View
216
Download
0
Tags:
Embed Size (px)
Citation preview
Final Exam ReviewIS Audit (ISMT 350)
Time & Venue: 7 Dec 2006, 10:30 to 11:50 am
Note: You will be allowed one A4 sized sheet of paper as a “ Cheat Sheet” for your reference during the IST300S Final Exam. You can fill out both sides, and there are no limits on handwriting, font, or techniques for the information you place on the page. No other materials will be allowed during the exam
Classes of Things You have Learned
Concepts: Things you need to know These include: Theories and frameworks Facts
‘ Activities and Tasks: Things an auditor needs to
do
Tools: Used to make audit decisioms
Logical Structure of the CourseWith Readings from the Text
I S Au d itin g
C u r r en t an dF u tu r e I s s u es in
I S Au d itin g
I S C o m p o n en tsC h . 1 & 2
Au d it C o m p o n en tsC h 3 & 4
C o n tr o ls o v er I SAs s e ts
C h . 7 & 8
P r o c ed u r a lC o n tr o ls
C h . 9
Au d it S tan d ar d san d P r o c ed u r es
C h . 1 0
F o r en s ic s an dF r au d Au d its
C h . 1 2
E n c r y p tio nC h . 11
Prac·ti·cum (prăk-tĭ-kəm) nounLessons in a specialized field of study designed to give students supervised practical application of previously studied theory
Student Competence Case Study
1 Evaluating IT Benefits and Risks Jacksonville Jaguars
2 The Job of the Staff Auditor A Day in the Life of Brent Dorsey
3 Recognizing Fraud The Anonymous Caller
4 Evaluating a Prospective Audit Client Ocean Manufacturing
5 Inherent Risk and Control Risk Comptronix Corporation
6 Evaluating the Internal Control Environment Easy Clean
7 Fraud Risk and the Internal Control Environment Cendant Corporation
8 IT-based vs. Manual Accounting Systems St James Clothiers
9 Materiality / Tolerable Misstatement Dell Computer
10 Analytical Procedures as Substantive Tests Burlington Bees
11 Information Systems and Audit Evidence Henrico Retail
IS Audit Programs
Chapter 2
What is IS Auditing?Why is it Important? What is the Industry Structure?Attestation and Assurance
Auditing
E x ter n a l R ea lW o r ld E n tit ies
an d E v en ts th a tC r ea te an d
D es tr o y Valu e
Au d it R ep o r t /O p in io n
J o u r n a l E n tr ies
'O w n e d ' A s s e t sa n d Lia b ilit ie s
R ep o r ts :S ta tis t ic s
I n te r n a lO p er a tio n so f th e F ir m
Ac c o u n tin gS y s tem s
Au d itP r o g r am
T r an s ac tio n s
T ra n sa c tio n s
The P hys i c al W o r l d
The P ar al l e l (L o g i c al )W o r l d o f Ac c o unt i ng
L ed g er s :D atab as es
Audi t i ng
C o r p o r a te L aw
Su b
stan
tiv e
Te s
ts
Te st s o f T
ran sa c ti o n s
Attes ta tion
A n a ly tic a l T ests
How Auditors Should Visualize Computer Systems
Bu s in es s Ap p lic a tio nS y s tem s
T r an s ac tio n F lo w s
As s e t L o s s R is k s( I n te r n a l Au d its )
R ep o r tin g R is k s( E x ter n a l Au d it)
C o n tr o l P r o c es s R is k s( I n te r n a l & E x ter n a l
Au d its )
O p er a tin g S y s tem s( in c lu d in g D BM S , n e tw o r kan d o th er s p ec ia l s y s tem s )
Har d w ar e P la tf o r m
Ph y s ica l a n d L o g ica lS e cu rity En v iro n m e n t
A u dit O bje ct iv e s
The IS Auditor’s Challenge
Corporate Accounting is in a constant state of flux Because of advances in Information Technology applied to
Accounting Information that is needed for an Audit is often hidden from
easy access by auditors Making computer knowledge an important prerequisite for
auditing
IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations
The Challenge to Auditing Presented by Computers
Transaction flows are less visible Fraud is easier Computers do exactly what you tell them
To err is human But, to really screw up you need a computer
Audit samples require computer knowledge and access Transaction flows are much larger (good for the company, bad for the
auditor) Audits grow bigger and bigger from year to year
And there is more pressure to eat hours Environmental, physical and logical security problems grow
exponentially Externally originated viruses and hacking are the major source of risk
(10 years ago it was employees)
The Challenge to Auditing Presented by The Internet
Transaction flows are External External copies of transactions on many Internet nodes External Service Providers for accounting systems
require giving control to outsiders with different incentives
Audit samples may be impossible to obtain Because they require access to 3rd party databases
Transaction flows are intermingled between companies
Environmental, physical and logical security problems grow exponentially Externally originated viruses and hacking are the major source of risk
(10 years ago it was employees)
Practicum:
A Day in the Life of Brent Dorsey
A Staff Auditors’ Professional Pressure
Understand some of the pressures faced by young professionals in the workplace
Generate and evaluate alternative courses of action to resolve a difficult workplace issue
Understand more fully the implications of "eating time" and "premature sign-off"
More fully appreciate the need to balance professional and personal demands
Ideas, not Things, have Value … and these ideas are tracked in the computer
0
2
4
6
8
10
12
14
16
Rank order by increasing return
Ass
et In
tens
ity (F
ixed
Ass
ets
/ Sal
es)
-100
0
100
200
300
400
500
600
5-yr
Sha
reho
lder
Ret
urn
%
How Accounting has had to ChangeBecause of Business Automation
M an u f ac tu r in gValu e Ad d ed
C o n s u m er
M ater ia lL ab o r
C ap ita l
5 0 %
3 0 %
2 0 %
1 1 0 %
M an u f ac tu r in gValu e Ad d ed
C o n s u m er
M ater ia lL ab o r
C ap ita l
5 %
5 %
1 0 %Kn o w led g eI n teg r a to r
Kn o w led g eI n teg r a to r
Kn o w led g eI n teg r a to r
Kn o w led g eI n teg r a to r
K n o w led g e B as e (u n certainclaim s , co n t rib u t io n s an d
p ro p erty rig h t s )
8 0 %
11 0 %
M an u fac tu ring
S p ec if ica tio n s
F in ished
P ro d u c t 2 0 %
Flowcharting Accounting Systems
Each bubble is associated with a person or entity that is responsible for that processThe same individuals with:
Managerial ControlAccountabilityResponsibility for the process
Should all be responsible for the same bubble
Flowcharting Accounting Systems
A data flow diagram
Data Flow Diagram Notations
Flowcharting Accounting Systems
A process transforms incoming data flow into outgoing data flow.
Flowcharting Accounting Systems
Datastores are repositories of data in the system.
They are sometimes also referred to as databases or files.
Flowcharting Accounting Systems
Dataflows are pipelines through which transactions (packets of information) flow.
Label the arrows with the name of the data that moves through it.
Flowcharting Accounting Systems
External entities are entities outside the firm, with which the accounting system communicates E.g., vendors, customers,
advertisers, etc.
External entities are sources and destinations of the transaction input and output
Flowcharting Accounting Systems
The Context diagram lists all of the external relationships
Flowcharting Accounting Systems …Levels
Context
known as Level 0) data flow diagram. It only contains one process node (process 0) that generalizes the function of the entire system in relationship to external entities.
DFD levels
The first level DFD shows the main processes within the system.
