Chapter 1: Auditing and Internal Control and internal control assessments for compliance

with SOX
External audit - an independent attestation
performed by an expert—the auditor— who Internal auditing - an independent appraisal
expresses an opinion regarding the presentation function established within an organization to
of financial statement. examine and evaluate its activities as a service
to the organization.
- Also known as attest service which is
performed by Certified Public Internal auditors perform a wide range of
Accountants (CPAs) who work for public activities on behalf of the organization,
accounting firms that are independent including:
of the client organization being audited.
• Conducting financial audits
• Examining an operation’s compliance
- Key concept in this process is
with organizational policies
independence. The judge must remain
• Reviewing the organization’s
independent in his or her deliberations.
compliance with legal obligations
The rules in conducting financial audits to be • Evaluating operational efficiency
followed by an auditor have been defined by • Detecting and pursuing fraud within the
the following: firm.
• SEC Internal auditors are often certified as a
• Financial Accounting Standards Board Certified Internal Auditor (CIA) or a Certified
(FASB) Information Systems Auditor (CISA).
• American Institute of CPA (AICPA), and
While external auditors represent outsiders,
• By Federal law: Sarbanes– Oxley [SOX]
internal auditors represent the interests of the
Act of 2002
organization.
Attest service - defined as an engagement in
Fraud audits have, unfortunately, increased in
which a practitioner is engaged to issue, or does
popularity as a corporate governance tool. The
issue, a written communication that expresses a
objective of a fraud audit is to investigate
conclusion about the reliability of a written
anomalies and gather evidence of fraud that
assertion that is the responsibility of another
may lead to criminal conviction.
party.
Audit Committee - the board of directors of
Advisory services - professional services offered
publicly traded companies that form a
by public accounting firms to improve their
subcommittee which has special responsibilities
client organizations’ operational efficiency and
regarding audits. This committee usually
effectiveness. The domain of advisory services is
consists of three people who should be
intentionally unbounded so that it does not
outsiders and at least one member must be a
inhibit the growth of future services that are
“financial expert.”
currently unforeseen.
The product of the attestation function is a
Advisory services include actuarial advice,
formal written report that expresses an opinion
business advice, fraud investigation services,
about the reliability of the assertions contained
information system design and implementation,
in the financial statements as to whether these
are in conformity with GAAP.
Auditing standards are divided into three
classes:
General qualification standards
1. The auditor must have adequate
technical training and proficiency.
2. The auditor must have independence of
mental attitude.
3. The auditor must exercise due
professional care in the performance of
the audit and the preparation of the
report
Field work standards
1. Audit work must be adequately
planned.
2. The auditor must gain a sufficient
understanding of the internal control
structure.
3. The auditor must obtain sufficient,
competent evidence.
Reporting Standards
1. The auditor must state in the report
whether financial statements were
prepared in accordance with generally
accepted accounting principles.
2. The report must identify those
circumstances in which generally
accepted accounting principles were not
applied.
3. The report must identify any items that
do not have adequate informative
disclosures.
4. The report shall contain an expression of
the auditor’s opinion on the financial
statements as a whole.
Statements on Auditing Standards are regarded
as authoritative pronouncements because every
member of the profession must follow their
recommendations or be able to show why a SAS
does not apply in a given situation.
Conducting an audit is a systematic and logical
process that applies to all forms of information
systems.
The task of the auditor is to determine whether
the financial statements are fairly presented.
To accomplish this goal, the auditor establishes
audit objectives, designs procedures, and
gathers evidence that corroborate or refute
management’s assertions.
These assertions fall into five general categories:
1. The existence or occurrence assertion affirms
that all assets and equities contained in the
balance sheet exist and that all transactions in
the income statement occurred.
2. The completeness assertion declares that no
material assets, equities, or transactions have
been omitted from the financial statements.
3. The rights and obligations assertion maintain
that assets appearing on the balance sheet are
owned by the entity and that the liabilities
reported are obligations.
4. The valuation or allocation assertion states
that assets and equities are valued in
accordance with GAAP and that allocated
amounts such as depreciation expense are
calculated on a systematic and rational basis.
5. The presentation and disclosure assertion
alleges that financial statement items are
correctly classified (e.g., long-term liabilities will
not mature within one year) and that footnote
disclosures are adequate to avoid misleading
the users of financial statements.
Evidence is collected by performing tests of
controls, which establish whether internal
controls are functioning properly, and
substantive tests, which determine whether
accounting databases fairly reflect the
organization’s transactions and account
balances.
Audit opinion – included in an audit report
among other things. This opinion is distributed
along with the financial report to interested
parties both internal and external to the
organization.
Audit risk - the probability that the auditor will
render an unqualified (clean) opinion on
financial statements that are, in fact, materially
misstated. Material misstatements may be
caused by errors or irregularities or both.
Acceptable audit risk (AR) is estimated based
on the ex ante value of the components of the
audit risk model.
Inherent risk - associated with the unique
characteristics of the business or industry of the
client. Firms in declining industries have greater
inherent risk than firms in stable or thriving
industries.
Control risk - the likelihood that the control
structure is flawed because controls are either
absent or inadequate to prevent or detect
errors in the accounts.
Detection risk - the risk that auditors are willing
to take that errors not detected or prevented by
the control structure will also not be detected
by the auditor.
