
Outline
- Update from Business Week
- Update from Business Week: Cybertricks
- Slide 3
- Study: Insider revenge often behind cyberattacks (May 20, 2005, Computerworld)
- Internal Control
- Primary objectives of an AIS
- AIS Auditing
- IS Auditing Techniques (slides 9-13)
- Internal Control Process: Control Environment
- Control Environment
- Internal Control Process: Risk Assessment
- Apply Risk Assessment Framework
- Internal Control Process: Control Activities
- Control Activities
- Segregation of Systems Duties
- Internal Control Process: Information and Communication
- Information and Communication
- Internal Control Process: Monitoring
- Monitoring
- In-Class Exercise
- Final Project

Update from Business Week
Number of Net Fraud Complaints
– 2002 – 48,252
– 2004 – 207,449

Update from Business Week: Cybertricks
- Phishing
- Pharming – viruses attached to emails and web sites drop monitoring software onto people's computers
- Wi-Phishing – cybercrooks set up "free" wireless networks, monitor their use, and steal passwords and other identity information
- Typosquatting – web site addresses similar to real sites (whitehouse.com)

Scope of Bank Data Theft Grows to 676,000 Customers
– largest breach of banking security in the U.S. to date
– investigators learned that the bank employees normally conducted 40 to 50 searches of customer bank accounts as a daily part of their jobs. While the ring was in operation, however, they performed up to 500 account searches a day, looking for new data to steal.

Study: Insider revenge often behind cyberattacks (May 20, 2005, Computerworld)
- Companies hoping to thwart insider attacks need to have good password, account and configuration management practices in place, as well as the right processes for disabling network access when employees are terminated
- Investigation of 49 cases of insider attacks
  – In 92% of the cases, a negative work-related event triggered the insider action

Internal Control

Primary objectives of an AIS
- Identify and record all valid transactions
- Properly classify transactions
- Record transactions at the proper monetary value
- Record transactions in the proper accounting period
- Properly present transactions and related disclosures in the financial statements
(Source: AICPA)

AIS Auditing
- Audit Through the Computer
  – Review and evaluate internal controls during compliance testing
- Audit With the Computer
  – Direct verification of financial statement balances
  – Part of substantive testing of account balances
- Audit Around the Computer
  – Treat the AIS as a black box
  – Enter specific test transactions and determine whether the output reflects those transactions

IS Auditing Techniques: Test Data (black box testing)
- Both valid and invalid input
  – Determine the expected output before processing the input
  – Run the input transaction through the system
  – Compare actual output with expected output
  – Determine the cause of any discrepancy
- Good for:
  – Verifying validation controls
  – Verifying computational routines (depreciation calculations)
- Complications
  – Will not detect fraud by clever programmers
  – How do you reverse the test transactions?
  – Not feasible to test all combinations of logic within a program

IS Auditing Techniques: Integrated Test Facility
- Create fictitious entities within the system for testing
  – Run test transactions in conjunction with live data
- Must exclude the fictitious entities and their data from normal output reports (financial statements)
- Same technique used in the Equity Funding scandal

IS Auditing Techniques: Parallel Simulation
- Process real data through test programs
  – As opposed to processing test data through real programs
- Compare regular output with simulated output
- Very useful when evaluating changes or upgrades to a system
  – Need to ensure that upgrades did not negatively affect existing routines

IS Auditing Techniques: Embedded Audit Routines – modify computer programs for audit purposes
- Snapshot
  – Status of the system at a given point in time
  – Take a snapshot of the database before the transaction, process the transaction, then take a snapshot of the database after
- Trace
  – Detailed audit trail
  – Requires in-depth knowledge of the computer program
- Desk Check
  – Manually process the transaction through the program logic (as provided in a flowchart or program listing)

Internal Control: Time to put it all together

Internal Control Process: Control Environment
Source: Bridge, Mike and Ian Moss. "COSO back in the limelight" http://www.pwc.com/extweb/indissue.nsf/docid/41D0EC9E16678147CA256D030038030B

Control Environment
- Integrity and ethical values
  – Ethics and corporate culture
- Commitment to competence
- Management philosophy and operating style
- Responsibility and commensurate authority
- Human resources
  – Adequate supervision
  – Job rotation and forced vacations
  – Dual control

Internal Control Process: Risk Assessment
Source: Bridge and Moss, "COSO back in the limelight" (cited above)

Apply Risk Assessment Framework
- What is the threat?
- What is the likelihood that the threat will occur?
- What is the potential damage from the threat?
- What controls can be used to minimize the damage?
- What is the cost of implementing the control?

Internal Control Process: Control Activities
Source: Bridge and Moss, "COSO back in the limelight" (cited above)

Control Activities
- Constraints imposed on a user or a system to secure systems against risks
- Types
  – Prevent
  – Detect
  – Correct
- General vs. IT-specific

Segregation of Systems Duties
- Systems Administration
- Network Management
- Security Management
- Change Management
- Systems Analysis
- Programming/Development
- Test and Validation
- Computer Operations
- Data Control

Internal Control Process: Information and Communication
Source: Bridge and Moss, "COSO back in the limelight" (cited above)

Information and Communication
Need to understand:
– How transactions are initiated
– How data are captured in machine-readable form (or converted from source documents into machine-readable form)
– How computer files are accessed and updated
– How data are processed
– How information is reported to internal and external users

Internal Control Process: Monitoring
Source: Bridge and Moss, "COSO back in the limelight" (cited above)

Monitoring
Effective
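The test-data technique from the "IS Auditing Techniques" slides, worked through as an added example (this code is not part of the lecture notes). The depreciation routine, its validation rules, the asset ledger and the test transactions are all constructed for the illustration; a defective variant of the routine is included so the comparison step actually has a discrepancy to explain, and the run uses a copy of the ledger, which is one answer to the slide's "how do you reverse the test transactions?" complication.

```python
"""Test-data (black-box) audit of a depreciation routine.

Added example; not part of the lecture notes. `post_depreciation` and its
validation rules stand in for a hypothetical AIS routine. The audit steps
follow the slide: decide the expected output before running anything, run
the transaction through the system, compare, and explain any discrepancy.
"""
from copy import deepcopy

# Constructed fixed-asset ledger: asset id -> accumulated depreciation.
LEDGER = {"A-100": 0.0, "A-200": 1200.0}


def validate(ledger, txn):
    """Input validation control of the hypothetical routine (None = accepted)."""
    if txn["asset"] not in ledger:
        return "unknown asset"
    if txn["cost"] <= 0 or txn["life_years"] <= 0:
        return "cost and useful life must be positive"
    if not 0 <= txn["salvage"] < txn["cost"]:
        return "salvage must be between 0 and cost"
    return None


def post_depreciation(ledger, txn):
    """Post one year of straight-line depreciation. Returns (status, detail)."""
    error = validate(ledger, txn)
    if error:
        return ("rejected", error)
    charge = round((txn["cost"] - txn["salvage"]) / txn["life_years"], 2)
    ledger[txn["asset"]] += charge
    return ("posted", charge)


def post_depreciation_ignores_salvage(ledger, txn):
    """Defective variant (constructed) whose computation drops the salvage value."""
    error = validate(ledger, txn)
    if error:
        return ("rejected", error)
    charge = round(txn["cost"] / txn["life_years"], 2)
    ledger[txn["asset"]] += charge
    return ("posted", charge)


# Test data: valid and invalid input, each with the expected output worked out
# by hand BEFORE the transaction is run (step 1 on the slide).
TEST_DATA = [
    ({"asset": "A-100", "cost": 10000, "salvage": 1000, "life_years": 5},
     ("posted", 1800.0)),
    ({"asset": "A-200", "cost": 5000, "salvage": 500, "life_years": 3},
     ("posted", 1500.0)),
    ({"asset": "A-999", "cost": 5000, "salvage": 500, "life_years": 3},
     ("rejected", "unknown asset")),
    ({"asset": "A-100", "cost": 5000, "salvage": 6000, "life_years": 3},
     ("rejected", "salvage must be between 0 and cost")),
    ({"asset": "A-100", "cost": 5000, "salvage": 0, "life_years": 0},
     ("rejected", "cost and useful life must be positive")),
]


def run_test_data(ledger, routine, cases):
    """Steps 2-4: run each transaction on a COPY of the ledger (so no test
    postings have to be reversed later), compare, and collect discrepancies."""
    scratch = deepcopy(ledger)
    discrepancies = []
    for txn, expected in cases:
        actual = routine(scratch, txn)
        if actual != expected:
            discrepancies.append({"txn": txn, "expected": expected, "actual": actual})
    return discrepancies


if __name__ == "__main__":
    for name, routine in [("production", post_depreciation),
                          ("defective", post_depreciation_ignores_salvage)]:
        print(name, run_test_data(LEDGER, routine, TEST_DATA))
```

The production routine passes every case; the defective one is caught only by the two valid transactions, which is the point of carrying expected values rather than just checking that the system accepts or rejects input. Note that the technique says nothing about code paths the test data never exercise, which is the slide's "not feasible to test all combinations" complication.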
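The Integrated Test Facility slide, as an added example that is not from the lecture notes. The account ids, balances, batch and the `test_entity` flag are constructed. The auditor's fictitious account goes through the same posting code as live data; the normal report filters it out, and a reconciliation check tells the auditor whether a published total still contains the fictitious entities, which is the failure the slide's Equity Funding reference points at.

```python
"""Integrated Test Facility (ITF) pattern.

Added example; not from the lecture notes. Account ids, amounts and the
`test_entity` flag are constructed. The auditor's fictitious account runs
through the same posting code as live data; every normal report filters it
out, and a reconciliation check shows whether a report forgot the filter.
"""
from copy import deepcopy

# Constructed chart of accounts: id -> balance and whether it is a test entity.
ACCOUNTS = {
    "C-001": {"balance": 5000.0, "test_entity": False},
    "C-002": {"balance": 2500.0, "test_entity": False},
    "AUDIT-ITF-1": {"balance": 0.0, "test_entity": True},  # auditor's fictitious account
}

# One batch in which live and test transactions are interleaved.
BATCH = [
    ("C-001", 750.0),
    ("AUDIT-ITF-1", 1000.0),
    ("C-002", -300.0),
    ("AUDIT-ITF-1", -250.0),
]

# Expected test-entity balances, worked out before the run.
EXPECTED_TEST_BALANCES = {"AUDIT-ITF-1": 750.0}


def post_batch(accounts, batch):
    """Production posting routine: one code path for live and test entities."""
    for acct_id, amount in batch:
        accounts[acct_id]["balance"] += amount
    return accounts


def financial_statement_total(accounts):
    """Normal output report: fictitious entities must be excluded."""
    return sum(a["balance"] for a in accounts.values() if not a["test_entity"])


def unfiltered_total(accounts):
    """What a report would show if the exclusion were forgotten."""
    return sum(a["balance"] for a in accounts.values())


def check_report(report_total, accounts):
    """Auditor's reconciliation of a published total against the live-only total."""
    if abs(report_total - financial_statement_total(accounts)) < 0.005:
        return "clean"
    if abs(report_total - unfiltered_total(accounts)) < 0.005:
        return "contains test entities"
    return "unexplained difference"


def itf_results(accounts, expected=EXPECTED_TEST_BALANCES):
    """Auditor's view: test entities only, each compared with its expected balance."""
    return {acct_id: (a["balance"], a["balance"] == expected.get(acct_id))
            for acct_id, a in accounts.items() if a["test_entity"]}


def run_itf_cycle():
    """Post the mixed batch on a copy of the chart and return the posted state."""
    return post_batch(deepcopy(ACCOUNTS), BATCH)


if __name__ == "__main__":
    posted = run_itf_cycle()
    print("financial statement total:", financial_statement_total(posted))
    print("ITF results:", itf_results(posted))
    print("report of 8700.0 is:", check_report(8700.0, posted))
```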
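The snapshot embedded audit routine from the "Embedded Audit Routines" slide, as an added example that is not part of the lecture notes. The mini database, the transfer routine, the defective variant and the rule for which records a transfer may touch are all constructed. The wrapper takes a snapshot before the transaction, processes it, takes a snapshot after, and reports every record that changed; the defective variant shows why a diff of the two snapshots catches something a simple balance-total check does not.

```python
"""Snapshot embedded audit routine.

Added example; not from the lecture notes. The mini database, the transfer
routine and the 'records this transaction may touch' rule are constructed;
the snapshot-before / process / snapshot-after pattern is the slide's.
"""
from copy import deepcopy

# Constructed database: record id -> balance.
DB = {
    "ACC-1": 1000.0,
    "ACC-2": 500.0,
    "FEES": 0.0,
    "ACC-3": 300.0,
}


def transfer(db, src, dst, amount, fee=2.0):
    """Correct transfer: debit source for amount plus fee, credit destination and fee account."""
    db[src] -= amount + fee
    db[dst] += amount
    db["FEES"] += fee


def transfer_misposted_fee(db, src, dst, amount, fee=2.0):
    """Defective variant (constructed): credits the fee to an unrelated record."""
    db[src] -= amount + fee
    db[dst] += amount
    db["ACC-3"] += fee


def snapshot(db):
    """Status of the system at a point in time, as an independent copy."""
    return deepcopy(db)


def diff(before, after):
    """Records whose value changed, with (old, new) values."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k))
            for k in sorted(keys) if before.get(k) != after.get(k)}


def audited_run(db, routine, src, dst, amount):
    """Embedded audit wrapper: snapshot, process, snapshot, then analyse the diff."""
    before = snapshot(db)
    routine(db, src, dst, amount)
    after = snapshot(db)
    changes = diff(before, after)
    allowed = {src, dst, "FEES"}  # records a transfer is permitted to touch
    unexpected = sorted(k for k in changes if k not in allowed)
    # A total-balance check alone: money neither created nor destroyed.
    conserved = abs(sum(before.values()) - sum(after.values())) < 1e-9
    return {"changes": changes, "unexpected": unexpected, "conserved": conserved}


def run_demo(routine):
    """Run one constructed transfer on a fresh copy of DB under the audit wrapper."""
    return audited_run(deepcopy(DB), routine, "ACC-1", "ACC-2", 100.0)


if __name__ == "__main__":
    print("correct routine:", run_demo(transfer))
    print("defective routine:", run_demo(transfer_misposted_fee))
```

Both runs conserve the total, so a control that only compares totals before and after would pass the defective routine; the snapshot diff exposes the extra record it touched, and the `unexpected` list is what the embedded routine would write to the audit trail.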
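A check for the "Segregation of Systems Duties" slide, as an added example that is not from the lecture notes. The nine duties are the ones the slide lists; the set of incompatible pairs and the staff assignments are assumptions constructed for the example, since the slide names the duties but not which combinations an organisation treats as conflicting. The check reports every person holding both sides of an assumed conflict, and separately any duty nobody holds.

```python
"""Segregation-of-systems-duties check.

Added example; not from the lecture notes. The nine duties are the ones the
slide lists; the incompatible pairs and the staff assignments are assumptions
constructed for the example (an organisation would define its own matrix).
"""

DUTIES = [
    "Systems Administration", "Network Management", "Security Management",
    "Change Management", "Systems Analysis", "Programming/Development",
    "Test and Validation", "Computer Operations", "Data Control",
]

# Assumed incompatible pairs: one person holding both sides could make an
# unauthorised change and also approve it, run it in production, or hide it.
CONFLICTS = {
    frozenset({"Programming/Development", "Computer Operations"}),
    frozenset({"Programming/Development", "Test and Validation"}),
    frozenset({"Programming/Development", "Change Management"}),
    frozenset({"Systems Administration", "Security Management"}),
    frozenset({"Computer Operations", "Data Control"}),
}

# Constructed staff-to-duty assignments.
ASSIGNMENTS = {
    "alice": {"Systems Analysis", "Programming/Development"},
    "bob": {"Programming/Development", "Computer Operations"},
    "carol": {"Systems Administration", "Security Management"},
    "dave": {"Network Management", "Change Management"},
}


def sod_violations(assignments, conflicts=CONFLICTS):
    """Return (person, (duty_a, duty_b)) for every incompatible pair one person holds."""
    found = []
    for person, duties in assignments.items():
        unknown = set(duties) - set(DUTIES)
        if unknown:
            raise ValueError(f"{person}: unknown duties {sorted(unknown)}")
        for pair in conflicts:
            if pair <= set(duties):
                found.append((person, tuple(sorted(pair))))
    return sorted(found)


def unassigned_duties(assignments):
    """Duties nobody holds: a coverage gap rather than a conflict."""
    held = set().union(*assignments.values()) if assignments else set()
    return [d for d in DUTIES if d not in held]


if __name__ == "__main__":
    for person, pair in sod_violations(ASSIGNMENTS):
        print(f"conflict: {person} holds {pair[0]} and {pair[1]}")
    print("unassigned:", unassigned_duties(ASSIGNMENTS))
```

Run against the constructed assignments, the check flags bob (development plus operations) and carol (systems administration plus security management) and reports that nobody holds Test and Validation or Data Control. Where headcount makes a conflict unavoidable, the control environment slide's compensating measures (adequate supervision, dual control, job rotation) are the usual fallback.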


OSU BA 378 - LECTURE NOTES