Each of these processes can be broken into further processes until you reach the level at which individual actions on transaction flows take place
If you use SmartDraw Drawing Nested DFDs in SmartDrawYou can easily nest data flow diagrams in SmartDraw. Draw the high-level diagrams first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.
The Datastore
The Datastore is used to represent Ledgers, Journals
Or more often in the current world Their computer
implemented counterpart Since almost no one keeps
physical records
Flowcharting Accounting Systems …Lower Level with Multiple Processes
Data Flow Diagram Layers Draw data flow diagrams in
several nested layers. A single process node on a
high level diagram can be expanded to show a more detailed data flow diagram
Practicum:
Jacksonville Jaguars
Assurance Services for the Electronic Payments System of a privately held company
Identify benefits, costs and risks to businesses from implementing information technologies
Determine how CPAs can provide assurance about processes designed to reduce risks created when new IT systems are introduced
Understand ways CPAs can identify new assurance services opportunities (i.e., new areas for revenue generation)
Identifying Computer Systems
Chapter 11. Identifying what you are going to audit
2. The Computer Asset Inventory
3. Identification of Transactions, and Risk Levels
4. Audit programs for high risk transactions
Audit Program Audit programs are checklists of the various tests (audit
procedures) that auditors must perform within the scope of their audits to determine whether key controls intended to mitigate significant risks are functioning as designed.
Objective To determine the adequacy of the controls over the particular
accounting processes covered by the audit program This is fundamentally what the assurance and attestation
aspects of the audit are expected to achieve during the ‘tests of transactions’ or mid-year or internal control tests
The objective
The reason for an audit is to write an opinion: Saying stock price is fairly stated (external) Control processes are effective (internal & external) Assets are not at risk of theft or damage (internal)
We only need to identify computer systems where one of more of these objectives is affected
Benefits
The use of audit programs is fairly standard for audit firms, and is considered good business practice. List three (3) benefits to the audit firm of using an audit program The improve resource planning (where to spend money and
employ people on an audit) They promote consistency from year to year when personnel and
situations of an audit change Prior years’ programs are the basis for the current year’s audit
procedures Anything else that seems reasonable
Control assessment
Information systems audit programs should assess the adequacy of controls in four (4) areas.
1. Environmental controls
2. Physical security controls
3. Logical security controls
4. IS operating controls
Computer Assets
Central Processing Unit
MemoryPeripheral Processor
(Video, Bus, Etc.)Network Devices
RAM / ROMOptical &
Magnetic Media
Operating Systems
Specialized O/S
Utilities
Network O/S Database O/SProgramming Languages,
Tools & EnvironmentsUtilities and Services
Applications
The main categories of Computer Applications, and their relative importance
InformationTechnology Market
Annual Expenditures($US billion)
Employees(thousand)
Major Suppliers
Operations & Accounting 500 2000 US, India
Search & Storage 1000 5000 US
Tools 300 300 US, Germany
Embedded 1500 700 US, Japan, Korea, Greater China
Communications 700 2000 US, Germany, Japan, Greater China
Total 4,000 10,000 GWP ~$45 trillion (Pop: 6 billion)
US GDP ~$10 trillion (Pop: 300 million)
The Risk Assessment Database
Asset (Ex 2.1) Risk Assessment (Ex. 2.2 with improvements)
Primary OS OwnerApplication
Asset Value ($000,000 to Owner)*
Transaction Flow Description
Total Annual Transaction Value Flow managed by Asset($000,000)* Risk Description
Probability of Occurrence (# per Year)
Cost of single occurrence ($)
Expected Loss
Win XPReceiving Dock A/P 0.002
RM Received from Vendor 23 Theft 100 100 10000
Win XPReceiving Dock A/P 0.002
RM Received from Vendor 23
Obsolescence and spoilage 35 350 12250
Etc Etc Etc Etc Etc Etc Etc Etc Etc Etc
Etc Etc Etc Etc Etc Etc Etc Etc Etc Etc
Etc Etc Etc Etc Etc Etc Etc Etc Etc Etc
*Whether you list depends on Audit Materiality
Materiality Materiality represents the maximum, combined, financial statement
misstatement or omission that could occur before influencing the decisions of reasonable individuals relying on the financial statements.
The magnitude and nature of financial statement misstatements or omissions will not have the same influence on all financial statement users.
For example, a 5 percent misstatement with current assets may be more relevant for a creditor than a stockholder, whereas a 5 percent misstatement with net income before income taxes may be more relevant for a stockholder than a creditor. Therefore, the primary consideration when determining materiality is the expected users of the financial statements.
The specific amounts established for each financial statement element must be determined by considering the primary users as well as qualitative factors.
For example, if the client is close to violating the minimum current ratio requirement for a loan agreement, a smaller planning materiality amount should be used for current assets and liabilities.
Conversely, if the client is substantially above the minimum current ratio requirement for a loan agreement, it would be reasonable to use a higher planning materiality amount for current assets and current liabilities.
Planning materiality should be based on the smallest amount established from relevant materiality bases to provide reasonable assurance that the financial statements, taken as a whole, are not materially misstated for any user.
Tolerable misstatement
This is essentially materiality for individual financial statement accounts. The amount established for individual accounts is referred to as "tolerable misstatement."
Tolerable misstatement represents the amount an individual financial statement account can differ from its true amount without affecting the fair presentation of the financial statements taken as a whole.
Establishment of tolerable misstatement for individual accounts enables the auditor to design and execute an audit strategy for each audit cycle.
Tolerable misstatement should be established for all balance sheet accounts (except "retained earnings" because it is the residual account).
Practicum:
Dell Computer
This is the case that required you to come up with hard numbers for materiality!
Determine planning materiality for an audit client Allocate planning materiality to financial statement
elements Provide support for your materiality decisions
IS Security
Chapter 3
What is Security?
Security involves: the protection of a person, property or organization from attack. Knowing the types of possible attacks, being aware of the motivations for attacks and your relationship to those
motives. Proper security
makes it difficult to attack, threatens counter-measures, or make a pre-emptive attack on a source of threat.
IS Security is a collection of investments and procedures that: Protect information stored on computers Protect Hardware and Software assets From theft or vandalism by 3rd parties
What is a Lock & Key? Lock is a security system
The key is its password Keys used to be worn visibly around the neck
As a sign of authority (similar to employee badges today)
Newer Technology Badges and electronic keys Biometrics (M-28 fingerprint lock at right) Remote controls (Lexus keys)
‘Keys’ are just another Security Policy
Effective security policy
Security policy defines the organization’s attitude to Assets, and announces internally and externally which assets are mission critical
Which is to be protected from unauthorized access, vandalism and destruction by 3rd parties
Effective information security policies Will turn staff into participants in the company’s security The process of developing these policies will help to define a company’s
assets An effective security policy also protects people.
Anyone who makes decisions or takes action in a situation where information is a risk incurs personal risk as well.
A security policy allows people to take necessary actions without fear of reprisal.
Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for
employees.