Tests of controls and substantive tests are
auditing techniques used for reducing audit risk
to an acceptable level. The stronger the internal
control structure, as determined through tests of
controls, the lower the control risk and the less
substantive testing the auditor must do.
THE STRUCTURE OF AN IT AUDIT:
1. Audit Planning - The first step in the IT audit
is audit planning. Before the auditor can
determine the nature and extent of the tests to
perform, he or she must gain a thorough
understanding of the client’s business. A major
part of this phase of the audit is the analysis of
audit risk.
2. Tests of Controls - The objective of the tests
of controls phase is to determine whether
adequate internal controls are in place and
functioning properly. To accomplish this, the
auditor performs various tests of controls.
3. Substantive Testing - The third phase of the
audit process focuses on financial data. This
phase involves a detailed investigation of
specific account balances and transactions
through what are called substantive tests.
Organization management is required by law to
establish and maintain an adequate system of
internal control.
BRIEF HISTORY OF INTERNAL CONTROL
LEGISLATION
The first was the Securities Act of 1933, which
had two main objectives: (1) require that
investors receive financial and other significant
information concerning securities being offered
for public sale; and (2) prohibit deceit,
misrepresentations, and other fraud in the sale
of securities. The second act, the Securities
Exchange Act, 1934, created the Securities and
Exchange Commission (SEC) and empowered it
with broad authority over all aspects of the
securities industry, which included authority
regarding auditing standards.
Copyright Law—1976 - This law, which has had
multiple revisions, added software and other
intellectual properties into the existing
copyright protection laws.
Foreign Corrupt Practices Act (FCPA) of 1977 -
Among its provisions, the FCPA requires
companies registered with the SEC to do the
following:
1. Keep records that fairly and reasonably
reflect the transactions of the firm and its
financial position.
2. Maintain a system of internal control that
provides reasonable assurance that the
organization’s objectives are met
Sarbanes–Oxley Act of 2002 - As a result of
several large financial frauds and the resulting
losses suffered by stockholders, pressure was
brought by the U.S. Congress to protect the
public from such events. This led to the passage
of the Sarbanes–Oxley Act (SOX) on July 30,
2002. In general, the law supports efforts to
increase public confidence in capital markets by
seeking to improve corporate governance,
internal controls, and audit quality.
INTERNAL CONTROL OBJECTIVES, PRINCIPLES,
AND MODELS
An organization’s internal control system
comprises policies, practices, and procedures to
achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of
accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s
prescribed policies and procedures
Management Responsibility - This concept
holds that the establishment and maintenance
of a system of internal control is a management
responsibility.
Limitations - Every system of internal control
has limitations on its effectiveness. These
include the following:
(1) the possibility of error — no system is
perfect,
(2) circumvention —personnel may circumvent
the system through collusion or other means,
(3) management override — management is in
a position to override control procedures by
personally distorting transactions or by directing
a subordinate to do so, and
(4) changing conditions—conditions may
change over time so that existing effective
controls may become ineffectual.
The internal control system should provide
reasonable assurance that the four broad
objectives of internal control are met. This
reasonableness means that the cost of achieving
improved control should not outweigh its
benefits.
THE PDC MODEL
Preventive controls are passive techniques
designed to reduce the frequency of occurrence
of undesirable events. Preventive controls force
compliance with prescribed or desired actions
and thus screen out aberrant events. Prevention
is the first line of defense in the control
structure
Detective controls are devices, techniques, and
procedures designed to identify and expose
undesirable events that elude preventive
controls. Detective controls reveal specific types
of errors by comparing actual occurrences to
preestablished standards. Detection of
problems is the second line of defense in the
control structure
Corrective Controls Corrective actions must be
taken to reverse the effects of detected errors.
There is an important distinction between
detective controls and corrective controls.
Detective controls identify undesirable events
and draw attention to the problem; corrective
controls actually fix the problem. For any
detected error, there may be more than one
feasible corrective action, but the best course of
action may not always be obvious.
COSO INTERNAL CONTROL FRAMEWORK
- COSO meaning → Committee of Sponsoring
Organizations

Five Components of COSO Framework:
1. Control Environment - the foundation for the
other four control components. The control
environment sets the tone for the organization
and influences the control awareness of its
management and employees.
SAS 109 requires that auditors obtain sufficient
knowledge to assess the attitude and awareness
of the organization’s management, board of
directors, and owners regarding internal control
2. Risk Assessment - Organizations must
perform a risk assessment to identify, analyze,
and manage risks relevant to financial
reporting. Risks can arise or change from
circumstances such as: Changes in the operating
environment that impose new or changed
competitive pressures on the firm, new
personnel who have a different or inadequate
understanding of internal control, etc.
3. Information and Communication - The
accounting information system consists of the
records and methods used to initiate, identify,
analyze, classify, and record the organization’s
transactions and to account for the related
assets and liabilities. The quality of information
that the accounting information system
generates impacts management’s ability to take
actions and make decisions in connection with
the organization’s operations and to prepare
reliable financial statements.
4. Monitoring – Management must determine
that internal controls are functioning as
intended. It is the process by which the quality
of internal control design and operation can be
assessed. This may be accomplished by separate
procedures or by ongoing activities.
