Update from Business Week
Number of Net Fraud Complaints
  – 2002 – 48,252
  – 2004 – 207,449

Update from Business Week
Cybertricks
- Phishing
- Pharming – viruses attached to emails and web sites drop monitoring software onto people's computers
- Wi-Phishing – cybercrooks set up "free" wireless networks, monitor use and steal passwords and other identity information
- Typosquatting – web site addresses similar to real sites (whitehouse.com)

Scope Of Bank Data Theft Grows To 676,000 Customers
  – largest breach of banking security in the U.S. to date
  – investigators learned that the bank employees normally conducted 40 to 50 searches of customer bank accounts as a daily part of their jobs. While the ring was in operation, however, they performed up to 500 account searches a day, looking for new data to steal.

Study: Insider revenge often behind cyberattacks (MAY 20, 2005 COMPUTERWORLD)
- Companies hoping to thwart insider attacks need to have good password, account and configuration management practices in place, as well as the right processes for disabling network access when employees are terminated
- Investigation of 49 cases of insider attacks
  – In 92% of the cases, a negative work-related event triggered the insider action

Internal Control
Primary objectives of an AIS
- Identify and record all valid transactions
- Properly classify transactions
- Record transactions at the proper monetary value
- Record transactions in the proper accounting period
- Properly present transactions and related disclosures in the financial statements
(Source: AICPA)

AIS Auditing
- Audit Through the Computer
  – Review and evaluate internal controls during compliance testing
- Audit With the Computer
  – Direct verification of financial statement balances
  – Part of substantive testing of account balances
- Audit Around the Computer
  – Treat the AIS as a black box
  – Enter specific test transactions and determine whether the output reflects those transactions

IS Auditing Techniques
- Test data (black box testing)
  – Use both valid and invalid input
  – Determine the expected output before processing the input
  – Run the input transaction through the system
  – Compare the actual output with the expected output
  – Determine the cause of any discrepancy
  – Good for:
    - Verifying validation controls
    - Verifying computational routines (depreciation calculations)

IS Auditing Techniques
- Test data (black box testing)
  – Complications:
    - Will not detect fraud by clever programmers
    - How do you reverse the test transactions?
    - Not feasible to test all combinations of logic within a program

IS Auditing Techniques
- Integrated Test Facility
  – Create fictitious entities within the system for testing
  – Run test transactions in conjunction with live data
  – Must exclude the fictitious entities and their data from normal output reports (financial statements)
  – Same technique used in the Equity Funding scandal

IS Auditing Techniques
- Parallel Simulation
  – Process real data through test programs (as opposed to processing test data through real programs)
  – Compare the regular output with the simulated output
  – Very useful when evaluating changes or upgrades to a system: need to ensure that the upgrade did not negatively affect existing routines

IS Auditing Techniques
- Embedded Audit Routines – modify computer programs for audit purposes
  – Snapshot: the status of the system at a given point in time. Take a snapshot of the database before the transaction, process the transaction, then take a snapshot of the database after.
  – Trace: a detailed audit trail. Requires in-depth knowledge of the computer program.
  – Desk Check: manually process a transaction through the program logic (as provided in a flowchart or program listing).

Internal Control
Time to put it all together

Internal Control Process: Control Environment
Bridge, Mike and Ian Moss. "COSO back in the limelight" http://www.pwc.com/extweb/indissue.nsf/docid/41D0EC9E16678147CA256D030038030B

Control Environment
- Integrity and ethical values
  – Ethics and corporate culture
- Commitment to competence
- Management philosophy and operating style
- Responsibility and commensurate authority
- Human resources
  – Adequate supervision
  – Job rotation and forced vacations
  – Dual control

Internal Control Process: Risk Assessment
Source: Bridge and Moss, "COSO back in the limelight"

Apply Risk Assessment Framework
- What is the threat?
- What is the likelihood that the threat will occur?
- What is the potential damage from the threat?
- What controls can be used to minimize the damage?
- What is the cost of implementing the control?

Internal Control Process: Control Activities
Source: Bridge and Moss, "COSO back in the limelight"

Control Activities
- Constraints imposed on a user or a system to secure systems against risks
- Types
  – Prevent
  – Detect
  – Correct
- General vs. IT-specific

Segregation of Systems Duties
- Systems Administration
- Network Management
- Security Management
- Change Management
- Systems Analysis
- Programming/Development
- Test and Validation
- Computer Operations
- Data Control

Internal Control Process: Information and Communication
Source: Bridge and Moss, "COSO back in the limelight"

Information and Communication
Need to understand:
  – How transactions are initiated
  – How data are captured in machine-readable form (or converted from source documents into machine-readable form)
  – How computer files are accessed and updated
  – How data are processed
  – How information is reported to internal and external users

Internal Control Process: Monitoring
Source: Bridge and Moss, "COSO back in the limelight"

Monitoring
Effective
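The bank data theft slide gives a defender a concrete monitoring signal: employees normally ran 40 to 50 customer-account searches a day, and the ring ran up to 500. The following added example (not from the slides or from any bank's systems) shows the kind of monitoring check that turns that observation into a detection. The employee ids, dates and daily counts are constructed to reproduce the pattern on the slide, and the 3x alert multiplier is an assumption chosen for illustration.

```python
"""
Added example: flag employees whose daily count of customer-account lookups
is far above the documented working level.
Baseline 40-50/day and the 500/day spike come from the slide; everything else
(ids, dates, the multiplier) is constructed or assumed for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: (employee id, day, number of customer-account lookups that day).
DAILY_LOOKUPS = [
    ("emp-001", date(2005, 5, 2), 44),
    ("emp-001", date(2005, 5, 3), 48),
    ("emp-001", date(2005, 5, 4), 41),
    ("emp-002", date(2005, 5, 2), 47),
    ("emp-002", date(2005, 5, 3), 310),
    ("emp-002", date(2005, 5, 4), 500),
    ("emp-003", date(2005, 5, 2), 39),
    ("emp-003", date(2005, 5, 3), 52),   # slightly over the range, not alarming
    ("emp-003", date(2005, 5, 4), 45),
]

BASELINE_PER_DAY = 50      # upper end of the normal 40-50 range reported on the slide
ALERT_MULTIPLIER = 3.0     # assumption: 3x the baseline deserves an auditor's attention


def flag_excessive_lookups(records, baseline=BASELINE_PER_DAY, multiplier=ALERT_MULTIPLIER):
    """Return (employee, day, count, ratio) for every employee-day at or above
    multiplier * baseline."""
    alerts = []
    for emp, day, count in records:
        ratio = count / baseline
        if ratio >= multiplier:
            alerts.append((emp, day, count, round(ratio, 2)))
    return alerts


def peer_baseline(records):
    """Median daily lookups over all employee-days: a fallback baseline when the
    normal range is not documented, and harder for one outlier to drag upward."""
    counts = sorted(c for _, _, c in records)
    n = len(counts)
    mid = n // 2
    return counts[mid] if n % 2 else (counts[mid - 1] + counts[mid]) / 2


def summarize(alerts):
    """Group alerts per employee so a sustained spree is reported as one case."""
    per_emp = defaultdict(list)
    for emp, day, count, _ratio in alerts:
        per_emp[emp].append((day.isoformat(), count))
    return dict(per_emp)


if __name__ == "__main__":
    found = flag_excessive_lookups(DAILY_LOOKUPS)
    print("peer median lookups per day:", peer_baseline(DAILY_LOOKUPS))
    for emp, days in summarize(found).items():
        print(emp, "->", days)
```

The fixed multiplier is deliberately coarse; in practice the baseline would be derived per role (a fraud analyst legitimately searches more than a teller) and the alert routed to the control described on the insider-attack slide, the account and access review for that employee.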
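The test data (black box testing) slides prescribe a procedure: prepare valid and invalid input, decide the expected output before processing, run the input, compare, and explain any discrepancy; they also raise the complication of reversing the test transactions. The following added example (not from the slides) works that procedure through in Python against an assumed, stand-in straight-line depreciation routine that posts to a SQLite ledger. The test cases and their expected values are the auditor's, fixed before the run, and each case executes inside a savepoint that is rolled back so the test transactions never remain in the ledger.

```python
"""
Added example: a test-data audit harness for an assumed depreciation routine.
post_depreciation() stands in for the client's program; TEST_CASES carry the
expected results decided before processing; run_test_data() compares and
rolls each test transaction back.
"""
import sqlite3


# ---- system under test (assumed stand-in for the client's routine) ----
def post_depreciation(conn, asset_id, cost, salvage, life_years):
    """Validate the input, then post one year of straight-line depreciation.
    Returns the posted amount, or raises ValueError for rejected input."""
    if life_years <= 0:
        raise ValueError("useful life must be positive")
    if cost < 0 or salvage < 0:
        raise ValueError("cost and salvage must be non-negative")
    if salvage > cost:
        raise ValueError("salvage value cannot exceed cost")
    amount = round((cost - salvage) / life_years, 2)
    conn.execute("INSERT INTO ledger(asset_id, amount) VALUES (?, ?)", (asset_id, amount))
    return amount


# ---- auditor's test data: expected result fixed BEFORE the run ----
# (description, (asset, cost, salvage, life), expected amount or "REJECT")
TEST_CASES = [
    ("valid straight-line",      ("A1", 10000.0, 1000.0, 5), 1800.0),
    ("valid, needs rounding",    ("A2", 1000.0, 0.0, 3),     333.33),
    ("invalid: zero life",       ("A3", 5000.0, 500.0, 0),   "REJECT"),
    ("invalid: salvage > cost",  ("A4", 1000.0, 2000.0, 4),  "REJECT"),
    ("invalid: negative cost",   ("A5", -100.0, 0.0, 2),     "REJECT"),
]


def run_test_data(conn, cases, routine=post_depreciation):
    """Run each test transaction in a savepoint, compare actual with expected,
    and roll the savepoint back so the live ledger is left unchanged."""
    results = []
    for desc, args, expected in cases:
        conn.execute("SAVEPOINT audit_case")
        try:
            actual = routine(conn, *args)
        except ValueError:
            actual = "REJECT"          # the validation control refused the input
        finally:
            conn.execute("ROLLBACK TO SAVEPOINT audit_case")
            conn.execute("RELEASE SAVEPOINT audit_case")
        results.append((desc, expected, actual, expected == actual))
    return results


def ledger_row_count(conn):
    """How many postings remain; after the audit run this should be unchanged."""
    return conn.execute("SELECT COUNT(*) FROM ledger").fetchone()[0]


def new_ledger():
    """Constructed empty ledger in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ledger(asset_id TEXT, amount REAL)")
    return conn


if __name__ == "__main__":
    conn = new_ledger()
    for desc, expected, actual, ok in run_test_data(conn, TEST_CASES):
        status = "PASS" if ok else "DISCREPANCY"
        print(f"{status:11} {desc}: expected {expected}, got {actual}")
    print("rows left in ledger after the audit run:", ledger_row_count(conn))
```

Passing `routine=` a different implementation (for instance a proposed upgrade of the same program) turns the harness into the comparison step of the parallel simulation slide; the other complication on the slide still holds, since five cases say nothing about logic paths the auditor did not think to exercise.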
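The embedded audit routines slide describes the snapshot technique in three steps: snapshot the database before the transaction, process the transaction, snapshot again. The following added example (not from the slides) implements that hook in Python over an assumed two-table SQLite database (accounts and a journal) and an assumed transfer routine, and diffs the two snapshots so the auditor sees every row the transaction touched, including any it should not have. Table names, balances and the transfer routine are all constructed for the example.

```python
"""
Added example: an embedded 'snapshot' audit routine.
snapshot() captures every audited table, audited_run() wraps a business
routine with a before/after snapshot, and diff_snapshots() reports inserted,
deleted and changed rows. All tables and data are constructed.
"""
import sqlite3

AUDITED_TABLES = ("accounts", "journal")   # assumed: first column is the primary key


def snapshot(conn, tables=AUDITED_TABLES):
    """Return {table: {primary key: full row}} for each audited table."""
    snap = {}
    for table in tables:
        rows = conn.execute(f"SELECT * FROM {table} ORDER BY 1").fetchall()
        snap[table] = {row[0]: row for row in rows}
    return snap


def diff_snapshots(before, after):
    """List (table, key, before_row, after_row); None on one side means the
    row was inserted or deleted by the transaction."""
    changes = []
    for table in before:
        for key in sorted(set(before[table]) | set(after[table])):
            b = before[table].get(key)
            a = after[table].get(key)
            if b != a:
                changes.append((table, key, b, a))
    return changes


def next_journal_id(conn):
    return conn.execute("SELECT COALESCE(MAX(id), 0) + 1 FROM journal").fetchone()[0]


def transfer(conn, src, dst, amount):
    """Assumed business routine: move money between two accounts and journal it."""
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
    conn.execute("INSERT INTO journal(id, src, dst, amount) VALUES (?, ?, ?, ?)",
                 (next_journal_id(conn), src, dst, amount))
    conn.commit()


def audited_run(conn, routine, *args):
    """The embedded hook: snapshot, process the transaction, snapshot, diff."""
    before = snapshot(conn)
    routine(conn, *args)
    after = snapshot(conn)
    return diff_snapshots(before, after)


def sample_db():
    """Constructed data: three accounts and an empty journal."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts(id TEXT PRIMARY KEY, balance REAL)")
    conn.execute("CREATE TABLE journal(id INTEGER PRIMARY KEY, src TEXT, dst TEXT, amount REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("ACC-1", 500.0), ("ACC-2", 200.0), ("ACC-3", 0.0)])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = sample_db()
    for table, key, b, a in audited_run(conn, transfer, "ACC-1", "ACC-2", 75.0):
        print(f"{table}[{key}]: {b} -> {a}")
```

The value of the diff is that it is not limited to the rows the program is expected to change: a routine that quietly adjusts a third account would show up as an extra `accounts` entry in the diff, which is exactly what the auditor embeds the routine to catch. On a large database the snapshot would be restricted to the tables the transaction type is allowed to touch rather than the whole schema.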