IP
There are four types of Intellectual Property (IP) that are protected by law
Copyright Patent Trade secret Trademark
Two aspects of the use of IP are covered by intellectual property laws
Right of publicity Privacy
Almost All Security Controls use the Lock & Key paradigm. Authorization system = Who gets a Key (And Why?) Password, etc. = Key Encryption algorithms, SSL, etc. = Lock
Entry into Computer Crime
This flowchart describes the points at which Control Processes may be created to stop criminals
Controls may: Prevent access to the asset Detect asset access Correct the problems or
losses after an illicit access Remember that criminals
specialize in one type of crime
Personal Background
Learning Skills to Commit Crime
Reaction to Chance Event
Motives
Choose "Best" Option
Decision / Action Matrix
Select Asset
Don't Select
Commit Crime Don't Commit
• Unfamilar • Not enough valueN/A
• Face Penalties • Enjoy Rewards
• Too Hard • Monitored
PremeditatedUn-premeditated
Bringing a computer crime to court
Step Potential Terminal Outcome
Crime committed Not detectedReported Not investigatedInvestigation UnsolvedArrest Released without prosecutionBooking Released without prosecutionPreliminary appearance in court Charges dropped or dismissedBail or detentionAdjudication Arbitration, Settled "Out of Court"Arraignment Charge dismissedTrial AcquittedSentencing AppealSentencing ProbationSentencing Prison
Practicum:
The Anonymous Caller
Recognizing It's a Fraud and Evaluating What to Do
How would you politely and ethically handle a ‘dodgy’ request for help
Appreciate real-world pressures for meeting financial expectations Distinguish financial statement fraud from aggressive accounting Identify alternative actions when confronted with suspected
financial statement fraud Develop arguments to resist or prevent inappropriate accounting
techniques
Utility Computing and IS Service Organizations
Chapter 4
Old and New
Service Organizations like EDS Are in the business of running IS shops Only the transactions are handled by the client
They are being replaced by Utility Computing Which is an outgrowth of software vending business
models Particularly those of Oracle, SAP and Salesforce.com
Why do firms choose Utility computing?
Utility computing offers greater flexibility in the creation of computing
environments when they are needed. It opens up usage-based pricing and reduces users' use of capital.
Utility Computing allows an organization to have the ability to
harness latent computing power and resources, regardless of
application or other physical or organizational boundaries. It allows an organization to virtually repurpose operating systems,
application mix, processing power, and storage to the immediate needs
of the corporation, to meet new demand or to rapidly create computing
environments for projects.
Pervasiveness of Utility Computing Recent moves like
Oracle's acquisition of Siebel, And The growing popularity of software-as-a-service vendors like
Salesforce.com are indicators that the software industry is tilting toward an on-demand
future
Still, on-demand services are likely to account for less than 10 percent of business application use through 2010 (Gartner)
The reason why the on-demand model is not suitable for complex business uses like logistics
support and order handling nor for large complex companies requiring business process support
But the "complexity constraint bar" will rise over time since on-demand vendors can add functionality easily
Consequences: Control of Data and Programs
Copies of data outside the organization Accounting transactions (fraud, loss, alteration) Personnel and customer records (privacy, theft)
Operation of programs may be less well understood since there are no in-house experts This may lead to more audit exceptions
The Risk Assessment Database
Asset (Ex 2.1) Risk Assessment (Ex. 2.2 with improvements)
Primary OS OwnerApplication
Asset Value ($000,000 to Owner)*
Transaction Flow Description
Total Annual Transaction Value Flow managed by Asset($000,000)* Risk Description
Probability of Occurrence (# per Year)
Cost of single occurrence ($)
Expected Loss
Win XPReceiving Dock A/P 0.002
RM Received from Vendor 23 Theft 100 100 10000
Win XPReceiving Dock A/P 0.002
RM Received from Vendor 23
Obsolescence and spoilage 35 350 12250
Etc Etc Etc Etc Etc Etc Etc Etc Etc Etc
Etc Etc Etc Etc Etc Etc Etc Etc Etc Etc
Etc Etc Etc Etc Etc Etc Etc Etc Etc Etc
*Whether you list depends on Audit Materiality
Practicum:
Ocean Manufacturing
Deciding whether to accept a new client
Understand the types of information relevant to evaluating a prospective audit client
List some of the steps an auditor should take in deciding whether to accept a prospective client
Identify and evaluate factors important in the decision to accept or reject a pro spective client
Understand the process of making and justifying a recommendation regarding client acceptance
Physical Security Chapter 7 Logical Security Chapter 8
Security Policy
Env ironmenta lCompetitiv e
Interna l Financ ia lIn terna l
Non- f inanc ia l
Prof itab ilityEf f ic ienc y
Grow thSurv iv a l
QuantityQuality
Cos tTime
Manpow erMoney
Mac hinesMethodsMater ia ls
PlanOrganiz eA c tuateContro l
I n fo rm a t io n I n pu ts O u tpu ts O bje ct iv e sM a n a g e r A ct io n
In form ation System
Inform ation System s
Inf ormation Sy s tem
Inform ation System
Strategy Policy
Strategy defines the way that Top Management achieves corporate objectives
Policy is a written set of procedures, guidelines and rules Designed to accomplish a subset of strategic tasks By a particular subgroup of employees
Effective security policy
An effective security policy also protects people. Anyone who makes decisions or takes action in a situation where
information is a risk incurs personal risk as well. A security policy allows people to take necessary actions without
fear of reprisal. Security policy compels the safeguarding of information,
while it eliminates, or at least reduces, personal liability for employees.
Effective information security policy
Information security policy defines the organization’s attitude to information, and announces internally and externally that information is an asset
Which is to be protected from unauthorized access, modification, disclosure, and destruction
Effective information security policies Will turn staff into participants in the company’s security The process of developing these policies will help to define a
company’s information assets
Why Do You Need Security Policy?
A security policy should Protect people and information Set the rules for expected behavior by users, system
administrators, management, and security personnel Authorize security personnel to monitor, probe, and investigate Define and authorize the consequences of violation
The Three Elements of Policy Implementation
Standards – Standards specify the use of specific technologies in a uniform way. The example the book gives is the standardization of operating procedures
Guidelines – Similar to standards but are recommended actions
Procedures – These are the detailed steps that must be performed for any tasks.
Steps to Creation of IS Security PolicyPolicy Development Lifecycle
1. Senior management buy-in2. Determine a compliance grace period 3. Determine resource involvement . 4. Review existing policy5. Determine research materials (Internet, SANS, white papers, books…)6. Interview parties {Responsible, Accountable, Controlling} assets
1. Define your objectives 2. Control the interview 3. Sum up and confirm
4. Post-interview review
7. Review with additional stakeholders 8. Ensure policy is reflected in “awareness” strategies 9. Review and update 10. Gap Analysis11. Develop communication strategy12. Publish
What’s in a Policy Document
Governing Policy
Should cover Address information security policy at a general level define significant concepts describe why they are important, and detail what your company’s stand is on them
Governing policy will be read by managers and by technical custodians
Level of detail: governing policy should address the “what” in terms of security policy.
Governing Policy Outlinemight typically include
1. Authentication 2. Access Control 3. Authorization 4. Auditing 5. Cryptography 6. System and Network Controls 7. Business Continuity/Disaster Recovery 8. Compliance Measurement
Technical Policies
Used by technical custodians as they carry out their security responsibilities for the system they work with.
Are more detailed than the governing policy and will be system or issue specific, e.g., AS-400 or physical security.
Technical Policy Outline might typically include
1. Authentication 2. Authorization 3. Auditing 4. Network Services 5. Physical Security 6. Operating System 7. Business Continuity/Disaster Recovery 8. Compliance Measurement
User Policies
Cover IS security policy that end-users should ever have to know about, comply with, and implement.
