Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Published byPiers Lee Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an."— Presentation transcript:

1 Lecture Outline 10 INFORMATION SYSTEMS SECURITY

2 Two types of auditors External auditor: The primary mission of the external auditors is to provide an independent opinion on the organization's financial statements, annually. They are from outside the organization. *MC

3 Two types of auditors Internal auditor: *MC – works inside an organization – Have a broader mandate: – Is the organization fulfilling its mission? Review the reliability and integrity of operating and financial information Are org systems intended to comply with policies, plans and regulations being followed? How are assets safeguarded? Is operational efficiency being promoted?

4 Mandate of an Internal Auditor *MC The main job of an internal auditor is to assess and report on the existence and proper functioning of internal controls in an organization Some of these controls relate to an organization’s information systems

5 Information System Controls *L Controls are implemented to counteract risks General (overall) controls, e.g. passwords, virus protection software, restricted physical access, backups of data files Controls for a specific system: input controls, data storage controls, processing controls, [output controls] – Also: system development controls, system acquisition controls, system modification controls

6 INFORMATION SYSTEMS AUDIT The purpose of an information systems audit is to review and evaluate the internal controls that are part of the information system, that are intended to protect the system. *L

7 IS COMPONENTS AND AUDIT LOCATIONS Objective 5: Source Data Objective 2: Program Development and Acquisition Objective 3: Program Modification Objective 4: Computer Processing Objective 6: Data Files Objective 1: Overall Security Source Data Output Processing Source Data Entry Programs Files

8 Making Sense of This *L There are six areas of risk in an organization’s information systems as identified here: – 1.Overall (General) – 2. System development, acquisition and 3. modification – 4. The working of the programs in the system (processing) – 5. The capture and input of data into the system (source data) – 6. The storage of data that has been input (data files)

9 For each area of risk (1 to 6)*L A.What are some actual risks (e.g., possible error or fraud)? B. What are some controls to counteract these risks?

10 3 Categories of Controls Preventive – don’t allow errors Detective – if an error has been made, find it Corrective – if an error has been found, correct it

11 OVERALL SECURITY 1A General Risks: *L -Break-in to facilities where computer is housed and destruction of data -Theft of data as it is transmitted -Virus infection of system -Computer breakdown

12 OVERALL SECURITY General Controls 1 B Control procedures to minimize general risks: *L – Developing an information security/protection plan. – Restricting physical and logical access. – Encrypting data. – Protecting against viruses. – Implementing firewalls. – Instituting data transmission controls. – Preventing and recovering from system failures or disasters, including: Designing fault-tolerant systems. Preventive maintenance. Backup and recovery procedures. Disaster recovery plans. Adequate insurance.

13 Program development and acquisition 2A. Risks: Types of errors and fraud – Two things can go wrong in program development: Inadvertent errors due to careless programming or misunderstanding specifications; or Deliberate insertion of unauthorized instructions into the programs.

14 PROGRAM DEVELOPMENT AND ACQUISITION 2B Control procedures: – The preceding problems can be controlled by requiring: Management and user authorization and approval Thorough testing Proper documentation – Thorough step-by-step documentation in acquisition of canned software systems

15 PROGRAM MODIFICATION 3A Risks: Errors and fraud - program change implemented incorrectly - program change introduces new errors into existing system - program change not implemented - program change not documented

16 PROGRAM MODIFICATION 3B Control procedures – When a program change is submitted for approval, a list of all required updates should be put together by management and program users. – Changes should be thoroughly tested and documented. – During the change process, the developmental version of the program must be kept separate from the current production version. – When the amended program has received final approval, it should replace the current production version.

17 PROGRAM MODIFICATION 3C2: Auditor check To test for unauthorized program changes, auditors can use a source code comparison program to compare the current version of the program with the original source code.

18 COMPUTER PROCESSING *X 4A Types of errors and fraud – During computer processing, the system may: Fail to detect erroneous input. Improperly correct input errors. Process erroneous input. Improperly distribute or disclose output.

