CH ccc10 Control, Security and Audit

Uploaded by Bunthea

Chapter 10: Control, security and audit

6. Cyber-Attacks
Cyber-attacks are malicious attempts by individuals or organizations to breach the information
systems of another individual or organization.

1. Phishing
Phishing is a cyber-attack where the attacker sends fraudulent communications, often emails,
that appear to come from a reputable source to trick individuals into revealing sensitive
information.

• Methods Used:
o Deceptive Emails: Messages that prompt the recipient to click on a malicious
link or download an attachment.
o Spoofed Websites: Fake websites designed to mimic legitimate ones to steal
login credentials.

• Common Targets:
o Individuals: Personal bank accounts, social media profiles.
o Organizations: Employee credentials, customer data.

For example, an individual might receive an email that looks like it's from their bank, asking
them to verify their account details. Unsuspecting users who click the link and enter their
information are actually providing it directly to cyber-attackers.

2. Pharming
Pharming is a cyber-attack that redirects users from a legitimate website to a fraudulent one
without their knowledge, aiming to steal personal information.

• Techniques Employed:
o DNS Poisoning: Altering the domain name system entries to redirect traffic.
o Malware Installation: Infecting a user's computer to manipulate web traffic.

• Impact:
o Data Theft: Harvesting usernames, passwords, and financial information.
o Credential Compromise: Unauthorized access to user accounts.

A user may type in the correct URL of their bank's website, but due to DNS poisoning, they are
taken to a fake site that looks identical. Any information entered is captured by the attacker.

3. Hacking
Hacking involves unauthorized access to or control over computer network security systems for
some illicit purpose.

• Types of Hacking:
o Black Hat Hacking: Malicious hacking for personal gain.
o White Hat Hacking: Ethical hacking to identify security flaws.

• Common Goals:
o Data Breach: Stealing sensitive information.
o System Disruption: Causing systems to malfunction or shut down.

An example of hacking is when cyber-attackers exploit a vulnerability in a company's software
to access customer databases, stealing personal and financial data.

FAU, FFM, FBT Kim Mara | 1

5. Webcam Manager
Webcam manager attacks involve cyber-attackers gaining unauthorized access to a user's
webcam to spy on them.

• Methods of Access:
o Malware Infection: Installing remote access trojans (RATs) on the user's
device.
o Phishing Links: Trick users into downloading malicious software.

• Risks:
o Privacy Invasion: Capturing images or videos without consent.
o Blackmail: Using obtained footage to extort victims.

An attacker might send an email with an attachment that, when opened, installs malware giving
them control over the user's webcam. The attacker can then record activities or take snapshots
without the user's knowledge.

6. File Hijacker/Ransomware
File hijacker, commonly known as ransomware, is a type of malware that encrypts the
victim's files, making them inaccessible, and demands a ransom for the decryption key.

• How It Works:
o Encryption of Files: Uses strong encryption algorithms to lock files.
o Ransom Demand: Displays a message demanding payment, often in
cryptocurrency.

• Preventive Measures:
o Regular Backups: Keeping copies of important data.
o Security Software: Using antivirus and anti-malware programs.

A hospital might fall victim to ransomware where patient records are encrypted. The attackers
demand a ransom to restore access, putting patient care at risk and forcing the hospital to choose
between paying the ransom or attempting to recover the data through other means.

7. Cyber Risk
Any risk of financial loss, disruption, or damage to an organization's reputation from a failure of
its information technology systems.

1. Unauthorized Access
Unauthorized access occurs when an individual gains access to a system, network, or data
without permission.

• Causes:
o Weak Passwords: Simple or default passwords that are easily guessed or
cracked.
o Phishing Attacks: Deceptive communications designed to trick individuals into
revealing login credentials.
o Insider Threats: Employees or contractors accessing data beyond their
authorized privileges.

For example, if an employee falls victim to a phishing email and unknowingly provides their
login details to an attacker, the attacker can access confidential company information without
authorization.

2. Data Theft
Data theft involves the unauthorized copying, transfer, or retrieval of data from a system.

• Targets:
o Personally Identifiable Information (PII): Names, addresses, Social Security
numbers.
o Financial Information: Credit card details, bank account numbers.
o Intellectual Property: Trade secrets, proprietary algorithms, product designs.

A cyber-attacker might infiltrate a company's network to steal customer credit card information,
leading to financial fraud and legal consequences for the organization.

3. Financial Loss
Financial loss refers to the monetary damages that an organization may suffer as a result of
cyber incidents.

• Direct Costs:
o Theft of Funds: Cybercriminals stealing money directly from accounts.
o Ransom Payments: Paying attackers to regain access to encrypted data.
o Incident Response Expenses: Costs for forensic investigations and
remediation efforts.

• Indirect Costs:
o Business Interruption: Loss of revenue during downtime.
o Regulatory Fines: Penalties for failing to comply with data protection laws.
o Legal Fees: Costs associated with lawsuits from affected parties.

In the case of a ransomware attack, an organization may face significant expenses to restore
operations, including potential ransom payments, IT recovery costs, and lost revenue due to
halted business activities.

4. Damage to Reputation
Damage to reputation occurs when a cyber incident leads to a loss of trust and confidence
among customers, partners, and the public.

• Consequences:
o Customer Attrition: Clients may choose competitors due to security concerns.
o Negative Publicity: Media coverage highlighting the organization's
vulnerabilities.
o Investor Confidence Loss: Share prices may drop as stakeholders lose faith.

Following a data breach that exposes customer information, an organization might experience a
decline in sales as consumers lose trust in its ability to safeguard their data.

Question 1:
Which of the following is NOT an aim of internal controls?

A. To enable the organisation to respond appropriately to business, operational and financial risks
B. To eliminate the possibility of impacts from poor judgement and human error
C. To help ensure the quality of internal and external reporting
D. To help ensure compliance with applicable laws and regulations

Aim of Internal Controls

(A) Enable the Organization to Respond Appropriately to Business, Operational, and
Financial Risks

Responding to risks involves identifying, assessing, and mitigating potential threats that could
hinder the organization's objectives.

• Business Risks: Potential events that could negatively impact the organization's ability
to achieve its goals.
o Example: Market competition or changes in consumer preferences.

• Operational Risks: Risks arising from internal processes, systems, or human factors.
o Example: Machinery breakdowns or employee errors.

• Financial Risks: Risks related to the organization's financial health and stability.
o Example: Cash flow shortages or investment losses.

For instance, a manufacturing company may implement internal controls such as regular
maintenance schedules to mitigate operational risks like machinery failure. Similarly, financial
controls like budgeting and financial forecasting help in managing financial risks by ensuring
adequate cash flow and investment planning.

(C) Help Ensure the Quality of Internal and External Reporting

Quality reporting ensures that the information provided both internally to management and
externally to stakeholders is accurate, reliable, and timely.

• Internal Reporting: Information used by management to make informed decisions.
o Example: Monthly sales reports and performance dashboards.

• External Reporting: Information disclosed to external stakeholders such as investors,
regulators, and the public.
o Example: Annual financial statements and sustainability reports.

• Accuracy and Reliability: Ensuring that data is free from errors and faithfully
represents the organization's financial position.

• Timeliness: Providing information promptly to support timely decision-making.

For example, implementing reconciliation processes ensures that internal financial records
match external bank statements, thereby enhancing the accuracy and reliability of both internal
and external reports. This reduces the risk of reporting errors that could mislead stakeholders or
result in regulatory penalties.

(D) Help Ensure Compliance with Applicable Laws and Regulations

Compliance involves adhering to laws, regulations, and standards that govern the organization's
operations.

• Legal Compliance: Following laws and regulations relevant to the industry and
geographic location.
o Example: Adhering to the General Data Protection Regulation (GDPR) for data
privacy.

• Regulatory Compliance: Meeting the requirements set by regulatory bodies.
o Example: Complying with the Sarbanes-Oxley Act (SOX) for financial
reporting in the United States.

• Internal Policies: Following the organization's own rules and procedures.
o Example: Code of conduct or internal audit procedures.

For instance, a healthcare organization must comply with the Health Insurance Portability and
Accountability Act (HIPAA) to protect patient information. Implementing internal controls such
as access restrictions and regular audits helps ensure that the organization adheres to these legal
requirements, thereby avoiding fines and maintaining trust with patients.

Question 2:
Which term correctly completes this statement?

Some controls are provided automatically by the system and cannot be by-passed, ignored
or overridden: for example, having to input a password to enter a computer system. These
are classified as ______ controls.

Pull down list:
• Administrative
• Detect
• Mandated
• Non-discretionary

Non-Discretionary Controls
Non-discretionary controls are automated safeguards embedded within systems to ensure that
specific protocols are always followed, regardless of user intent or actions.

• Automated Implementation: These controls are built into the system and operate
without the need for manual input.
o Example: Requiring a password to access a computer system.

• Cannot Be Bypassed: Users are unable to circumvent these controls, ensuring consistent
enforcement.
o Example: System-enforced encryption that cannot be disabled by the user.

• Consistent Enforcement: Provides uniform security measures across all users and
scenarios.
o Example: Automatic logout after a period of inactivity to prevent unauthorized
access.

For instance, a company’s IT system may require all employees to input a password that meets
certain complexity requirements before accessing the network. This control cannot be bypassed,
ensuring that only authorized individuals gain access, thereby enhancing overall security.

Question 3:
The mnemonic SPAMSOAP is often used to remember the range of financial control
procedures.

What does the 'O' stand for in this mnemonic?

A. Operations
B. Organisation
C. Oversight

Question 4:
Which of the following is NOT an internal check?

A. Separation of duties for authorising, custody and recording
B. Pre-lists, post-lists and control totals
C. Bank reconciliations
D. Systems for authorising transactions within specified spending limits

Internal Check
Internal check refers to the system of procedures and controls within an organization designed
to prevent errors and fraud by ensuring that the work of one person is independently verified
by another.

(A) Separation of Duties for Authorizing, Custody, and Recording

Separation of duties involves dividing responsibilities among different individuals to reduce
the risk of errors and fraud.

• Authorizing: Approving transactions and decisions.
o Example: A manager approves purchase orders before they are processed.

• Custody: Handling and safeguarding assets.
o Example: One employee is responsible for receiving and storing inventory,
while another manages the records.

• Recording: Maintaining accurate and timely records of transactions.
o Example: A separate employee records sales transactions in the accounting
system.

For instance, in a retail environment, one employee may be responsible for authorizing
discounts, another for handling cash transactions, and a third for recording sales in the financial
system. This separation ensures that no single individual has control over all aspects of a
transaction, thereby minimizing the risk of theft or manipulation.
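The separation described above can be checked mechanically against a transaction log. The following is an added example written for these notes, not part of the original course material; the log layout (transaction id, duty performed, user) and the three duty names are assumptions chosen to match the text, and the sample entries are constructed.

```python
from collections import defaultdict

# The three duties the notes say should sit with different people.
DUTIES = ("authorize", "custody", "record")

# Constructed sample log (not real data): (transaction id, duty, user).
SAMPLE_LOG = [
    ("T1001", "authorize", "alice"),
    ("T1001", "custody", "bob"),
    ("T1001", "record", "carol"),   # fully separated: no finding
    ("T1002", "authorize", "dave"),
    ("T1002", "custody", "dave"),   # dave approved and handled the asset
    ("T1002", "record", "carol"),
    ("T1003", "authorize", "alice"),
    ("T1003", "custody", "bob"),
    ("T1003", "record", "bob"),     # bob had custody and wrote the record
    ("T1004", "authorize", "erin"),
    ("T1004", "custody", "erin"),
    ("T1004", "record", "erin"),    # one person controlled the whole transaction
]

def find_sod_violations(log):
    """Return {txn_id: {user: [duties]}} for every transaction in which one
    user performed two or more distinct duties."""
    by_txn = defaultdict(lambda: defaultdict(list))
    for txn_id, duty, user in log:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r} in {txn_id}")
        by_txn[txn_id][user].append(duty)
    violations = {}
    for txn_id, users in by_txn.items():
        conflicts = {u: sorted(set(d)) for u, d in users.items() if len(set(d)) > 1}
        if conflicts:
            violations[txn_id] = conflicts
    return violations

def incomplete_transactions(log):
    """Return ids of transactions missing one of the three duties; a skipped
    step is a control gap even when no one person did two jobs."""
    seen = defaultdict(set)
    for txn_id, duty, _ in log:
        seen[txn_id].add(duty)
    return sorted(t for t, d in seen.items() if d != set(DUTIES))

if __name__ == "__main__":
    for txn, users in sorted(find_sod_violations(SAMPLE_LOG).items()):
        for user, duties in users.items():
            print(f"{txn}: {user} performed {' + '.join(duties)}")
```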

(B) Pre-Lists, Post-Lists, and Control Totals

Pre-lists, post-lists, and control totals are tools used to ensure the completeness and accuracy
of transactions.

• Pre-Lists: Lists prepared before processing transactions to identify expected entries.
o Example: A list of purchase orders expected to be received in a month.

• Post-Lists: Lists created after processing transactions to verify actual entries.
o Example: A list of received goods compared against the pre-list of purchase
orders.

• Control Totals: Totals that are calculated before and after processing to ensure
consistency.
o Example: The total amount of cash expected in the cash register before the
day’s sales are recorded should match the actual total after sales are processed.

For example, a company might prepare a pre-list of all expected invoices for a billing period.
After processing, the post-list of actual invoices is compared to the pre-list to identify any
discrepancies. Control totals, such as the total amount billed, are also compared to ensure that
all transactions have been accurately recorded.
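The invoice reconciliation just described, carried out in code as an added example that is not part of the original notes. The invoice ids and amounts are constructed sample data; the pre-list and post-list shapes (a mapping of expected invoices and a list of processed ones) are assumptions.

```python
from decimal import Decimal

# Constructed pre-list (not real data): invoices expected in the period.
PRE_LIST = {
    "INV-001": Decimal("1200.00"),
    "INV-002": Decimal("350.50"),
    "INV-003": Decimal("89.99"),
    "INV-004": Decimal("4100.00"),
}

# Constructed post-list: invoices actually processed. INV-003 was never
# processed, INV-002 carries the wrong amount, INV-004 was posted twice and
# INV-005 was not expected at all.
POST_LIST = [
    ("INV-001", Decimal("1200.00")),
    ("INV-002", Decimal("305.50")),
    ("INV-004", Decimal("4100.00")),
    ("INV-004", Decimal("4100.00")),
    ("INV-005", Decimal("75.00")),
]

def reconcile(pre_list, post_list):
    """Compare expected entries with actual ones and return the line-level
    discrepancies alongside the control totals (count and amount)."""
    seen, duplicates = {}, []
    for inv_id, amount in post_list:
        if inv_id in seen:
            duplicates.append(inv_id)
        else:
            seen[inv_id] = amount
    common = set(pre_list) & set(seen)
    totals = {
        "pre_count": len(pre_list),
        "post_count": len(post_list),
        "pre_amount": sum(pre_list.values(), Decimal("0")),
        "post_amount": sum((a for _, a in post_list), Decimal("0")),
    }
    # Agreeing totals are necessary but not sufficient: offsetting errors can
    # cancel out, so the line-by-line differences below are always reported.
    totals["agree"] = (totals["pre_count"] == totals["post_count"]
                       and totals["pre_amount"] == totals["post_amount"])
    return {
        "missing": sorted(set(pre_list) - set(seen)),
        "unexpected": sorted(set(seen) - set(pre_list)),
        "amount_mismatch": sorted(i for i in common if pre_list[i] != seen[i]),
        "duplicates": sorted(duplicates),
        "totals": totals,
    }

if __name__ == "__main__":
    result = reconcile(PRE_LIST, POST_LIST)
    for key in ("missing", "unexpected", "amount_mismatch", "duplicates"):
        print(f"{key}: {result[key]}")
    print("control totals agree:", result["totals"]["agree"])
```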

Question 5:
Which of the following statements about internal audit is true?

A. Internal audit is an independent appraisal activity
B. Internal audit is separate from the organisation's internal control system
C. Internal audit is carried out solely for the benefit of the organisation's stakeholders
D. The internal audit function reports to the finance director

Internal Audit

(A) Independent Appraisal Activity

Independent appraisal refers to an objective evaluation conducted without bias or influence
from the areas being assessed.

• Objective Assessment: Conducted by individuals who do not have operational
responsibilities within the areas they audit.
o Example: An internal auditor evaluating the procurement process without
being involved in purchasing decisions.

• Unbiased Reporting: Findings and recommendations are based on evidence and
analysis, not influenced by internal politics or personal interests.
o Example: Reporting discrepancies in financial statements without favoring any
department.

For instance, in a corporation, an internal audit team may assess the effectiveness of IT security
measures. Since the audit team does not have a role in the IT department's daily operations, their
evaluation remains objective and credible, ensuring unbiased results.

Question 6:
The use of uninterruptible (protected) power supplies is a method of protecting data and IT
systems from what sort of security threat?

A. Accidental damage
B. Weather
C. Hacking

Lightning strikes or electrical storms are a key cause of power supply failures and surges,
which may affect computer functions.

Fire and accidental damage are also physical threats to data and equipment.

Hacking is a non-physical threat involving unauthorised access to data (possibly resulting in
data theft or destruction).

Question 7:
Which of the following would be classed as a contingency control in an information
system?

A. Password-only access to the system
B. System recovery procedures
C. Audit trails

System recovery procedures are set in place for activation in the event of breakdown, to get the
system up and running again: this is a contingency control, because it plans for a 'worst case
scenario'.

Password access is an example of a security control: protecting data from unauthorised
modification, disclosure or destruction.

Audit trails (showing who has accessed a system and what they have done).

Question 8:
Which of the following statements about external auditors is NOT correct?

A. External auditors are appointed by the shareholders of a company
B. The primary responsibility of external auditors is to investigate financial irregularities and report
them to shareholders
C. External auditors may rely on the work of internal auditors, but first they have to assess its worth
D. External auditors are concerned with the financial records and statements of the organisation

Question 9:
In the context of audit, what are 'substantive tests' designed to accomplish?

A. To establish whether internal controls are being applied as prescribed
B. To identify errors and omissions in financial records
C. To establish the causes of errors or omissions in financial records
D. To establish an audit trail

Substantive tests 'substantiate' the figures in the accounts. They are used to discover whether
figures are correct or complete, not why they are incorrect or incomplete, or how the figures 'got
there'.

Establishing whether internal controls are being applied as prescribed is the aim of compliance
tests.