Most of these will address the management of transaction flows and databases associated with applications
Some of these policy statements may overlap with the technical policy
Grouping all end-user policy together means that users will only have to go to one place and read one document in order to learn everything they need to do to ensure compliance with company security
User Policy Outline might typically include 1. User Access 2. User Identification and Accountability 3. Passwords 4. Software 5. System Configuration and Settings 6. Physical 7. Business Continuity Planning 8. Data Classification 9. Encryption 10. Remote Access 11. Wireless Devices/PDAs 12. Email 13. Instant Messaging 14. Web Conferencing 15. Voice Communications 16. Imaging/Output
Practicum:
Comptronix Corporation
Identifying Inherent Risk and Control Risk Factors
* Understand how managers can fraudulently manipulate financial statements
* Recognize key inherent risk factors that increase the potential for financial reporting fraud
* Recognize key control risk factors that increase the potential for financial reporting fraud
* Understand the importance of effective corporate governance for overseeing top executives
IS Operations
Chapter 9
What are ‘Operations’
Development and Test Production Outsourcing and Utility Computing
Also, two sides to one system Business Operations
All the tangible physical things that go on in a corporation Computer Operations
Business & Computer Operations
E x ter n a l R ea lW o r ld E n tit ies
an d E v en ts th a tC r ea te an d
D es tr o y Valu e
I n te r n a l C o n tr o lM em o
J o u r n al E n tr ies
'O w n e d ' A s s e t sa n d Lia b ilit ie s
R ep o r ts :S ta tis t ic s
I n te r n a lO p er a tio n so f th e F ir m
C o m p u terS y s tem s
Au d itP r o g r am
T r an s ac tio n s
T ra n sa c tio n s
B us i ne s s O pe r at i o ns
The P ar al l e l (L o g i c al )W o r l d o f C o m pute r O pe r at i o ns
L ed g er s :D atab as es
Inte r nal C o ntr o l R e vi e wO ve r O pe r at i o ns
C o r p o r a te L aw
Measu rm
en t / P o s tin g
Mea su rem
en t / P o s tin g
Look Familiar?
E x ter n a l R ea lW o r ld E n tit ies
an d E v en ts th a tC r ea te an d
D es tr o y Valu e
Au d it R ep o r t /O p in io n
J o u r n a l E n tr ies
'O w n e d ' A s s e t sa n d Lia b ilit ie s
R ep o r ts :S ta tis t ic s
I n te r n a lO p er a tio n so f th e F ir m
Ac c o u n tin gS y s tem s
Au d itP r o g r am
T r an s ac tio n s
T ra n sa c tio n s
The P hys i c al W o r l d
The P ar al l e l (L o g i c al )W o r l d o f Ac c o unt i ng
L ed g er s :D atab as es
Audi t i ng
C o r p o r a te L aw
Su b
stan
tiv e
Te s
ts
Te st s o f T
ran sa c ti o n s
Attes ta tion
A n a ly tic a l T ests
Computer Operations
Only a subset of business operations are computerized (automated)
Computers do the following well: High-speed arithmetic operations Storage and search of massive quantities of data Standardization of repetitive procedures
All other Business Operations require human intervention Even computer operations require human intervention at some level
E.g., turning the computer on and off
In both business and computer operations Human interventions demand the most auditing
Automation & Operations Objectives
Operations should be about following predetermined procedures The appeal rests largely on the ability to reduce or alter the role of
people in the process The intent is to take people out of the loop entirely, Or to increase the likelihood that people will do what they are
supposed to do, and that they do it accurately People are flexible and clever We sometimes don’t want to take people out of the loop on a lot of
systems The problem is when a lot of things break at the same time.
There’ll probably be a few things that are hard to fix, a cascade of effects
Fully automated (computerized) procedures Can be audited once with a small data set And these results can be considered to hold over time
Operations ObjectivesWhat to look for in an audit
Production jobs are completed in time Output (information) are distributed on time Backup and recovery procedures are adequate
(requires risk analysis) Maintenance procedures adequately protect
computer hardware and software Logs are kept of all changes to HW & SW
Backup and Recovery Objectives Best Practices
Determination of appropriate recovery and resumption objectives for activities in support of critical markets. Core organizations should develop the capacity to recover and resume activities within
the business day on which the disruption occurs. The overall goal is to resume operations within two hours
Maintenance of sufficient geographic dispersion of resources to meet recovery and resumption objectives. back-up sites should not rely on the same infrastructure components used by the
primary site, and back-up operations should not be impaired by a wide-scale evacuation or
inaccessibility of staff that services the primary site
Routine use or testing of recovery and resumption arrangements. Testing should not only cover back-up facilities of the firm,
but connections with the markets, third party service providers and customers
Connectivity, functionality and volume capacity should be covered.
How Does Backup & Recovery Fit into your Risk Assessment Framework?
Your Toolkit: Computer Inventory, Risk Assessment Matrix, Dataflow Diagrams and Systems Components Hierarchy
Asset (Ex 2.1) Risk Assessment (Ex. 2.2 with improvements)
Primary OS OwnerApplication
Asset Value ($000,000 to Owner)*
Transaction Flow Description
Total Annual Transaction Value Flow managed by Asset($000,000)* Risk Description
Probability of Occurrence (# per Year)
Cost of single occurrence ($)
Expected Loss
Win XPReceiving Dock A/P 0.002
RM Received from Vendor 23 Theft 100 100 10000
Win XPReceiving Dock A/P 0.002
RM Received from Vendor 23
Obsolescence and spoilage 35 350 12250
Bu s in es s Ap p lic a t io nS y s tem s
T r an s ac tio n F lo w s
As s e t L o s s R is k s( I n te r n a l Au d its )
R ep o r t in g R is k s( E x te r n a l Au d it)
C o n tr o l P r o c es s R is k s( I n te r n a l & E x te r n a l
Au d its )
O p er a tin g S y s tem s( in c lu d in g D BM S , n e tw o r kan d o th e r s p ec ia l s y s tem s )
Har d w ar e P la tf o r m
Ph y s ica l a n d L o g ica lS e cu rity En v iro n m e n t
A u dit O bje ct iv e s
Prioritizing Backup & Recovery Tasks
Find the critical transactions (High value; High volume)
Identify the critical applications for processing these transactions
Identify the critical personnel including those you may not have hired or defined jobs for Who are essential to processing these transactions
Practicum:
Easy Clean
Evaluation of Internal Control Environment
Evaluate a new audit client's control environment. Provide an initial evaluation of certain components of
the client's control environment Appreciate the judgment involved in evaluating the
overall internal control environment based on interview data
Provide support for your internal control assessments
Controls Self Assessment
Chapter 10
What is ‘Control Self-Assessment’?
DEFINITION Control Self-assessment (CSA) is a leading edge process
in which auditors facilitate a group of staff members
who have expertise in a specific process,
with the objective of identifying opportunities for internal control enhancement pertaining to critical operating areas designated by management
Originally a way of measuring ‘soft controls' which traditional auditing found difficult to measure, e.g.