5. Control activities - are the policies and
procedures used to ensure that appropriate
actions are taken to deal with the organization’s
identified risks. Control activities can be
grouped into two distinct categories: physical
controls and information technology (IT)
controls.
a. Physical Controls - This class of controls
relates primarily to the human activities
employed in accounting systems. These
activities may be purely manual, such as the
physical custody of assets, or they may involve
the physical use of computers to record
transactions or update accounts. Physical
controls do not relate to the computer logic that
performs accounting tasks. Rather, they relate
to the human activities that trigger and utilize
the results of those tasks.
Six Categories of Physical Control Activities
• Transaction Authorization - The
purpose of transaction authorization is
to ensure that all material transactions
processed by the information system
are valid and in accordance with
management’s objectives.
• Segregation of Duties - One of the most
important control activities is the
segregation of employee duties to
minimize incompatible functions.
Segregation of duties can take many
forms, depending on the specific duties
to be controlled.
• Supervision - Implementing adequate
segregation of duties requires that a
firm employ a sufficiently large number
of employees. Achieving adequate
segregation of duties often presents
difficulties for small organizations.
 • Accounting Records - The accounting
records of an organization consist of
source documents, journals, and
ledgers. These records capture the
economic essence of transactions and
provide an audit trail of economic
events. The audit trail enables the
auditor to trace any transaction through
all phases of its processing from the
initiation of the event to the financial
statements.
• Access Control - The purpose of access
controls is to ensure that only
authorized personnel have access to the
firm’s assets. Unauthorized access
exposes assets to misappropriation,
damage, and theft. Therefore, access
controls play an important role in
safeguarding assets.
• Independent Verification - Verification
procedures are independent checks of
the accounting system to identify errors
and misrepresentations. Verification
differs from supervision because it takes
place after the fact, by an individual
who is not directly involved with the
transaction or task being verified.
names in other frameworks, including
general computer controls and
information technology controls.
Chapter 2: Auditing IT Governance Controls
Information technology (IT) governance - is a
relatively new subset of corporate governance
that focuses on the management and
assessment of strategic IT resources. The key
objectives of IT governance are to reduce risk
and ensure that investments in IT resources add
value to the corporation.
Three IT governance issues that are addressed
by SOX and the COSO internal control
framework:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
STRUCTURE OF THE CORPORATE IT FUNCTION
I. Centralized Data Processing Model - all data
processing is performed by one or more large
computers housed at a central site that serves
users throughout the organization.

b. IT Controls - Information technology drives

the financial reporting processes of modern
organizations. Automated systems initiate,
authorize, record, and report the effects of
financial transactions. As such, they are
inextricable elements of the financial reporting
processes considered by SOX and need to be
controlled. COSO identifies two broad groupings
of IT controls:
• Application controls - ensure the
validity, completeness, and accuracy of a. Database Administration – Centrally
financial transactions. These controls organized companies maintain their data
are designed to be application specific. resources in a central location that is shared by
• General controls - they are not all end users.
application-specific but, rather, apply to
all systems. General controls have other
b. Data Processing - manages the computer
resources used to perform the day-to-day
processing of transactions. It consists of the
following organizational functions: data
control/data entry, computer operations, and
the data library.
• Data Control/Data Entry - The data
control/data entry function receives
hard copy source documents from end
users and transcribes these into digital
format for computer processing in
batch systems.
• Computer Operations - The electronic
files produced in data conversion are
later processed by the central
computer, which is managed by the
computer operations groups.
• Data Library - The data library is a room
adjacent to the computer center that
provides safe storage for the off-line
data files. Those files could be backups
or current data files. For instance, the
data library could be used to store
backup data on DVDs, CD-ROMs, tapes,
or other storage devices.
(Data librarian -responsible for the
receipt, storage, retrieval, and custody
of data files, controls access to the
library.)
c. Systems Development and Maintenance -
The information systems needs of users are met
by two related functions: system development
and systems maintenance. The former group is
responsible for analyzing user needs and for
designing new systems to satisfy those needs.
Participants in System development activities
include the ff:
1. Systems professionals - include systems
analysts, database designers, and programmers
who design and build the system.
2. End users - are those for whom the system is
built. They are the managers who receive
reports from the system and the operations
personnel who work directly with the system as
part of their daily responsibilities.
3. Stakeholders - are individuals inside or
outside the firm who have an interest in the
system but are not end users. They include
accountants, internal auditors, external
auditors, and others who oversee systems
development.
Maintenance - refers to making changes to
program logic to accommodate shifts in user
needs over time
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
Operational tasks should be segregated to:
1. Separate transaction authorization from
transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among
individuals such that short of collusion between
two or more individuals fraud would not be
possible.
A. Separating Systems Development from
Computer Operations
The segregation of systems development and
operations activities is of the greatest
importance. The relationship between these
groups should be extremely formal, and their
responsibilities should not be commingled.
Systems development and maintenance
professionals should create (and maintain)
systems for users, and should have no
involvement in entering data, or running
applications (i.e., computer operations).
Operations staff should run these systems and
have no involvement in their design.
B. Separating Database Administration from
Other Functions
Another important organizational control is the
segregation of the DBA from other computer
center functions. The DBA function is
responsible for a number of critical tasks
pertaining to database security, including
creating the database schema and user views,
assigning database access authority to users,
monitoring database usage, and planning for
future expansion. Delegating these
responsibilities to others who perform
incompatible tasks threatens database integrity.
