Final Exam Review: IS Audit (ISMT 350)

Time & Venue: 7 Dec 2006, 10:30 to 11:50 am

Note: You will be allowed one A4 sized sheet of paper as a “Cheat Sheet” for your reference during the IST300S Final Exam. You can fill out both sides, and there are no limits on handwriting, font, or techniques for the information you place on the page. No other materials will be allowed during the exam.

Classes of Things You have Learned

Concepts: Things you need to know. These include theories and frameworks, and facts.

Activities and Tasks: Things an auditor needs to do.

Tools: Used to make audit decisions.

Logical Structure of the Course, With Readings from the Text

(Figure: course map. Topics and the chapters read for each:)

IS Auditing: Current and Future Issues in IS Auditing

IS Components: Ch. 1 & 2

Audit Components: Ch. 3 & 4

Controls over IS Assets: Ch. 7 & 8

Procedural Controls: Ch. 9

Audit Standards and Procedures: Ch. 10

Forensics and Fraud Audits: Ch. 12

Encryption: Ch. 11

Prac·ti·cum (prăk-tĭ-kəm), noun: Lessons in a specialized field of study designed to give students supervised practical application of previously studied theory.

Student Competence / Case Study:

1. Evaluating IT Benefits and Risks: Jacksonville Jaguars

2. The Job of the Staff Auditor: A Day in the Life of Brent Dorsey

3. Recognizing Fraud: The Anonymous Caller

4. Evaluating a Prospective Audit Client: Ocean Manufacturing

5. Inherent Risk and Control Risk: Comptronix Corporation

6. Evaluating the Internal Control Environment: Easy Clean

7. Fraud Risk and the Internal Control Environment: Cendant Corporation

8. IT-based vs. Manual Accounting Systems: St James Clothiers

9. Materiality / Tolerable Misstatement: Dell Computer

10. Analytical Procedures as Substantive Tests: Burlington Bees

11. Information Systems and Audit Evidence: Henrico Retail

IS Audit Programs

Chapter 2

What is IS Auditing?

Why is it Important?

What is the Industry Structure?

Attestation and Assurance

Auditing

(Figure: the physical world and the parallel (logical) world of accounting. Labels: External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; Transactions; Journal Entries; Ledgers: Databases; 'Owned' Assets and Liabilities; Reports: Statistics; Accounting Systems; Audit Program; Audit Report / Opinion; Corporate Law; Auditing; Attestation; Tests of Transactions; Substantive Tests; Analytical Tests.)

How Auditors Should Visualize Computer Systems

(Figure: layered view of a computer system with the audit objectives attached to it. Labels: Business Application Systems; Transaction Flows; Asset Loss Risks (Internal Audits); Reporting Risks (External Audit); Control Process Risks (Internal & External Audits); Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment; Audit Objectives.)

The IS Auditor’s Challenge

Corporate Accounting is in a constant state of flux because of advances in Information Technology applied to Accounting.

Information that is needed for an Audit is often hidden from easy access by auditors, making computer knowledge an important prerequisite for auditing.

IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations.

The Challenge to Auditing Presented by Computers

Transaction flows are less visible.

Fraud is easier: computers do exactly what you tell them. To err is human; but to really screw up you need a computer.

Audit samples require computer knowledge and access.

Transaction flows are much larger (good for the company, bad for the auditor).

Audits grow bigger and bigger from year to year, and there is more pressure to eat hours.

Environmental, physical and logical security problems grow exponentially.

Externally originated viruses and hacking are the major source of risk (10 years ago it was employees).

The Challenge to Auditing Presented by The Internet

Transaction flows are external: external copies of transactions exist on many Internet nodes.

External Service Providers for accounting systems require giving control to outsiders with different incentives.

Audit samples may be impossible to obtain, because they require access to 3rd party databases.

Transaction flows are intermingled between companies.

Environmental, physical and logical security problems grow exponentially.

Externally originated viruses and hacking are the major source of risk (10 years ago it was employees).

Practicum:

A Day in the Life of Brent Dorsey

A Staff Auditor’s Professional Pressure

Understand some of the pressures faced by young professionals in the workplace

Generate and evaluate alternative courses of action to resolve a difficult workplace issue

Understand more fully the implications of "eating time" and "premature sign-off"

More fully appreciate the need to balance professional and personal demands

Ideas, not Things, have Value … and these ideas are tracked in the computer

(Figure: chart of Asset Intensity (Fixed Assets / Sales), scale 0 to 16, against 5-yr Shareholder Return %, scale -100 to 600; companies are rank ordered by increasing return.)

How Accounting has had to Change Because of Business Automation

(Figure: two value-added diagrams. Before automation, Manufacturing Value Added to the Consumer: Material 50%, Labor 30%, Capital 20%, total 110%. After automation: Material 5%, Labor 5%, Capital 10%; Knowledge Integrators drawing on a Knowledge Base (uncertain claims, contributions and property rights) 80%; total 110%; Manufacturing Specifications; Finished Product 20%.)

Flowcharting Accounting Systems

Each bubble is associated with a person or entity that is responsible for that process. The same individuals with managerial control, accountability, and responsibility for the process should all be responsible for the same bubble.


Flowcharting Accounting Systems

A data flow diagram

Data Flow Diagram Notations


Flowcharting Accounting Systems

A process transforms incoming data flow into outgoing data flow.


Flowcharting Accounting Systems

Datastores are repositories of data in the system.

They are sometimes also referred to as databases or files.


Flowcharting Accounting Systems

Dataflows are pipelines through which transactions (packets of information) flow.

Label the arrows with the name of the data that moves through it.

Flowcharting Accounting Systems

External entities are entities outside the firm, with which the accounting system communicates (e.g., vendors, customers, advertisers, etc.).

External entities are sources and destinations of the transaction input and output.


Flowcharting Accounting Systems

The Context diagram lists all of the external relationships

Flowcharting Accounting Systems … Levels

Context (also known as Level 0) data flow diagram: it only contains one process node (process 0) that generalizes the function of the entire system in relationship to external entities.

DFD levels

The first level DFD shows the main processes within the system.

Each of these processes can be broken into further processes until you reach the level at which individual actions on transaction flows take place.

If you use SmartDraw: Drawing Nested DFDs in SmartDraw. You can easily nest data flow diagrams in SmartDraw. Draw the high-level diagrams first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.

The Datastore

The Datastore is used to represent Ledgers and Journals, or, more often in the current world, their computer-implemented counterpart, since almost no one keeps physical records.

Flowcharting Accounting Systems … Lower Level with Multiple Processes

Data Flow Diagram Layers: Draw data flow diagrams in several nested layers. A single process node on a high level diagram can be expanded to show a more detailed data flow diagram.


Practicum:

Jacksonville Jaguars

Assurance Services for the Electronic Payments System of a privately held company

Identify benefits, costs and risks to businesses from implementing information technologies

Determine how CPAs can provide assurance about processes designed to reduce risks created when new IT systems are introduced

Understand ways CPAs can identify new assurance services opportunities (i.e., new areas for revenue generation)

Identifying Computer Systems

Chapter 1

1. Identifying what you are going to audit

2. The Computer Asset Inventory

3. Identification of Transactions, and Risk Levels

4. Audit programs for high risk transactions

Audit Program

Audit programs are checklists of the various tests (audit procedures) that auditors must perform within the scope of their audits to determine whether key controls intended to mitigate significant risks are functioning as designed.

Objective: To determine the adequacy of the controls over the particular accounting processes covered by the audit program. This is fundamentally what the assurance and attestation aspects of the audit are expected to achieve during the ‘tests of transactions’ or mid-year or internal control tests.

The objective

The reason for an audit is to write an opinion, saying:

Stock price is fairly stated (external)

Control processes are effective (internal & external)

Assets are not at risk of theft or damage (internal)

We only need to identify computer systems where one or more of these objectives is affected.

Benefits

The use of audit programs is fairly standard for audit firms, and is considered good business practice. List three (3) benefits to the audit firm of using an audit program:

They improve resource planning (where to spend money and employ people on an audit)

They promote consistency from year to year when personnel and situations of an audit change

Prior years’ programs are the basis for the current year’s audit procedures

Anything else that seems reasonable


Control assessment

Information systems audit programs should assess the adequacy of controls in four (4) areas.

1. Environmental controls

2. Physical security controls

3. Logical security controls

4. IS operating controls

Computer Assets

(Figure: classes of computer assets. Labels: Central Processing Unit; Memory (RAM / ROM); Peripheral Processor (Video, Bus, Etc.); Network Devices; Optical & Magnetic Media; Operating Systems; Specialized O/S; Network O/S; Database O/S; Utilities; Programming Languages, Tools & Environments; Utilities and Services; Applications.)

The main categories of Computer Applications, and their relative importance

Information Technology Market | Annual Expenditures ($US billion) | Employees (thousand) | Major Suppliers
Operations & Accounting | 500 | 2000 | US, India
Search & Storage | 1000 | 5000 | US
Tools | 300 | 300 | US, Germany
Embedded | 1500 | 700 | US, Japan, Korea, Greater China
Communications | 700 | 2000 | US, Germany, Japan, Greater China
Total | 4,000 | 10,000 |

For comparison: GWP ~$45 trillion (Pop: 6 billion); US GDP ~$10 trillion (Pop: 300 million).

The Risk Assessment Database

Asset (Ex 2.1) columns: Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)*

Risk Assessment (Ex. 2.2 with improvements) columns: Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss

Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft | 100 | 100 | 10000
Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12250
Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc

*Whether you list depends on Audit Materiality

Materiality

Materiality represents the maximum, combined, financial statement misstatement or omission that could occur before influencing the decisions of reasonable individuals relying on the financial statements.

The magnitude and nature of financial statement misstatements or omissions will not have the same influence on all financial statement users.

For example, a 5 percent misstatement with current assets may be more relevant for a creditor than a stockholder, whereas a 5 percent misstatement with net income before income taxes may be more relevant for a stockholder than a creditor. Therefore, the primary consideration when determining materiality is the expected users of the financial statements.

The specific amounts established for each financial statement element must be determined by considering the primary users as well as qualitative factors.

For example, if the client is close to violating the minimum current ratio requirement for a loan agreement, a smaller planning materiality amount should be used for current assets and liabilities.

Conversely, if the client is substantially above the minimum current ratio requirement for a loan agreement, it would be reasonable to use a higher planning materiality amount for current assets and current liabilities.

Planning materiality should be based on the smallest amount established from relevant materiality bases to provide reasonable assurance that the financial statements, taken as a whole, are not materially misstated for any user.
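An added worked example (not from the slides) tying the Risk Assessment Database above to the materiality rule just stated: Expected Loss is occurrences per year times cost per occurrence, planning materiality is the smallest amount across the bases, and only assets whose annual transaction value flow reaches that amount are listed. The materiality bases, the percentages and the third table row are constructed assumptions.

```python
# Added worked example (not from the slides): the Risk Assessment Database
# rows from Ex. 2.2, with Expected Loss computed and a planning materiality
# threshold deciding which rows to list. The materiality bases, percentages
# and the "Mail Room" row are constructed assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RiskRow:
    """One row of the Risk Assessment Database (Ex. 2.1 asset + Ex. 2.2 risk)."""
    primary_os: str
    owner: str
    application: str
    asset_value_musd: float           # Asset Value ($000,000 to Owner)
    transaction_flow: str
    annual_flow_musd: float           # Total Annual Transaction Value Flow ($000,000)
    risk: str
    occurrences_per_year: float       # Probability of Occurrence (# per Year)
    cost_per_occurrence_usd: float    # Cost of single occurrence ($)

    def expected_loss(self) -> float:
        """Expected Loss ($ per year) = occurrences per year x cost per occurrence."""
        return self.occurrences_per_year * self.cost_per_occurrence_usd


def planning_materiality(bases: Dict[str, Tuple[float, float]]) -> float:
    """Planning materiality is the smallest amount across the relevant bases.

    bases maps a base name to (base amount in $, percentage as a fraction).
    """
    if not bases:
        raise ValueError("at least one materiality base is required")
    return min(amount * pct for amount, pct in bases.values())


def rows_to_list(rows: List[RiskRow], materiality_usd: float) -> List[RiskRow]:
    """Keep rows whose annual transaction value flow through the asset reaches
    planning materiality (the table's footnote: whether you list depends on
    Audit Materiality), ranked by Expected Loss, highest first."""
    listed = [r for r in rows if r.annual_flow_musd * 1_000_000 >= materiality_usd]
    return sorted(listed, key=lambda r: r.expected_loss(), reverse=True)


# The two example rows from the deck, plus one constructed immaterial row.
SAMPLE_ROWS = [
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor", 23,
            "Theft", 100, 100),
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor", 23,
            "Obsolescence and spoilage", 35, 350),
    RiskRow("Win XP", "Mail Room", "Petty cash", 0.001, "Postage refunds", 0.05,
            "Theft", 12, 40),                      # constructed row
]

# Constructed materiality bases, borrowing the 5 percent figure the
# Materiality slide mentions: current assets and net income before taxes.
SAMPLE_BASES = {
    "current assets": (40_000_000, 0.05),
    "net income before income taxes": (6_000_000, 0.05),
}


def risk_report(rows: List[RiskRow], bases: Dict[str, Tuple[float, float]]) -> List[str]:
    """Return one 'Owner / Risk: expected loss' line per listed row."""
    pm = planning_materiality(bases)
    return [f"{r.owner} / {r.risk}: expected loss ${r.expected_loss():,.0f}"
            for r in rows_to_list(rows, pm)]


if __name__ == "__main__":
    print(f"Planning materiality: ${planning_materiality(SAMPLE_BASES):,.0f}")
    for line in risk_report(SAMPLE_ROWS, SAMPLE_BASES):
        print(line)
```

With these assumptions the $300,000 net-income base is the binding one, so the $50,000 petty-cash flow drops out of the listing while both Receiving Dock rows stay, spoilage ranking above theft.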


Tolerable misstatement

This is essentially materiality for individual financial statement accounts. The amount established for individual accounts is referred to as "tolerable misstatement."

Tolerable misstatement represents the amount an individual financial statement account can differ from its true amount without affecting the fair presentation of the financial statements taken as a whole.

Establishment of tolerable misstatement for individual accounts enables the auditor to design and execute an audit strategy for each audit cycle.

Tolerable misstatement should be established for all balance sheet accounts (except "retained earnings" because it is the residual account).

Practicum:

Dell Computer

This is the case that required you to come up with hard numbers for materiality!

Determine planning materiality for an audit client

Allocate planning materiality to financial statement elements

Provide support for your materiality decisions


IS Security

Chapter 3

What is Security?

Security involves the protection of a person, property or organization from attack: knowing the types of possible attacks, being aware of the motivations for attacks and your relationship to those motives. Proper security makes it difficult to attack, threatens counter-measures, or makes a pre-emptive attack on a source of threat.

IS Security is a collection of investments and procedures that protect information stored on computers, and protect Hardware and Software assets, from theft or vandalism by 3rd parties.

What is a Lock & Key?

A Lock is a security system; the key is its password.

Keys used to be worn visibly around the neck, as a sign of authority (similar to employee badges today).

Newer Technology: Badges and electronic keys; Biometrics (M-28 fingerprint lock at right); Remote controls (Lexus keys).

‘Keys’ are just another Security Policy.

Effective security policy

Security policy defines the organization’s attitude to Assets, and announces internally and externally which assets are mission critical, which is to be protected from unauthorized access, vandalism and destruction by 3rd parties.

Effective information security policies will turn staff into participants in the company’s security. The process of developing these policies will help to define a company’s assets.

An effective security policy also protects people. Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well. A security policy allows people to take necessary actions without fear of reprisal. Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.

IP

There are four types of Intellectual Property (IP) that are protected by law: Copyright, Patent, Trade secret, Trademark.

Two aspects of the use of IP are covered by intellectual property laws: Right of publicity, Privacy.

Almost All Security Controls use the Lock & Key paradigm: Authorization system = Who gets a Key (And Why?); Password, etc. = Key; Encryption algorithms, SSL, etc. = Lock.

Entry into Computer Crime

This flowchart describes the points at which Control Processes may be created to stop criminals.

Controls may: prevent access to the asset; detect asset access; correct the problems or losses after an illicit access. Remember that criminals specialize in one type of crime.

(Figure: flowchart of the path into computer crime. Nodes: Personal Background; Learning Skills to Commit Crime; Reaction to Chance Event; Motives; Choose "Best" Option; Decision / Action Matrix (Select Asset vs. Don't Select; Commit Crime vs. Don't Commit) with cell labels: Unfamiliar, Not enough value; N/A; Face Penalties, Enjoy Rewards; Too Hard, Monitored; Premeditated / Un-premeditated.)

Bringing a computer crime to court

Step | Potential Terminal Outcome
Crime committed | Not detected
Reported | Not investigated
Investigation | Unsolved
Arrest | Released without prosecution
Booking | Released without prosecution
Preliminary appearance in court | Charges dropped or dismissed
Bail or detention | (none listed)
Adjudication | Arbitration, Settled "Out of Court"
Arraignment | Charge dismissed
Trial | Acquitted
Sentencing | Appeal
Sentencing | Probation
Sentencing | Prison

Practicum:

The Anonymous Caller

Recognizing It's a Fraud and Evaluating What to Do

How would you politely and ethically handle a ‘dodgy’ request for help?

Appreciate real-world pressures for meeting financial expectations

Distinguish financial statement fraud from aggressive accounting

Identify alternative actions when confronted with suspected financial statement fraud

Develop arguments to resist or prevent inappropriate accounting techniques


Utility Computing and IS Service Organizations

Chapter 4

Old and New

Service Organizations like EDS are in the business of running IS shops; only the transactions are handled by the client.

They are being replaced by Utility Computing, which is an outgrowth of software vending business models, particularly those of Oracle, SAP and Salesforce.com.

Why do firms choose Utility computing?

Utility computing offers greater flexibility in the creation of computing environments when they are needed. It opens up usage-based pricing and reduces users' use of capital.

Utility Computing allows an organization to have the ability to harness latent computing power and resources, regardless of application or other physical or organizational boundaries. It allows an organization to virtually repurpose operating systems, application mix, processing power, and storage to the immediate needs of the corporation, to meet new demand or to rapidly create computing environments for projects.

Pervasiveness of Utility Computing

Recent moves like Oracle's acquisition of Siebel, and the growing popularity of software-as-a-service vendors like Salesforce.com, are indicators that the software industry is tilting toward an on-demand future.

Still, on-demand services are likely to account for less than 10 percent of business application use through 2010 (Gartner).

The reason is that the on-demand model is not suitable for complex business uses like logistics support and order handling, nor for large complex companies requiring business process support.

But the "complexity constraint bar" will rise over time since on-demand vendors can add functionality easily.

Consequences: Control of Data and Programs

Copies of data outside the organization: accounting transactions (fraud, loss, alteration); personnel and customer records (privacy, theft).

Operation of programs may be less well understood since there are no in-house experts. This may lead to more audit exceptions.

The Risk Assessment Database

Asset (Ex 2.1) columns: Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)*

Risk Assessment (Ex. 2.2 with improvements) columns: Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss

Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft | 100 | 100 | 10000
Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12250
Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc

*Whether you list depends on Audit Materiality

Practicum:

Ocean Manufacturing

Deciding whether to accept a new client

Understand the types of information relevant to evaluating a prospective audit client

List some of the steps an auditor should take in deciding whether to accept a prospective client

Identify and evaluate factors important in the decision to accept or reject a prospective client

Understand the process of making and justifying a recommendation regarding client acceptance

Physical Security: Chapter 7

Logical Security: Chapter 8

Security Policy

(Figure: management control model showing how information systems feed manager action. Labels: Environmental; Competitive; Internal Financial; Internal Non-financial; Profitability; Efficiency; Growth; Survival; Quantity; Quality; Cost; Time; Manpower; Money; Machines; Methods; Materials; Plan; Organize; Actuate; Control; Information; Inputs; Outputs; Objectives; Manager Action; Information System(s).)

Strategy and Policy

Strategy defines the way that Top Management achieves corporate objectives.

Policy is a written set of procedures, guidelines and rules, designed to accomplish a subset of strategic tasks by a particular subgroup of employees.

Effective security policy

An effective security policy also protects people. Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well. A security policy allows people to take necessary actions without fear of reprisal. Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.

Page 55: Effective information security policy

Information security policy defines the organization's attitude to information, and announces internally and externally that information is an asset which is to be protected from unauthorized access, modification, disclosure and destruction.

Effective information security policies turn staff into participants in the company's security, and the process of developing these policies helps to define the company's information assets.

Page 56: Why Do You Need a Security Policy?

A security policy should:
- Protect people and information
- Set the rules for expected behaviour by users, system administrators, management and security personnel
- Authorize security personnel to monitor, probe and investigate
- Define and authorize the consequences of violation

Page 57: The Three Elements of Policy Implementation

Standards: specify the use of particular technologies in a uniform way. The example the book gives is the standardization of operating procedures.

Guidelines: similar to standards, but they are recommended rather than mandatory actions.

Procedures: the detailed steps that must be performed to carry out a given task.

Page 58: Steps to Creation of IS Security Policy (Policy Development Lifecycle)

1. Senior management buy-in
2. Determine a compliance grace period
3. Determine resource involvement
4. Review existing policy
5. Determine research materials (Internet, SANS, white papers, books, ...)
6. Interview the parties who are Responsible for, Accountable for, or Controlling the assets:
   a. Define your objectives
   b. Control the interview
   c. Sum up and confirm
   d. Post-interview review
7. Review with additional stakeholders
8. Ensure policy is reflected in "awareness" strategies
9. Review and update
10. Gap analysis
11. Develop communication strategy
12. Publish

Page 59: What's in a Policy Document

Page 60: Governing Policy

Should:
- address information security policy at a general level;
- define significant concepts, describe why they are important, and state what your company's position on them is.

Governing policy will be read by managers and by technical custodians.

Level of detail: governing policy should address the "what" of security policy.

Page 61: Governing Policy Outline (might typically include)

1. Authentication
2. Access Control
3. Authorization
4. Auditing
5. Cryptography
6. System and Network Controls
7. Business Continuity / Disaster Recovery
8. Compliance Measurement

Page 62: Technical Policies

Used by technical custodians as they carry out their security responsibilities for the systems they work with.

More detailed than the governing policy, and system- or issue-specific, e.g., a policy for the AS/400 or for physical security.

Page 63: Technical Policy Outline (might typically include)

1. Authentication
2. Authorization
3. Auditing
4. Network Services
5. Physical Security
6. Operating System
7. Business Continuity / Disaster Recovery
8. Compliance Measurement

Page 64: User Policies

Cover all of the IS security policy that end users should ever have to know about, comply with and implement.

Most of these will address the management of transaction flows and the databases associated with applications.

Some of these policy statements may overlap with the technical policy.

Grouping all end-user policy together means that users only have to go to one place and read one document in order to learn everything they need to do to comply with company security.

Page 65: User Policy Outline (might typically include)

1. User Access
2. User Identification and Accountability
3. Passwords
4. Software
5. System Configuration and Settings
6. Physical
7. Business Continuity Planning
8. Data Classification
9. Encryption
10. Remote Access
11. Wireless Devices / PDAs
12. Email
13. Instant Messaging
14. Web Conferencing
15. Voice Communications
16. Imaging / Output

Page 66: Practicum: Comptronix Corporation (Identifying Inherent Risk and Control Risk Factors)

* Understand how managers can fraudulently manipulate financial statements
* Recognize key inherent risk factors that increase the potential for financial reporting fraud
* Recognize key control risk factors that increase the potential for financial reporting fraud
* Understand the importance of effective corporate governance for overseeing top executives

Page 67: IS Operations (Chapter 9)

Page 68: What are 'Operations'?

- Development and test
- Production
- Outsourcing and utility computing

There are also two sides to one system:
- Business operations: all the tangible, physical things that go on in a corporation
- Computer operations

Page 69: Business & Computer Operations

[Diagram, labels only. Business Operations: External Real-World Entities and Events that Create and Destroy Value; Transactions; Internal Operations of the Firm; 'Owned' Assets and Liabilities; Corporate Law. The Parallel (Logical) World of Computer Operations: Measurement / Posting; Journal Entries; Ledgers: Databases; Reports: Statistics; Computer Systems. Linking the two: Internal Control Memo; Audit Program; Internal Control Review over Operations.]

Page 70: Look Familiar?

[Diagram, labels only; the same structure as the previous slide with accounting in place of computer operations. The Physical World: External Real-World Entities and Events that Create and Destroy Value; Transactions; Internal Operations of the Firm; 'Owned' Assets and Liabilities; Corporate Law. The Parallel (Logical) World of Accounting: Measurement / Posting; Journal Entries; Ledgers: Databases; Reports: Statistics; Accounting Systems. Auditing: Audit Program; Tests of Transactions; Substantive Tests; Analytical Tests; Attestation; Audit Report / Opinion.]

Page 71: Computer Operations

Only a subset of business operations are computerized (automated). Computers do the following well:
- High-speed arithmetic operations
- Storage and search of massive quantities of data
- Standardization of repetitive procedures

All other business operations require human intervention, and even computer operations require human intervention at some level (e.g., turning the computer on and off).

In both business and computer operations, the human interventions demand the most auditing.

Page 72: Automation & Operations Objectives

Operations should be about following predetermined procedures. The appeal of automation rests largely on its ability to reduce or alter the role of people in the process: the intent is either to take people out of the loop entirely, or to increase the likelihood that people will do what they are supposed to do, and do it accurately.

People are flexible and clever, so on a lot of systems we sometimes don't want to take people out of the loop. The problem comes when a lot of things break at the same time: there will probably be a few that are hard to fix, and a cascade of effects.

Fully automated (computerized) procedures can be audited once with a small data set, and the results can be considered to hold over time (provided the procedure itself has not been changed since).

Page 73: Operations Objectives: What to look for in an audit

- Production jobs are completed on time
- Output (information) is distributed on time
- Backup and recovery procedures are adequate (requires risk analysis)
- Maintenance procedures adequately protect computer hardware and software
- Logs are kept of all changes to hardware and software

Page 74: Backup and Recovery Objectives: Best Practices

- Determination of appropriate recovery and resumption objectives for activities in support of critical markets. Core organizations should develop the capacity to recover and resume activities within the business day on which the disruption occurs; the overall goal is to resume operations within two hours.

- Maintenance of sufficient geographic dispersion of resources to meet recovery and resumption objectives. Backup sites should not rely on the same infrastructure components used by the primary site, and backup operations should not be impaired by a wide-scale evacuation or by inaccessibility of the staff that services the primary site.

- Routine use or testing of recovery and resumption arrangements. Testing should cover not only the firm's backup facilities but also its connections with the markets, third-party service providers and customers; connectivity, functionality and volume capacity should all be covered.

Page 75: How Does Backup & Recovery Fit into your Risk Assessment Framework?

Your toolkit: Computer Inventory, Risk Assessment Matrix, Dataflow Diagrams and Systems Components Hierarchy.

Asset (Ex. 2.1) and Risk Assessment (Ex. 2.2 with improvements). Expected Loss is the annual rate of occurrence multiplied by the cost of a single occurrence:

| Primary Application | OS | Owner | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)* | Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss ($) |
|---|---|---|---|---|---|---|---|---|---|
| Receiving Dock | Win XP | A/P | 0.002 | RM received from vendor | 23 | Theft | 100 | 100 | 10,000 |
| Receiving Dock | Win XP | A/P | 0.002 | RM received from vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12,250 |

[Diagram, labels only: Systems Components Hierarchy set against Audit Objectives. Component layers: Business Application Systems; Transaction Flows; Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment. Audit objectives: Asset Loss Risks (internal audits); Reporting Risks (external audit); Control Process Risks (internal and external audits).]

Page 76: Prioritizing Backup & Recovery Tasks

- Find the critical transactions (high value; high volume)
- Identify the critical applications for processing these transactions
- Identify the critical personnel, including those you may not have hired or defined jobs for, who are essential to processing these transactions
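The Risk Assessment Matrix from the previous slide and the prioritization steps above, carried through in code. This is an added example, not part of the course material: the two Receiving Dock rows reproduce the slide's figures, while the Order Entry row, the RiskRow class and the function names are constructed here so that the ranking has more than one asset to rank.

```python
"""Risk Assessment Matrix -> expected annual loss -> backup/recovery priority.

Added example (not from the course text). The two Receiving Dock rows are
the slide's own figures; the Order Entry row is constructed for this demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RiskRow:
    application: str             # primary application (the asset)
    os: str
    owner: str
    asset_value_musd: float      # asset value to owner, $ millions
    transaction_flow: str
    annual_flow_musd: float      # annual transaction value managed, $ millions
    risk: str
    occurrences_per_year: float  # "probability of occurrence" = annual rate
    cost_per_occurrence: float   # $ per single occurrence

    @property
    def expected_loss(self) -> float:
        """Annualized expected loss = rate of occurrence x single-occurrence cost."""
        return self.occurrences_per_year * self.cost_per_occurrence


# Sample matrix: first two rows copy the slide; the third is constructed.
MATRIX: List[RiskRow] = [
    RiskRow("Receiving Dock", "Win XP", "A/P", 0.002, "RM received from vendor",
            23, "Theft", 100, 100),
    RiskRow("Receiving Dock", "Win XP", "A/P", 0.002, "RM received from vendor",
            23, "Obsolescence and spoilage", 35, 350),
    RiskRow("Order Entry", "Win XP", "Sales", 0.010, "Customer orders",
            310, "Unauthorized price change", 4, 2500),   # constructed row
]


def expected_loss_by_asset(rows: List[RiskRow]) -> Dict[str, float]:
    """Sum the expected annual loss of every risk recorded against each asset."""
    totals: Dict[str, float] = {}
    for row in rows:
        totals[row.application] = totals.get(row.application, 0.0) + row.expected_loss
    return totals


def critical_transaction_flows(rows: List[RiskRow]) -> List[Tuple[str, str, float]]:
    """Rank (flow, application) pairs by annual value managed: the high-value,
    high-volume transactions the recovery plan must restore first."""
    seen: Dict[Tuple[str, str], float] = {}
    for row in rows:
        seen[(row.transaction_flow, row.application)] = row.annual_flow_musd
    ranked = sorted(seen.items(), key=lambda item: item[1], reverse=True)
    return [(flow, app, value) for (flow, app), value in ranked]


def recovery_priority(rows: List[RiskRow]) -> List[str]:
    """Applications in the order backup/recovery effort should go to them:
    by annual transaction flow they manage, ties broken by expected annual loss."""
    flow: Dict[str, float] = {}
    for row in rows:
        flow[row.application] = max(flow.get(row.application, 0.0), row.annual_flow_musd)
    loss = expected_loss_by_asset(rows)
    return sorted(flow, key=lambda app: (flow[app], loss.get(app, 0.0)), reverse=True)


if __name__ == "__main__":
    for row in MATRIX:
        print(f"{row.application:15} {row.risk:28} expected loss ${row.expected_loss:,.0f}/yr")
    print("Recovery priority:", recovery_priority(MATRIX))
```

The matrix lists one row per (asset, risk) pair, so an asset's total exposure is the sum over its rows; the recovery priority, by contrast, is driven by the value of the transaction flow the asset carries, which is the "high value, high volume" criterion on this slide rather than the loss figures.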

Page 77: Practicum: Easy Clean (Evaluation of Internal Control Environment)

- Evaluate a new audit client's control environment
- Provide an initial evaluation of certain components of the client's control environment
- Appreciate the judgment involved in evaluating the overall internal control environment based on interview data
- Provide support for your internal control assessments

Page 78: Controls Self-Assessment (Chapter 10)

Page 79: What is 'Control Self-Assessment'?

Definition: Control Self-Assessment (CSA) is a leading-edge process in which auditors facilitate a group of staff members who have expertise in a specific process, with the objective of identifying opportunities for internal control enhancement pertaining to critical operating areas designated by management.

CSA was originally a way of measuring 'soft controls' which traditional auditing found difficult to measure, e.g.:
- Management integrity, honesty and trust
- Willingness of employees to circumvent controls
- Employee morale

The tone and ethics of a firm are set by top management, and CSA is a way of eliciting these. It has become especially important post Sarbanes-Oxley.

Page 80: Why is CSA Important?

Without commitment to good internal control, and inherently honest and ethical behaviour of employees throughout the organization:
- Internal control systems (preventive, detective and corrective) would quickly become the single most expensive part of the firm's accounting systems
- Internal and external audits would become prohibitively expensive
- Financial statements would lose their value to outside investors, causing the stock price to fall, bank borrowing interest rates to rise, and firm operations to cease being competitive

This happened at some of Arthur Andersen's clients, where the financial statements came to be known as "Andersen's Fairy Tales".

Page 81: COSO Framework

COSO (Committee of Sponsoring Organizations of the Treadway Commission), formed in 1985 in the aftermath of the financial reporting scandals of the 1970s (the Lockheed bribery scandal and the Foreign Corrupt Practices Act of 1977 that followed it).

Internal control was supposed to ensure:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Page 82: CoCo Framework

CoCo (Criteria of Control Board), founded by the Canadian Institute of Chartered Accountants, a leading body in setting internal control guidance.

Internal control was supposed to ensure:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations, and with internal policies

Page 83: Cadbury Framework

Committee on the Financial Aspects of Corporate Governance, sponsored by, among others, the Institute of Chartered Accountants in England and Wales (the Cadbury Committee, after its chairman Sir Adrian Cadbury; you can see why the shorter name stuck). Contemporaneous with CoCo.

Internal control was supposed to ensure:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Safeguarding of assets against unauthorized use or disposition
- Maintenance of proper accounting records and the reliability of financial information used within the business or for publication

Page 84: COBIT Framework

COBIT (Control Objectives for Information and Related Technology), contemporaneous with CoCo and Cadbury.

Internal control was supposed to ensure:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Safeguarding of assets against unauthorized use or disposition
- Maintenance of proper accounting records and the reliability of financial information used within the business or for publication

An important difference: COBIT was directed specifically towards information technology.

Page 85: SAC / eSAC Framework

SAC (Systems Auditability and Control report), originally published in 1977 but updated in 1991-94, contemporaneous with CoCo and Cadbury.

Internal control is to ensure the same things as under CoCo and Cadbury, but SAC provides an extensive module-based framework:
- Audit and control environment
- IT in auditing
- Managing computer resources
- Managing information and developing systems
- Business systems
- End-user and departmental computing
- Telecommunications
- Security
- Contingency planning
- Emerging technology

An important difference: SAC / eSAC was directed specifically towards information technology, and provides more detailed direction for IT audits.

Page 86: SASs 55, 78 & 94

Extensions to the COSO framework that are essentially summarized in SAS 94 (2001).

Specific IT-related internal control risks are targeted:
- Reliance on IT that is inaccurately processing data
- Unauthorized access to data: destruction, inaccurate recording, privacy breach
- Unauthorized changes to systems
- Failure to make needed changes to systems
- Inappropriate manual intervention
- Potential loss of data

SAS 94 also emphasizes the importance of specialized IT auditing skills (important for this class).

Page 87: Prisoner's dilemma

Two suspects, A and B, are arrested by the police. The police have insufficient evidence for a conviction and, having separated the prisoners, visit each of them and offer the same deal: if one testifies for the prosecution (turns King's Evidence) against the other and the other remains silent, the silent accomplice receives the full 10-year sentence and the betrayer goes free. If both stay silent, the police can only give both prisoners 6 months for a minor charge. If both betray each other, they receive a 2-year sentence each.

This can be summarized:

|                         | Prisoner A stays silent                           | Prisoner A betrays                                |
|-------------------------|---------------------------------------------------|---------------------------------------------------|
| Prisoner B stays silent | Both serve 6 months                               | Prisoner B serves ten years; Prisoner A goes free |
| Prisoner B betrays      | Prisoner A serves ten years; Prisoner B goes free | Both serve two years                              |

Page 88: The Dilemma

Each prisoner has two options: to cooperate with his accomplice and stay quiet, or to betray his accomplice and give evidence.

The outcome of each choice depends on the choice of the accomplice; however, neither prisoner knows the choice of his accomplice.

The optimal solution would be for both prisoners to cooperate with each other, as this reduces the total jail time served by the pair to one year. Any other decision would be worse for the two prisoners considered together.

However, by each following their individual interests, the two prisoners each receive a lengthy sentence.

The best-known strategy for the repeated (multi-period) prisoner's dilemma, and the winner of Axelrod's computer tournaments, is 'Tit-for-Tat':
- Cooperate by default.
- If your opponent defects, defect on the next play, then go back to cooperating as soon as the opponent cooperates again.

Be nice, but disciplined (tough love).

Page 89: Prisoner's dilemma (Corporate Setting)

Two officers of the corporation, the CEO and the Comptroller, are arrested for financial reporting fraud. The police have insufficient evidence for a conviction (they didn't take my course) and, having separated both prisoners, visit each of them and offer the same deal: if one testifies for the prosecution against the other and the other remains silent, the silent accomplice receives the full 10-year sentence and the betrayer goes free. If both stay silent, the police can only give both prisoners 6 months for a minor charge. If both betray each other, they receive a 2-year sentence each.

This can be summarized (payoffs in years of sentence, written as Comptroller, CEO):

|                | Comptroller cooperates | Comptroller betrays |
|----------------|------------------------|---------------------|
| CEO cooperates | -0.5, -0.5             | 0, -10              |
| CEO betrays    | -10, 0                 | -2, -2              |

Page 90: The Deal (another view)

Stated differently, here is how the deal looks to the CEO and the Comptroller:

|                | Comptroller cooperates                | Comptroller betrays                   |
|----------------|---------------------------------------|---------------------------------------|
| CEO cooperates | Win-win                               | Comptroller wins much, CEO loses much |
| CEO betrays    | Comptroller loses much, CEO wins much | Lose-lose                             |

Page 91: The Deal

Stated differently, here is how the deal looks to the CEO and the Comptroller:

|                | Comptroller cooperates                                                       | Comptroller betrays                                                          |
|----------------|------------------------------------------------------------------------------|------------------------------------------------------------------------------|
| CEO cooperates | Cooperation: 6 months each (the "reward" payoff)                             | Comptroller's temptation-to-defect payoff of zero years; the CEO gets the sucker's payoff of ten years |
| CEO betrays    | CEO's temptation-to-defect payoff of zero years; the Comptroller gets the sucker's payoff of ten years | Mutual defection: two years each (the "punishment" payoff) |

In the standard terminology the ordering temptation > reward > punishment > sucker (here 0 > -0.5 > -2 > -10) is what makes the game a prisoner's dilemma.

Page 92: Why Ethics are Important!

The prisoner's dilemma is a type of non-zero-sum game: it is assumed that each individual player ("prisoner") is trying to maximize his own advantage, without concern for the well-being of the other players.

In econo-speak: the Nash equilibrium for this type of game is not Pareto optimal (it is not the jointly optimal solution).

Each side has an individual incentive to cheat even after promising to cooperate. This is the heart of the dilemma.

In the iterated prisoner's dilemma the game is played repeatedly, so each player has an opportunity to "punish" the other player for previous non-cooperative play. Cooperation may then arise as an equilibrium outcome: the incentive to cheat may be overcome by the threat of punishment, leading to the possibility of a superior, cooperative outcome.

As the number of iterations grows without bound (more precisely, as long as neither player knows which round will be the last), cooperation can be sustained as an equilibrium and the outcome tends toward the Pareto optimum, because when you face eternity the threat of grudges is a grave one indeed.
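The one-shot game, the Tit-for-Tat strategy from page 88 and the iterated game discussed on this slide, played out with the slide's payoffs. This is an added example and not part of the course material; the comparison strategies other than Tit-for-Tat (Always Defect, Always Cooperate, Grudger) are the standard ones from Axelrod's tournaments and the function names are this example's own.

```python
"""Iterated prisoner's dilemma with the slide's payoffs (years in jail, negative).

Added example, not from the course text. Strategies besides Tit-for-Tat are
the standard comparison strategies from Axelrod's tournaments.
"""
from itertools import combinations_with_replacement
from typing import Callable, Dict, List, Tuple

COOPERATE, DEFECT = "C", "D"
Move = str
Strategy = Callable[[List[Move], List[Move]], Move]   # (my history, their history) -> move

# PAYOFF[(my move, their move)] = my sentence in years, as on the slides:
# reward -0.5 (six months each), sucker -10, temptation 0, punishment -2.
PAYOFF: Dict[Tuple[Move, Move], float] = {
    (COOPERATE, COOPERATE): -0.5,
    (COOPERATE, DEFECT): -10.0,
    (DEFECT, COOPERATE): 0.0,
    (DEFECT, DEFECT): -2.0,
}


def tit_for_tat(mine: List[Move], theirs: List[Move]) -> Move:
    """Cooperate first; afterwards copy the opponent's previous move."""
    return COOPERATE if not theirs else theirs[-1]


def always_defect(mine: List[Move], theirs: List[Move]) -> Move:
    return DEFECT


def always_cooperate(mine: List[Move], theirs: List[Move]) -> Move:
    return COOPERATE


def grudger(mine: List[Move], theirs: List[Move]) -> Move:
    """Cooperate until the opponent defects once, then defect forever."""
    return DEFECT if DEFECT in theirs else COOPERATE


def best_reply_one_shot(their_move: Move) -> Move:
    """In a single round, defecting is the dominant strategy whatever the other does."""
    return max((COOPERATE, DEFECT), key=lambda move: PAYOFF[(move, their_move)])


def play(a: Strategy, b: Strategy, rounds: int) -> Tuple[float, float]:
    """Total sentence (years, negative) for each player over `rounds` rounds."""
    hist_a: List[Move] = []
    hist_b: List[Move] = []
    total_a = total_b = 0.0
    for _ in range(rounds):
        move_a = a(hist_a, hist_b)
        move_b = b(hist_b, hist_a)
        total_a += PAYOFF[(move_a, move_b)]
        total_b += PAYOFF[(move_b, move_a)]
        hist_a.append(move_a)
        hist_b.append(move_b)
    return total_a, total_b


def tournament(strategies: Dict[str, Strategy], rounds: int) -> Dict[str, float]:
    """Round-robin including self-play (counted once); returns each strategy's total."""
    score = {name: 0.0 for name in strategies}
    for (name_a, strat_a), (name_b, strat_b) in combinations_with_replacement(strategies.items(), 2):
        pay_a, pay_b = play(strat_a, strat_b, rounds)
        if name_a == name_b:
            score[name_a] += pay_a
        else:
            score[name_a] += pay_a
            score[name_b] += pay_b
    return score


if __name__ == "__main__":
    field = {"tit_for_tat": tit_for_tat, "always_defect": always_defect,
             "always_cooperate": always_cooperate, "grudger": grudger}
    print("one-shot best reply to C:", best_reply_one_shot(COOPERATE))
    print("TFT vs TFT over 10 rounds:", play(tit_for_tat, tit_for_tat, 10))
    print("TFT vs always-defect over 10 rounds:", play(tit_for_tat, always_defect, 10))
    for name, total in sorted(tournament(field, 10).items(), key=lambda kv: kv[1], reverse=True):
        print(f"{name:17} {total:7.1f} years")
```

In one round, defecting wins against either reply, which is the Nash equilibrium the slide describes. Over ten rounds the picture inverts: Tit-for-Tat loses each individual match against Always Defect by a little, but finishes the round-robin ahead of it because it cooperates profitably with every strategy that is willing to cooperate back.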

Page 93: Practicum: Cendant Corporation (Evaluating Risk of Financial Statement Fraud and Assessing the Control Environment)

- Describe the auditor's responsibility for considering a client's internal controls
- Describe the auditor's responsibility to detect material misstatements due to fraud
- Identify red flags present during the audits of CUC International, Inc.'s financial statements which suggest weaknesses in the company's control environment (CUC was the predecessor company to Cendant Corporation)
- Identify red flags present during the audits of CUC's financial statements suggesting a higher likelihood of financial statement fraud
- Identify management assertions violated as a result of the misstatements included in CUC's 1995 through 1997 financial statements (prior to its merger with HFS, Inc.)
- Identify audit procedures that could have been performed to detect the misstatements that occurred

Page 94: Encryption and Cryptography (Chapter 11)

Page 95: Goal of Encryption

To reasonably ensure the confidentiality, integrity and authenticity of data in electronic storage and transmission.

System components:
- Encryption
- Hashing
- Digital signatures

Page 96: Uses of Encryption

The most obvious application of a public key encryption system is confidentiality: a message which a sender encrypts using the recipient's public key can only be decrypted by the recipient's paired private key.

Public-key digital signature algorithms can be used for sender authentication. For instance, a user can "encrypt" a message (in practice, a hash of it) with his own private key and send it; if another user can successfully "decrypt" it using the corresponding public key, this provides assurance that the first user (and no other) sent it, provided the private key has not been compromised and the public key really belongs to that user (which is what key management and revocation are about).

These characteristics are useful for many other applications: digital cash, password-authenticated key agreement, multi-party key agreement.

Page 97: Types of Encryption

Public key cryptography is a form of cryptography which generally allows users to communicate securely without having prior access to a shared secret key, by using a pair of cryptographic keys, designated as public key and private key, which are related mathematically.

The term asymmetric key cryptography is a synonym for public key cryptography. In public key cryptography the private key is generally kept secret, while the public key may be widely distributed. In a sense, one key "locks" a lock while the other is required to unlock it. It should not be possible to deduce the private key of a pair given the public key.

There are many forms of public key cryptography, including:
- public key encryption: keeping a message secret from anyone who does not possess a specific private key;
- public key digital signature: allowing anyone to verify that a message was created with a specific private key;
- key agreement: generally, allowing two parties that may not initially share a secret key to agree on one.

Typically, public key techniques are much more computationally intensive than purely symmetric algorithms, but the judicious use of these techniques enables a wide variety of applications.

Page 98: Applying the Keys

Page 99: Asymmetric or Public Key Encryption

Page 100: Privacy: Single Key Encryption

Encryption: scramble a message so that it is readable only by the intended recipient.

Single-key (symmetric) encryption: the sender uses a "key" to encrypt the message and the receiver uses the same key to decrypt it. At least that's how it works in, e.g., the Federal Data Encryption Standard (DES), since replaced by AES because DES's 56-bit key can be brute-forced.

The catch is key distribution: the key itself has to reach the receiver over a channel that is already secure (and if you had such a channel for every message, why would you need cryptography in the first place?). Public key cryptography exists to solve this problem.

Page 101: Public Key Encryption

Two related, complementary keys: a publicly revealed key and a secret key (called the private key). Each key unlocks the code that the other key makes.

Anyone can use a recipient's public key to encrypt a message to that person; the recipient uses her own corresponding secret key to decrypt that message.

Page 102: Digital Signature

The sender's secret key can be used to "encrypt" a message, thereby signing it. This creates a digital signature which the recipient can check by using the sender's public key to "decrypt" it, which:
- proves that the sender was the true originator of the message;
- proves that the message has not been subsequently altered by anyone else.

Forgery of a signed message is infeasible, and the sender cannot later disavow his signature.

In practice the private-key operation is applied to a fixed-size hash of the message rather than to the message itself; the verifier recomputes the hash and compares it with the "decrypted" signature.

Signing and encryption can be combined: sign with your own private key, then encrypt with the recipient's public key.

Page 103: Asymmetric or Public Key Encryption

Page 104: PGP (Pretty Good Privacy)

What is PGP? Pretty Good Privacy (PGP) is strong encryption software that enables you to protect your email and files by scrambling them so others cannot read them. It also allows you to digitally "sign" your messages in a way that allows others to verify that a message was actually sent by you. PGP is available in freeware and commercial versions all over the world.

PGP was first released in 1991 as a DOS program that earned a reputation for being difficult to use.

In June 1997, PGP Inc. released PGP 5.x for Win95/NT, which included plug-ins for several popular email programs.

http://www.pgp.com/

Page 105: Final Exam Review IS Audit (ISMT 350) Time & Venue: 7 Dec 2006, 10:30 to 11:50 am Note: You will be allowed one A4 sized sheet of paper as a “ Cheat Sheet”

Hashing

Uses a one-way 'hash function' (i.e., you can't determine the original message from the MAC) to produce a block of data called the 'message digest'.

When both the electronic message and a cryptographic key are processed through a one-way hash function, the resulting block of data is called a message authentication code (MAC). The receiver recomputes the MAC over the message it received; if it doesn't match, the transmission is discarded.

Two common one-way hash functions are Message Digest 5 (MD-5) and Secure Hash Algorithm 1 (SHA-1).
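The MAC check described above, as an added example that is not part of the course slides. It uses HMAC-SHA256 from the Python standard library rather than the slide's MD-5 or SHA-1 (both are no longer recommended where collision resistance matters); the shared key and the messages are constructed sample values.

```python
"""Message authentication code over a message and a shared key.
Added example, not from the course slides; uses HMAC-SHA256 from the Python
standard library. The key and messages are constructed sample values."""
import hashlib
import hmac

# Assumption for the demo: a key known only to sender and receiver.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def message_digest(message):
    """One-way hash of the message alone: anyone can recompute it, so it
    detects accidental corruption but not deliberate tampering."""
    return hashlib.sha256(message).hexdigest()


def make_mac(key, message):
    """Message + key through the one-way function = the MAC sent alongside."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def accept(key, message, received_mac):
    """Receiver recomputes the MAC; a mismatch means discard the transmission.
    compare_digest runs in constant time so the check does not leak bytes."""
    return hmac.compare_digest(make_mac(key, message), received_mac)


def demo():
    message = b"PAY 100.00 TO ACCT 4471"        # constructed sample message
    mac = make_mac(SHARED_KEY, message)
    tampered = b"PAY 900.00 TO ACCT 4471"
    return {
        "intact": accept(SHARED_KEY, message, mac),
        "tampered": accept(SHARED_KEY, tampered, mac),
        # without the key an attacker can only recompute the plain digest
        "forged_with_digest": accept(SHARED_KEY, tampered, message_digest(tampered)),
        "wrong_key": accept(b"some-other-key", message, mac),
    }


if __name__ == "__main__":
    print(demo())
```

Only the intact message under the correct key is accepted; an altered message, a plain digest substituted for the MAC, or a MAC computed under a different key all lead to the transmission being discarded.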


'Keys' are just another Security Policy

A security policy establishes what must be done to protect information stored on computers.

Keys are physical manifestations of "Authorization". Issuance and control of keys are just part of the authorization scheme.

Security policy defines the organization's attitude to assets, and announces internally and externally which assets are mission critical, i.e., which are to be protected from unauthorized access, vandalism and destruction by 3rd parties.

Effective information security policies will turn staff into participants in the company's security. The process of developing these policies will help to define a company's assets.

Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well.

A security policy allows people to take necessary actions without fear of reprisal. Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.


Who can revoke a key?

Obviously, a malicious (or erroneous) revocation of some (or all!) of the keys in the system will most likely be a system-wide failure.

It is impossible to arrange things so that this cannot happen (if keys can be revoked at all).

Because the principal having authority to revoke keys is very powerful, the mechanisms used to control it should involve as many participants as possible to guard against malicious attacks, while at the same time as few as possible to ensure that a key can be revoked without delay.


How to distribute a new key

After a key has been revoked, a new key must be distributed in some pre-determined manner.

Assume that Carol's key has been revoked. Until a new key has been disseminated, Carol is effectively silenced. No one will be able to send her data without violating system security, and data coming from her will be discarded for the same reason. Or, in other words, the part of the system controlled by Carol is disconnected and so unavailable. The need for security was deemed higher than the need for availability in this design.

One could lump together the authority to create new keys (and certify them) with the authority to revoke keys, but there is no need to do so. In fact, for reasons of security, this is likely a bad idea.


How to spread the revocation

The notification that a key has been revoked and should not be used again must be spread to all those that potentially hold the key, and as rapidly as possible.

There are two means of spreading information (e.g., a key revocation here) in a distributed system: either the information is pushed from a central point (or points) out to users, or it is pulled by end users from a central point (or points).

Pushing the information is the simplest solution in that a message is sent to all participants. However, there is no way of knowing that all participants actually receive the message, so pushing is neither very securable nor very reliable.

The alternative to pushing is pulling. In this setup, all keys are included within a certificate that requires the one using them to verify that the key is (still) valid.
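An added example, not from the course slides, that serves both the public-key and digital-signature slides above and this revocation slide: a textbook RSA keypair over tiny primes (a constructed toy, never to be used in practice) shows that each key unlocks what the other makes, and a constructed `KeyDirectory` shows the pull model, where the verifier consults the revocation list before trusting a key. Signing a SHA-256 digest without padding is a simplification; real systems use 2048-bit or larger keys and a padding scheme such as PSS.

```python
"""Toy public-key signing plus a pull-style revocation check. Added example,
not from the course slides: textbook RSA over tiny primes, constructed for
illustration only. Real systems use 2048-bit+ keys and a padding scheme."""
import hashlib
import math


def is_prime(n):
    """Trial division; adequate for the 7-digit toy primes used here."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def modinv(a, m):
    """Modular inverse of a mod m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def make_keypair(seed=1_000_000):
    """Two complementary keys: public (n, e) and private (n, d).
    `seed` just picks where the toy prime search starts (an assumption)."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    if math.gcd(e, phi) != 1:
        raise ValueError("pick another seed")
    return (n, e), (n, modinv(e, phi))


def encrypt(public, m):
    """Anyone can encrypt (m is an integer below n) to the key's owner."""
    n, e = public
    return pow(m, e, n)


def decrypt(private, c):
    """Only the matching private key unlocks what the public key made."""
    n, d = private
    return pow(c, d, n)


def digest(message, n):
    """SHA-256 of the message reduced into the key's range (toy, no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """'Encrypting' the digest with the private key yields the signature."""
    n, d = private
    return pow(digest(message, n), d, n)


def verify(public, message, signature):
    """'Decrypting' the signature with the public key must reproduce the
    digest: origin is proven and any alteration of the message shows up."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)


class KeyDirectory:
    """Central point verifiers pull from: public keys plus revoked key ids
    (constructed for the example)."""
    def __init__(self):
        self.keys, self.revoked = {}, set()

    def register(self, key_id, public):
        self.keys[key_id] = public

    def revoke(self, key_id):
        self.revoked.add(key_id)


def check_message(directory, key_id, message, signature):
    """Pull model: consult the revocation list before trusting the key,
    then verify the signature. Returns (accepted, reason)."""
    if key_id in directory.revoked:
        return False, "key revoked"
    public = directory.keys.get(key_id)
    if public is None:
        return False, "unknown key"
    if not verify(public, message, signature):
        return False, "bad signature"
    return True, "ok"


def demo():
    public, private = make_keypair()
    directory = KeyDirectory()
    directory.register("carol", public)
    message = b"invoice 1042 approved"        # constructed sample message
    signature = sign(private, message)
    accepted = check_message(directory, "carol", message, signature)
    altered = check_message(directory, "carol", message + b" x10", signature)
    directory.revoke("carol")                 # Carol is now silenced
    after = check_message(directory, "carol", message, signature)
    return accepted, altered, after
```

Once `revoke("carol")` has been recorded at the central point, every verifier that pulls from it rejects her signatures immediately, with no message needing to reach each participant; this is the availability-for-security trade the slides describe.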


Recovery from a leaked key

If loss of secrecy and/or authenticity is a system-wide failure, a strategy for recovery must be in place.

This strategy will determine who has authority to revoke the key, how to spread the revocation, and also how to deal with all messages encrypted with the key once the leak is recognized.

This recovery procedure can be extremely complicated, and while it is in progress the system might be very vulnerable to Denial of Service attacks.


Practicum:

St James Clothiers

Evaluation of Manual & IT-Based Sales Accounting System Risks

Recognize risks in a manual-based accounting sales system
Explain how an information technology-based accounting system can reduce manual system risks
Identify new risks potentially arising from the use of an information technology (IT)-based accounting system
Recognize issues associated with the process of converting from a manual to an IT-based accounting system
Prepare a formal business memorandum


Forensics and Ethics

Chapter 12


Why ‘Computer’ Crime?

'Because that's where the money is' (c. 2005)

Money is no longer held in physical form.

How much money is being handled daily by computer exchange systems in 2005?
Foreign exchange: $2 trillion daily
Derivatives markets: $5 trillion daily
Outstanding derivatives positions: $200 trillion
NYSE daily activity: $1.6 trillion daily


Types of Computer Crime:

Business as a Victim: employee thefts, payroll fraud, fraudulent billing schemes, fraud committed by outsiders, management thefts, corporate thefts

Business as a Vehicle: organized crime, money laundering, theft from minority shareholders, other stock market fraud, bankruptcy fraud


Crime’s new venue

The Internet (with an estimated 1 billion people) is now in a golden age of criminal invention. It's a "dot-con" boom, in which electronic crime runs rampant in a frantic search for business models. Even encryption, supposedly a defensive measure, has become a tool for extortion: witness the weird new crime of breaking into a computer, encrypting its contents, and then demanding a payoff to supply a password to the victim's own data. The crime's so new, it doesn't even have a name yet.

All the classic scams and rackets that city sharpies push on rubes can be digitized. Where once there were a few relatively uncomplicated viruses, now there are torrents of fast-evolving, multifaceted viruses. Where once there was just small-time credit-card fraud, now there is international credit-card racketeering. Computer-network password theft has turned into sophisticated ID fraud that robs patrons of banks and online auction sites. Spam, once an occasional rude violation of "netiquette," now arrives by the ton (12.9 billion pieces a day worldwide last May, according to the e-mail security firm IronPort).

Then there are the newer electronic crimes, proliferating so fast that even experts have trouble keeping up with the jargon: phishing, spear phishing, pharming, DDoS, DDoS protection rackets, spyware, scumware, Web site defacement, botnets, keylogging.


Hotspots for Internet crime

Brazil, Bulgaria, China, Estonia, Hungary, Indonesia, Japan, Latvia, Malaysia, North Korea, Romania, Russia, and the United States are major centers for organized hacking.

Why are certain areas hotspots? Places where there's a significant amount of activity usually have a technically advanced population and a large population of computer users.

You also have a poor economy, so you have people with the technical skills to do good work, but they can't find a job that will provide for them, so they may have to resort to doing things that are against the law.

These hotspots (other than the United States and Japan) also tend to be countries where laws and law enforcement lag; hackers will find the weakest link, the country with no laws.


Denial-of-service (DoS attack)

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:

1. attempts to "flood" a network, thereby preventing legitimate network traffic
2. attempts to disrupt connections between two machines, thereby preventing access to a service
3. attempts to prevent a particular individual from accessing a service
4. attempts to disrupt service to a specific system or person

Details are at http://www.cert.org/tech_tips/denial_of_service.html


Zombies

Zombies do a lot of the heavy lifting: malware-infected computers that an online puppet master controls. Set to work in thousands or even tens of thousands, the machines in a zombie network or "botnet" attempt to carry out the high-tech money grab. Botnets are popular because of their increasing sophistication and multiple uses.

Versatile zombie armies pull in cash for their controllers in a variety of ways. Sending spam (a big money-maker) is one common use. Zombie networks can also steal personal information for purposes of identity theft.

When botnets are used to launch a DDoS attack, the ringleader instructs each zombie computer to send a flood of data to a particular Web site. By itself, the data from a single PC can't hurt a site. But multiply that traffic by 10,000 or more computers, and a Web site can easily be overwhelmed and cut off from the Internet.

E.g., MyDoom had a rather unsophisticated means of controlling host machines. Once it insinuated itself into an unprotected PC, anyone who knew a not-so-secret five-digit code could commandeer the computer for any desired purpose. As a result, MyDoom-compromised computers were very popular with online criminals for a while.


Botnets

Malware turned an average of 172,009 previously healthy computers into zombies every day during May 2005 (CipherTrust, an e-mail security company that tracks botnets).

As processing power improves and broadband Internet connections become more widespread, zombie computers will be able to send more spam or hit Web sites harder, and botnets will become more powerful. Also, the ability to shuffle funds, including ransom payments, anonymously through convoluted Internet paths using human mules (in much the same way as in the drug trade) and online payment services means that criminals can revisit old approaches.


Cops and Robbers

Some botnets consist of phalanxes of from 15,000 to 50,000 zombie PCs that are controlled by groups of people dispersed around the world (Christopher Painter, deputy chief of the Computer Crime section of the U.S. Department of Justice).

Most perpetrators are adults who execute extremely sophisticated assaults. "They don't brag, and they cover their tracks very well." (Painter)

One notorious cybergang, called Shadowcrew, reportedly had 4000 members scattered across the United States, Brazil, Spain, and Russia.


Objectives

Money is these cybergangs' primary motivation. The asking price for temporary use of an army of 20,000 zombie PCs today is $2000 to $3000, according to a June posting on SpecialHam.com, an electronic forum for hackers.

Marshaling their armies of zombie PCs, online extortionists may threaten to crash a company's Web site unless they are paid off. Hackers are not shy about asking for $20,000 to $30,000 from companies.


Payoffs

Companies know it's far cheaper to pay the hackers than to get knocked offline and lose hundreds of thousands of dollars in lost business. Many extortion attempts go unreported because businesses are unwilling to volunteer evidence of their coercion to law enforcement officials; corporations don't want to admit to their customers, stockholders, and business partners that their networks were ever vulnerable to an attack.

Only about 20 percent of computer intrusions are ever reported to law enforcement agencies.

The US Secret Service receives between 10 and 15 inquiries per week from business owners who believe they may be the target of a cyberattack.

Source: 2004 survey conducted by the Computer Security Institute


Client-side Targets

About 60 percent of new vulnerabilities now affect client-side applications like Web browsers and media players, and those vulnerabilities are drawing all the wrong sorts of attention.

In 2005, unwanted network traffic targeting Symantec Veritas BackupExec rocketed to 500,000 instances within days of an announced security hole in the product, up from a previous maximum of about 50,000 instances.

Microsoft Office, Internet Explorer, Firefox, and AOL Instant Messenger also suffered from serious reported vulnerabilities, as did RealPlayer and iTunes.


Focus of Client-side Attacks

Attackers now target backup and recovery programs, as well as "the antivirus and other security tools that most organizations think are keeping them safe" (SANS Top 20 report for 2005 on the most critical Internet vulnerabilities).

The shift toward finding and exploiting vulnerabilities in programs represents a major change from past years, when Windows and other operating systems and Internet services like Web and e-mail servers were the preferred targets.


Phishing

California has passed an antiphishing law, the Anti-Phishing Act of 2005. With the passage of the Anti-Phishing Act of 2005, California joins such states as Texas, New Mexico, and Arizona, all of which adopted antiphishing legislation earlier this year.

Phishing victims are typically sent fraudulent e-mail designed to trick them into revealing personal information, like bank account numbers, user names, and passwords. Under the Anti-Phishing Act, these victims may seek to recover either the cost of the damages they have suffered or $500,000, whichever is greater; government prosecutors can also seek penalties of up to $2500 per phishing violation.

Phishing attacks have been on the rise. Research firm Gartner estimates that 73 million U.S. Internet users received phishing e-mails during the 12 months ended May 2005, up 28 percent from the previous year.


Malware

The mischief-making hacker of the 1990s gives way to the determined high-tech thief of the 21st century. The 2005 E-Crime Watch survey of security and law enforcement estimated an average loss of $506,670 per organization due to malware.

It's gotten so bad that the U.S. Secret Service and Carnegie Mellon University's Computer Emergency Response Team (CERT) last year stopped publishing the number of computer crime incidents, saying: "Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks."


How to Build a Legal Case: Inference Network Analysis

Legal cases are proved through inferences. These inferences, built in chains, must lead logically from point A to point B. The strength (or weakness) of these inferences determines the strength of the legal case.

[Figure: Evidence -> Inference -> Proof]


Chain of Inferences

Suppose we want to link the defendant (an ex-football player and aspiring movie star) to the murder of his ex-wife.

Initially the evidence is weak (dotted line): the defendant and victim were divorced, and that may have been motive for the murder, but that is a weak case.

[Figure: successive chains of inferences linking Defendant to Victim via the murder, with nodes added at each step: Glove and DNA; Ownership; Unique DNA]


Analytical and Automated Fraud Auditing Approaches

Looks at the general (qualitative) factors of a company. Based on tangible and measurable factors (quantitative).

Used in conjunction with tests of transactions and substantive tests. Analytical techniques provide an important, macro-level, detective control over fraud and misstatement in financial statements.

Goals: such an analysis aims to assess the firm's:
performance, for the management to improve it;
solvency, so that a bank or a supplier can grant credit;
potential value, to decide on an investment or divestment. In this last case it is called fundamental analysis and is linked to business valuation and stock valuation.


How to: Analytical Techniques

Compare financial ratios (of solvency, profitability, growth...) between several periods (the last 5 years for example) and between similar firms.

Those ratios are calculated by dividing a (group of) account balance(s), taken from the balance sheet and/or the income statement, by another, for example:
Net profit / equity = return on equity
Gross profit / balance sheet total = return on assets
Stock price / earnings per share = P/E ratio


Where to find the data

Company websites: almost every public company has a website or investor relations department. For the most current quarterly or annual report you might want to check in these places first.

http://www.gm.com/company/investor_information/stockholder_info/

Securities and Exchange Commission (SEC): the information posted in the "EDGAR" database includes the annual report (known as the 10-K), quarterly report (10-Q), and a myriad of other forms that contain every type of financial data.

http://www.edgar-online.com/products/edgarpro.aspx

Hoovers.com: another source for company analysis (some of the data requires a subscription)

http://www.hoovers.com/free/


Fraud Detection Using Digital Analysis

A growing area of fraud prevention and detection involves the examination of patterns in data, i.e., Digital Analysis.

The rationale is that unexpected patterns can be symptoms of fraud. A simple example of the application of this technique is a search for duplicate transactions, such as identical invoice or vendor numbers for the same amount.

A simple digital analysis technique is to search for invoices with even dollar amounts, such as $200.00 or $5,000.00. The existence of particular even amounts may be a symptom of fraud and should be examined.
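The two digital-analysis tests just described, run over a small constructed invoice register, as an added example that is not part of the course slides. It goes one step beyond the slide by also flagging the same vendor billing the same amount under different invoice numbers; vendor codes, invoice numbers and amounts are all constructed sample values.

```python
"""Digital analysis of an invoice register: duplicates and even-dollar amounts.
Added example, not from the course slides; every row below is constructed."""
from collections import Counter
from decimal import Decimal

# Constructed sample register: (vendor, invoice number, amount)
INVOICES = [
    ("V100", "INV-001", Decimal("1234.56")),
    ("V100", "INV-001", Decimal("1234.56")),   # exact duplicate, paid twice?
    ("V220", "INV-777", Decimal("5000.00")),   # round amount
    ("V220", "INV-778", Decimal("5000.00")),   # same vendor and amount, new number
    ("V315", "INV-042", Decimal("200.00")),    # round amount
    ("V315", "INV-043", Decimal("187.40")),
    ("V400", "INV-900", Decimal("99.99")),
]


def duplicate_invoices(invoices):
    """Identical vendor + invoice number + amount appearing more than once."""
    counts = Counter(invoices)
    return {row: n for row, n in counts.items() if n > 1}


def same_vendor_same_amount(invoices):
    """Same vendor and amount under different invoice numbers (possible re-billing)."""
    groups = {}
    for vendor, number, amount in invoices:
        groups.setdefault((vendor, amount), set()).add(number)
    return {key: sorted(numbers) for key, numbers in groups.items() if len(numbers) > 1}


def even_dollar_amounts(invoices, multiple=Decimal("100")):
    """Amounts that are whole multiples of `multiple` ($200.00, $5,000.00, ...)."""
    return [row for row in invoices if row[2] % multiple == 0]


def exceptions_report(invoices):
    """Everything an auditor would pull for follow-up, keyed by test name."""
    return {
        "duplicates": sorted(row[1] for row in duplicate_invoices(invoices)),
        "rebilled": sorted(f"{v}:{','.join(nums)}" for (v, _), nums in same_vendor_same_amount(invoices).items()),
        "even_amounts": [row[1] for row in even_dollar_amounts(invoices)],
    }
```

None of these hits is proof of fraud on its own; the report is the list of transactions that deserve examination, which is exactly the slide's point about even amounts.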


Ratio Analysis

Another useful fraud detection technique is the calculation of data analysis ratios for key numeric fields. Like financial ratios that give indications of the financial health of a company, data analysis ratios report on the fraud health by identifying possible symptoms of fraud.

Three commonly employed ratios are:
* the ratio of the highest value to the lowest value (max/min);
* the ratio of the highest value to the second highest value (max/max2); and
* the ratio of the current year to the previous year.

For example, auditors concerned about prices customers were being charged for products could calculate the ratio of the maximum sales price to the minimum sales price for each product. If the ratio is close to 1.0, they can be sure that there is little variance between the highest and lowest prices charged to customers. However, if the ratio is large this could indicate that a customer was being charged too much or too little for the product.
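The three ratios computed per product over a constructed set of sales prices, as an added example that is not part of the course slides. The product names, years and prices are constructed, and the current/previous-year ratio is taken over the yearly sums of the field (an assumption; the slide does not say which aggregate it uses).

```python
"""Data analysis ratios (max/min, max/max2, current/previous year) per product.
Added example, not from the course slides; the sales rows are constructed."""
from decimal import Decimal

# Constructed sample: (product, year, unit price charged)
SALES = [
    ("widget", 2004, Decimal("10.00")), ("widget", 2004, Decimal("10.50")),
    ("widget", 2005, Decimal("10.25")), ("widget", 2005, Decimal("10.00")),
    ("gadget", 2004, Decimal("50.00")), ("gadget", 2005, Decimal("52.00")),
    ("gadget", 2005, Decimal("5.20")),   # one tenth of the usual price: a slip or an undercharge
]
CENTS = Decimal("0.01")


def max_min(values):
    """Highest value over lowest value; close to 1.0 means little variance."""
    return (max(values) / min(values)).quantize(CENTS)


def max_max2(values):
    """Highest value over second highest; large means one isolated outlier."""
    top = sorted(values, reverse=True)
    return (top[0] / top[1]).quantize(CENTS)


def year_over_year(rows, current, previous):
    """Sum of the field in the current year over its sum in the previous year."""
    cur = sum((v for y, v in rows if y == current), Decimal(0))
    prev = sum((v for y, v in rows if y == previous), Decimal(0))
    return (cur / prev).quantize(CENTS) if prev else None


def product_ratios(sales, current=2005, previous=2004):
    """All three ratios for every product in the sales file."""
    by_product = {}
    for product, year, price in sales:
        by_product.setdefault(product, []).append((year, price))
    result = {}
    for product, rows in by_product.items():
        prices = [p for _, p in rows]
        result[product] = {
            "max_min": max_min(prices),
            "max_max2": max_max2(prices),
            "yoy": year_over_year(rows, current, previous),
        }
    return result


def flag_products(ratios, max_min_limit=Decimal("2.0")):
    """Products whose max/min price ratio is far from 1.0 deserve a closer look."""
    return sorted(p for p, r in ratios.items() if r["max_min"] > max_min_limit)
```

For the constructed data the widget ratios all sit near 1.0, while the gadget's max/min of 10.00 comes entirely from the single $5.20 sale, which is the row an auditor would pull.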


Benford's Law

Benford's Law, developed by Frank Benford in the 1920s, predicts the occurrence of digits in data. Benford's Law concludes that the first digit in a large population of transactions (10,000 plus) will most often be a 1. Less frequently will the first digit be a 2; even less frequently a 3.

An analysis of the frequency distribution of the first or second digits can detect abnormal patterns in the data and may identify possible fraud. An even more focused test can be used to examine the frequency distribution of the first two digits (FTD). The formula for the expected frequencies is:

Expected FTD Frequency = log10(1 + 1/FTD)

Therefore, the expected frequency of 13 is log10(1 + 1/13). The expected frequencies range from 0.041 for 10, to 0.004 for 99. Some audit software programs can be used to determine the frequency distribution for first digits, first two digits, and second digits.

Note: not all data will have distributions as predicted by Benford's Law. Sometimes there is valid rationale for certain numbers occurring more frequently than expected. For example, if a company sends a large amount of correspondence via courier, and the cost is a standard rate ($6.12) for sending a package of under one pound, then the first digit (6) or the first two digits (61) may occur more often than predicted by Benford's Law.
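The first-two-digit test carried through, as an added example that is not part of the course slides. The ledger is constructed: a seeded sample spread log-uniformly over four orders of magnitude (which obeys Benford's Law) plus a block of courier packages all billed at the slide's standard $6.12, so the test reproduces the legitimate spike at 61 that the note above warns about.

```python
"""Benford first-two-digit (FTD) test. Added example, not from the course
slides. The transaction amounts are constructed: a seeded log-uniform sample
(which follows Benford's Law) plus a block of fixed courier charges."""
import math
import random
from collections import Counter
from decimal import Decimal


def expected_ftd():
    """Expected frequency of each FTD value d = 10..99: log10(1 + 1/d)."""
    return {d: math.log10(1 + 1 / d) for d in range(10, 100)}


def first_two_digits(amount):
    """Leading two significant digits of an amount, or None if it has fewer."""
    text = format(Decimal(str(amount)).copy_abs(), "f").replace(".", "").lstrip("0")
    return int(text[:2]) if len(text) >= 2 else None


def observed_ftd(amounts):
    """Observed relative frequency of each FTD value in the data."""
    counts = Counter(d for d in map(first_two_digits, amounts) if d is not None)
    total = sum(counts.values())
    return {d: counts[d] / total for d in range(10, 100)}


def ftd_spikes(amounts, min_ratio=3.0):
    """FTD values seen at least min_ratio times more often than Benford predicts.
    Returns (ftd, observed, expected) tuples, largest observed/expected first."""
    expected, observed = expected_ftd(), observed_ftd(amounts)
    spikes = [(d, observed[d], expected[d]) for d in range(10, 100)
              if observed[d] / expected[d] >= min_ratio]
    return sorted(spikes, key=lambda s: s[1] / s[2], reverse=True)


def constructed_ledger(n_benford=2000, n_courier=300, seed=7):
    """Constructed data: log-uniform amounts between $1 and $10,000 (Benford-like)
    plus courier packages billed at a standard $6.12, whose FTD is 61."""
    rng = random.Random(seed)
    benford = [Decimal(f"{10 ** rng.uniform(0, 4):.2f}") for _ in range(n_benford)]
    courier = [Decimal("6.12")] * n_courier
    return benford + courier
```

Running `ftd_spikes(constructed_ledger())` returns only the entry for 61: the test works, and the follow-up is to explain the spike (here, a standard courier rate) before treating it as a symptom of fraud.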


Practicum:

Burlington Bees

Using Analytical Procedures as Substantive Tests

OBJECTIVES
Use analytical procedures to develop expectations for revenue accounts
Recognize factors that lead to precise expectations of account balances
Appreciate the degree of professional judgment involved in evaluating differences between expected and reported account balances
Understand the audit planning implications of using analytical procedures as substantive tests of account balances

Back-of-envelope calculations for game attendance


New Challenges from the Internet: Privacy, Piracy, Viruses

Course Wrap-up


Password Cracking

Password cracking is the process of recovering secret passwords from data that has been stored in or transmitted by a computer system, typically by repeatedly verifying guesses for the password.

The purpose of password cracking might be to help a user recover a forgotten password (though installing an entirely new password is less of a security risk), to gain unauthorized access to a system, or as a preventive measure by the system administrator to check for easily crackable passwords.


Guessing

Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. It may be:
blank
the word 'password'
the user's name or login name
the name of their significant other or another relative
their birthplace or date of birth
a pet's name
automobile licence plate number
and so on.

Some users even neglect to change the default password that came with their account on the computer system. And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier.

A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password, and such service accounts often have higher access privileges than a normal user account.

The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information.


Dictionary attack

A dictionary attack also exploits the tendency of people to choose weak passwords.

Password cracking programs usually come equipped with "dictionaries", or word lists, with thousands or even millions of entries of several kinds, including:
words in various languages
names of people
places
commonly used passwords

The cracking program encrypts each word in the dictionary, and simple modifications of each word, and checks whether any match an encrypted password. This is feasible because the attack can be automated and, on inexpensive modern computers, several thousand possibilities can be tried per second.

Guessing, combined with dictionary attacks, has been repeatedly and consistently demonstrated for several decades to be sufficient to crack perhaps as many as 50% of all account passwords on production systems.


Brute force attack

Try every possible password up to some size. This is known as a brute force attack.

As the number of possible passwords increases rapidly as the length of the password increases, this method is unlikely to be successful unless the password is relatively small.

How small is too small? A common current recommendation is 8 or more randomly chosen characters combining letters, numbers, and special (punctuation, etc.) characters.

Systems which limit passwords to numeric characters only, or upper case only, or, generally, which exclude possible password character choices make such attacks easier. Using longer passwords in such cases (if possible on a particular system) can compensate for a limited allowable character set.

The real threat may be from smart brute-force techniques that exploit knowledge about how people tend to choose passwords.

Most commonly used hashes can be implemented using specialized hardware, allowing faster attacks. Large numbers of computers can be harnessed in parallel, each trying a separate portion of the search space. Unused overnight and weekend time on office computers can also be used for this purpose.


Precomputation

Precomputation involves hashing each word in the dictionary or any search space of candidate passwords and storing the <plaintext, ciphertext> pairs in a way that enables lookup on the ciphertext field. This way, when a new encrypted password is obtained, password recovery is instantaneous.

There exist advanced precomputation methods that are even more effective. By applying a time-memory tradeoff, a middle ground can be reached: a search space of size N can be turned into an encrypted database of size O(N^(2/3)) in which searching for an encrypted password takes time O(N^(2/3)).

The theory has recently been refined into a practical technique, and the online implementation at http://passcracking.com/ achieves impressive results on 8 character alphanumeric MD5 hashes.


Salting (a remedy)

The benefits of precomputation and memoization can be nullified by randomizing the hashing process. This is known as salting.

When the user sets a password, a short string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification. Since the salt is different for each user, the attacker can no longer use a single encrypted version of each candidate password.

If the salt is long enough, the attacker must repeat the encryption of every guess for each user, and this can only be done after obtaining the encrypted password record for that user.
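An added example, not from the course slides, covering the dictionary and precomputation slides together with this one: a precomputed <ciphertext, plaintext> table built from a constructed five-word list recovers every weak password in an unsalted store with one lookup each, and matches nothing once each user has a random salt. The slide's "salt suffixed then hashed" scheme is swapped for PBKDF2-HMAC-SHA256, an iterated salted hash, because that is what a current password store should use; user names and passwords are constructed.

```python
"""Why salting defeats precomputed hash tables. Added example, not from the
course slides. Word list, user names and passwords are constructed; the
slide's plain salted hash is replaced by PBKDF2-HMAC-SHA256."""
import hashlib
import hmac
import os

# Constructed stand-in for a cracking program's word list.
WORDLIST = ["password", "letmein", "summer2006", "qwerty", "admin"]
ITERATIONS = 100_000   # slows each guess; assumption for the demo


def unsalted_hash(password):
    """The weak scheme: one deterministic hash per password, same for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words):
    """<ciphertext, plaintext> pairs built once, keyed on the hash for lookup."""
    return {unsalted_hash(w): w for w in words}


def recover_unsalted(store, table):
    """Against an unsalted store every record is a single table lookup."""
    return {user: table.get(h) for user, h in store.items()}


def salted_record(password, salt=None):
    """Per-user random salt, stored beside the digest for use at verification."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, record):
    """Recompute with the stored salt; constant-time comparison of digests."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo():
    users = {"alice": "password", "bob": "password", "carol": "x7$Rq!v2LpT9"}  # constructed
    table = precomputed_table(WORDLIST)
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: salted_record(p) for u, p in users.items()}
    return {
        # unsalted: users sharing a password share a hash, and both fall to the table
        "unsalted_same_hash": unsalted["alice"] == unsalted["bob"],
        "recovered_unsalted": recover_unsalted(unsalted, table),
        # salted: identical passwords give different digests; the table matches nothing
        "salted_same_digest": salted["alice"][1] == salted["bob"][1],
        "table_hits_salted": sum(r[1].hex() in table for r in salted.values()),
        "verify_ok": verify_salted("password", salted["alice"]),
        "verify_wrong": verify_salted("Password", salted["alice"]),
    }
```

Salting does not make "password" a good password: with the salt in hand an attacker can still hash guesses for that one user, which is why the iteration count matters as much as the salt. What salting removes is the one-table-for-everyone shortcut.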


Programs for password cracking

John the Ripper

John the Ripper is password cracking software. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms.

It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects the password hash type, and includes a customisable cracker.

The encrypted password formats which it can be run against include various DES formats, MD4, MD5, Kerberos AFS, and Windows LM hash. Additional modules have extended its ability to include passwords stored in LDAP, MySQL and others.

John is designed to discover weak passwords from the encrypted information in system files. It operates by taking text strings (usually from a file containing words found in a dictionary), encrypting them in the same format as the password being examined, and comparing the output to the encrypted string. It also offers a brute force mode.

Page 144

Programs for password cracking

L0phtCrack

L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by L0pht Heavy Industries (later produced by @stake and now by Symantec, which acquired @stake in 2004).

It is used to test password strength and to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks. It is one of the crackers' tools of choice.

Page 145

Practicum: Henrico Retail

Understanding the IT Accounting System and Identifying Audit Evidence for Retail Sales

Outline the audit trail for processing retail sales transactions.
Develop audit plans for gathering evidence to test the existence and valuation of retail sales.
Recognize when audit evidence must be gathered electronically if a traditional paper trail is absent.
Identify audit trails in preparation for flowcharting the accounting cycle processing required for writing an audit program.