Management integrity, honesty, trust Willingness of employees to circumvent controls Employee morale
The tone and ethics of a firm are set by top management And this is a way of eliciting these
It’s become especially important post Sarbanes-Oxley
Why is CSA Important? Without commitment to good internal control
And inherent honest and ethical behavior of employees throughout the organization
Internal control systems (preventive, detective and corrective) Would quickly become the single most expensive part of the firm’s
accounting systems Internal and external audits would become prohibitively expensive Financial statements would lose their value to outside investors
Causing stock price to fall Bank borrowing interest rates to rise And firm operations to cease being competitive
This happened in some of Arthur Andersen’s clients Where financial statements came to be known as: Andersen’s Fairy Tales
COSO Framework
COSO (Committee of Sponsoring Organizations of the Treadway Commission) Founded in aftermath of the 1977 Lockheed Scandal
Internal Control was supposed to insure:Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
COCO Framework
CoCo (Criteria of Control Board) Founded by Canadian Institute of Chartered Accountants
The world’s premier group in setting internal auditing standards
Internal Control was supposed to insure:Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations & internal policies
Cadbury Framework
Committee of the Financial Aspects of Corporate Governance of the Institute of Chartered Accountants in England and Wales (Cadbury Committee … you can see why they adopted the latter name) Contemporaneous with CoCo
Internal Control was supposed to insure: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations Safeguarding of assets against unauthorized use of disposition Maintenance of proper accounting records and the reliability of
financial information used with in the business or for publication
COBIT Framework
COBIT (Control Objectives for Information and Related Technology) Contemporaneous with CoCo and Cadbury
Internal Control was supposed to insure: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations Safeguarding of assets against unauthorized use of disposition Maintenance of proper accounting records and the reliability of
financial information used with in the business or for publication
An important difference as COBIT was directed specifically towards Information Technology
SAC / eSAC Framework SAC (Systems Auditability and Control report)
Originally published in 1977, but updated in 1991-4 contemporaneous with CoCo and Cadbury
Internal Control insure the same things as CoCo and Cadbury But provide an extensive module-based framework
Audit & control Environment IT in Auditing Managing computer resources Managing Information and Developing System Business Systems End user and Departmental Computing Telecommunications Security Contingency Planning Emerging tech
An important difference as SAC / eSAC was directed specifically towards Information Technology, and provides more detailed direction for IT audits
SASs 55, 78 & 94
Extensions to the COSO Framework that are essentially summarized in SAS 94 (2001)
Specific IT related Internal Control risks are targeted: Reliance on IT that is inaccurately processing data Unauthorized access to data, destruction, inaccurate recording, privacy
breach Unauthorized changes to systems Failure to make needed changes to systems Inappropriate manual intervention Potential loss of data
SAS 94 also emphasizes the importance of specialized IT Auditing skills (important for this class)
Prisoner's dilemma Two suspects A, B are arrested by the police. The police have insufficient evidence for a conviction, and having separated both
prisoners, visit each of them and offer the same deal: If one testifies for the prosecution (turns King's Evidence) against the other and the other
remains silent, the silent accomplice receives the full 10-year sentence and the betrayer goes free.
If both stay silent, the police can only give both prisoners 6 months for a minor charge. If both betray each other, they receive a 2-year sentence each.
This can be summarized:
Prisoner A Stays Silent Prisoner A Betrays
Prisoner B Stays Silent Bother Serve 6 months
Prisoner B serves ten years; Prisoner A goes free
Prisoner B Betrays
Prisoner A serves ten years; Prisoner B goes free Both serve two years
The Dilemma Each prisoner has two options:
to cooperate with his accomplice and stay quiet, or to betray his accomplice and give evidence.
The outcome of each choice depends on the choice of the accomplice. However, neither prisoner knows the choice of his accomplice.
The optimal solution would be for both prisoners to cooperate with each other, as this would reduce the total jail time served by the group to one year total. Any other decision would be worse for the two prisoners considered together.
However by each following their individual interests, the two prisoners each receive a lengthy sentence
The optimal multiperiod prisoner’s dilemma strategy is called ‘Tit-for-Tat’ Cooperate by default If your opponent defects, you defect the next time, and then go back to cooperating if
they opponent cooperates on that next play Be nice, but disciplined (tough love)
Prisoner's dilemma (Corporate Setting) Two officers of the corporation – the CEO and the Comptroller are arrested for Financial
Reporting fraud The police have insufficient evidence for a conviction (they didn’t take my course) and
having separated both prisoners, visit each of them and offer the same deal: If one testifies for the prosecution against the other and the other remains silent, the silent
accomplice receives the full 10-year sentence and the betrayer goes free. If both stay silent, the police can only give both prisoners 6 months for a minor charge. If both betray each other, they receive a 2-year sentence each.
This can be summarized:
Comptroller Cooperates Comptroller Betrays
CEO Cooperates -.5,-.5 0,-10
CEO Betrays -10,0 -2,-2
The Deal (another view)
Or stated differently Here is how the deal will look to the CEO and the
Comptroller
Comptroller Cooperates Comptroller Betrays
CEO Cooperates Win-win Win much – lose much
CEO Betrays Lose much – win much Lose - lose
The Deal
Or stated differently Here is how the deal will look to the CEO and the
Comptroller
Comptroller Cooperates Comptroller Betrays
CEO Cooperates Cooperation, 6 months eachComptroller Temptation to Defect
payoff of zero years
CEO BetraysCEO Temptation to Defect payoff
of zero years Sucker’s Payoff (two years each)
Why Ethics are Important! The prisoner's dilemma is a type of non-zero-sum game
it is assumed that each individual player ("prisoner") is trying to maximize his own advantage, without concern for the well-being of the other players.
In Econo-speak: The Nash equilibrium for this type of game does not lead to Pareto optimums (jointly optimum solutions)
Each side has an individual incentive to cheat even after promising to cooperate. This is the heart of the dilemma.
In the iterated prisoner's dilemma the game is played repeatedly. Thus each player has an opportunity to "punish" the other player for previous non-
cooperative play. Cooperation may then arise as an equilibrium outcome. The incentive to cheat may then be overcome by the threat of punishment, leading to
the possibility of a superior, cooperative outcome.
As the number of iterations approach infinity, the Nash equilibrium tends to the Pareto Optimum, because when you face eternity the threat of grudges is a grave one indeed
Practicum:
Cendant Corporation Evaluating Risk of Financial Statement Fraud and Assessing the
Control Environment
Describe the auditor's responsibility for considering a client's internal controls
Describe the auditor's responsibility to detect material misstatements due to fraud
Identify red flags present during the audits of CUC International, Inc.'s financial statements, which suggest weaknesses in the company's control environment (CUC was the predecessor company to Cendant Corporation)
Identify red flags present during the audits of CUC's financial statements suggesting a higher likelihood of financial statement fraud
Identify management assertions violated as a result of the misstatements included in CUC's 1995 through 1997 financial statements (prior to its merger with HFS, Inc.)
Identify audit procedures that could have been performed to detect misstatements that occurred
Encryption and Cryptography
Chapter 11
Goal of Encryption
To reasonable ensure the Confidentiality Integrity and Authenticity
Of electronic storage and transmission of data System components:
Encryption Hashing Digital Signatures
Uses of Encryption The most obvious application of a public key encryption system is
confidentiality a message which a sender encrypts using the recipient's public key can only be decrypted by the recipient's paired private key
Public-key digital signature algorithms can be used for sender authentication For instance, a user can encrypt a message with his own private key and
send it If another user can successfully decrypt it using the corresponding public
key, this provides assurance that the first user (and no other) sent it
These characteristics are useful for many other applications digital cash, password-authenticated key agreement, multi-party key agreement
Types of Encryption Public key cryptography is a form of cryptography which generally allows users to
communicate securely without having prior access to a shared secret key, by using a pair of cryptographic keys, designated as public key and private key, which are related mathematically.
The term asymmetric key cryptography is a synonym for public key cryptography. In public key cryptography, the private key is generally kept secret, while the public key
may be widely distributed. In a sense, one key "locks" a lock; while the other is required to unlock it. It should not be possible to deduce the private key of a pair given the public key.
There are many forms of public key cryptography, including: public key encryption — keeping a message secret from anyone that does not possess a
specific private key. public key digital signature — allowing anyone to verify that a message was created with
a specific private key. key agreement — generally, allowing two parties that may not initially share a secret key
to agree on one. Typically, public key techniques are much more computationally intensive than purely
symmetric algorithms, but the judicious use of these techniques enables a wide variety of applications.