C. Separating New Systems Development from
Maintenance
Some companies organize their in-house
systems development function into two groups:
(1) systems analysis and (2) programming. The
systems analysis group works with the users to
produce detailed designs of the new systems.
The programming group codes the programs
according to these design specifications.
This approach is associated with two types of
control problems:
• Inadequate documentation - Poor-
quality systems documentation is a
chronic IT problem and a significant
challenge for many organizations
seeking SOX compliance. There are at
least two explanations for this
phenomenon. First, documenting
systems is not as interesting as
designing, testing, and implementing
them. The second possible reason for
poor documentation is job security.
• Program fraud (Potential) - When the
original programmer of a system is also
assigned maintenance responsibility,
the potential for fraud is increased.
Program fraud involves making
unauthorized changes to program
modules for the purpose of committing
an illegal act.
The new systems development group is
responsible for designing, programming, and
implementing new systems projects. Upon
successful implementation, responsibility for
the system’s ongoing maintenance falls to the
systems maintenance group.
II. Distributed Model - An alternative to the
centralized model is the concept of distributed
data processing (DDP). Simply stated, DDP
involves reorganizing the central IT function into
small IT units that are placed under the control
of end users. The IT units may be distributed
according to business function, geographic
location, or both.
Risks Associated with DDP Advantages of DDP
Inefficient Use of Cost Reductions
Resources
Destruction of Audit Trails Improved Cost Control
Responsibility
Inadequate Segregation of Improved User Satisfaction
Duties
Hiring Qualified Backup Flexibility
Professionals
Lack of Standards
Note: An audit trail provides the linkage
between a company’s financial activities
(transactions) and the financial statements that
report on those activities.
Controlling the DDP Environment:
A. IMPLEMENT A CORPORATE IT FUNCTION
The completely centralized model and the
distributed model represent extreme positions
on a continuum of structural alternatives. The
needs of most firms fall somewhere between
these end points
• Central Testing of Commercial Software
and Hardware
• User Services
• Standard-Setting Body
• Personnel Review
Audit Objective - The auditor’s objective is to
verify that the structure of the IT function is
such that individuals in incompatible areas are
segregated in accordance with the level of
potential risk and in a manner that promotes a
working environment.
Audit Procedures – examples include: review
relevant documentation and review the current
organizational chart etc.
B. THE COMPUTER CENTER
Accountants routinely examine the physical
environment of the computer center as part of
their annual audit.
• Physical Location → directly affects the
risk of destruction to a natural or man-
made disaster. (ex. processing plants,
gas and water mains, airports, high-
crime areas, flood plains, and geological
faults)
• Construction → should be located in a
single-story building of solid
construction with controlled access
• Access → should be limited to the
operators and other employees who
work there. Physical controls, such as
locked doors, should be employed to
limit access to the center.
• Air Conditioning → Computers function
best in an air-conditioned environment,
and providing adequate air-conditioning
is often a requirement of the vendor’s
warranty.
• Fire Suppression → Fire is the most
serious threat to a firm’s computer
equipment. Many companies that suffer
computer center fires go out of business
because of the loss of critical records,
such as accounts receivable.
• Fault Tolerance → is the ability of the
system to continue operation when part
of the system fails because of hardware
failure, application program error, or
operator error.
(ex. Redundant arrays of independent
disks – RAID involves using parallel disks
that contain redundant elements of
data and applications; Uninterruptible
power supplies - Commercially
provided electrical power presents
several problems that can disrupt the
computer center operations, including
total power failures, brownouts, power
fluctuations, and frequency variations.)
• Audit Objectives → evaluate the
controls governing computer center
security.
• Audit Procedures → The following are
tests of physical security controls:
a. Tests of Physical Construction
b. Tests of the Fire Detection System
c. Tests of Access Control
d. Tests of RAID
e. Tests of the Uninterruptible Power
Supply
f. Tests for Insurance Coverage
C. DISASTER RECOVERY PLANNING
Disasters such as earthquakes, floods, sabotage,
and even power failures can be catastrophic to
an organization’s computer center and
information systems.
• Natural disaster - such as hurricanes,
widespread flooding, and earthquakes
are the most potentially devastating of
the three from a societal perspective
because they can simultaneously impact
many organizations within the affected
geographic area.
• Man-made disasters - such as sabotage
or errors, can be just as destructive to
an individual organization, but tend to
be limited in their scope of impact.
• System failures - such as power outages
or a hard drive failure are generally less
severe but are the most likely to occur.
The more dependent an organization is
on technology, the more susceptible it is to
these types of risks.
Companies develop recovery procedures and
formalize them into a disaster recovery plan
(DRP). All workable plans possess four common
features:
1. Identify critical applications - Recovery
efforts must concentrate on restoring
those applications that are critical to the
short-term survival of the organization
2. Create a disaster recovery team - The
team members should be experts in
their areas and have assigned tasks.
Following a disaster, team members will
delegate subtasks to their subordinates.
3. Provide (second) site backup - A
necessary ingredient in a DRP is that it
provides duplicate data processing
facilities following a disaster.
• Mutual Aid Pact - A mutual aid pact is
an agreement between two or more
organizations to aid each other with
their data processing needs in the event
of a disaster.