19 COMPUTER PROCESSING 4B Control procedures – Computer data editing routines. – Reconciliation of batch totals. – Effective error correction procedures... – Maintenance of proper environmental conditions in computer facility so computer does not break down. – Trace options to show intermediate steps in the workings of a program

20 COMPUTER PROCESSING 4C The following resources are helpful when preparing test data: – A listing of actual transactions. – The transactions that the programmer used to test the program. – A test data generator program, which automatically prepares test data based on program specifications.

21 COMPUTER PROCESSING 4C2 Analysis of program logic – If an auditor suspects that a particular program contains unauthorized code or serious errors, a detailed analysis of the program logic may be necessary. – Done only as a last resort because: It’s time-consuming Requires programming language proficiency

22 SOURCE DATA - Input 5A Types of errors and fraud – Inaccurate source data – Unauthorized source data

23 SOURCE DATA 5B Control procedures – Effective handling of source data [input documents] input by data entry dept personnel – User authorization of source data input – Logging of the receipt, movement, and disposition of source data input – Effective procedures for correcting and resubmitting erroneous data

24 DATA FILES *L 6A1The sixth objective concerns the accuracy, integrity, and security of data stored in machine-readable files (including relational tables in a database) after this data has been entered Data storage risks include: – Unauthorized modification of data – Destruction of data – Disclosure of data If file controls are seriously deficient, especially with respect to access or backup and recovery, the auditor should strongly recommend they be rectified.

25 DATA FILES 6A2 Types of errors and fraud *L – Destruction of stored data due to: Inadvertent errors Hardware or software malfunctions Intentional acts of sabotage or vandalism – Unauthorized modification or disclosure of stored data

26 DATA FILES 6B Control procedures *L – restrictions on physical access to data files – Logical access (access by program) controls using passwords – Encryption of highly confidential data – Use of virus protection software – Maintenance of backup copies of all data files in an off-site location

27 DATA FILES 6C1 Audit procedures: System review *MC – Review logical access policies and procedures. – Review operating documentation to determine prescribed standards for: Use of write-protection mechanisms. Use of virus protection software. Use of backup storage. System recovery, including checkpoint and rollback procedures.

28 DATA FILES 6C2 *MC Review systems documentation to examine prescribed procedures for: Use of data encryption Control of file conversions Reconciling master file totals with independent control totals – Examine disaster recovery plan. – Discuss data file control procedures with systems managers and operators.

29 Making Sense of This There are six areas of risk in an organization’s information systems as identified here: *L – 1.Overall (General) – 2. System development, acquisition and 3. modification – 4. The working of the programs in the system (processing) – 5. The capture and input of data into the system (source data) – 6. The storage of data that has been input (data files)

30 For each area of risk (1 to 6) A.What are some actual risks (e.g., possible error or fraud)? B. What are some controls to counteract these risks?

31 Data Transmission Controls Encryption Firewalls

32 Public – Private Key Encryption

33 Firewalls There are ~ 5 main types and combinations Prevent specific types of information from moving between the outside, untrusted network (e.g., Internet) and the inside or trusted network E.g., packet filter: a router that inspects incoming data packets and if it finds a packet that matches a restriction programmed into it It will prevent packet’s entry

34 Trust Services Can you trust a business on the Web and in what areas, to what degree? See Supp. Notes 5

Download ppt "Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an."

Similar presentations

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
Software Quality Assurance Plan

Software Quality Assurance Plan
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
General Ledger and Reporting System

General Ledger and Reporting System
Accounting Information Systems 9th Edition

Accounting Information Systems 9th Edition
©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 10-1 Accounting Information Systems 9 th Edition Marshall.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 10-1 Accounting Information Systems 9 th Edition Marshall.
AUDITING COMPUTER-BASED INFORMATION SYSTEMS

AUDITING COMPUTER-BASED INFORMATION SYSTEMS
Information Technology Control Day IV Afternoon Sessions.

Information Technology Control Day IV Afternoon Sessions.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Database Administration and Security Transparencies 1.

Database Administration and Security Transparencies 1.
Auditing Computer Systems

Auditing Computer Systems
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
9 - 1 Computer-Based Information Systems Control.

9 - 1 Computer-Based Information Systems Control.
The Islamic University of Gaza

The Islamic University of Gaza
4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls.

4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Similar presentations

Ads by Google