Applying the Keys
Asymmetric or Public Key Encryption
Privacy: Single Key Encryption
Encryption: scramble a message rendering it readable only to the intended recipient
Single-key encryption: Sender supplies a "key" to encrypt the message Receiver uses the same key to decrypt it. At least
that's how it works e.g., Federal Data Encryption Standard (DES) Not usable over insecure channels (if you have a
secure channel for exchanging keys, why do you need cryptography in the first place?)
Public Key Encryption
Two related complementary keys a publicly revealed key and a secret key (called a private key) Each key unlocks the code that the other key
makes.
Anyone can use a recipient's public key to encrypt a message to that person
That recipient uses her own corresponding secret key to decrypt that message
Digital Signature
Sender's secret key can be used to encrypt a message, thereby "signing" it.
This creates a digital signature which the recipient can check by using the sender's
public key to decrypt it. Proving that the sender was the true originator of the
message Proving that the message has not been subsequently
altered by anyone else Forgery of a signed message is infeasible The sender cannot later disavow his signature.
These two processes can be combined
Asymmetric or Public Key Encryption
PGP (Pretty Good Privacy)
What is PGP? Pretty Good Privacy (PGP) is strong encryption software that
enables you to protect your email and files by scrambling them so others cannot read them.
It also allows you to digitally "sign" your messages in a way that allows others to verify that a message was actually sent by you. PGP is available in freeware and commercial versions all over the world.
PGP was first released in 1991 as a DOS program that earned a reputation for being difficult.
In June 1997, PGP Inc. released PGP 5.x for Win95/NT. PGP 5.x included plugins for several popular email programs.
http://www.pgp.com/
Hashing
Uses one way ‘hash-function’ (i.e., you can’t determine the original message from the MAC)
And a block of data called the ‘message digest’ When both
Electronic message, and Cryptographic key
Are processed through a one-way hash function The resulting block of data is called
a message authentication code (MAC) If it doesn’t match the message, discard the transmission
Two common one-way hash functions are: Message Digest 5 (MD-5) Secure Hash Algorithm 1 (SHA-1)
‘Keys’ are just another Security Policy A security policy
establishes what must be done to protect information stored on computers
Keys are physical manifestations of “Authorization” Issuance and control of keys are just part of the authorization scheme.
Security policy defines the organization’s attitude to Assets, and announces internally and externally which assets are mission critical
Which is to be protected from unauthorized access, vandalism and destruction by 3rd parties
Effective information security policies Will turn staff into participants in the company’s security The process of developing these policies will help to define a company’s assets
Anyone who makes decisions or takes action in a situation where information is a risk incurs personal risk as well.
A security policy allows people to take necessary actions without fear of reprisal. Security policy compels the safeguarding of information,
while it eliminates, or at least reduces, personal liability for employees.
Who can revoke a key?
Obviously, a malicious (or erroneously) revocation of some (or all!) of the keys in the system will most likely be a system-wide failure
It is impossible to arrange things so that this can not happen (if keys can be revoked at all)
Because the principal having authority to revoke keys is very powerful, the mechanisms used to control it should involve as many
participants as possible to guard against malicious attacks, while at the same time as few as possible to ensure that a key
can be revoked without delay
How to distribute a new key
After a key has been revoked, a new key must be distributed in some pre-determined manner.
Assume that Carol's key has been revoked. Until a new key has been disseminated, Carol is effectively silenced. No one will be able to send her data without violating system security,
and data coming from her will be discarded for the same reason. Or, in other words, the part of the system controlled by Carol is
disconnected and so unavailable. The need for security was deemed higher than the need for availability in
this design. One could lump together the authority to create new keys (and
certify them) with the authority to revoke keys, but there is no need to do so. In fact, for reasons of security, this likely a bad idea.
How to spread the revocation
The notification that a key has been revoked and should not be used again must be spread to all those that potentially hold the key, and as rapidly as possible.
There are two means of spreading information (e.g., a key revocation here) in a distributed system: either the information is pushed to users from a central point(s), or it is pulled from a central point(s) to end users.
Pushing the information is the simplest solution in that a message is sent to all participants. However, there is no way of knowing that all participants actually receive the message, and, pushing is not very securable nor very reliable.
The alternative to pushing is pulling. In this setup, all keys are included within a certificate that requires the one using them to verify that the key is valid.
Recovery from a leaked key
If loss of secrecy and/or authenticity is a system-wide failure, a strategy for recovery must be in place.
This strategy will determine who has authority to revoke the key, how to spread the revocation, also how to deal with all messages encrypted with the key
since the leak is recognized This recovery procedure can be extremely
complicated, and while it is in progress the system might be very vulnerable to Denial of Service attacks
Practicum:
St James Clothiers
Evaluation of Manual & IT-Based Sales Accounting System Risks
Recognize risks in a manual-based accounting sales system Explain how an information technology-based accounting
system can reduce manual system risks Identify new risks potentially arising from the use of an
information technology (IT)-based accounting system Recognize issues associated with the process of converting
from a manual to an IT-based accounting system Prepare a formal business memorandum
Forensics and Ethics
Chapter 12
Why ‘Computer’ Crime?
‘Because that's where the money is‘ (c. 2005)
Money is no longer held in physical form
How much money is being handled daily by computer exchange systems in 2005? Foreign exchange $2 trillion daily Derivatives markets $5 trillion daily Outstanding derivatives positions $200 trillion NYSE daily activity $1.6 trillion daily
Types of Computer Crime:
Business as a Victim Employee Thefts Payroll Fraud Fraudulent Billing Schemes Fraud Committed by outsiders Management Thefts Corporate Thefts
Business as a Vehicle Organized Crime Money laundering Theft from Minority Shareholders Other Stock Market Fraud Bankruptcy Fraud
Crime’s new venue
The Internet (With an estimated 1 billion people ) is now in a golden age of criminal invention. It's a "dot-con" boom, in which electronic crime runs rampant in a frantic search for business
models. Even encryption, supposedly a defensive measure, has become a tool for extortion
witness the weird new crime of breaking into a computer, encrypting its contents, and then demanding a payoff to supply a password to the victim's own data.
The crime's so new, it doesn't even have a name yet. All the classic scams and rackets that city sharpies push on rubes can be digitized once there were a few relatively uncomplicated viruses, now there are torrents of fast-
evolving, multifaceted viruses. Where once there was just small-time credit-card fraud, now there is international credit-card
racketeering. Computer-network password theft has turned into sophisticated ID fraud that robs patrons of
banks and online auction sites. Spam, once an occasional rude violation of "netiquette," now arrives by the ton (12.9 billion
pieces a day worldwide last May, according to the e-mail security firm IronPort) Then there are the newer electronic crimes, proliferating so fast that even experts have
trouble keeping up with the jargon. Phishing. Spear phishing. Pharming. DDOS. DDOS protection rackets. Spyware. Scumware. Web site defacement. Botnets. Keylogging.
Hotspots for Internet crime
Brazil, Bulgaria, China, Estonia, Hungary, Indonesia, Japan, Latvia, Malaysia, North Korea, Romania, Russia, and the United States are major centers for organized hacking
Why are certain areas hotspots? Places where there's a significant amount of activity usually have
a technically advanced population and a large population of computer users.