• Empty Shell - The empty shell or cold
site plan is an arrangement wherein the
company buys or leases a building that
will serve as a data center. In the event
of a disaster, the shell is available and
ready to receive whatever hardware the
temporary user needs to run essential
systems.
• Recovery Operations Center - A
recovery operations center (ROC) or hot
site is a fully equipped backup data
center that many companies share. In
addition to hardware and backup
facilities, ROC service providers offer a
range of technical services to their
clients, who pay an annual fee for
access rights.
• Internally Provided Backup - Larger
organizations with multiple data
processing centers often prefer the self-
reliance that creating internal excess
capacity provides.
4. Specify backup and off-site storage
procedures - All data files, applications,
documentation, and supplies needed to
perform critical functions should be
automatically backed up and stored at a
secure off-site location.
• Operating System Backup - procedures
for obtaining a current version of the
operating system need to be clearly
specified
 • Application Backup - purchasing backup
copies of the latest software upgrades
used by the organization
• Backup Data Files - remote mirrored
site, which provides complete data
currency; reconstruction of the
database is achieved by updating the
most current backed-up version with
subsequent transaction data
• Backup Documentation - backed up and
stored off-site along with the
applications
• Backup Supplies and Source
Documents - should create backup
inventories of supplies and source
documents used in processing critical
transactions
• Testing the DRP - The most neglected
aspect of contingency planning is
testing the DRP. Nevertheless, DRP tests
are important and should be performed
periodically. Tests measure the
preparedness of personnel and identify
omissions or bottlenecks in the plan.
OUTSOURCING THE IT FUNCTION
IT outsourcing include improved core business
performance, improved IT performance
(because of the vendor’s expertise), and
reduced IT costs.
Core Competency Theory - argues that an
organization should focus exclusively on its core
business competencies, while allowing
outsourcing vendors to efficiently manage the
non-core areas such as the IT functions.
Commodity IT assets - are not unique to a
particular organization and are thus easily
acquired in the marketplace. These include such
things as network management, systems
operations, server maintenance, and help-desk
functions.
Specific IT assets, in contrast, are unique to the
organization and support its strategic objectives.
Examples of specific assets include systems
development, application maintenance, data
warehousing, and highly skilled employees
trained to use organization-specific software.
Transaction Cost Economics (TCE) theory - is in
conflict with the core competency school by
suggesting that firms should retain certain
specific non-core IT assets in-house.
Cloud Computing - a variant of IT outsourcing; is
location-independent computing whereby
shared data centers deliver hosted IT services
over the Internet. It is a model for enabling
convenient, on-demand network access to a
shared pool of configurable computing
resources that can be rapidly provisioned and
released with minimal management effort or
service provider interaction.
Offers three primary classes of computing
services:
1. Software-as-a-Service (SaaS) is a
software distribution model in which
service providers host applications for
client organizations over a private
network or the Internet.
2. Infrastructure-as-a-Service (IaaS) is the
provision of computing power and disk
space to client firms who access it from
desktop PCs.
3. Platform-as-a-Service (PaaS) enables
client firms to develop and deploy onto
the cloud infrastructure consumer-
generated applications using facilities
provided by the PaaS vendor.
Virtualization - The technology that has
unleashed cloud computing. Virtualization
multiplies the effectiveness of the physical
system by creating virtual (software) versions of
the computer with separate operating systems
that reside in the same physical equipment. In
other words, virtualization is the concept of
running more than one “virtual computer” on
a single physical computer.
Network virtualization - increases effective
network bandwidth by dividing it into
independent channels, which are then assigned
to separate virtual computers. Network
virtualization optimizes network speed,
flexibility, and reliability; most importantly, it
improves network scalability.
Storage virtualization - is the pooling of physical
storage from multiple network storage devices
into what appears to be a single virtual storage
device.
Risks Inherent to IT Outsourcing:
• Failure to Perform
• Vendor Exploitation
• Outsourcing Costs Exceed Benefits
• Reduced Security
• Loss of Strategic Advantage
SSAE 16 Report Contents - The SSAE 16 attest
report provides a description of the service
provider’s system including details of how
transactions are processed and results are
communicated to their client organizations
The SSAE 16 standard was designed to address
the subservice organization issue. Two
reporting techniques are outlined next.
a. Carve-out Method. When using the
carve-out method, service provider
management would exclude the
subservice organization’s relevant
control objectives and related controls
from the description of its system.
b. Inclusive Method. When using the
inclusive method of subservice
organization reporting the service
provider’s description of its system will
include the services performed by the
subservice organization.
Chapter 3: Security Part I – Auditing
Operating Systems and Networks
Operating system - is the computer’s control
program. It allows users and their applications
to share and access common computer
resources, such as processors, main memory,
databases, and printers.
The language translator modules of the
operating system are called compilers and
interpreters.
The operating system performs three main
tasks:
1. It translates high-level languages, such as
Java, C++, BASIC, and SQL, into the machine-
level language that the computer can execute.
2. The operating system allocates computer
resources to users, workgroups, and
applications.
3. The operating system manages the tasks of
job scheduling and multiprogramming.
Jobs are submitted to the system in three ways:
• directly by the system operator,
• from various batch job queues, and
• through telecommunications links from
remote workstations.
