
Chapter 15: IT Controls Part I: Sarbanes-Oxley and IT Governance

Computer Fraud

Computer fraud includes:

1. Theft, misuse or misappropriation of assets by altering computer-readable records and files
2. Theft, misuse or misappropriation of assets by altering the logic of computer software
3. Theft or illegal use of computer-readable information
4. Theft, corruption, illegal copying, or intentional destruction of computer software
5. Theft, misuse or misappropriation of computer hardware

* Application controls – ensure the validity, completeness and accuracy of financial transactions
* General controls – apply to all systems; include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes

Data Collection

- First operational stage in the information system
- Control objective: ensure that event data entering the system are valid, complete and free from material errors
- The data collection stage is the most common access point for perpetrating computer fraud
- Data collection frauds require little or no computer skill, but they do require poorly designed controls; the perpetrator need only understand how the system works and where its control weaknesses lie
- The fraudulent act consists of entering falsified data into the system: deleting, altering or creating a transaction
- EX: payroll fraud; disbursing cash in payment of false accounts payable by entering false supporting documents
- Masquerading – a perpetrator gains access to the system from a remote site by pretending to be an authorized user (typically with a stolen ID and password)
- Piggybacking – a perpetrator at a remote site taps into the telecommunication lines and latches on to an authorized user who is logging on; once that user has been authenticated, the intruder rides the session
- Hacking – may involve either technique; the hacker is usually motivated by the challenge of breaking into the system rather than by theft of assets
Data Processing
- Includes mathematical algorithms used for production scheduling applications, statistical techniques,
forecasting, etc
- Program fraud –
o Create illegal programs that can access data files to alter, delete or insert values into accounting records
o Destroying or corrupting a program’s logic using a computer virus
o Altering program logic to cause the application to process data incorrectly
- Example: the program a bank uses to calculate interest on deposit accounts. Interest computed on a balance rarely comes out to a whole cent, so the program rounds; the honest program adds the leftover cent to a randomly chosen account
- Salami fraud: modifying the rounding logic so the program no longer adds the one cent randomly; the modified program always adds the extra cent to the perpetrator's account. Each slice is too small to notice and the control totals still balance, but over thousands of accounts and postings the total is material
- Operations fraud – misuse or theft of the firm's computer resources; typically involves using the computer to conduct personal business
- Examples: a programmer uses the firm's computer time to write software that he sells commercially; a CPA uses the company's computer to prepare tax returns and financial statements for her private clients; a lawyer uses the firm's computer to perform searches for private clients and charges the time to the organization
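The salami fraud above, worked through as an added example (not code from the textbook): the same interest-posting routine with the honest rounding rule and with the perpetrator's modification side by side, plus the detective control that catches it. The control total of posted interest balances in both cases, which is exactly why a total alone is not enough; what exposes the fraud is the distribution of rounding cents across accounts over many postings. Account numbers, balances and the rate are constructed.

```python
"""Bank interest posting with fractional-cent rounding: the honest program, the
salami modification, and the reconciliation control that catches it.
Added example; account balances, rate and account numbers are constructed."""
from decimal import Decimal, ROUND_DOWN
import random

CENT = Decimal("0.01")
RATE = Decimal("0.0375")          # constructed annual rate, posted monthly
PERPETRATOR = "1004"              # constructed: the programmer's own account
ACCOUNTS = {                      # constructed balances in dollars
    "1001": Decimal("1234.56"),
    "1002": Decimal("987.65"),
    "1003": Decimal("5000.00"),
    "1004": Decimal("42.42"),
}
RNG = random.Random(7)            # seeded so the honest run is reproducible


def exact_interest(balances, rate):
    """Interest to full precision; most amounts are not whole cents."""
    return {acct: bal * rate / 12 for acct, bal in balances.items()}


def post_interest(balances, rate, pick_account):
    """Truncate each account's interest to whole cents. The fractions left over
    are accumulated and, each time they reach a cent, that cent is credited to
    the account returned by pick_account(). The control total is the same
    whichever account receives the cent."""
    exact = exact_interest(balances, rate)
    posted = {a: v.quantize(CENT, rounding=ROUND_DOWN) for a, v in exact.items()}
    leftover = sum(exact.values()) - sum(posted.values())
    while leftover >= CENT:
        posted[pick_account(list(balances))] += CENT
        leftover -= CENT
    return posted


def honest_target(accounts):
    """Original logic: the leftover cent goes to a randomly chosen account."""
    return RNG.choice(accounts)


def salami_target(accounts):
    """Modified logic: the leftover cent always goes to the perpetrator."""
    return PERPETRATOR


def rounding_credits(balances, rate, pick_account, periods):
    """Count how many rounding cents each account received over `periods` postings."""
    counts = {a: 0 for a in balances}
    for _ in range(periods):
        exact = exact_interest(balances, rate)
        posted = post_interest(balances, rate, pick_account)
        for a in balances:
            truncated = exact[a].quantize(CENT, rounding=ROUND_DOWN)
            counts[a] += int((posted[a] - truncated) / CENT)
    return counts


def flag_salami(counts, tolerance=3.0):
    """Detective control: rounding cents should spread across accounts. Return
    the accounts holding more than `tolerance` times their fair share."""
    fair_share = sum(counts.values()) / len(counts)
    return sorted(a for a, c in counts.items() if c > tolerance * fair_share)


if __name__ == "__main__":
    for label, target in (("honest", honest_target), ("salami", salami_target)):
        posted = post_interest(ACCOUNTS, RATE, target)
        print(label, "control total", sum(posted.values()),
              "flagged", flag_salami(rounding_credits(ACCOUNTS, RATE, target, 50)))
```

Run it and both versions report the same control total; only the salami run flags account 1004. An auditor's test of this control is therefore a distribution test on rounding credits per account, not a footing of the interest expense.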
Database Management – physical repository for financial and nonfinancial data
- Database management fraud includes altering, deleting, corrupting, destroying or stealing an organization’s data
- Associated with transaction or program fraud
- TECHNIQUE: access the database from a remote site and browse the files for useful information that can be
copied and sold to competitors
- Ex: insert destructive routine called a LOGIC BOMB into a program; at a specified time, the logic bomb erases the
data files that the program accesses

Information Generation – process of compiling, arranging, formatting and presenting information to users (sales orders, published financial statements, reports)
- Steal, misdirect or misuse computer output
- SCAVENGING – involves searching through the trash of the computer center for discarded output
- EAVESDROPPING – involves listening to output transmissions over telecommunication lines

IT GOVERNANCE CONTROLS
- Broad concept relating to the decision rights and accountability for encouraging desirable behavior in the use of
IT

Organizational Structure Controls


- Operational tasks should be segregated so as to:
o Segregate the task of transaction authorization from transaction processing
o Segregate record keeping from asset custody
o Divide transaction-processing tasks among individuals so that fraud requires collusion between two or more people
SEGREGATION OF DUTIES WITHIN THE CENTRALIZED FIRM

Separating systems development from computer operations

- The responsibilities of systems developers and operations staff should not be commingled; developers should not be involved in the day-to-day operation of the systems they built
- Rationale: a developer with detailed knowledge of an application's logic and control parameters, plus operator access to the system and its utilities, could make unauthorized changes to the application while it is running

Separating the database administrator from other functions

- The DBA is responsible for a number of critical tasks pertaining to database security: creating the database schema and user views, assigning database access authority to users, monitoring database usage and planning for future expansion
o Separating the DBA from systems development
 Programmers create applications that access, update and retrieve data from the database; each application needs a user view (subschema), which the DBA should define in agreement with the programmer
 Assigning responsibility for user view definition to individuals with programming responsibility removes the need to seek that agreement and thus effectively erodes access control over the DBMS

Separating new systems development from maintenance

- Two groups:
o Systems analysis – works with the user to produce a detailed design of the new system
o Programming group – codes the programs according to these design specifications
- Under this structure the programmer who codes the original programs also maintains them, which promotes two potential problems:
 Inadequate documentation – poor-quality systems documentation, for two reasons: (1) systems professionals prefer to move on to an exciting new project rather than document the one just completed; (2) job security – a programmer who alone understands the system retains bargaining power. When that programmer leaves the firm, a new programmer inherits maintenance responsibility for the undocumented system, and the transition period is costly
 Program fraud – making unauthorized changes to program modules for the purpose of committing an illegal act; when the original programmer is also the maintenance programmer, nobody else ever reviews the code, so the programmer can shield the fraudulent logic from detection indefinitely
A superior structure for systems development
- New systems development group – responsible for designing, programming and implementing new systems projects
- Systems maintenance group – takes over the system's ongoing maintenance once it is implemented. Benefits:
o Documentation standards are improved, because the maintenance group cannot take over a system without adequate documentation
o The original programmer is denied future access to the program, so any fraudulent code would have to survive review by the maintenance group

The distributed model (distributed data processing, DDP) – has the effect of consolidating some computer functions that are traditionally separated, and distributing some functions that are consolidated under the centralized model. Control concerns:
 Incompatibility – distributing responsibility for the purchase of software and hardware can result in uncoordinated and poorly conceived decisions
 Redundancy – autonomous systems development activities throughout the firm can result in redundant applications and databases
 Consolidating incompatible activities – redistribution of IT functions to user areas creates many very small units, in which tasks that should be segregated end up with the same person
 Difficulty acquiring qualified professionals – end-user managers may lack the IT knowledge to evaluate the technical credentials and experience of candidates for IT positions
 Lack of standards – standards for developing and documenting systems, choosing programming languages and acquiring hardware and software may be unevenly applied or nonexistent across units
The control problems associated with DDP can be overcome by implementing a CORPORATE IT FUNCTION
 Central testing of commercial software and hardware – a corporate IT group evaluates the merits of competing vendor software and hardware on behalf of the user areas
 User services – provides technical help to users during the installation of new software and in troubleshooting problems
 Standard-setting body – establishes and distributes to the user areas appropriate standards for systems development, programming and documentation
 Personnel review – reviews the technical credentials of prospective systems professionals before user areas make hiring decisions
Audit objectives relating to organizational structure
 The auditor's objective is to verify that individuals in incompatible areas are segregated in accordance with the level of potential risk, and in a manner that promotes formal rather than casual relationships between incompatible tasks
(Audit procedures: see textbook p. 666)
COMPUTER CENTER SECURITY AND CONTROLS
Computer center controls
 Physical location – should be located away from human-made and natural hazards
 Construction – ideally a single-story building of solid construction with controlled access
 Access – should be limited to the operators and other employees who work there
 Air conditioning – 70–75 degrees Fahrenheit and 50% relative humidity
 Fire suppression – automatic and manual alarms, an automatic extinguishing system that dispenses the appropriate suppressant, manual fire extinguishers, clearly marked exits and fire-resistant building materials
 Fault tolerance controls – the ability of the system to continue operation when part of the system fails because of a hardware failure, application program error or operator error
o RAID (redundant arrays of independent disks) – parallel disks that contain redundant elements of data and applications; lost data are automatically reconstructed from the other disks
o Uninterruptible power supplies – help prevent data loss and system corruption in the event of a power supply failure
Audit objectives
1. Physical security controls are adequate to reasonably protect the organization from physical exposures
2. Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center
3. Operator documentation is adequate to deal with routine operations as well as system failures

DISASTER RECOVERY PLANNING


Disaster recovery plan – comprehensive statement of all actions to be taken before, during and after a disaster, along with documented, tested procedures that will ensure the continuity of operations
Providing second-site backup (offsite backup facilities)
- Provides duplicate data processing facilities following a disaster
 The empty shell, or cold site, plan – an arrangement wherein a company buys or leases a building that will serve as a data center; the shell has the utilities and floor space but no computer equipment, so recovery requires acquiring and installing hardware after the disaster
 Recovery operations center (ROC), or hot site – a fully equipped backup data center that many companies share; because it is shared, a widespread disaster may create competition among members for the facility
 Internally provided backup – a mirrored data center. Example: a backup facility equipped with high-capacity storage devices capable of storing more than 20 terabytes of data and two IBM mainframes running high-speed copy software; all transactions that the main system processes are transmitted in real time along fiber-optic cables to the remote backup facility
Performing backup and offsite storage procedures
- Backup data files – databases should be copied daily to tape or disk and secured offsite
- Backup documentation – system documentation for critical applications should be backed up and stored offsite in much the same manner as data files; computer-aided software engineering (CASE) documentation tools make this easier
- Backup supplies and source documents – maintain backup inventories of supplies and source documents
OPERATING SYSTEM CONTROLS
Operating system security – involves policies, procedures and controls that determine who can access the operating system, which resources they can access and what actions they can take
- Log-on procedure – the OS's first line of defense against unauthorized access; the user supplies an ID and password, which the system checks against its file of valid users
- Access token – if the log-on attempt is successful, the OS creates an access token that contains key information about the user (ID, user group, privileges granted); this token is used to approve all actions the user attempts during the session
- Access control list – assigned to each IT resource; contains information that defines the access privileges for all valid users of the resource. When a user attempts to access the resource, the system compares his or her ID and privileges contained in the access token with those contained in the access control list
- Discretionary access privileges – the central system administrator usually determines who is granted access to specific resources; in distributed systems, however, resource owners (end users) may be allowed to grant access privileges to other users, and this discretionary granting needs to be closely supervised
Operating system controls and tests of controls
- Controlling access privileges – user access privileges are assigned to individuals and to entire workgroups authorized to use the system; privileges should be consistent with the segregation of incompatible functions
- Audit procedures relating to access privileges
o Password control
 Password – a secret code the user enters to gain access to systems, applications, data files or a network server
 Reusable passwords – the user defines the password to the system once and then reuses it to gain future access; weak when short, guessable or shared, and useful to anyone who captures it
 One-time passwords – the user's password changes continuously; a new value is generated for each log-on (e.g. by a time-based token the user carries), so a captured password is useless afterwards
- Controlling against malicious and destructive programs
o Types of malicious programs
 Virus – a program that attaches itself to a legitimate program to penetrate the operating system and destroy application programs, data files and the operating system itself; it spreads throughout the host system, and to other systems, before it does its damage
 Worm – a program that burrows into the computer's memory and replicates itself into areas of idle memory; it systematically occupies memory until the memory is exhausted and the system fails
 Logic bomb – a destructive program that some predetermined event triggers (e.g. a specified date)
 Back door – a program that allows unauthorized access to a system without going through the normal log-on procedure
 Trojan horse – a program whose purpose is to capture IDs and passwords from unsuspecting users; it is designed to mimic the normal log-on procedure of the OS
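The log-on, access token and access control list sequence described above, together with a one-time password and a discretionary grant, as one added example (not code from the textbook or from any real operating system). The one-time password is RFC 6238 TOTP computed with the standard library; the users, shared secrets, groups, resources and ACL are constructed, and the current time is passed in by the caller rather than read from the clock so the run is reproducible.

```python
"""Operating-system access control as the notes describe it: log-on procedure,
access token, access control list, discretionary grants. Added example; users,
secrets, groups and the ACL are constructed. The one-time password is RFC 6238
TOTP computed with the standard library."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed user store: a per-user shared secret for one-time passwords and group memberships
USER_SECRETS = {"alice": b"alice-shared-secret-0123", "bob": b"bob-shared-secret-4567"}
GROUPS = {"alice": {"payroll"}, "bob": {"operators"}}
STEP = 30  # seconds per one-time password


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 one-time password: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass(frozen=True)
class AccessToken:
    """Issued once at log-on; every later access decision is made from it."""
    user: str
    groups: frozenset


def log_on(user: str, code: str, now: int):
    """First line of defense: verify the one-time password (current or previous
    step, to tolerate clock skew) and issue an access token, or None."""
    secret = USER_SECRETS.get(user)
    if secret is None:
        return None
    valid = any(hmac.compare_digest(totp(secret, now - skew), code) for skew in (0, STEP))
    return AccessToken(user, frozenset(GROUPS.get(user, ()))) if valid else None


# Constructed ACL: owner plus permitted actions per principal (user or group)
ACL = {
    "payroll.dat": {"owner": "alice", "entries": {"alice": {"read", "write"}, "payroll": {"read"}}},
    "console.log": {"owner": "root", "entries": {"operators": {"read"}}},
}


def authorize(token, resource: str, action: str) -> bool:
    """Compare the token's user and groups with the resource's access control list."""
    acl = ACL.get(resource)
    if token is None or acl is None:
        return False
    principals = {token.user, *token.groups}
    return any(action in acl["entries"].get(p, ()) for p in principals)


def grant(token, resource: str, grantee: str, action: str) -> bool:
    """Discretionary access privilege: only the resource owner may extend access."""
    acl = ACL.get(resource)
    if token is None or acl is None or acl["owner"] != token.user:
        return False
    acl["entries"].setdefault(grantee, set()).add(action)
    return True
```

A stale one-time code (more than one step old) is rejected even though it was once valid, which is the property that makes a captured password useless; and the grant call shows why discretionary privileges need supervision: a single owner decision widens the ACL for everyone who later presents a matching token.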
BACKUP CONTROLS
- GPC (grandparent-parent-child) backup technique – used in sequential file batch systems. The backup procedure begins when the current master file (the parent) is processed against the transaction file to produce a new, updated master file (the child). With the next batch of transactions the child becomes the current master and the original parent becomes the backup (grandparent) file; the transaction files are retained with each generation so that a destroyed master can be regenerated from its parent
- Direct access file backup – direct access files are updated in place, so the update destroys the old values and no new generation is produced; backup therefore requires periodically copying the file and logging the transactions processed since the copy, so the file can be reconstructed
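The GPC technique as an added, runnable example (not from the textbook): each batch run produces a child master, the three newest generations are retained with the transaction file that produced each, and recovery rebuilds a destroyed master by reprocessing its parent against that transaction file without ever reading the lost copy. The master records and batches are constructed.

```python
"""Grandparent-parent-child (GPC) backup for a sequential batch system. Each
batch run reads the current master and the transaction file and writes a new
master (the child); older generations are kept, with the transaction files
that produced them, so a lost master can be regenerated. Added example;
the master records and batches are constructed."""

# Constructed balances master (account -> balance) and two transaction batches
MASTER_0 = {"A": 100, "B": 250, "C": 75}
BATCH_1 = [("A", +50), ("C", -25)]
BATCH_2 = [("B", -100), ("A", -10)]


def update(master, batch):
    """One batch run: old master + transaction file -> new master (the child)."""
    child = dict(master)
    for acct, amount in batch:
        child[acct] = child.get(acct, 0) + amount
    return child


class GPCBackup:
    """Retains the newest `retain` generations (child, parent, grandparent by
    default) together with the transaction file that produced each one."""

    def __init__(self, master, retain=3):
        self.retain = retain
        self.generations = [(dict(master), None)]  # (master copy, batch that produced it)

    def run_batch(self, batch):
        current, _ = self.generations[-1]
        child = update(current, batch)
        self.generations.append((child, list(batch)))
        del self.generations[:-self.retain]        # the great-grandparent is scratched
        return child

    @property
    def current(self):
        return self.generations[-1][0]

    def recover(self, lost=-1):
        """Rebuild generation `lost` (default: the current master) by
        reprocessing its parent against the retained transaction file, without
        reading the lost copy at all."""
        if len(self.generations) + lost < 1:
            raise RuntimeError("no parent generation retained for this master")
        parent, _ = self.generations[lost - 1]
        _, batch = self.generations[lost]
        return update(parent, batch)
```

Two points the bullet above leaves implicit fall out of the code: the transaction file is part of the backup, not just the master (without `batch` the parent alone cannot reproduce the child), and the retention depth bounds how far back recovery can go, so the oldest retained generation must itself be protected by the periodic offsite copy.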

SYSTEM AUDIT TRAIL CONTROLS – logs that record activity at the system, application and user level; the OS allows management to select the level of auditing to be recorded in the log
- Keystroke monitoring – involves recording both the user's keystrokes and the system's responses; may be used after the fact to reconstruct the details of an event, or as a real-time control to prevent unauthorized intrusion. It is the computer equivalent of a telephone wiretap, so it may be regarded as an invasion of privacy and must be justified and disclosed
- Event monitoring – summarizes key activities related to system resources; typically records the IDs of all users accessing the system, the time and duration of each session, the programs executed and the files and resources accessed
System audit trail objectives, in three ways
1. Detecting unauthorized access – protect the system from outsiders attempting to breach system controls and from insiders exceeding their privileges
2. Reconstructing events – reconstruct the steps that led to a system failure, security violation or error, to help avoid similar mistakes
3. Personal accountability – individuals are less likely to violate policy when they know their actions are being logged
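The three audit trail objectives above, run over a constructed event-monitoring log as an added example (the log format and entries are made up for this illustration and are not from any real operating system): a detection rule for repeated failed log-ons followed by a success, session reconstruction from log-on to log-off, and attribution of file actions to user IDs.

```python
"""System audit trail controls: parse constructed event-monitoring log lines,
detect unauthorized access attempts, reconstruct sessions and attribute
actions to individuals. Added example; the log format and entries are
constructed, not from any real operating system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: one event per line, key=value fields
AUDIT_LOG = """\
2024-03-01T08:00:01 LOGON user=alice src=10.0.0.5 result=success
2024-03-01T08:00:05 FILE user=alice path=/data/payroll.dat action=read
2024-03-01T08:01:00 LOGOFF user=alice
2024-03-01T22:10:00 LOGON user=bob src=203.0.113.9 result=failure
2024-03-01T22:10:07 LOGON user=bob src=203.0.113.9 result=failure
2024-03-01T22:10:15 LOGON user=bob src=203.0.113.9 result=failure
2024-03-01T22:10:40 LOGON user=bob src=203.0.113.9 result=success
2024-03-01T22:11:02 FILE user=bob path=/data/payroll.dat action=write
2024-03-01T22:12:30 LOGOFF user=bob
"""

LINE = re.compile(r"^(\S+) (\w+)(.*)$")


def parse(log_text):
    """Return (timestamp, event kind, fields) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Detecting unauthorized access: `threshold` or more failed log-ons from
    one source within `window`, followed by a success, looks like a guessed
    or brute-forced password and is reported as (source, user, failures)."""
    recent = defaultdict(list)
    alerts = []
    for ts, kind, f in events:
        if kind != "LOGON":
            continue
        src = f["src"]
        recent[src] = [t for t in recent[src] if ts - t <= window]
        if f["result"] == "failure":
            recent[src].append(ts)
        elif len(recent[src]) >= threshold:
            alerts.append((src, f["user"], len(recent[src])))
            recent[src].clear()
    return alerts


def reconstruct_sessions(events):
    """Reconstructing events: pair each successful LOGON with its LOGOFF and
    list everything the user did in between."""
    open_sessions, sessions = {}, []
    for ts, kind, f in events:
        user = f.get("user")
        if kind == "LOGON" and f["result"] == "success":
            open_sessions[user] = {"user": user, "src": f["src"], "start": ts, "actions": []}
        elif kind == "LOGOFF" and user in open_sessions:
            s = open_sessions.pop(user)
            s["duration_s"] = int((ts - s["start"]).total_seconds())
            sessions.append(s)
        elif kind != "LOGON" and user in open_sessions:
            open_sessions[user]["actions"].append((kind, f.get("path"), f.get("action")))
    return sessions


def who_touched(events, path):
    """Personal accountability: which user IDs acted on a given file."""
    return sorted({f["user"] for _, kind, f in events if kind == "FILE" and f.get("path") == path})
```

The detection rule keys on the source address rather than the user ID, because an intruder guessing passwords may rotate through several accounts from one place; the threshold and window are tuning knobs that trade missed attacks against false alarms, and the test below shows that raising the threshold to four silences this particular burst.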

DATABASE MANAGEMENT CONTROL


- Access controls
o User views – the subschema; a subset of the total database that defines the user's data domain and restricts his or her access to the database accordingly
o Database authorization table – contains rules that limit the actions a user can take (read, insert, modify, delete) on each object
o User-defined procedures – allow the user to create a personal security program or routine to provide more positive user identification than a password alone can (e.g. a series of personal questions)
o Data encryption – uses an algorithm to scramble selected data, making it unreadable to an intruder browsing the database
o Biometric devices – measure various personal characteristics such as fingerprints, voiceprints and retina prints
BACKUP CONTROLS
- Database backup – makes a periodic backup of the entire database
- Transaction log (journal) – provides an audit trail of all processed transactions; lists the transactions in a transaction log file and records the resulting changes to the database in a separate database change log
- Checkpoint feature – suspends all data processing while the system reconciles the transaction log and the database change log against the database; checkpoints are typically taken several times an hour
- Recovery module – uses the logs and backup files to restart the system after a failure
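The four backup controls above, as one added example (not the textbook's code and not any real DBMS): a journaled store whose writes are buffered per transaction and applied at commit, a checkpoint that writes a consistent image into the journal, a full backup, and a recovery module that starts from the latest checkpoint, redoes transactions committed after it and discards the one that was still in flight when the crash hit. Keys and values are constructed.

```python
"""Database backup controls: a periodic backup, a transaction log (journal),
a checkpoint, and a recovery module that restores the database after a failure.
Writes are buffered per transaction and applied at commit, so the database
only ever holds committed values. Added example; records are constructed."""
import copy


class JournaledDB:
    def __init__(self):
        self.data = {}
        self.log = []          # the journal: BEGIN / WRITE / COMMIT / CHECKPOINT records
        self.pending = {}      # txid -> writes buffered until commit
        self.backup = {}       # last full backup of the database
        self.next_tx = 1

    def begin(self):
        tx = self.next_tx
        self.next_tx += 1
        self.pending[tx] = {}
        self.log.append(("BEGIN", tx))
        return tx

    def write(self, tx, key, value):
        self.log.append(("WRITE", tx, key, value))   # write-ahead: journal first
        self.pending[tx][key] = value

    def commit(self, tx):
        self.data.update(self.pending.pop(tx))
        self.log.append(("COMMIT", tx))

    def checkpoint(self):
        """Suspend processing and write a consistent image of the database into
        the journal; recovery can start here instead of at the full backup."""
        self.log.append(("CHECKPOINT", copy.deepcopy(self.data)))

    def take_backup(self):
        self.backup = copy.deepcopy(self.data)

    def crash(self):
        """Simulated failure: memory-resident data and buffers are lost, the journal survives."""
        self.data, self.pending = {}, {}


def recover(log, backup):
    """Recovery module: start from the latest checkpoint image (else the backup),
    redo every transaction committed after that point in commit order, and
    drop the writes of transactions that never reached COMMIT."""
    state, start = copy.deepcopy(backup), 0
    for i, rec in enumerate(log):
        if rec[0] == "CHECKPOINT":
            state, start = copy.deepcopy(rec[1]), i + 1
    writes = {}
    for rec in log:                       # a transaction may have begun before the checkpoint
        if rec[0] == "WRITE":
            writes.setdefault(rec[1], []).append((rec[2], rec[3]))
    for rec in log[start:]:               # uncommitted writes are never applied
        if rec[0] == "COMMIT":
            for key, value in writes.get(rec[1], []):
                state[key] = value
    return state


def history(log, key):
    """Audit trail from the journal: every value written to `key`, and by which transaction."""
    return [(rec[1], rec[3]) for rec in log if rec[0] == "WRITE" and rec[2] == key]
```

The subtle case is a transaction that began before the checkpoint and committed after it: its WRITE records precede the checkpoint image, so recovery must scan the whole journal for the writes of every transaction whose COMMIT follows the checkpoint, which is what the second loop does.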

NETWORK CONTROLS
- Two forms of risk
o Risks from subversive threats – a computer criminal intercepting a message transmitted between sender and receiver; a hacker gaining unauthorized access to the organization's network; a denial-of-service attack from a remote location
o Risks from equipment failure – failures in the communication system can disrupt, destroy or corrupt transmissions between senders and receivers
Risks from subversive threats
1. Firewalls – a system that enforces access control between two networks; only authorized traffic between the organization and the outside is allowed to pass through the firewall. Firewalls insulate the organization from external networks and can also insulate portions of the intranet from internal access
- Network-level firewalls – provide efficient but low-security access control; consist of a screening router that examines the source and destination addresses attached to incoming message packets and accepts or denies access requests based on filtering rules. They do not inspect the message content
- Application-level firewalls – provide a higher level of customizable network security but add overhead to connectivity; configured to run security applications called proxies that permit routine services to pass through the firewall while inspecting and filtering the content of each session
2. Controlling denial-of-service attacks – clogging the Internet ports of the victim's server with fraudulently generated messages; the victim's transactions can be completely isolated from the Internet for the duration of the attack
a. Smurf attack – the attacker sends echo requests to a network's broadcast address with the victim's address spoofed as the source, so every host on that network replies to the victim; the targeted organization can program its firewall to ignore all communication from the attacking site
b. SYN flood attack – the attacker sends a stream of connection requests (SYN packets) but never completes the handshake, leaving half-open connections that exhaust the server's connection queue; IP spoofing disguises the source, so the victim's host sees these transmissions as coming from all over the Internet
c. Distributed denial-of-service (DDoS) attack – the victim's site is inundated with messages from thousands of zombie computers distributed across the Internet and controlled by the attacker
- Intrusion prevention systems (IPS) – monitor traffic to determine when an attack is in progress and block it
- Deep packet inspection – used by an IPS to identify and classify malicious packets based on a database of known attack signatures, and to drop them before they reach the target
3. Encryption – conversion of data into a secret code for storage in databases and transmission over networks
a. Private-key (symmetric) encryption – a single key known to both the sender and the receiver of the message
i. Advanced Encryption Standard (AES) – a block cipher operating on 128-bit blocks with 128-, 192- or 256-bit keys; the current standard for symmetric encryption
ii. Triple DES – an enhancement to an older encryption technique called the Data Encryption Standard (DES, 56-bit keys); applies DES three times and provides considerably improved security over single DES, at the cost of speed
1. EEE3 – uses three different keys to encrypt the message three times
2. EDE3 – encrypts with the first key, decrypts the result with a second key (which further scrambles it, since the key does not match), then encrypts again with a third key
b. Public-key (asymmetric) encryption – uses two different keys: one for encoding and one for decoding; the private key is kept secret and the public key is published
i. RSA (Rivest–Shamir–Adleman) – a highly secure public-key cryptography method; computationally intensive and much slower than DES or AES
ii. Digital envelope – combines both: the message is encrypted under a random symmetric (DES/AES) session key, and only the session key is encrypted with the recipient's RSA public key
4. Digital signature – electronic authentication that cannot be forged: the sender computes a digest of the message and encrypts it with his or her private key; the receiver decrypts it with the sender's public key and recomputes the digest, which ensures that the message was not tampered with after the signature was applied
5. Digital certificate – verifies the sender's identity: a trusted third party called a certification authority (CA) issues a certificate binding the sender's public key to the sender's identity, so the receiver knows which public key to use when checking the signature
6. Message sequence numbering – a sequence number inserted in each message; a message that is deleted, duplicated or delivered out of order is detected
7. Message transaction log – all incoming and outgoing messages are recorded, along with the user ID, time of access and terminal
8. Request-response technique – a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals; a break in the pattern indicates an intruder or a failed line
9. Call-back devices – require the dial-in user to enter a password and be identified; the system then breaks the connection and calls the user back at a pre-authorized telephone number
10. Controls for equipment failure – data communication errors caused by line errors; a message can be corrupted by noise on the communication lines
a. Echo check – the receiver returns the message to the sender; the sender compares the returned message with the original and retransmits if they differ
b. Parity check – incorporates an extra bit into the structure of a bit string when it is created or transmitted so that the number of 1 bits is even (or odd); a single flipped bit changes the parity and is detected, but two flipped bits in the same string cancel out and go unnoticed
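The encryption, digital envelope and digital signature items above (3, 4 and 5), worked as one added example that runs with the Python standard library only; it is not code from the textbook. Two substitutions are made so that nothing external is needed: RSA is the textbook (unpadded) version built on known Mersenne primes rather than randomly generated ones, and a SHA-256 counter-mode keystream stands in for AES or DES as the symmetric cipher. The parties, keys and message are constructed. This is illustrative, not production cryptography: real systems pad RSA (OAEP for encryption, PSS for signatures) and use AES.

```python
"""Private-key encryption, public-key encryption, the digital envelope and the
digital signature, as described in the notes. Added example that runs with the
standard library only: textbook RSA (no padding) over known Mersenne primes, and
a SHA-256 counter-mode keystream standing in for AES/DES. Illustrative, not
production cryptography; parties, keys and the message are constructed."""
import hashlib
import secrets


def rsa_keypair(p, q, e=65537):
    """Public key (n, e) and private key (n, d) from two primes."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


# Known Mersenne primes stand in for randomly generated ones; each party has its own modulus
ALICE_PUB, ALICE_PRIV = rsa_keypair(2**89 - 1, 2**521 - 1)
BOB_PUB, BOB_PRIV = rsa_keypair(2**127 - 1, 2**607 - 1)


def symmetric_encrypt(key, data):
    """Private-key (single shared key) encryption: XOR with a keystream derived
    from the key and a block counter. A key must never be reused for a second
    message, which is why the envelope below draws a fresh one every time."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


symmetric_decrypt = symmetric_encrypt      # XOR with the same keystream undoes it


def seal_envelope(message, recipient_pub):
    """Digital envelope: the bulk message goes under a random session key (fast,
    symmetric); only the 32-byte session key goes through RSA (slow, asymmetric)."""
    n, e = recipient_pub
    session_key = secrets.token_bytes(32)
    sealed_key = pow(int.from_bytes(session_key, "big"), e, n)
    return symmetric_encrypt(session_key, message), sealed_key


def open_envelope(ciphertext, sealed_key, recipient_priv):
    """Only the holder of the recipient's private key recovers the session key."""
    n, d = recipient_priv
    session_key = pow(sealed_key, d, n).to_bytes(32, "big")
    return symmetric_decrypt(session_key, ciphertext)


def sign(message, signer_priv):
    """Digital signature: the sender's private key applied to a SHA-256 digest of the message."""
    n, d = signer_priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(message, signature, signer_pub):
    """Anyone holding the sender's public key can check the signature; any change
    to the message after signing, or a signature made with another key, fails."""
    n, e = signer_pub
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")
```

The tests below make the point the notes only state: a tampered ciphertext still decrypts, silently, to wrong bytes, because encryption alone gives confidentiality and not integrity; it is the signature check that fails on the altered message, and a digital certificate is what tells the receiver that `ALICE_PUB` really belongs to Alice.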
EDI CONTROLS (ELECTRONIC DATA INTERCHANGE)