You also have a poor economy, so you have people with the technical skills to do good work, but they can't find a job that will provide for them,
so they may have to resort to doing things that are against the law
These hotspots (other than the United States and Japan) also tend to be countries where laws and law enforcement lag hackers will find the weakest link, the country with no laws
Denial-of-service (DoS attack)
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include 1. attempts to "flood" a network, thereby preventing legitimate
network traffic
2. attempts to disrupt connections between two machines, thereby preventing access to a service
3. attempts to prevent a particular individual from accessing a service
4. attempts to disrupt service to a specific system or person Details are at
http://www.cert.org/tech_tips/denial_of_service.html
Zombies Zombies do a lot of the heavy lifting
malware-infected computers that an online puppet master controls Set to work in thousands or even tens of thousands, the machines in a zombie network or "botnet"
attempt to carry out the high-tech money grab. Botnets are popular because of their increasing sophistication and multiple uses.
versatile zombie armies pull in cash for their controllers in a variety of ways. Sending spam (a big money-maker)is one common use.
Zombie networks can also steal personal information for purposes of identity theft.
When botnets are used to launch a DDoS attack, the ringleader instructs each zombie computer to send a flood of data to a particular Web site. By itself, the data from a single PC can't hurt a site. But multiply that traffic by 10,000 or more computers, and a Web site can easily be overwhelmed and
cut off from the Internet.
E.g., MyDoom had a rather unsophisticated means of controlling host machines. Once it insinuated itself into an unprotected PC, anyone who knew a not-so-secret five-digit code could commandeer the computer for any
desired purpose As a result, MyDoom-compromised computers were very popular with online criminals for a
while
Botnets
Malware turned an average of 172,009 previously healthy computers into zombies every day during May 2005
CipherTrust, an e-mail security company that tracks botnets
As processing power improves and broadband Internet connections become more widespread, zombie computers will be able to send more spam or hit Web sites harder
and botnets will become more powerful. Also, the ability to shuffle funds
including ransom payments anonymously through convoluted Internet paths using human
mules (in much the same way as in the drug trade) and online payment services
means that criminals can revisit old approaches.
Cops and Robbers Some botnets consist of phalanxes of from 15,000 to 50,000 zombie PCs
that are controlled by groups of people dispersed around the world Christopher Painter, deputy chief of the Computer Crime
section of the U.S. Department of Justice.
Most perpetrators are adults who execute extremely sophisticated assaults. "They don't brag, and they cover their tracks very well," (Painter)
One notorious cybergang, called Shadowcrew, reportedly had 4000 members scattered across the United States, Brazil, Spain, and Russia.
Objectives
Money is these cybergangs' primary motivation The asking price for temporary use of an army of
20,000 zombie PCs today is $2000 to $3000, according to a June posting on SpecialHam.com, an electronic forum for hackers
Marshaling their armies of zombie PCs, online extortionists may threaten to crash a company's Web site unless they are paid off.
Hackers are not shy about asking for $20,000 to $30,000 from companies.
Payoffs
Companies know it's far cheaper to pay the hackers than to get knocked offline and lose hundreds of thousands of dollars in lost business Many extortionists go unreported because businesses are
unwilling to volunteer evidence of their coercion to law enforcement officials, corporations don't want to admit to their customers,
stockholders, and business partners their networks were ever vulnerable to an attack.
only about 20 percent of computer intrusions are ever reported to law enforcement agencies.
The US Secret Service receives between 10 and 15 inquiries per week from businesses owners who believe they may be the target of a cyberattack.
2004 survey conducted by the Computer Security Institute
Client-side Targets
About 60 percent of new vulnerabilities now affect client-side applications like Web browsers and media players And those vulnerabilities are drawing all the wrong sorts of
attention In 2005, unwanted network traffic targeting Symantec Veritas
BackupExec rocketed to 500,000 instances within days of an announced
security hole in the product, up from a previous maximum of about 50,000 instances.
Microsoft Office, Internet Explorer, Firefox, and AOL Instant Messenger also suffered from serious reported vulnerabilities, as did RealPlayer and iTunes
Focus of Client-side Attacks
Attackers now target backup and recovery programs, as well as "the antivirus and other security tools that
most organizations think are keeping them safe SANS Top 20 report for 2005 on the most critical Internet
vulnerabilities
The shift toward finding and exploiting vulnerabilities in programs represents a major change from past years, when Windows and other operating systems and Internet
services like Web and e-mail servers were the preferred targets.
Phishing California has passed an antiphishing law,
the Anti-Phishing Act of 2005 With the passage of the Anti-Phishing Act of 2005, California joins such
states as Texas, New Mexico, and Arizona, all of which adopted antiphishing legislation earlier this year.
Phishing victims are typically sent fraudulent e-mail designed to trick them into revealing personal information, like bank account numbers, user names, and passwords. Under the Anti-Phishing Act, these victims may seek to recover either
the cost of the damages they have suffered or $500,000, whichever is greater; government prosecutors can also seek penalties of up to $2500 per phishing violation.
Phishing attacks have been on the rise. Research firm Gartner estimates that 73 million U.S. Internet users received phishing e-mails during the 12 months ended May 2005, up 28 percent from the previous year.
Malware
The mischief-making hacker of the 1990s gives way to the determined high-tech thief of the 21st century The 2005 E-Crime Watch survey of security and law
enforcement estimated an average loss of $506,670 per organization due to
malware It's gotten so bad that the U.S. Secret Service and Carnegie
Mellon University's Computer Emergency Response Team (CERT)
last year stopped publishing the number of computer crime incidents, saying: "Given the widespread use of automated attack tools, attacks
against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks."
How to Build a Legal Case: Inference Network Analysis
Legal cases are proved through inferences. These inferences, built in chains, must lead logically from
point A to point B He strength (or weakness) of these inferences determines the
strength of the legal case
E v id en c e P r o o fI n f e r en c e
Chain of Inferences
D ef en d en t Vic timm u r d er
Suppose we want to link the defendant (and ex-football player and aspiring movie star) to the murder of his ex-wife
Initially the evidence is weak (dotted line)
The defendant and victim were divorced, and that may have been motive for the murder, but that is a weak case
D ef en d en t G lo v em u r d er
Vic timD N A
D ef en d an t O w n er s h ipm u r d er
D N AG lo v e Vic tim
Un iq u e
D ef en d an t O w n er s h ip
D N AG lo v e Vic tim
Un iq u eD N A
Analytical and Automated Fraud Auditing Approaches
Looks at the general (qualitative) factors of a company. Based on tangible and measurable factors (quantitative).
Used in conjunction with tests of transactions and substantive tests Analytical techniques provide an important, macro-level,
detective control over fraud and misstatement in financial statements
Goals Such an analysis has for objective to assess the firm's:
performance, for the management to improve it, solvency, so as for a bank or a supplier to grant a credit, potential value to decide an investment or divestment. Then it is called
fundamental analysis and is linked to business valuation and stock valuation
How to: Analytical Techniques Compare financial ratios (of solvency, profitability, growth...)
between several periods (the last 5 years for example) and between similar firms.
Those ratios are calculated by dividing a (group of) account balance(s), taken from the balance sheet and / or the income statement, by another,
for example : Net profit / equity = return on equity Gross profit / balance sheet total = return on assets Stock price / earnings per share = P/E-ratio
Where to find the data Company websites almost every public company has a website or investor relations department.
For the most current quarterly or annual report you might want to check in these places first.
http://www.gm.com/company/investor_information/stockholder_info/
Securities and Exchange Commission (SEC) - The information posted in the "EDGAR" database includes the annual report (known as the 10-K), quarterly report (10-Q), and a myriad of other forms that contain every type of financial data.
http://www.edgar-online.com/products/edgarpro.aspx
Hoovers.com - another source for company analysis (some of the data requires a subscription)
http://www.hoovers.com/free/
Fraud Detection Using Digital Analysis
A growing area of fraud prevention and detection involves the examination of patterns in data – i.e., Digital Analysis
The rationale is that unexpected patterns can be symptoms of fraud. A simple example of the application of this technique is a search for duplicate transactions, such as identical invoice or vendor numbers for the same amount.