The operating system must achieve five
fundamental control objectives:
1. The operating system must protect itself from
users.
2. The operating system must protect users
from each other.
3. The operating system must protect users
from themselves.
4. The operating system must be protected from
itself.
5. The operating system must be protected from
its environment.
Operating system security - involves policies,
procedures, and controls that determine who
can access the operating system, which
resources (files, programs, printers, etc.) they
can use, and what actions they can take.
The following security components are found in
secure operating systems:
• Log-On Procedure - A formal log-on
procedure is the operating system’s first
line of defense against unauthorized
access. When the user initiates the
process, he or she is presented with a
dialog box requesting the user’s ID and
password.
• Access Token - If the log-on attempt is
successful, the operating system creates
an access token that contains key
information about the user, including
user ID, password, user group, and
privileges granted to the user.
• Access control list - assigned to each IT
resource (computer directory, data file,
program, or printer), which controls
access to the resources. These lists
contain information that defines the
access privileges for all valid users of the
resource.
• Discretionary Access Privileges - The
central system administrator usually
determines who is granted access to
specific resources and maintains the
access control list.
Threats to Operating System Integrity
Operating system control objectives may not be
achieved because of flaws in the operating
system that are exploited either accidentally or
intentionally.
Accidental threats include hardware failures
that cause the operating system to crash.
Intentional threats to the operating system are
most commonly attempts to illegally access data
or violate user privacy for financial gain.
Exposure Sources:
1. Privileged personnel who abuse their
authority.
2. Individuals, both internal and external to the
organization, who browse the operating system
to identify and exploit security flaws.
3. Individuals who intentionally (or accidentally)
insert computer viruses or other forms of
destructive programs into the operating system.
If operating system integrity is compromised,
controls within individual accounting
applications that impact financial reporting may
also be compromised.
Controlling Access Privileges
- User access privileges are assigned to
individuals and to entire workgroups authorized
to use the system. Privileges determine which
directories, files, applications, and other
resources an individual or group may access.
They also determine the types of actions that
can be taken.
The auditor’s objective is to verify that access
privileges are granted in a manner that is
consistent.
Audit Procedures Relating to Access Privileges
• Review the organization’s policies
• Review the privileges of a selection of
user groups and individuals
• The auditor should verify that
individuals are granted access to data
and programs based on their need to
know
• Review personnel and employee
records.
Password Control - A password is a secret code
the user enters to gain access to systems,
applications, data files, or a network server.
The most common forms of contra-security
behavior include:
• Forgetting passwords and being locked out of
the system.
• Failing to change passwords on a frequent
basis.
• The post-it syndrome, whereby passwords are
written down and displayed for others to see.
• Simplistic passwords that a computer criminal
easily anticipates
Reusable Passwords - The most common
method of password control is the reusable
password. The user defines the password to the
system once and then reuses it to gain future
access. The quality of the security that a
reusable password provides depends on the
quality of the password itself.
One-Time Passwords - An alternative to the
standard reusable password is the one-time
password (OTP). It was designed to overcome
the aforementioned problems. Under this
approach, the user’s password changes
continuously. This technology employs a credit
card-sized smart card that contains a
microprocessor programmed with an algorithm
that generates, and electronically displays, a
new and unique password every 60 seconds.
The auditor’s objective here is to ensure that
the organization has an adequate and effective
password policy for controlling access to the
operating system.
Audit Procedures Relating to Passwords
• Verify that all users are required to have
passwords.
• Verify that new users are instructed in
the use of passwords and the
importance of password control.
• Review password control procedures to
ensure that passwords are changed
regularly
Controlling Against Malicious and Destructive
Programs Malicious and destructive programs
are responsible for millions of dollars of
corporate losses annually. This class of programs
includes viruses, worms, logic bombs, back
doors, and Trojan horses.
Threats from destructive programs can be
substantially reduced through a combination of
technology controls and administrative
procedures.
Destructive Programs - The key to computer
virus control is prevention through strict
adherence to organizational policies and
procedures that guard against virus infection.
System Audit Trail Controls - System audit trails
are logs that record activity at the system,
application, and user level. Operating systems
allow management to select the level of
auditing to be recorded in the log.
a. Keystroke monitoring involves recording both
the user’s keystrokes and the system’s
responses. This form of log may be used after
the fact to reconstruct the details of an event or
as a real-time control to prevent unauthorized
intrusion.
b. Event monitoring - summarizes key activities
related to system resources. Event logs typically
record the IDs of all users accessing the system;
the time and duration of a user’s session;
programs that were executed during a session;
and the files, databases, printers, and other
resources accessed.
Audit trails can be used to support security
objectives in three ways:
• Detecting unauthorized access - protect
the system from outsiders attempting to
breach system controls; report changes
in system performance that may
indicate infestation by a virus or worm
• Reconstructing Events - Audit trail
analysis can be used to reconstruct the
steps that led to events such as system
failures, or security violations by
individuals.
• Personal Accountability - Audit trails
can be used to monitor user activity at
the lowest level of detail. This capability
is a preventive control that can
influence behavior.
AUDITING NETWORKS
The paradox of networking is that networks exist
to provide user access to shared resources, yet
the most important objective of any network is
to control such access.
