, the more prone it is to these risks.

Disaster Recovery Plan (DRP)

- a comprehensive statement of all actions to be taken before, during, and after any type of disaster. 4 common features:
1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures

Identify Critical Applications

- recovery efforts must concentrate on restoring those applications that are critical to the short-term survival (focus of DRP) of the organization.

Creating a Disaster Recovery Team

- to avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved. The team members should be experts in their areas and have assigned tasks.

Providing Second-Site Backup

- DRP should provide duplicate data processing facilities following a disaster

Most common options:

Mutual Aid Pact - an agreement between two or more organizations to aid each other with their data processing needs in the event of a disaster. This is driven by economics; they are relatively cost-free to implement. To rely on such an arrangement requires a level of faith and untested trust that is uncharacteristic of sophisticated management and its auditors.

Empty Shell or Cold Site - an arrangement wherein the company buys or leases a building that will serve as a data center. In the event of a disaster, the shell is available and ready to receive whatever hardware the temporary user needs to run essential systems. Weakness: Recovery depends on the timely availability of the necessary computer hardware to restore the data processing function.
Recovery Operations Center or Hot Site - is a fully equipped backup data center that many companies share. In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.

Internally Provided Backup - larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides. Pershing Company recognized that the ROC vendor could not provide the recovery time it wanted and needed. Thus, it built its own remote mirrored data center equipped with high-capacity storage devices capable of storing more than 20 terabytes of data and two IBM mainframes running high-speed copy software. At any point in time, the facility reflects current economic events of the firm. The mirrored system has reduced Pershing’s data recovery time from 24 hours to 1 hour.

Backup and Off-Site Storage Procedures

- data files, applications, documentation, and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.

Operating System Backup. If the company uses a cold site or other method of site backup that does not include a compatible operating system (O/S), procedures for obtaining a current version of the operating system need to be clearly specified. The data librarian, if one exists, would be a key person to involve in performing this task in addition to the applications and data backup procedures.

Application Backup. The DRP should include procedures to create copies of current versions of critical applications. In the case of commercial software, this involves purchasing backup copies of the latest software upgrades used by the organization. For in-house developed applications, backup procedures should be an integral step in the systems development and program change process.

Backup Data Files. The state-of-the-art in database backup is the remote mirrored site, which provides complete data currency. Databases should be copied daily to high-capacity, high-speed media, such as tape or CDs/DVDs, and secured offsite. In the event of a disruption, reconstruction of the database is achieved by updating the most current backed-up version with subsequent transaction data. Likewise, master files and transaction files should be protected.

Backup Documentation. The system documentation for critical applications should be backed up and stored off-site along with the applications. Documentation backup may be simplified and made more efficient through the use of Computer Aided Software Engineering (CASE) documentation tools.

Backup Supplies and Source Documents. The organization should create backup inventories of supplies and source documents used in processing critical transactions such as check stocks, invoices, purchase orders, and any other special-purpose forms that cannot be obtained immediately.

Testing the DRP. This is the most neglected aspect of contingency planning. Tests measure the preparedness of personnel and identify omissions or bottlenecks in the plan. A test is most useful when the simulation of a disruption is a surprise. The results can be analyzed and a DRP performance report prepared. The degree of performance achieved provides input for decisions to modify the DRP or schedule additional tests. The organization’s management should seek measures of performance in each of the following areas: (1) the effectiveness of DRP team personnel and their knowledge levels; (2) the degree of conversion success (i.e., the number of lost records); (3) an estimate of financial loss due to lost records or facilities; and (4) the effectiveness of program, data, and documentation backup and recovery procedures.

Audit Objective (For DRP)

The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures (For DRP)

In verifying that management’s DRP is a realistic solution for dealing with a catastrophe, the following tests may be performed:

• Site Backup - evaluate the adequacy of the backup site arrangement.

(a) Mutual aid pact - system incompatibility and human nature reduce its effectiveness. Auditors should be skeptical: First, the sophistication of the computer system may make it difficult to find a potential partner with a compatible configuration. Second, most firms do not have the necessary excess capacity to support a disaster-stricken partner while also processing their own work.

More viable but expensive options are:

(b) Empty shell - verify the existence of valid contracts with hardware vendors that guarantee delivery of needed computer hardware with minimum delay after the disaster.

(c) Recovery operations center - be concerned about the number of ROC members and their geographic dispersion.

• Critical Application List - review the list of critical applications to ensure that it is complete. To include applications on the critical list that are not needed to achieve short-term survival can misdirect resources and distract
attention from the primary objective during the recovery period.

• Software Backup - verify that copies of critical applications and operating systems are stored off-site. Also verify that the applications stored off-site are current by comparing their version numbers with those of the actual applications in use.

• Data Backup - verify that critical data files are backed up in accordance with the DRP.

• Backup Supplies, Documents, and Documentation - verify that the types and quantities of items specified in the DRP, such as check stock, invoices, purchase orders, and any special-purpose forms, exist in a secure location.

• Disaster Recovery Team - verify that members of the team are current employees and are aware of their assigned responsibilities.

OUTSOURCING THE IT FUNCTION

Often cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor’s expertise), and reduced IT costs. By moving IT facilities offshore to low labor-cost areas and/or through economies of scale (by combining the work of several clients), the vendor can perform the outsourced function more cheaply than the client firm could have otherwise. The resulting cost savings are then passed to the client organization.

The logic underlying IT outsourcing follows from core competency theory, which argues that an organization should focus exclusively on its core business competencies, while allowing outsourcing vendors to efficiently manage the non–core areas such as the IT functions.

Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions.

Specific IT assets are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside their current use. Such assets may be tangible (computer equipment), intellectual (computer programs), or human. Examples of specific assets include systems development, application maintenance, data warehousing, and highly skilled employees trained to use organization-specific software.

Transaction Cost Economics (TCE) theory is in conflict with the core competency school by suggesting that firms should retain certain specific non–core IT assets in-house. Specific assets cannot be easily replaced once they are given up in an outsourcing arrangement. But TCE theory supports the outsourcing of commodity assets, which are easily replaced or obtained from alternative vendors.

Risks Inherent to IT Outsourcing

Failure to Perform. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance.

Vendor Exploitation. Large-scale IT outsourcing involves transferring to a vendor “specific assets,” such as the design, development, and maintenance of unique business applications that are critical to an organization’s survival. Because the vendor assumes risk by acquiring the assets and can achieve no economies of scale by employing them elsewhere, the client organization will pay a premium to transfer such functions to a third party.

Outsourcing Costs Exceed Benefits. IT outsourcing has been criticized on the grounds that unexpected costs arise and the full extent of expected benefits is not realized. One survey revealed that 47 percent of 66 firms surveyed reported that the costs of IT outsourcing exceeded outsourcing benefits. One reason for this is that outsourcing clients often fail to anticipate the costs of vendor selection, contracting, and the transitioning of IT operations to the vendors.

Reduced Security. Information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data.

Loss of Strategic Advantage. IT outsourcing may result in incongruence between a firm’s IT strategic planning and its business planning functions. A survey of 213 IT managers in the financial services industry confirmed that a firm’s IT leadership needs to be closely aligned with the firm’s competitive strategy. Further, because the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them.

Audit Implications of IT Outsourcing

Management may outsource its organization’s IT functions, but it cannot outsource its management responsibilities under SOX for ensuring adequate IT internal controls. The PCAOB specifically states in its Auditing Standard No. 2, “The use of a service organization does not reduce management’s responsibility to maintain effective internal control over financial reporting. Rather, user management should evaluate controls at the service organization, as well as related controls at the user company, when making its assessment about internal control over financial reporting.” Therefore, if an audit client firm outsources its IT function to a vendor that processes its transactions, hosts key data, or performs other significant services, the auditor will need to conduct an evaluation of the vendor organization’s controls, or alternatively obtain a SAS No. 70 auditor’s report from the vendor organization.

Statement on Auditing Standards No. 70 (SAS 70) is the definitive standard by which client organizations’ auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client’s financial statements. The SAS 70 report, which is prepared by the vendor’s auditor, attests to the adequacy of the vendor’s internal controls. This is the means by which an outsourcing vendor can obtain a single audit report that may be used by its clients’ auditors and thus preclude the need for each client firm auditor to conduct its own audit of the vendor organization’s internal controls.

Service provider auditors issue two types of SAS 70 reports:

SAS 70 Type I report is the less rigorous of the two and comments only on the suitability of the controls’ design.

SAS 70 Type II report goes further and assesses whether the controls are operating effectively based on tests conducted by the vendor organization’s auditor. The vast majority of SAS 70 reports issued are Type II.

Because Section 404 requires the explicit testing of controls, SAS 70 Type I reports are of little value in a post-SOX world.
CHAPTER 3
Security Part I: Auditing Operating Systems and Networks

Operating system - is the computer’s control program. It allows users and their applications to share and access common computer resources (processors, main memory, databases, and printers).

The larger the computer facility, the greater the scale of potential damage.

Operating System Objectives
The operating system performs three main tasks.
(1) It translates high-level languages, such as COBOL, C++, BASIC, and SQL, into the machine-level language that the computer can execute. The language translator modules of the operating system are called compilers and interpreters.
(2) It allocates computer resources to users, workgroups, and applications. This includes assigning memory work space (partitions) to applications and authorizing access to terminals, telecommunications links, databases, and printers.
(3) It manages the tasks of job scheduling and multiprogramming. At any point, numerous user applications (jobs) are seeking access to the computer resources under the control of the operating system.

Jobs are submitted to the system in three ways:
(1) directly by the system operator,
(2) from various batch-job queues, and
(3) through telecommunications links from remote workstations.

To achieve efficient and effective use of finite computer resources, the operating system must schedule job processing according to established priorities and balance the use of resources among the competing applications.

To perform these tasks consistently and reliably, the operating system must achieve five fundamental control objectives:
1. The operating system must protect itself from users.
2. The operating system must protect users from each other.
3. The operating system must protect users from themselves.
4. The operating system must be protected from itself.
5. The operating system must be protected from its environment.

Operating system security - involves policies, procedures, and controls that determine who can access the operating system, which resources (files, programs, printers) they can use, and what actions they can take.

The following security components are found in secure operating systems: log-on procedure, access token, access control list, and discretionary access privileges.

Log-On Procedure (formal) - is the operating system’s first line of defense against unauthorized access.

Access Token - if the log-on attempt is successful, the operating system creates an access token that contains key information about the user, including user ID, password, user group, and privileges granted to the user. The information is used to approve all actions the user attempts during the session.

Access Control List - is assigned to each IT resource (computer directory, data file, program, or printer), which controls access to the resources. These lists contain information that defines the access privileges for all valid users of the resource.
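The following is an added example, not code from the notes or from any operating system, showing how the three components just described fit together: a token built at log-on, a deny-by-default ACL consulted on every access, a discretionary grant that only the resource owner may make, and the "effective privileges" view an auditor compares against job descriptions. All users, groups, resources, and rights are constructed sample data.

```python
"""Access token and access control list (ACL) check.

Added illustration, not code from the notes above. The token fields
(user ID, group, privileges) and the deny-by-default ACL follow the text;
every user, group, resource and right below is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    """Built by the OS after a successful log-on. The password is deliberately
    not carried in this token: the ACL check never needs it."""
    user_id: str
    group: str
    privileges: frozenset = field(default_factory=frozenset)


# One ACL per resource: principal ("user:<id>" or "group:<name>") -> permitted actions.
ACL = {
    "/data/payroll.dat": {"group:payroll": {"read", "write"}, "user:auditor1": {"read"}},
    "/bin/gl_post": {"group:accounting": {"execute"}},
    "/dev/printer1": {"group:payroll": {"print"}, "group:accounting": {"print"}},
}

# Resource owners, who alone may extend an ACL (discretionary access privileges).
OWNERS = {"/data/payroll.dat": "payroll_mgr", "/bin/gl_post": "gl_admin", "/dev/printer1": "sysop"}


def is_permitted(token: AccessToken, resource: str, action: str) -> bool:
    """Deny by default: allow only if the ACL names the user or the user's group
    for this action on this resource. A 'superuser' privilege bypasses the ACL,
    which is exactly why the auditor reviews who holds it."""
    if "superuser" in token.privileges:
        return True
    entries = ACL.get(resource, {})
    for principal in (f"user:{token.user_id}", f"group:{token.group}"):
        if action in entries.get(principal, set()):
            return True
    return False


def grant(owner: AccessToken, resource: str, principal: str, action: str) -> bool:
    """Discretionary grant: only the resource owner may add an ACL entry.
    Returns False, changing nothing, for anyone else."""
    if OWNERS.get(resource) != owner.user_id:
        return False
    ACL.setdefault(resource, {}).setdefault(principal, set()).add(action)
    return True


def effective_privileges(token: AccessToken) -> set:
    """Auditor's view: every (resource, action) pair this token can reach through
    the ACLs, for comparison against the user's job description."""
    names = {f"user:{token.user_id}", f"group:{token.group}"}
    return {(res, act)
            for res, entries in ACL.items()
            for principal, actions in entries.items() if principal in names
            for act in actions}


if __name__ == "__main__":
    bob = AccessToken("bob", "payroll")
    print("bob read payroll.dat:", is_permitted(bob, "/data/payroll.dat", "read"))
    print("bob execute gl_post:", is_permitted(bob, "/bin/gl_post", "execute"))
    print("bob's effective privileges:", sorted(effective_privileges(bob)))
```

The "need to know" test in the audit procedures is `effective_privileges` run over a sample of tokens; anything the user can reach that the job description does not justify is a finding.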
Discretionary Access Privileges - may be granted to resource owners, which allows them to grant access privileges to other users.

Threats to Operating System Integrity

Accidental threats include hardware failures that cause the operating system to crash. Errors in user application programs, which the operating system cannot interpret, also cause operating system failures.

Accidental system failures may cause whole segments of memory to be dumped to disks and printers, resulting in the unintentional disclosure of confidential information.

Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain.

The exposures come from three sources:
(1) Privileged personnel who abuse their authority.
(2) Individuals, both internal and external to the organization, who browse the operating system to identify and exploit security flaws.
(3) Individuals who intentionally (or accidentally) insert computer viruses or other forms of destructive programs into the operating system.

Operating System Controls and Audit Tests

If operating system integrity is compromised, controls within individual accounting applications that impact financial reporting may also be compromised. For this reason, the design and assessment of operating system security controls are SOX compliance issues.

Controlling Access Privileges - determine which directories, files, applications, and other resources an individual or group may access.

Audit Objectives Relating to Access Privileges
The auditor’s objective is to verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization’s policy.

Audit Procedures Relating to Access Privileges
To achieve their objectives auditors may perform the following tests of controls:
• Review the organization’s policies for separating incompatible functions and ensure that they promote reasonable security.
• Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions. The auditor should verify that individuals are granted access to data and programs based on their need to know.
• Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy.
• Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data.
• Review the users’ permitted log-on times. Permission should be commensurate with the tasks being performed.

Password Control

Password - is a secret code the user enters to gain access to systems, applications, data files, or a network server.

The most common forms of contra-security behavior include:
• Forgetting passwords and being locked out of the system.
• Failing to change passwords on a frequent basis.
• The Post-it syndrome, whereby passwords are written down and displayed for others to see.
• Simplistic passwords a computer criminal easily anticipates.
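Two of the behaviours above (stale passwords and simplistic passwords) can be checked by software, which is what the password audit tests later in these notes (scanning the password file for known weak passwords, assessing length and expiration standards) amount to. The block below is an added example, not the notes’ own or any vendor’s tool: `check_new_password` is the preventive control applied when a password is set, and `scan_password_file` is the detective scan an auditor runs over stored records. The policy values, the weak-password list, and the password file are constructed; SHA-256 without a salt is used only so the weak-list comparison is visible, whereas a real password file should hold salted, slow hashes.

```python
"""Password policy enforcement and password-file scanning.

Added illustration, not code from the notes above. POLICY, KNOWN_WEAK and
PASSWORD_FILE are constructed sample data; the hash choice is explained below.
"""
import hashlib
from datetime import date

# Constructed policy and weak-password list (a real scan uses a large published list).
POLICY = {"min_length": 12, "max_age_days": 90}
KNOWN_WEAK = ["password", "123456", "qwerty", "letmein", "Summer2024", "Welcome1"]


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed "password file": (user, hash of the password, date last changed).
# Unsalted SHA-256 is used here only so the weak-list comparison is visible;
# production systems store salted, slow hashes, which is what the
# "password file is encrypted" audit test looks for.
PASSWORD_FILE = [
    ("alice", _sha256("Tr0ub4dor&3xyz"), date(2024, 1, 15)),
    ("bob", _sha256("password"), date(2024, 3, 1)),
    ("carol", _sha256("kL9#vB2$mQ7!"), date(2023, 6, 1)),
    ("dave", _sha256("Summer2024"), date(2023, 12, 1)),
]


def check_new_password(password: str, policy=POLICY, weak=KNOWN_WEAK) -> list:
    """Preventive control: reasons a candidate password must be refused
    (empty list means acceptable)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too short")
    if password.lower() in {w.lower() for w in weak}:
        problems.append("known weak password")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def scan_password_file(records, today: date, policy=POLICY, weak=KNOWN_WEAK) -> dict:
    """Detective control: per-user findings from stored hashes and change dates.
    Weak passwords are found by hashing the weak list and comparing hashes, so
    the scan never needs the cleartext passwords."""
    weak_hashes = {_sha256(w) for w in weak}
    findings = {}
    for user, pw_hash, changed in records:
        issues = []
        if pw_hash in weak_hashes:
            issues.append("known weak password")
        if (today - changed).days > policy["max_age_days"]:
            issues.append("password older than policy maximum")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in scan_password_file(PASSWORD_FILE, date(2024, 4, 1)).items():
        print(f"{user}: {', '.join(issues)}")
```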
Reusable passwords - are the most common method of password control.

To improve access control, management should require that passwords be changed regularly and disallow weak passwords.

An alternative to the standard reusable password is the one-time password.

One-time password - was designed to overcome the aforementioned problems. It can be used one time only. Under this approach, the user’s password changes continuously. This technology employs a credit card–sized smart card. Another one-time password technique uses a challenge/response approach to achieve the same end.

Audit Objectives Relating to Passwords
The auditor’s objective here is to ensure that the organization has an adequate and effective password policy for controlling access to the operating system.

The auditor may achieve this objective by performing the following tests:
• Verify that all users are required to have passwords.
• Verify that new users are instructed in the use of passwords and the importance of password control.
• Review password control procedures to ensure that passwords are changed regularly.
• Review the password file to determine that weak passwords are identified and disallowed. This may involve using software to scan password files for known weak passwords.
• Verify that the password file is encrypted and that the encryption key is properly secured.
• Assess the adequacy of password standards such as length and expiration interval.
• Review the account lockout policy and procedures. The auditor should determine how many failed log-on attempts are allowed before the account is locked. The duration of the lockout also needs to be determined. This could range from a few minutes to a permanent lockout that requires formal reactivation of the account.

Malicious and destructive programs are responsible for millions of dollars of corporate losses annually. The losses are measured in terms of data corruption and destruction, degraded computer performance, hardware destruction, violations of privacy, and the personnel time devoted to repairing the damage. This class of programs includes viruses, worms, logic bombs, back doors, and Trojan horses.

Audit Objective Relating to Viruses and Other Destructive Programs
The key to computer virus control is prevention through strict adherence to organizational policies and procedures that guard against virus infection.

The auditor’s objective is to verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses.

System Audit Trails are logs that record activity at the system, application, and user level. Operating systems allow management to select the level of auditing to be recorded in the log.

Audit trails typically consist of two types of audit logs:
(1) detailed logs of individual keystrokes and
(2) event-oriented logs.

Keystroke monitoring involves recording both the user’s keystrokes and the system’s responses. It is the computer equivalent of a telephone wiretap. It may also be regarded as a violation of privacy.

Event monitoring summarizes key activities related to system resources. Event logs typically record the IDs of all users accessing the system; the time and duration of a user’s session; programs that were executed during a session; and the files, databases, printers, and other resources accessed.

Audit trails can be used to support security objectives in three ways:
(1) detecting unauthorized access to the system,
(2) facilitating the reconstruction of events, and
(3) promoting personal accountability.

Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders attempting to breach system controls. A real-time audit trail can also be used to report changes in system performance that may indicate infestation by a virus or worm. After-the-fact detection logs can be stored electronically and reviewed periodically or as needed.

Audit trail analysis can be used to reconstruct the steps that led to events such as system failures, or security violations by individuals. Audit trails can be used to monitor user activity at the lowest level of detail.

Personal Accountability (capability) is a preventive control that can influence behavior. A system audit log can also serve as a detective control to assign personal accountability for actions taken such as abuse of authority.

Implementing a System Audit Trail
The information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application errors, abuse of authority, or unauthorized access by outside intruders.

AUDITING NETWORKS

Reliance on networks for business communications poses concern about unauthorized access to confidential information: intranet risks posed by dishonest employees who have the technical knowledge and position to perpetrate frauds, and Internet risks that threaten both consumers and business entities.

Intranets consist of small LANs and large WANs that may contain thousands of individual nodes. These are used to connect employees within a single building, between buildings on the same physical campus, and between geographically dispersed locations.

Interception of Network Messages
The individual nodes on most intranets are connected to a shared channel across which travel user IDs, passwords, confidential e-mails, and financial data files. The unauthorized interception of this information by a node on the network is called sniffing.

This section looks at three of the more significant business risks associated with Internet commerce.

IP spoofing is a form of masquerading to gain unauthorized access to a Web server and/or to perpetrate an unlawful act without revealing one’s identity. This technique could be used to crack into corporate networks to perpetrate frauds, conduct acts of espionage, or destroy data.

Denial of service attacks (DoS) is an assault on a Web server to prevent it from servicing its legitimate users.

Three common types of DoS attacks are:
(1) SYN (SYNchronize) Flood Attack - The connecting server sends an initiation code called a SYN packet to the receiving server. The receiving server then acknowledges the request by returning a SYNchronize–ACKnowledge (SYN-ACK) packet. The SYN flood attack is accomplished by not sending the final acknowledgment to the server’s SYN-ACK response, which causes the server to keep signaling for acknowledgement until the server times out.
(2) Smurf Attack - involves three parties: the perpetrator, the intermediary, and the victim. It is accomplished by exploiting an Internet maintenance tool called a ping, which is used to test the state of network congestion and determine whether a particular host computer is connected and available on the network. The ping works by sending an echo request message (like a sonar ping) to the host computer and listening for a response message (echo reply).
(3) Distributed Denial of Service (DDoS) attack may take the form of a SYN flood or smurf attack. The distinguishing feature of the DDoS is the sheer scope of the event. The perpetrator of a DDoS attack may employ a virtual army of so-called zombie or bot (robot) computers to launch the attack. Because vast numbers of unsuspecting intermediaries are needed, the attack often involves one or more Internet relay chat (IRC) networks as a source of zombies. IRC is a popular interactive service on the Internet that lets thousands of people from around the world engage in real-time communications via their computers.

Risks from Equipment Failure
Network topologies consist of various configurations of
(1) communications lines (twisted-pair wires, coaxial cables, microwaves, and fiber optics),
(2) hardware components (modems, multiplexers, servers, and front-end processors), and
(3) software (protocols and network control systems).
In addition to the subversive threats described in the previous sections, network topologies are subject to risks from equipment failure.

Controlling Risks from Subversive Threats

A firewall is a system that enforces access control between two networks. To accomplish this:
• All traffic between the outside network and the organization’s intranet must pass through the firewall.
• Only authorized traffic between the organization and the outside, as formal security policy specifies, is allowed to pass through the firewall.
• The firewall must be immune to penetration from both outside and inside the organization.

Firewalls can be used to authenticate an outside user of the network, verify his or her level of access authority, and then direct the user to the program, data, or service requested.

Firewalls may be grouped into two general types:

Network-level firewalls provide efficient but low-security access control. This type of firewall consists of a screening router that examines the source and destination addresses that are attached to incoming message packets. This method does not explicitly authenticate outside users.

Application-level firewalls provide a higher level of customizable network security, but they add overhead to connectivity. These systems are configured to run security applications called proxies that permit routine services such as e-mail to pass through the firewall, but can perform sophisticated functions such as user authentication for specific tasks. Application-level firewalls also provide comprehensive transmission logging and auditing tools for reporting unauthorized activity.

A high level of firewall security is possible using a dual-homed system.
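The account-lockout test and the event-oriented audit log described above come together in after-the-fact log review: the auditor (or a real-time monitor) reads the log-on events and checks that the lockout policy actually took effect and that sessions fall within permitted log-on times. The block below is an added example, not code from the notes or from any operating system’s audit facility. The log line format, the sample events, the lockout policy (3 failures within 5 minutes locks the account for 30 minutes) and the permitted hours (07:00 to 19:00) are all constructed assumptions.

```python
"""Event-log review for lockout-policy violations and off-hours log-ons.

Added illustration, not code from the notes above. The log format, the
sample lines, and the policy thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event-log excerpt (timestamp host event fields), not in arrival order.
SAMPLE_LOG = """\
2024-04-01T08:00:01 host1 login: user=alice result=FAIL src=10.0.0.5
2024-04-01T08:00:05 host1 login: user=alice result=FAIL src=10.0.0.5
2024-04-01T08:00:09 host1 login: user=alice result=FAIL src=10.0.0.5
2024-04-01T08:00:20 host1 login: user=alice result=OK src=10.0.0.5
2024-04-01T09:00:00 host1 login: user=bob result=FAIL src=10.0.0.7
2024-04-01T09:00:30 host1 login: user=bob result=OK src=10.0.0.7
2024-04-01T02:30:00 host1 login: user=carol result=OK src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login: user=(\S+) result=(OK|FAIL) src=(\S+)$")


def parse_log(text: str) -> list:
    """Turn log lines into event dicts, sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, result, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "result": result, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def detect_lockout_violations(events, threshold=3, window=timedelta(minutes=5),
                              lock_duration=timedelta(minutes=30)) -> list:
    """Replay the log against the lockout policy. Reports when a lockout should
    have started, and, more importantly, any successful log-on that occurred
    while the account should still have been locked (policy not enforced)."""
    failures = defaultdict(list)   # user -> timestamps of recent failures
    locked_until = {}              # user -> end of the lockout period
    alerts = []
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["result"] == "FAIL":
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) >= threshold and locked_until.get(user, datetime.min) <= ts:
                locked_until[user] = ts + lock_duration
                alerts.append(("lockout", user, ts))
        else:
            if locked_until.get(user, datetime.min) > ts:
                alerts.append(("login_during_lockout", user, ts))
            failures[user] = []    # a success ends the failure streak
    return alerts


def detect_off_hours(events, start_hour=7, end_hour=19) -> list:
    """Successful log-ons outside the permitted log-on window."""
    return [("off_hours_login", e["user"], e["ts"])
            for e in events
            if e["result"] == "OK" and not (start_hour <= e["ts"].hour < end_hour)]


def analyze(text: str) -> list:
    events = parse_log(text)
    return detect_lockout_violations(events) + detect_off_hours(events)


if __name__ == "__main__":
    for kind, user, ts in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:22} {user}")
```

In the sample, alice’s successful log-on eleven seconds after the third failure is the finding that matters: it shows the lockout either is not configured or was not enforced, which is precisely what the auditor’s review of the lockout policy is meant to surface.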
The more security the firewall provides, however, the less convenient it is for authorized users to pass through it to conduct business.

Encryption is the conversion of data into a secret code for storage in databases and transmission over networks. The sender uses an encryption algorithm to convert the original message (called cleartext) into a coded equivalent (called ciphertext). At the receiving end, the ciphertext is decoded (decrypted) back into cleartext.

The earliest encryption method is called the Caesar cipher, which Julius Caesar is said to have used to send coded messages to his generals in the field.

Like modern-day encryption, the Caesar cipher has two fundamental components:
(1) key is a mathematical value that the sender selects
(2) algorithm is the procedure of shifting each letter in the cleartext message the number of positions that the key value indicates.

The more bits in the key, the stronger the encryption method. Today, nothing less than 128-bit keys is considered truly secure. Two commonly used methods of encryption are private key and public key encryption.

Private Key Encryption. Advanced Encryption Standard (AES) is a 128-bit encryption technique that has become a U.S. government standard for private key encryption. Triple-DES encryption is an enhancement to an older encryption technique called the data encryption standard (DES).

Public key encryption uses two different keys: one for encoding messages and the other for decoding them. Each recipient has a private key that is kept secret and a public key that is published. The sender of a message uses the receiver’s public key to encrypt the message. The receiver then uses his or her private key to decode the message.

RSA (Rivest-Shamir-Adleman) is a highly secure public key cryptography method. This method is, however, computationally intensive and much slower than standard DES encryption.

A digital signature is electronic authentication that cannot be forged. It ensures that the message or document that the sender transmitted was not tampered with after the signature was applied. The digest is a mathematical value calculated from the text content of the message.

A digital certificate is used in conjunction with a public key encryption system to authenticate the sender of a message. The process for certification varies depending on the level of certification desired. It involves establishing one’s identity with formal documents, such as a driver’s license, notarization, and fingerprints, and proving one’s ownership of the public key.

Public key infrastructure (PKI) constitutes the policies and procedures for administering this activity.

A PKI system consists of:
1. A certification authority that issues and revokes digital certificates.
2. A registration authority that verifies the identity of certificate applicants. The process varies depending on the level of certification desired. It involves establishing one’s identity with formal documents, such as a driver’s license, notarization, fingerprints, and proving one’s ownership of the public key.
3. A certification repository, which is a publicly accessible database that contains current information about current certificates and a certification revocation list of certificates that have been revoked and the reasons for revocation.
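The Caesar cipher is worth running once because it makes the key/algorithm split and the "more bits in the key" point concrete. The block below is an added example, not code from the notes: the algorithm (shift each letter) is fixed and public, the key is the shift the sender selects, and because the key can take only 26 values (under 5 bits), a receiver who knows one word that must appear in the cleartext can identify the key by trying every value. That exhaustive check is the whole reason modern ciphers use keys of 128 bits or more. The message text and the "known word" are constructed.

```python
"""Caesar cipher: key versus algorithm, and why key size matters.

Added illustration, not code from the notes above. The sample message and
the known word used to recover the key are constructed.
"""
import math
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(cleartext: str, key: int) -> str:
    """Algorithm: shift each letter `key` positions forward in the alphabet.
    Non-letters pass through unchanged; input is upper-cased first."""
    key %= 26
    out = []
    for ch in cleartext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ord(ch) - ord("A") + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same algorithm run with the negated key."""
    return caesar_encrypt(ciphertext, -key)


def keyspace_bits(keyspace_size: int) -> float:
    """Key strength expressed as bits: the base-2 log of the number of keys."""
    return math.log2(keyspace_size)


def recover_key(ciphertext: str, known_word: str) -> list:
    """Exhaustive search over the 26 possible keys: every key whose decryption
    contains the known word. With so few keys this is instantaneous, which is
    the practical meaning of 'too few bits in the key'."""
    return [k for k in range(26) if known_word.upper() in caesar_decrypt(ciphertext, k)]


if __name__ == "__main__":
    ct = caesar_encrypt("ATTACK AT DAWN", 3)
    print("ciphertext:", ct)
    print("cleartext :", caesar_decrypt(ct, 3))
    print(f"Caesar keyspace: 26 keys = {keyspace_bits(26):.1f} bits")
    print(f"AES keyspace   : 2**128 keys = {keyspace_bits(2 ** 128):.0f} bits")
    print("keys consistent with the word DAWN:", recover_key(ct, "DAWN"))
```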
Through message sequence numbering, a sequence number is inserted in each message, and any such attempt will become apparent at the receiving end.

Using the request-response technique, a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals. The timing of the messages should follow a random pattern that will be difficult for the intruder to determine and circumvent.

A call-back device requires the dial-in user to enter a password and be identified. The system then breaks the connection to perform user authentication. If the caller is authorized, the call-back device dials the caller’s number to establish a new connection. This restricts access to authorized terminals or telephone numbers and prevents an intruder masquerading as a legitimate user.

Audit Objectives Relating to Subversive Threats
The auditor’s objective is to verify the security and integrity of financial transactions by determining that network controls (1) can prevent and detect illegal access both internally and from the Internet, (2) will render useless any data that a perpetrator successfully captures, and (3) are sufficient to preserve the integrity and physical security of data connected to the network.

Audit Procedures Relating to Subversive Threats
To achieve these control objectives, the auditor may perform the following tests of controls:

1. Review the adequacy of the firewall in achieving the proper balance between control and convenience based on the organization’s business objectives and potential risks. Criteria for assessing the firewall effectiveness include:
• Flexibility. The firewall should be flexible enough to accommodate new services as the security needs of the organization change.
• Proxy services. Adequate proxy applications should be in place to provide explicit user authentication to sensitive services, applications, and data.
• Filtering. Strong filtering techniques should be designed to deny all services that are not explicitly permitted. In other words, the firewall should specify only those services the user is permitted to access, rather than specifying the services that are denied.
• Segregation of systems. Systems that do not require public access should be segregated from the Internet.
• Audit tools. The firewall should provide a thorough set of audit and logging tools that identify and record suspicious activity.
• Probe for weaknesses. To validate security, the auditor (or a professional security analyst) should periodically probe the firewall for weaknesses just as a computer Internet hacker would do.
2. Verify that an intrusion prevention system (IPS) with deep packet inspection (DPI) is in place for organizations that are vulnerable to DDoS attacks, such as financial institutions.
3. Review security procedures governing the administration of data encryption keys.
4. Verify the encryption process by transmitting a test message and examining the contents at various points along the channel between the sending and receiving locations.
5. Review the message transaction logs to verify that all messages were received in their proper sequence.
6. Test the operation of the call-back feature by placing an unauthorized call from outside the installation.

Controlling Risks from Equipment Failure

The most common problem in data communications is data loss due to line error.
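Audit procedure 5 (reviewing the message transaction logs for proper sequence) is the receiving-end side of message sequence numbering. The block below is an added example, not code from the notes or from any messaging product, of that review run over a constructed log excerpt: it reports sequence numbers that never arrived, numbers that arrived twice, and numbers that arrived after a higher one. The log line format and the sample lines are assumptions.

```python
"""Message sequence review over a transaction log.

Added illustration, not code from the notes above. The log format and
the sample lines are constructed.
"""
import re

# Constructed transaction-log excerpt, in arrival order.
SAMPLE_LOG = """\
2024-04-01T10:00:00 seq=1 msg=PO-1001
2024-04-01T10:00:05 seq=2 msg=PO-1002
2024-04-01T10:00:09 seq=4 msg=PO-1004
2024-04-01T10:00:12 seq=3 msg=PO-1003
2024-04-01T10:00:15 seq=4 msg=PO-1004
2024-04-01T10:00:30 seq=6 msg=PO-1006
"""

LINE_RE = re.compile(r"^\S+ seq=(\d+) msg=(\S+)$")


def parse_log(text: str) -> list:
    """(sequence number, message id) pairs in arrival order; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_sequence(entries, first_expected: int = 1) -> dict:
    """Replay arrivals and classify each anomaly.
    missing      : numbers below the highest seen that never arrived (deleted or lost)
    duplicates   : numbers seen more than once (replayed or retransmitted)
    out_of_order : numbers that arrived after a higher number (reordered or delayed)"""
    seen = set()
    duplicates, out_of_order = [], []
    highest = first_expected - 1
    for seq, _msg in entries:
        if seq in seen:
            duplicates.append(seq)
            continue
        seen.add(seq)
        if seq < highest:
            out_of_order.append(seq)
        highest = max(highest, seq)
    missing = [n for n in range(first_expected, highest + 1) if n not in seen]
    return {"missing": missing, "duplicates": duplicates, "out_of_order": out_of_order}


def audit_log(text: str) -> dict:
    return check_sequence(parse_log(text))


if __name__ == "__main__":
    for kind, seqs in audit_log(SAMPLE_LOG).items():
        print(f"{kind:13}: {seqs}")
```

A late arrival (3 after 4) is not a loss, so it is reported only as out of order, while 5 is reported as missing because a higher number has already been seen; whether 5 was merely delayed or actually deleted is settled by the retransmission records the auditor examines next.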
The echo check involves the receiver of the message returning the message to the sender.

The parity check incorporates an extra bit (the parity bit) into the structure of a bit string when it is created or transmitted.

Vertical parity adds the parity bit to each character in the message when the characters are originally coded and stored in magnetic form. Using horizontal parity in conjunction with vertical parity reduces this problem. The combination of vertical and horizontal parity provides a higher degree of protection from line errors.

Audit Objectives Relating to Equipment Failure
The auditor’s objective is to verify the integrity of the electronic commerce transactions by determining that controls are in place to detect and correct message loss due to equipment failure.

Audit Procedures Relating to Equipment Failure
To achieve this control objective, the auditor can select a sample of messages from the transaction log and examine them for garbled content caused by line noise. The auditor should verify that all corrupted messages were successfully retransmitted.

AUDITING ELECTRONIC DATA INTERCHANGE (EDI)

To coordinate sales and production operations and to maintain an uninterrupted flow of raw materials, many organizations enter into a trading partner agreement with their suppliers and customers. This agreement is the foundation for a fully automated business process called Electronic data interchange (EDI).

A general definition of EDI is: The intercompany exchange of computer-processible business information in standard format. The definition reveals several important features of EDI.
-interorganization endeavor
-information systems of the trading partners automatically process the transaction
-transaction information

Many companies, however, choose to use a third-party value added network (VAN) to connect to their trading partners.

EDI Standards
The standard in the United States is the American National Standards Institute (ANSI) X.12 format. The standard used internationally is the EDI for administration, commerce, and transport (EDIFACT) format.

The X.12 electronic envelope contains the electronic address of the receiver, communications protocols, and control information.

A functional group is a collection of transaction sets (electronic documents) for a particular business application, such as a group of sales invoices or purchase orders.

Benefits of EDI
EDI has made considerable inroads in a number of industries, including automotive, groceries, retail, health care, and electronics. The following are some common EDI cost savings that justify the approach.
• Data keying. EDI reduces or even eliminates the need for data entry.
• Error reduction. Firms using EDI see reductions in data keying errors, human interpretation and classification errors, and filing (lost document) errors.
• Reduction of paper. The use of electronic envelopes and documents drastically reduces the paper forms in the system.
• Postage. Mailed documents are replaced with much cheaper data transmissions.
• Automated procedures. EDI automates manual activities associated with purchasing, sales order processing, cash disbursements, and cash receipts.
• Inventory reduction. By ordering directly as needed from vendors, EDI reduces the lag time that promotes inventory accumulation.
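The parity passage in the equipment-failure section states that combining horizontal with vertical parity gives better protection from line errors; the block below, an added example not taken from the notes, shows why by injecting bit errors into a coded message and checking it both ways. It assumes even parity over 7-bit characters for the vertical check and models the horizontal check as a longitudinal redundancy byte (the XOR of every coded character in the block); the message text and the simulated line noise are constructed. A single flipped bit is caught by the character’s own parity; two flipped bits in the same character leave its parity even and slip past the vertical check but change the horizontal byte; the same bit flipped in two different characters cancels out in the horizontal byte but trips both characters’ vertical parity.

```python
"""Vertical (per-character) and horizontal (per-block) parity checks.

Added illustration, not code from the notes above. Even parity over 7-bit
characters and an XOR longitudinal redundancy byte are assumed; the
message text and the injected bit errors are constructed.
"""


def even_parity_bit(value: int) -> int:
    """Parity bit that makes the total count of 1 bits even."""
    return bin(value).count("1") % 2


def encode_block(text: str):
    """Sender side: code each character as 7 data bits plus its vertical parity
    bit (bit 0), then compute the horizontal parity byte over the whole block."""
    codes = []
    for ch in text:
        data = ord(ch) & 0x7F
        codes.append((data << 1) | even_parity_bit(data))
    lrc = 0
    for code in codes:
        lrc ^= code
    return codes, lrc


def check_block(codes, lrc):
    """Receiver side: positions whose vertical parity is odd (corrupted), and
    whether the recomputed horizontal parity matches the transmitted one."""
    bad_positions = [i for i, code in enumerate(codes) if bin(code).count("1") % 2 != 0]
    actual = 0
    for code in codes:
        actual ^= code
    return bad_positions, actual == lrc


def decode_block(codes) -> str:
    """Strip the parity bit to recover the characters."""
    return "".join(chr(code >> 1) for code in codes)


def flip_bits(codes, position: int, bit_numbers):
    """Simulate line noise: flip the given bits (0 = parity bit, 1..7 = data)
    of the character at `position`. Returns a new list."""
    damaged = list(codes)
    for bit in bit_numbers:
        damaged[position] ^= 1 << bit
    return damaged


if __name__ == "__main__":
    codes, lrc = encode_block("AUDIT")
    print("clean            :", check_block(codes, lrc))
    print("1 bit, 1 char    :", check_block(flip_bits(codes, 1, [3]), lrc))
    print("2 bits, 1 char   :", check_block(flip_bits(codes, 1, [2, 4]), lrc))
    twice = flip_bits(flip_bits(codes, 0, [5]), 2, [5])
    print("same bit, 2 chars:", check_block(twice, lrc))
```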
Financial EDI
Using electronic funds transfer (EFT) for cash disbursement and cash receipts processing is more complicated than using EDI for purchasing and selling activities. EFT requires intermediary banks between trading partners. The buyer’s EDI system receives the purchase invoices and automatically approves them for payment. On the payment date, the buyer’s system automatically makes an EFT to its originating bank (OBK). The OBK removes funds from the buyer’s account and transmits them electronically to the automatic clearinghouse (ACH) bank.

The ACH is a central bank that carries accounts for its member banks. The ACH transfers the funds from the OBK to the receiving bank (RBK), which in turn applies the funds to the seller’s account. Transferring funds by EFT poses no special problem. A check can easily be represented within the X.12 format.

Converting remittance information to electronic form can result in very large records. Members of the ACH system are required to accept and process only EFT formats limited to 94 characters of data—a record size sufficient for only very basic messages.

The services value-added banks (VABs) offer allow their clients to employ a single cash disbursement system that can accommodate both EDI and non-EDI customers.

EDI Controls

The absence of human intervention in the EDI process presents a unique twist to traditional control problems, including ensuring that transactions are authorized and valid, preventing unauthorized access to data files, and maintaining an audit trail of transactions. The following techniques are used in dealing with these issues.

Transaction Authorization and Validation

Both the customer and the supplier must establish that the transaction being processed is to (or from) a valid trading partner and is authorized. This can be accomplished at three points in the process.
1. Some VANs have the capability of validating passwords and user ID codes for the vendor by matching these against a valid customer file.
2. Before being converted, the translation software can validate the trading partner’s ID and password against a validation file in the firm’s database.
3. Before processing, the trading partner’s application software references the valid customer and vendor files to validate the transaction.

Access Control - EDI trading partners must permit a degree of access to private data files that
would be forbidden in a traditional environment. The trading partner agreement will determine the
degree of access control in place. Also, trading partners may agree that the prices on the purchase
order will be binding on both parties. The customer must, therefore, periodically access the
vendor’s price list file to keep pricing information current. Alternatively, the vendor may need
access to the customer’s price list to update prices.
To guard against unauthorized access, each company must establish valid vendor and customer
files. User authority tables can also be established, which specify the degree of access a trading
partner is allowed.

EDI Audit Trail
The absence of source documents in EDI transactions eliminates the traditional audit trail and
restricts the ability of accountants to verify the validity, completeness, timing, and accuracy of
transactions. One technique for restoring the audit trail is to maintain a control log, which records
the transaction’s flow through each phase of the EDI system.

Audit Objectives Relating to EDI
The auditor’s objectives are to determine that (1) all EDI transactions are authorized, validated,
and in compliance with the trading partner agreement; (2) no unauthorized organizations gain
access to database records; (3) authorized trading partners have access only to approved data; and
(4) adequate controls are in place to ensure a complete audit trail of all EDI transactions.

Audit Procedures Relating to EDI
To achieve these control objectives, the auditor may perform the following tests of controls.

Tests of Authorization and Validation Controls.
The auditor should establish that trading partner identification codes are verified before
transactions are processed. To accomplish this, the auditor should (1) review agreements with the
VAN facility to validate transactions and ensure that information regarding valid trading partners
is complete and correct, and (2) examine the organization’s valid trading partner file for accuracy
and completeness.

Tests of Access Controls.
Security over the valid trading partner file and databases is central to the EDI control framework.
The auditor can verify control adequacy in the following ways:
1. The auditor should determine that access to the valid vendor or customer file is limited to
authorized employees only. The auditor should verify that passwords and authority tables control
access to this file and that the data are encrypted.
2. The trading agreement will determine the degree of access a trading partner should have to the
firm’s database records (such as inventory levels and price lists). The auditor should reconcile the
terms of the trading agreement against the trading partner’s access privileges stated in the database
authority table.
3. The auditor should simulate access by a sample of trading partners and attempt to violate access
privileges.

Tests of Audit Trail Controls.


The auditor should verify that the EDI system produces a transaction log that tracks transactions
through all stages of processing. By selecting a sample of transactions and tracing these through
the process, the auditor can verify that key data values were recorded correctly at each point.
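The following Python script is an added example, not part of the original text or of any particular EDI product, that performs two of the tests described above over constructed data: it reconciles the privileges granted to each trading partner in a hypothetical database authority table against the data its trading agreement permits, and it traces a sample of transactions through a hypothetical control log to confirm that each one passed every processing phase with its key values unchanged. The phase names, field layout, partner identifiers and log lines are assumptions made for the illustration.

```python
"""Added example: two EDI tests of controls run over constructed data."""
from collections import defaultdict

# Phases every EDI transaction must pass through, in this order (assumed names).
PHASES = ["received", "translated", "validated", "posted"]

# Constructed trading agreements: the data each partner is permitted to access.
AGREEMENTS = {
    "PARTNER-A": {"inventory_levels", "price_list"},
    "PARTNER-B": {"price_list"},
}

# Constructed database authority table: the data each partner can actually access.
AUTHORITY_TABLE = {
    "PARTNER-A": {"inventory_levels", "price_list"},
    "PARTNER-B": {"price_list", "inventory_levels"},   # more than the agreement allows
    "PARTNER-X": {"price_list"},                        # no agreement exists at all
}


def reconcile_privileges(agreements, authority_table):
    """Return {partner: privileges granted in the table but not in the agreement}."""
    findings = {}
    for partner, granted in authority_table.items():
        allowed = agreements.get(partner, set())   # unknown partner: nothing is allowed
        excess = granted - allowed
        if excess:
            findings[partner] = excess
    return findings


# Constructed control log, one line per phase: txn_id|phase|partner|amount
CONTROL_LOG = """\
T001|received|PARTNER-A|1500.00
T001|translated|PARTNER-A|1500.00
T001|validated|PARTNER-A|1500.00
T001|posted|PARTNER-A|1500.00
T002|received|PARTNER-B|820.50
T002|translated|PARTNER-B|820.50
T002|validated|PARTNER-B|820.50
T003|received|PARTNER-A|99.99
T003|translated|PARTNER-A|99.99
T003|validated|PARTNER-A|99.99
T003|posted|PARTNER-A|100.99
"""


def parse_control_log(text):
    """Parse the log into {txn_id: [(phase, partner, amount), ...]} in log order."""
    entries = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        txn_id, phase, partner, amount = line.split("|")
        entries[txn_id].append((phase, partner, amount))
    return entries


def trace_transactions(entries, sample):
    """For each sampled transaction, report missing or out-of-order phases and
    key values (partner, amount) that changed between phases."""
    findings = {}
    for txn_id in sample:
        records = entries.get(txn_id, [])
        phases = [r[0] for r in records]
        problems = []
        if phases != PHASES:
            missing = [p for p in PHASES if p not in phases]
            problems.append(f"missing phases: {missing}" if missing
                            else f"phase order {phases}")
        if len({(r[1], r[2]) for r in records}) > 1:
            problems.append("key values changed between phases")
        if problems:
            findings[txn_id] = problems
    return findings


if __name__ == "__main__":
    print("excess privileges:", reconcile_privileges(AGREEMENTS, AUTHORITY_TABLE))
    log = parse_control_log(CONTROL_LOG)
    print("audit trail exceptions:", trace_transactions(log, ["T001", "T002", "T003"]))
```

Run as written, the script flags PARTNER-B's inventory access and PARTNER-X's existence as privilege exceptions, T002 for never reaching the posting phase, and T003 for an amount that changed between validation and posting.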
AUDITING PC-BASED ACCOUNTING SYSTEMS
PC applications tend to be general-purpose systems that serve a wide range of needs. This strategy
allows software vendors to mass-produce low-cost and error-free standard products. Most PC
systems are modular in design. Typical business modules include sales order processing and AR,
purchases and accounts payable, cash receipts, cash disbursements, general ledger and financial
reporting, inventory control, and payroll. Their modular design provides users with some degree
of flexibility in tailoring systems to their specific needs.
Commercial systems usually have fully integrated modules.

PC Systems Risks and Controls


PC accounting systems, however, create unique control problems for accountants that arise from
inherent weaknesses in their operating systems and the general PC environment.

Operating System Weaknesses


PCs provide only minimal security for data files and programs contained within them. This control
weakness is inherent in the philosophy behind the design of PC operating systems: the user-friendliness
that is necessary to promote end-user computing is often at odds with internal control objectives. The
data stored on microcomputers that are shared by multiple users are exposed to unauthorized access,
manipulation, and destruction.

Weak Access Control


Security software that provides logon procedures is available for PCs. Most of these programs,
however, become active only when the computer is booted from the hard drive. A computer criminal
attempting to circumvent the logon procedure may do so by forcing the computer to boot from removable
media, so that an uncontrolled operating system is loaded into memory. Having bypassed the computer's
stored operating system and security package, the criminal may have unrestricted access to data and
programs on the hard disk drive. Restricting the boot order in the firmware settings, protecting those
settings with a firmware password, and encrypting the disk limit this bypass.

Inadequate Segregation of Duties


Employees in PC environments, particularly those of small companies, may have access to
multiple applications that constitute incompatible tasks. In small-company operations, there may
be little that can be done to eliminate these inherent conflicts of duties. However, multilevel
password control, discussed next, can reduce the risks.

Multilevel Password Control


Multilevel password control is used to restrict employees who are sharing the same computers to
specific directories, programs, and data files. Under this approach, different passwords are used to
access different functions. Thus, each employee is required to enter a password to access his or
her applications and data. This technique uses stored authorization tables to further limit an
individual's access to read-only, data input, data modification, and data deletion capability.

Risk of Theft
Because of their size, PCs are objects of theft and the portability of laptops places them at the
highest risk. Formal policies should be in place to restrict financial and other sensitive data to
desktop PCs only. In addition, the organization should provide employee training about
appropriate computer usage.

Weak Backup Procedures


Computer failure, usually disk failure, is the primary cause of data loss in PC environments. If the
hard drive of a PC fails, recovering the data stored on it may be impossible. To preserve the
integrity of mission-critical data and programs, organizations need formal backup procedures.

Risk of Virus Infection


Strict adherence to organizational policies and procedures that guard against virus infection is
critical to effective virus control. The organization must also ensure that effective antivirus
software is installed on the PCs and kept up-to-date.

Audit Objectives Associated with PC Security


Audit objectives for assessing controls in the PC environment include the following:
• Verify that controls are in place to protect data, programs, and computers from
unauthorized access, manipulation, destruction, and theft.
• Verify that adequate supervision and operating procedures exist to compensate for lack of
segregation between the duties of users, programmers, and operators.
• Verify that backup procedures are in place to prevent data and program loss due to system
failures, errors, and so on.
• Verify that systems selection and acquisition procedures produce applications that are high
quality, and protected from unauthorized changes.
• Verify that the system is free from viruses and adequately protected to minimize the risk
of becoming infected with a virus or similar object
Audit Procedures Associated with PC Security
• The auditor should observe that PCs are physically anchored to reduce the opportunity of
theft.
• The auditor should verify from organizational charts, job descriptions, and observation that
programmers of accounting systems do not also operate those systems. In smaller
organizational units where functional segregation is impractical, the auditor should verify
that there is adequate supervision over these tasks.
• The auditor should confirm that reports of processed transactions, listings of updated
accounts, and control totals are prepared, distributed, and reconciled by appropriate
management at regular and timely intervals.
• Where appropriate, the auditor should determine that multilevel password control is used
to limit access to data and applications and that the access authority granted is consistent
with the employees’ job descriptions.
• If removable or external hard drives are used, the auditor should verify that the drives are
removed and stored in a secure location when not in use.
• By selecting a sample of backup files, the auditor can verify that backup procedures are
being followed. By comparing data values and dates on the backup disks to production
files, the auditor can assess the frequency and adequacy of backup procedures. A backup
that has never been restored is unproven, so the auditor should also observe or perform a
test restore of a sampled file. If an online backup service is used, the auditor should
verify that the contract is current and adequate to meet the organization's needs.
• By selecting a sample of PCs, the auditor should verify that their commercial software
packages were purchased from reputable vendors and are legal copies. The auditor should
review the selection and acquisition procedures to ensure that end user needs were fully
considered and that the purchased software satisfies those needs.
• The auditor should review the organization’s policy for using antiviral software. This
policy may include the following points:
1. Antiviral software should be installed on all microcomputers and invoked as part of
the startup procedure when the computers are turned on. This will ensure that all key
sectors of the hard disk are examined before any data are transferred through the
network
2. All upgrades to vendor software should be checked for viruses before they are
implemented.
3. All public-domain software should be examined for virus infection before it is used.
4. Current versions of antiviral software should be available to all users. Verify that the
most current virus data files are being downloaded regularly, and that the antivirus
program is indeed running in the PC’s background continuously, and thus able to
scan all incoming documents. Corporate versions generally include a “push” update
where the software automatically checks the home Web site of the antivirus vendor
for new updates each time it is connected to the Internet and the PC is booted.
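The following Python script is an added example, not code from the original text, of two checks an auditor would script against a stored authorization table of the kind described under multilevel password control: whether any user holds read, input, modify or delete rights beyond what his or her job description requires, and whether any user holds write-type rights to two modules that constitute incompatible tasks. The roles, modules, rights and the list of incompatible module pairs are assumptions constructed for the example.

```python
"""Added example: test an authorization table for excess rights and incompatible duties."""
from itertools import combinations

# Constructed job descriptions: the rights each role needs, per application module.
JOB_DESCRIPTIONS = {
    "ap_clerk":   {"purchases_ap": {"read", "input"}},
    "cashier":    {"cash_disbursements": {"read", "input"}},
    "controller": {"general_ledger": {"read", "input", "modify"}},
}

# Constructed authorization table: rights actually granted (user -> module -> rights).
AUTHORITY_TABLE = {
    "alice": {"role": "ap_clerk",
              "access": {"purchases_ap": {"read", "input"},
                         "cash_disbursements": {"read", "input"}}},   # excess rights and a duty conflict
    "bob":   {"role": "cashier",
              "access": {"cash_disbursements": {"read", "input", "delete"}}},  # excess: delete
    "carol": {"role": "controller",
              "access": {"general_ledger": {"read", "input", "modify"}}},
}

# Module pairs that constitute incompatible tasks (assumed for the example).
INCOMPATIBLE = {
    frozenset({"purchases_ap", "cash_disbursements"}),
    frozenset({"general_ledger", "cash_disbursements"}),
}

WRITE_RIGHTS = {"input", "modify", "delete"}


def excess_rights(authority_table, job_descriptions):
    """Return {user: {module: rights granted beyond the job description}}."""
    findings = {}
    for user, entry in authority_table.items():
        needed = job_descriptions.get(entry["role"], {})   # unknown role needs nothing
        excess = {}
        for module, granted in entry["access"].items():
            extra = granted - needed.get(module, set())
            if extra:
                excess[module] = extra
        if excess:
            findings[user] = excess
    return findings


def sod_conflicts(authority_table, incompatible):
    """Return {user: [(module_a, module_b), ...]} for users who can write to
    two modules that the policy treats as incompatible duties."""
    findings = {}
    for user, entry in authority_table.items():
        writable = [m for m, rights in entry["access"].items() if rights & WRITE_RIGHTS]
        conflicts = [tuple(sorted(pair)) for pair in combinations(writable, 2)
                     if frozenset(pair) in incompatible]
        if conflicts:
            findings[user] = conflicts
    return findings


if __name__ == "__main__":
    print("rights beyond job description:", excess_rights(AUTHORITY_TABLE, JOB_DESCRIPTIONS))
    print("segregation-of-duties conflicts:", sod_conflicts(AUTHORITY_TABLE, INCOMPATIBLE))
```

Where a conflict cannot be removed in a small unit, the finding is still recorded and the compensating control (supervisory review of the reports and control totals listed above) is tested instead.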

Appendix
Section A: Internet Technologies
Packet Switching
The Internet employs communications technologies based on packet switching whereby
messages are divided into small packets for transmission. Each packet contains address and
sequencing codes so they can be reassembled into the original complete message at the
receiving end.

Virtual Private Networks


A virtual private network (VPN) is a private network within a public network. VPNs have been
built on X.25 and frame-relay technologies. Maintaining security and privacy in this setting,
however, requires encryption and authentication controls.

Extranets
This is a password-controlled network for private users rather than the general public.
Extranets are used to provide access between trading partner internal databases.

World Wide Web


The World Wide Web (WWW) is an Internet facility that links user sites locally and around
the world. The fundamental format for the Web is a text document called a Web page that has
embedded hypertext markup language (HTML) codes that provide the formatting for the page
as well as hypertext links to other pages. Web pages are maintained at Web sites, which are
computer servers that support hypertext transfer protocol (HTTP). The pages are accessed and
read via a Web browser such as Internet Explorer. To access a Web site, the user enters the
uniform resource locator (URL) address of the target site in the Web browser.

Internet Addresses
The Internet uses three types of addresses for communications: (1) e-mail addresses, (2) Web
site URL addresses, and (3) Internet protocol (IP) addresses of individual computers attached
to a network.
E-mail Address. The format for an e-mail address is USER NAME@DOMAIN NAME. A
domain name is an organization’s unique name combined with a top-level domain (TLD)
name.
Top-level domains (TLDs):
.com - commercial
.net - network provider
.org - nonprofit organization
.edu - education and research
.gov - government
.mil - military agency
.int - international intergovernmental
Proposed generic top-level domains (gTLDs), not all of which were subsequently adopted:
.firm - a business
.store - goods for sale
.web - WWW activities
.arts - culture/entertainment
.rec - recreation/entertainment
.info - information service
.nom - individual/personal

URL Address. The URL is the address that defines the path to a facility or file on the Web.
URLs are typed into the browser to access Web site home pages and individual Web pages and
can be embedded in Web pages to provide hypertext links to other pages. Subdirectories can
be several levels deep. To reference them, each must be separated with a slash.
http://www.flyfish.com/equipment/rods/brand_name.html
http:// protocol prefix (most browsers default to HTTP if a prefix is not typed)
www.flyfish.com/ - domain name
equipment/ - subdirectory name
rods/ - subdirectory name
brand_name.html - document name (Web page)

IP Address. Every computer node and host attached to the Internet must have a unique Internet
protocol (IP) address. For a message to be sent, the IP addresses of both the sending and the
recipient nodes must be provided. To illustrate the coding technique, the IP address
128.180.94.109 may be read as follows within one organization's addressing scheme:
128.180 - Lehigh University
94 - Business Department faculty server
109 - A faculty member's office computer (node)
Which octets identify the network and which identify the host is not fixed by the dotted notation
itself; it is determined by the network prefix length (for example, 128.180.0.0/16), and the
meaning of the remaining host bits is the organization's own convention.
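As an added example that is not from the original text, the following Python functions decompose the three address types above into the parts the text names. For the IP address the example goes beyond the text: the dotted notation alone does not say which octets identify the network and which the host, so the function takes the prefix length as an argument and derives the split from it. The e-mail address is constructed for the example; the URL and IP address are the ones quoted above.

```python
"""Added example: decompose e-mail, URL and IP addresses into their parts."""
import ipaddress
from urllib.parse import urlsplit


def split_email(address):
    """Return (user_name, domain_name, top_level_domain) for USER NAME@DOMAIN NAME."""
    user, _, domain = address.rpartition("@")   # the user part may itself contain '@' only if quoted; ignored here
    if not user or not domain or "." not in domain:
        raise ValueError(f"not a user@domain address: {address!r}")
    return user, domain, domain.rsplit(".", 1)[1]


def split_url(url):
    """Return the protocol prefix, domain name, subdirectory names and document name."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    segments = [s for s in parts.path.split("/") if s]
    # The last path segment names a document only when the path does not end in a slash.
    document = segments.pop() if segments and not parts.path.endswith("/") else ""
    return {
        "protocol": parts.scheme,
        "domain": parts.hostname,
        "subdirectories": segments,
        "document": document,
    }


def split_ip(address, prefix_length):
    """Return (network in CIDR form, host number within that network) for an IPv4
    address; the split depends on the prefix length, not on the dotted notation."""
    iface = ipaddress.ip_interface(f"{address}/{prefix_length}")
    host = int(iface.ip) - int(iface.network.network_address)
    return str(iface.network), host


if __name__ == "__main__":
    print(split_email("jsmith@flyfish.com"))                      # constructed address
    print(split_url("http://www.flyfish.com/equipment/rods/brand_name.html"))
    print(split_ip("128.180.94.109", 16))   # /16: 128.180 is the network, 94.109 the host
    print(split_ip("128.180.94.109", 24))   # /24: 128.180.94 is the network, 109 the host
```

The two split_ip calls show the point of the caveat: the same address is host 24173 of 128.180.0.0/16 or host 109 of 128.180.94.0/24, and only the prefix length tells you which.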

Protocols
Protocols are the rules and standards governing the design of hardware and software that permit
users of networks, which different vendors have manufactured, to communicate and share data.
The general acceptance of protocols within the network community provides both standards
and economic incentives for the manufacturers of hardware and software. Products that do not
comply with prevailing protocols will have little value to prospective customers.

What Functions Do Protocols Perform?


Protocols serve network functions in several ways. First, they facilitate the physical connection
between the network devices.
Second, protocols synchronize the transfer of data between physical devices.
Third, protocols provide a basis for error checking and measuring network performance.
Fourth, protocols promote compatibility among network devices.
Finally, protocols promote network designs that are flexible, expandable, and cost effective.

Internet Protocols
Transmission control protocol/Internet protocol (TCP/IP) is the basic protocol suite that permits
communication between Internet sites. It was designed by Vinton Cerf and Bob Kahn under
contract from the U.S. Department of Defense to network dissimilar systems. This protocol
controls how individual packets of data are formatted, transmitted, and received. TCP is known
as a reliable protocol because it numbers the bytes it sends, acknowledges what is received, and
retransmits anything lost, so the receiving application either gets every byte in order or is
told that the connection has failed. The IP component provides the addressing and routing
mechanism and by itself makes no delivery guarantee.
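The following Python simulation is an added example, not from the original text, of the two ideas described under Packet Switching and Internet Protocols above: a message is divided into packets that carry source and destination addresses and a sequence number, a lossy network delivers them out of order and drops some, and the receiver reassembles them by sequence number and reports the gaps, which the sender fills by retransmission. That retransmit-until-acknowledged loop is the reliability TCP layers on top of IP's best-effort delivery. Addresses, packet size and loss rate are assumptions, and the sender and receiver are simplified (no windows, timers or checksums).

```python
"""Added example: packet switching with sequence numbers and reliable reassembly."""
import random


def packetize(message, size, src, dst):
    """Split a message into packets that carry addresses and a sequence number."""
    chunks = [message[i:i + size] for i in range(0, len(message), size)]
    return [{"src": src, "dst": dst, "seq": n, "total": len(chunks), "data": chunk}
            for n, chunk in enumerate(chunks)]


class LossyNetwork:
    """Delivers packets out of order and drops some of them, as a packet network may."""

    def __init__(self, loss_rate, rng):
        self.loss_rate, self.rng = loss_rate, rng

    def send(self, packets):
        kept = [p for p in packets if self.rng.random() >= self.loss_rate]
        self.rng.shuffle(kept)   # packets may take different routes and arrive in any order
        return kept


class Receiver:
    """Reassembles by sequence number and reports which packets are still missing."""

    def __init__(self):
        self.buffer = {}
        self.total = None

    def accept(self, packets):
        for p in packets:
            self.total = p["total"]
            self.buffer[p["seq"]] = p["data"]   # a duplicate simply overwrites the same data

    def missing(self):
        if self.total is None:
            return None   # nothing has arrived yet, so even the count is unknown
        return [n for n in range(self.total) if n not in self.buffer]

    def reassemble(self):
        if self.total is None or self.missing():
            return None
        return b"".join(self.buffer[n] for n in range(self.total))


def reliable_transfer(message, size, network, max_rounds=20):
    """Resend whatever the receiver reports missing until it has everything.
    Returns (reassembled message or None, number of rounds used)."""
    packets = packetize(message, size, "10.0.0.1", "10.0.0.2")   # assumed addresses
    rx = Receiver()
    outstanding = packets
    rounds = 0
    while outstanding and rounds < max_rounds:
        rounds += 1
        rx.accept(network.send(outstanding))
        missing = rx.missing()            # the receiver's acknowledgement, in effect
        if missing is None:               # every packet of the first round was lost
            missing = list(range(len(packets)))
        outstanding = [packets[n] for n in missing]
    return rx.reassemble(), rounds


def run_demo(loss_rate=0.3, seed=7):
    """Transfer a fixed message over a seeded lossy network; returns (data, rounds, message)."""
    message = b"The quick brown fox jumps over the lazy dog"
    data, rounds = reliable_transfer(message, 8, LossyNetwork(loss_rate, random.Random(seed)))
    return data, rounds, message


if __name__ == "__main__":
    data, rounds, message = run_demo()
    print(f"delivered intact: {data == message}, rounds needed: {rounds}")
```

With the loss rate set to 0.0 the transfer completes in one round even though the packets still arrive shuffled; sequencing alone handles reordering, and retransmission is only needed for loss.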

File Transfer Protocols


File transfer protocol (FTP) is used to transfer text files, programs, spreadsheets, and databases
across the Internet.

Mail Protocols
Simple mail transfer protocol (SMTP) is the most popular protocol for transmitting e-mail
messages. Other e-mail protocols are post office protocol (POP) and Internet message access
protocol (IMAP), which are used to retrieve mail from a server rather than to send it.

Security Protocols
Secure sockets layer (SSL) is a low-level encryption scheme used to secure transmissions in
higher-level HTTP format (HTTPS). SSL has been superseded by transport layer security (TLS); all
SSL versions are deprecated and should be disabled on servers.

Network News Transfer Protocol


Network news transfer protocol (NNTP) is used to connect to Usenet groups on the Internet.
Usenet newsreader software supports the NNTP protocol

HTTP and HTTP-NG


HTTP controls Web browsers that access the Web. Hypertext transport protocol–next
generation (HTTP-NG) was a proposed enhanced version of the HTTP protocol intended to maintain
the simplicity of HTTP while adding features such as security and authentication. It was never
widely deployed.

HTML
Hypertext markup language (HTML) is the document format used to produce Web pages.
HTML defines the page layout, fonts, and graphic elements as well as hypertext links to other
documents on the Web.

Section B: Intranet Technologies

NETWORK TOPOLOGIES
A network topology is the physical arrangement of the components (for example, nodes,
servers, communications links, and so on) of the network.

Local Area Networks and Wide Area Networks


One way of distinguishing between networks is the geographic area that their distributed sites
cover. Networks are usually classified as either local area networks (LANs) or wide area
networks (WANs). LANs are often confined to a single room in a building, or they may link
several buildings within a close geographic area. When networks exceed the geographic
limitations of the LAN, they are called WANs. Because of the distances involved and the high
cost of telecommunication infrastructure (telephone lines and microwave channels), WANs
are often commercial networks (at least in part) that the organization leases.

Network Interface Cards


The physical connection of workstations to the LAN is achieved through a network interface
card (NIC), which fits into one of the expansion slots in the microcomputer. This device
provides the electronic circuitry needed for internode communications.

Servers
LAN nodes often share common resources such as programs, data, and printers, which are
managed through special-purpose computers called servers

Star Topology
describes a network of computers with a large central computer (the host) at the hub that has
direct connections to a periphery of smaller computers. Communications between the nodes in
the star are managed and controlled from the host site.

Hierarchical Topology
Is one in which a host computer is connected to several levels of subordinate, smaller
computers in a master–slave relationship. This structure is applicable to firms with many
organizational levels that must be controlled from a central location.

Ring Topology
eliminates the central site. This is a peer-to-peer arrangement in which all nodes are of equal
status; thus, responsibility for managing communications is distributed among the nodes.
Every node on the ring has a unique electronic address, which is attached to messages like
an address on an envelope.

Bus Topology
is the most popular LAN topology. It is so named because the nodes are all connected to a
common cable—the bus. One or more servers centrally control communications and file
transfers between workstations.

Client-Server Topology
The client-server model distributes the processing between User A’s (client) computer and the
central file server. Both computers are part of the network, but each is assigned functions that
it performs best.

NETWORK CONTROL
Network control exists at several points in the network architecture. The majority of network
control resides with software in the host computer, but control also resides in servers and
terminals at the nodes and in switches located throughout the network. The purpose of network
control is to perform the following tasks:
1. Establish a communications session between the sender and the receiver.
2. Manage the flow of data across the network.
3. Detect and resolve data collisions between competing nodes.
4. Detect errors in data that line failure or signal degeneration cause.

Data Collision
Only one node at a time can transmit a message on a single line. Two or more signals
transmitted simultaneously will result in a data collision, which destroys both messages.

Polling
Polling is the most popular technique for establishing a communication session in WANs. One
site, designated the master, polls the other slave sites to determine if they have data to transmit.
If a slave responds in the affirmative, the master site locks the network while the data are
transmitted.

Token Passing
Token passing involves transmitting a special signal—the token—around the network from
node to node in a specific sequence. Each node on the network receives the token, regenerates
it, and passes it to the next node. Only the node possessing the token is allowed to transmit
data. Token passing can be used with either ring or bus topologies.

Carrier Sensing
Carrier sensing is a random access technique in which a node listens to the line before
transmitting and detects collisions when they occur, retransmitting after a random delay. This
technique, which is formally labeled carrier sense multiple access with collision detection
(CSMA/CD), is used with the bus topology.
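As an added example that is not part of the original text, the following Python code simulates, in discrete time slots, the two medium-access methods just described on a shared bus: token passing, where only the token holder transmits and collisions cannot occur, and CSMA/CD, where every node with a frame senses the bus and transmits, simultaneous transmissions collide, and each colliding node backs off for a random number of slots drawn from a range that doubles with every successive collision (binary exponential backoff). Node counts, frame counts and the backoff bound are assumptions, and propagation delay is ignored.

```python
"""Added example: slotted simulation of token passing and CSMA/CD on a shared bus."""
import random


def token_passing(frames_per_node, nodes):
    """The token circulates node to node; only its holder transmits, one frame per slot.
    Returns (slots used, collisions), and collisions is always 0."""
    pending = [frames_per_node] * nodes
    slots = collisions = 0
    holder = 0
    while any(pending):
        slots += 1                        # one slot per hand-off of the token
        if pending[holder]:
            pending[holder] -= 1          # the holder sends one frame
        holder = (holder + 1) % nodes     # regenerate the token and pass it on
    return slots, collisions


def csma_cd(frames_per_node, nodes, seed=3, max_backoff_exp=10):
    """Nodes sense the bus and transmit when they are not backing off; if two or
    more transmit in the same slot the signals collide and both frames are lost.
    Returns (slots used, collisions)."""
    rng = random.Random(seed)
    pending = [frames_per_node] * nodes
    wait = [0] * nodes                    # slots each node must stay silent
    attempts = [0] * nodes                # consecutive collisions, drives the backoff range
    slots = collisions = 0
    while any(pending):
        slots += 1
        ready = [n for n in range(nodes) if pending[n] and wait[n] == 0]
        for n in range(nodes):
            wait[n] = max(0, wait[n] - 1)
        if len(ready) == 1:               # exactly one sender: the frame gets through
            pending[ready[0]] -= 1
            attempts[ready[0]] = 0
        elif len(ready) > 1:              # collision detected; nobody's frame survives
            collisions += 1
            for n in ready:
                attempts[n] += 1
                k = min(attempts[n], max_backoff_exp)
                wait[n] = rng.randrange(2 ** k)   # binary exponential backoff
    return slots, collisions


if __name__ == "__main__":
    print("token passing (3 frames x 4 nodes):", token_passing(3, 4))
    print("CSMA/CD      (3 frames x 4 nodes):", csma_cd(3, 4))
```

Twelve frames need at least twelve slots under either scheme; token passing uses exactly twelve here because every hand-off finds a frame waiting, while CSMA/CD spends extra slots on the collisions and backoff that a random-access scheme must absorb.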

Section C: Malicious and Destructive Programs


VIRUS
A virus is a program (usually destructive) that attaches itself to a legitimate program to
penetrate the operating system and destroy application programs, data files, and the operating
system itself. An insidious aspect of a virus is its ability to spread throughout the host system
and on to other systems before perpetrating its destructive acts.
Virus programs usually attach themselves to the following types of files:
1. An .EXE or .COM program file
2. An .OVL (overlay) program file
3. The boot sector of a disk
4. A device driver program

WORM
The term worm is often used interchangeably with virus, but a worm differs in that it does not
need to attach itself to a host program: it is a self-contained program that replicates itself,
on one machine or across a network, without user action. A worm that burrows into the computer's
memory and replicates itself into areas of idle memory systematically occupies that memory until
it is exhausted and the system fails.

LOGIC BOMB
A logic bomb is a destructive program, such as a virus, that some predetermined event triggers.
Often a date (such as Friday the 13th, April Fool’s Day, or the 4th of July) will be the logic
bomb’s trigger.
BACK DOOR
A back door (also called a trap door) is a software program that allows unauthorized access to
a system without going through the normal (front door) log-on procedure. Programmers who
want to provide themselves with unrestricted access to a system that they are developing for
users may create a log-on procedure that will accept either the user’s private password or their
own secret password, thus creating a back door to the system.
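The following Python code is an added example, not from the original text, of the back door just described and of how the same log-on routine looks without it. The vulnerable version accepts either the user's password or a hard-coded maintenance password; the hardened version keeps a single credential path, stores only salted derived keys, and compares them in constant time. User names, passwords and the maintenance password are constructed for the example. In a code review or audit, the check is to look for any comparison against a constant or a second secret that short-circuits the credential check, exactly the shape of the `if` in the vulnerable function.

```python
"""Added example: a log-on routine with a programmer's back door, and a hardened version."""
import hashlib
import hmac
import os


def _derive_key(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256 of the password; the stored value is this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_record(password):
    salt = os.urandom(16)
    return {"salt": salt, "key": _derive_key(password, salt)}


# Constructed user store for the example.
USERS = {"jdoe": make_user_record("correct horse battery staple")}


# --- Deliberately vulnerable: the developer's secret opens any account ---------------
MAINTENANCE_PASSWORD = "letmein-dev"      # the back door, hard-coded in the program


def login_with_backdoor(user_id, password, users=USERS):
    record = users.get(user_id)
    if record is None:
        return False
    if password == MAINTENANCE_PASSWORD:   # second path around the front door
        return True
    return _derive_key(password, record["salt"]) == record["key"]


# --- Hardened: one credential path, constant-time compare, no secondary secret --------
_DUMMY = make_user_record("dummy")        # keeps timing similar for unknown user names


def login_hardened(user_id, password, users=USERS):
    record = users.get(user_id, _DUMMY)
    candidate = _derive_key(password, record["salt"])
    # compare_digest avoids leaking how many bytes matched through timing;
    # the membership check stops the dummy record from ever authenticating anyone.
    return hmac.compare_digest(candidate, record["key"]) and user_id in users


if __name__ == "__main__":
    print("back door accepts secret:", login_with_backdoor("jdoe", MAINTENANCE_PASSWORD))
    print("hardened rejects secret: ", not login_hardened("jdoe", MAINTENANCE_PASSWORD))
    print("hardened accepts real pw:", login_hardened("jdoe", "correct horse battery staple"))
```

The hardened function still has to be reviewed for the same thing the vulnerable one fails: there must be no branch whose outcome does not depend on the stored record for the named user.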

TROJAN HORSE
A Trojan horse is a program that appears legitimate but carries a hidden malicious function. In
the form most relevant to log-on security, its purpose is to capture IDs and passwords from
unsuspecting users. These programs are designed to mimic the normal log-on procedures of the
operating system. When the user enters his or her ID and password, the Trojan horse stores a copy
of them in a secret file.
