Chapter Two
Data Collection
This is the simplest stage at which to perpetrate a computer
fraud, as it only requires understanding the system and its
control weaknesses.
The fraudulent act involves entering falsified data into
the system. For example:
To commit a payroll fraud, the perpetrator may
insert a fraudulent payroll transaction along with
other legitimate transactions.
Thus, it should be ensured that transaction data entered into
the system are valid, complete, and free from material
errors.
Data Processing
Data processing frauds fall into two classes: program
fraud and operations fraud.
Program fraud techniques:
Database Management
DBM Fraud includes altering, deleting, corrupting,
destroying, or stealing an organization’s data.
A common fraud technique is accessing the database
from a remote site and browsing for useful information
that can be copied and sold to competitors.
Disgruntled employees may try to destroy company
data files simply to harm the organization.
Information Generation
It is the process of compiling, arranging, formatting,
and presenting information to users.
A common fraud at this stage is stealing, misdirecting, or
misusing computer output.
Auditing of Computer-Based IS
Audit Procedures:
Review relevant documentation to verify if
individuals are performing incompatible functions.
Review system documentation and maintenance
records to verify maintenance programmers are not
original design programmers.
Verify that computer operators do not have access
to the operational details of the system’s internal
logic and systems documentation.
Determine that segregation policy is being followed
in practice through observation.
Operating Systems
Computer Center
The auditor should examine the physical environment
of the computer center to identify risks and check
for controls.
Operating Systems
Set of programs that controls the way a computer
works and runs other programs.
If the system integrity is compromised, controls
within individual applications may also be neutralized.
Operating system must achieve five control objectives:
OS Security Components
1. Log on Procedure
Use ID and Password
2. Access Token
If successfully logged in, the OS creates an access
token (sign).
The access token contains key information about the user:
ID, password, user group, and privileges granted.
Threats to OS Integrity
Accidental: Disk failures, OS crashes, memory
dumps
Intentional: Illegal access, Destructive programs
Operating System controls and Audit tests
The design of OS security controls must be
assessed, covering:
Access privileges,
Password control,
Virus control and
Audit trail control
Access privileges
Audit Objective:
Verify that access privileges are granted in a manner consistent
with the need to separate incompatible functions.
Audit Procedures:
Review the organization’s policy for separating
incompatible functions and ensure that they promote
reasonable security.
Review the privileges of selected users to determine
if their access rights are appropriate for their job
descriptions.
Password Control
Audit Objective:
Ensure that there is an adequate and effective password
policy.
Audit Procedures:
Verify that all users are required to have passwords.
Verify that new users are instructed in the use of
passwords.
Review password control procedures to ensure that
passwords are changed regularly.
Review the password file to determine that weak
passwords are identified and disallowed.
Virus control
Audit Objective:
Verify that effective policies and procedures are in place
Audit Objective:
Ensure that the established audit trail system is
Audit Procedures:
Verify that the audit trail has been activated according
to organization policy.
Review audit trail logs to evaluate unauthorized or
terminated users and failed log-in attempts.
Evaluate the effectiveness of the security group in
handling security violation cases by taking
samples.
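The audit trail log review described in the procedures above, as an added example that is not part of the original slides: a Python sketch that flags activity by terminated or unknown accounts and repeated failed log-in attempts. The log format, the roster, the account names and the failure threshold are all constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample data: an HR roster and an OS authentication log (CSV).
ROSTER = {"abebe": "active", "sara": "active", "daniel": "terminated"}

SAMPLE_LOG = """timestamp,user,event,source
2024-03-01T08:01:12,abebe,LOGIN_OK,10.0.0.5
2024-03-01T08:03:40,sara,LOGIN_FAIL,10.0.0.9
2024-03-01T08:03:55,sara,LOGIN_FAIL,10.0.0.9
2024-03-01T08:04:10,sara,LOGIN_FAIL,10.0.0.9
2024-03-01T08:04:31,sara,LOGIN_OK,10.0.0.9
2024-03-01T22:15:02,daniel,LOGIN_OK,10.0.0.7
2024-03-01T23:40:18,guest01,LOGIN_FAIL,10.0.0.44
"""

FAIL_THRESHOLD = 3  # assumed policy value, not taken from the slides


def review_audit_trail(log_text, roster, fail_threshold=FAIL_THRESHOLD):
    """Return audit exceptions: terminated users, unknown users, repeated failures."""
    findings = {"terminated": [], "unauthorized": [], "repeated_failures": []}
    failures = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        entry = (row["timestamp"], row["user"], row["event"])
        status = roster.get(row["user"])
        if status is None:
            # Account is not on the roster at all: any attempt is an exception.
            findings["unauthorized"].append(entry)
        elif status == "terminated":
            # Terminated staff should show no activity, successful or failed.
            findings["terminated"].append(entry)
        if row["event"] == "LOGIN_FAIL":
            failures[row["user"]] += 1
    # Report every account whose failed attempts reach the threshold.
    findings["repeated_failures"] = sorted(
        (user, n) for user, n in failures.items() if n >= fail_threshold
    )
    return findings


if __name__ == "__main__":
    for category, items in review_audit_trail(SAMPLE_LOG, ROSTER).items():
        print(category, items)
```

Each flagged entry is a candidate for the sampling step: the auditor follows it to the security group's record of how the violation was handled.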
The End!
Thank You!