Intranets - consist of small LANs and large wide
area networks (WANs) that may contain
thousands of individual nodes. Intranets are
used to connect employees within a single
building, between buildings on the same
physical campus, and between geographically
dispersed locations. Typical intranet activities
include e-mail routing, transaction processing
between business units, and linking to the
outside Internet.
• Interception of Network Messages -
The individual nodes on most intranets
are connected to a shared channel
across which travel user IDs, passwords,
confidential e-mails, and financial data
files. The unauthorized interception of
this information by a node on the
network is called sniffing.
• Access to Corporate Databases -
Intranets connected to central
corporate databases increase the risk
that an employee will view, corrupt,
change, or copy data.
• Privileged Employees - an
organization’s internal controls are
typically aimed at lower-level
employees. However, middle managers,
who often possess access privileges that
allow them to override controls, are
most often prosecuted for insider
crimes.
Reluctance to Prosecute → A factor that
contributes to computer crime is many
organizations’ reluctance to prosecute the
criminals.
Internet Risks:
a. IP spoofing - is a form of masquerading
to gain unauthorized access to a Web
server and/ or to perpetrate an
unlawful act without revealing one’s
identity. To accomplish this, a
perpetrator modifies the IP address of
the originating computer to disguise his
or her identity.
b. Denial of Service (DoS) Attack - A denial
of service attacks is an assault on a Web
server to prevent it from servicing its
legitimate users.
SYN Flood Attack - When a user establishes a
connection on the Internet through Transfer
control protocol/Internet protocol (TCP/IP) (see
Internet protocols in the appendix), a three-way
handshake takes place.
The SYN flood attack is accomplished by not
sending the final acknowledgment to the
server’s SYN-ACK response, which causes the
server to keep signaling for acknowledgement
until the server times out.
Smurf attack - involves three parties: the
perpetrator, the intermediary, and the victim. It
is accomplished by exploiting an Internet
maintenance tool called a ping, which is used to
test the state of network congestion and
determine whether a particular host computer
is connected and available on the network.
Distributed Denial of Service - A distributed
denial of service (DDoS) attack may take the
form of a SYN flood or smurf attack. The
distinguishing feature of the DDoS is the sheer
scope of the event. The perpetrator of a DDoS
attack may employ a virtual army of so-called
zombie or bot (robot) computers to launch the
attack. Because vast numbers of unsuspecting
intermediaries are needed, the attack often
involves one or more Internet relay chat (IRC)
networks as a source of zombies.
c. Risks from Equipment Failure -
Network topologies consist of various
configurations of (1) communications
lines (twisted-pair wires, coaxial cables,
microwaves, and fiber optics), (2)
hardware components (modems,
multiplexers, servers, and front-end
processors), and (3) software (protocols
and network control systems).
CONTROLLING RISKS FROM SUBVERSIVE
THREATS
Firewall - system of software and hardware that
prevents unauthorized access to or from a
private network. Typically, firewalls are
implemented to prevent unauthorized Internet
users and hackers from accessing private
networks that are connected to the Internet.
• Network-level firewalls - provide
efficient but low-security access control.
This type of firewall consists of a
screening router that examines the
source and destination addresses that
are attached to incoming message
packets.
• Application-level firewalls - provide a
higher level of customizable network
security, but they add overhead to
connectivity. These systems are
configured to run security applications
called proxies that permit routine
services such as e-mail to pass through
the firewall, but can perform
sophisticated functions such as user
authentication for specific tasks.
Controlling Denial of Service attacks - As a
countermeasure to DDoS attacks, many
organizations have invested in intrusion
prevention systems (IPS) that employ deep
packet inspection (DPI) to determine when an
attack is in progress. DPI uses a variety of
analytical and statistical techniques to evaluate
the contents of message packets. It searches the
individual packets for protocol non-compliance
and employs predefined criteria to decide if a
packet can proceed to its destination.
Encryption - is the conversion of data into a
secret code for storage in databases and
transmission over networks. The sender uses an
encryption algorithm to convert the original
message (called cleartext) into a coded
equivalent (called ciphertext). At the receiving
end, the ciphertext is decoded (decrypted) back
into cleartext.
The earliest encryption method is called the
Caesar cipher, which Julius Caesar is said to
have used to send coded messages to his
generals in the field. Two fundamental
components include:
• Key - mathematical value that the
sender selects.
• Algorithm - procedure of shifting each
letter in the cleartext message the
number of positions that the key value
indicates.
Two methods of Encryption:
1. Private Key Encryption - Advance
encryption standard (AES) is a 128-bit
encryption technique that has become
a U.S. government standard for private
key encryption. The AES algorithm uses
a single key known to both the sender
and the receiver of the message.
Triple-DES encryption is an
enhancement to an older encryption
technique called the data encryption
standard (DES). Triple DES provides
considerably improved security over
most single encryption techniques. Two
forms of triple-DES encryption are EEE3
and EDE3. EEE3 uses three different keys
to encrypt the message three times.
EDE3 uses one key to encrypt the
message.
2. Public Key Encryption - Public key
encryption uses two different keys: one
for encoding messages and the other
for decoding them. Each recipient has a
private key that is kept secret and a
public key that is published.
Rivest-Shamir-Adleman (RSA) is a
highly secure public key cryptography
method. This method is, however,
computationally intensive, and much
slower than standard DES encryption.
Sometimes, both DES and RSA are used
together in what is called a digital
envelope.