A simple digital analysis technique is to search for invoices with even dollar amounts, such as $200.00 or $5,000.00. The existence of particular even amounts may be a symptom of
fraud and should be examined.
Ratio Analysis Another useful fraud detection technique is the calculation of data analysis ratios
for key numeric fields. Like financial ratios that give indications of the financial health of a company,
data analysis ratios report on the fraud health by identifying possible symptoms of fraud.
Three commonly employed ratios are: * the ratio of the highest value to the lowest value (max/min); * the ratio of the highest value to the second highest value (max/max2); and * the ratio of the current year to the previous year.
For example, auditors concerned about prices customers were being charged for products could calculate the ratio of the maximum sales price to the minimum sales price for each product. If the ratio is close to 1.0, they can be sure that there is little variance between the
highest and lowest prices charged to customers. However, if the ratio is large this could indicate that a customer was being charged too
much or too little for the product.
Benford's Law
Benford's Law, developed by Frank Benford in the 1920s, predicts the occurrence of digits in data. Benford's Law concludes that the first digit in a large population of transactions (10,000 plus) will most often be a 1. Less frequently will the first digit be a 2; even less frequently a 3.
An analysis of the frequency distribution of the first or second digits can detect abnormal patterns in the data and may identify possible fraud. An even more focused test can be used to examine the frequency distribution of the first two digits (FTD). The formula for the expected frequencies is:
Expected FTD Frequency = log(1+1/FTD) Therefore, the expected frequency of 13 is log(1+1/13). The expected
frequencies range from 0.041 for 10, to 0.004 for 99. Some audit software programs can be used to determine the frequency
distribution for first digits, first two digits, and second digits.
Note: not all data will have distributions as predicted by Benford's Law. Sometimes there is valid rationale for certain numbers occurring more frequently than expected. For example, if a company sends a large amount of correspondence via courier, and the cost is a standard rate ($6.12) for sending a package of under one pound, then the first digit (6) or the first two digits (61) may occur more often than predicted by Benford's Law.
Practicum:
Burlington Bees
Using Analytical Procedures as Substantive Tests OBJECTIVES
Use analytical procedures to develop expectations for revenue accounts
Recognize factors that lead to precise expectations of account balances
Appreciate the degree of professional judgment involved in evaluating differences between expected and reported account balances
Understand the audit planning implications of using analytical procedures as substantive tests of account balances
Back –Of-envelope calculations for Game attendance
New Challenges from the Internet: Privacy, Piracy, Viruses
Course Wrap-up
Password Cracking
Password cracking is the process of recovering secret passwords from data that has been stored in or transmitted by a computer system, typically, by repeatedly verifying guesses for the password
The purpose of password cracking might be to help a user recover a forgotten password (though installing an entirely new password is less of a security risk), to gain unauthorized access to a system, or as a preventive measure by the system administrator to check for easily crackable passwords.
Guessing Not surprisingly, many users choose weak passwords, usually one related to
themselves in some way. It may be: blank the word 'password' the user's name or login name the name of their significant other or another relative their birthplace or date of birth a pet's name automobile licence plate number and so on,
Some users even neglect to change the default password that came with their account on the computer system. And some administrators neglect to change default account passwords provided by
the operating system vendor or hardware supplier.
A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password, and such service accounts often have higher access privileges than a normal user account.
The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information.
Dictionary attack A dictionary attack also exploits the tendency of people to choose weak
passwords,
Password cracking programs usually come equipped with "dictionaries", or word lists, with thousands or even millions of entries of several kinds, including:
words in various languages names of people places commonly used passwords
The cracking program encrypts each word in the dictionary, and simple modifications of each word, and checks whether any match an encrypted password. This is feasible because the attack can be automated and, on inexpensive modern
computers, several thousand possibilities can be tried per second
Guessing, combined with dictionary attacks, have been repeatedly and consistently demonstrated for several decades to be sufficient to crack perhaps as many as 50% of all account passwords on production systems.
Brute force attack Try every possible password up to some size,
This is known as a brute force attack.
As the number of possible passwords increases rapidly as the length of the password increases, this method is unlikely to be successful unless the password is relatively small
How small is too small? A common current recommendation is 8 or more randomly chosen characters combining letters,
numbers, and special (punctuation, etc) characters
Systems which limit passwords to numeric characters only, or upper case only, or, generally, which exclude possible password character choices make such attacks easier.
Using longer passwords in such cases (if possible on a particular system) can compensate for a limited allowable character set.
The real threat may be likely to be from smart brute-force techniques that exploit knowledge about how people tend to choose passwords.
Most commonly used hashes can be implemented using specialized hardware, allowing faster attacks. Large numbers of computers can be harnessed in parallel, each trying a separate portion of the search space. Unused overnight and weekend time on office computers can also be used for this purpose.
Precomputation Precomputation involves hashing each word in the dictionary or any search space of candidate passwords and storing the <plaintext, ciphertext> pairs in a way that enables
lookup on the ciphertext field This way, when a new encrypted password or is obtained, password
recovery is instantaneous
There exist advanced precomputation methods that are even more effective. By applying a time-memory tradeoff, a middle ground can be reached a search space of size N can be turned into an encrypted database of
size O(N2/3) in which searching for an encrypted password takes time O(N2/3).
The theory has recently been refined into a practical technique, and the online implementation at http://passcracking.com/ achieves impressive results on 8 character alphanumeric MD5 hashes.
Salting (a remedy)
The benefits of precomputation and memoization can be nullified by randomizing the hashing process
This is known as salting
When the user sets a password, a short string called the salt is suffixed to the password before
encrypting it; the salt is stored along with the encrypted password so that it can
be used during verification Since the salt is different for each user,
the attacker can no longer use a single encrypted version of each candidate password.
If the salt is long enough, the attacker must repeat the encryption of every guess for each user, and this can only be done after obtaining the encrypted
password record for that user.
Programs for password cracking
John the Ripper John the Ripper is password cracking software. Initially developed
for the UNIX operating system, It currently runs on fifteen different platforms.
It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects, and includes a customisable cracker.
The encrypted password formats which it can be run against include various DES formats, MD4, MD5, Kerberos AFS, and Windows LM hash. Additional modules have extended its ability to include passwords stored in LDAP, MySQL and others.
John is designed to discover weak passwords from the encrypted information in system files. It operates by taking text strings (usually from a file containing words found in a dictionary), encrypting it in the same format as the password being examined, and comparing the output to the encrypted string. It also offers a brute force mode.
Programs for password cracking
L0phtCrack
L0phtCrack is a password auditing and recovery application (now called LC5),
originally produced by L0pht Heavy Industries (later produced by @stake and now by Symantec, which acquired @stake in 2004)
It is used to test password strength and to recover lost Microsoft Windows passwords,
by using dictionary, brute-force, and hybrid attacks. It is one of the crackers' tools of choice
Practicum:
Henrico Retail
Understanding the IT Accounting System and Identifying Audit Evidence for Retail Sales
Outline the audit trail for processing retail sales transactions Develop audit plans for gathering evidence to test the
existence and valuation of retail sales Recognize when audit evidence must be gathered
electronically if a traditional paper trail is absent
Identifying audit trails in preparation for flowcharting accounting cycle processing required for writing an audit program