Digital signature - is electronic authentication
that cannot be forged. It ensures that the
message or document that the sender
transmitted was not tampered with after the
signature was applied.
Digital Certificate - The aforementioned process
proves that the message received was not
tampered with during transmission. It does not
prove, however, that the sender is who he or
she claims to be. The sender could be an
impersonator. Verifying the sender’s identity
requires a digital certificate, which is issued by a
trusted third party called a certification
authority (CA).
Public key infrastructure (PKI) constitutes the
policies and procedures for administering this
activity. A PKI system consists of:
1. Certification Authority
2. Registration Authority
3. Certification Repository
Message Sequence Numbering - g, a sequence
number is inserted in each message, and any
such attempt will become apparent at the
receiving end.
Message Transaction Log - An intruder may
successfully penetrate the system by trying
different password and user ID combinations.
Therefore, all incoming and outgoing messages,
as well as attempted (failed) access, should be
recorded in a message transaction log.
Request-Response Technique - Using request-
response technique, a control message from the
sender and a response from the receiver are
sent at periodic, synchronized intervals.
Call-Back Devices - requires the dial-in user to
enter a password and be identified. The system
then breaks the connection to perform user
authentication.
Criteria for assessing the firewall effectiveness
include:
• Flexibility
• Proxy services
• Filtering
• Segregation of systems
• Audit tools
• Probe for weaknesses
Controlling Risks from Equipment Failure
Line Errors - The most common problem in data
communications is data loss due to line error.
The bit structure of the message can be
corrupted through noise on the
communications lines.
The following two techniques are commonly
used to detect and correct such data errors
before they are processed. These are:
1. Echo Check - The echo check involves
the receiver of the message returning
the message to the sender. The sender
compares the returned message with a
stored copy of the original.
2. Parity Check. The parity check
incorporates an extra bit (the parity bit)
into the structure of a bit string when it
is created or transmitted. Parity can be
both vertical and horizontal
(longitudinal).
AUDITING ELECTRONIC DATA INTERCHANGE
(EDI)
To coordinate sales and production operations
and to maintain an uninterrupted flow of raw
materials, many organizations enter into a
trading partner agreement with their suppliers
and customers. This agreement is the
foundation for a fully automated business
process called electronic data interchange (EDI).
Electronic Data Interchange (EDI) - the
intercompany exchange of computer-
processable business information in standard
format.
EDI Standards - The standard in the United
States is the American National Standards
Institute (ANSI) X.12 format. The standard used
internationally is the EDI for administration,
commerce, and transport (EDIFACT) format.
Benefits of EDI:
• Data keying
• Error reduction
• Reduction of paper
• Postage
• Automated procedures
• Inventory reduction
Financial EDI - Using electronic funds transfer
(EFT) for cash disbursement and cash receipts
processing is more complicated than using EDI
for purchasing and selling activities. EFT
requires intermediary banks between trading
partners.
EDI Controls:
Transaction Authorization and Validation - Both
the customer and the supplier must establish
that the transaction being processed is to (or
from) a valid trading partner and is authorized.
Access Control:
To function smoothly, EDI trading partners must
permit a degree of access to private data files
that would be forbidden in a traditional
environment. The trading partner agreement
will determine the degree of access control in
place
EDI Audit Trail → The absence of source
documents in EDI transactions eliminates the
traditional audit trail and restricts the ability of
accountants to verify the validity, completeness,
timing,
Audit Objectives Relating to EDI:
1. All EDI transactions are authorized,
validated, and in compliance with the
trading partner agreement.
2. No unauthorized organizations gain
access to database records.
3. Authorized trading partners have access
only to approved data.
4. Adequate controls are in place to
ensure a complete audit trail of all EDI
transactions.
AUDITING PC-BASED ACCOUNTING SYSTEMS
The software market offers hundreds of PC-
based accounting systems. In contrast to
mainframe and client-server systems that are
frequently custom-designed to meet specific
user requirements, PC applications tend to be
general-purpose systems that serve a wide
range of needs.
Commercial systems usually have fully
integrated modules. This means that data
transfers between modules occur automatically.
PC Systems Risks and Controls
a. Operating System Weaknesses - In
contrast to mainframe systems, PCs
provide only minimal security for data
files and programs contained within
them. This control weakness is inherent
in the philosophy behind the design of
PC operating systems.
b. Weak Access Control - Security
software that provides log-on
procedures is available for PCs. Most of
these programs, however, become
active only when the computer is booted
from the hard drive.
c. Inadequate Segregation of Duties -
Employees in PC environments,
particularly those of small companies,
may have access to multiple
applications that constitute
incompatible tasks.
d. Multilevel password control - is used to
restrict employees who are sharing the
same computers to specific directories,
programs, and data files. Under this
approach, different passwords are used
to access different functions. Thus, each
employee is required to enter a
password to access his or her
applications and data.
e. Risk of Theft - Because of their size, PCs
are objects of theft, and the portability
of laptops places them at the highest
risk.
f. Weak Backup Procedures - Computer
failure, usually disk failure, is the
primary cause of data loss in PC
environments. If the hard drive of a PC
fails, recovering the data stored on it
may be impossible.
g. Risk of Virus Infection - Virus infection
is one of most common threats to PC
integrity and system availability.