Accounting Information Systems, 5th edition, James A. Hall

collarlimabeans, Security

23 Feb 2014 (3 years and 6 months ago)

Accounting Information Systems, 5th edition

James A. Hall

COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license.



Objectives:

- Threats to the operating system and internal controls (IC) to minimize them
- Threats to database integrity and IC to minimize them
- Risks associated with electronic commerce and IC to reduce them
- Exposures associated with electronic data interchange (EDI) and IC to reduce them

General Control Framework for CBIS Exposures (diagram): Operating System, Data Management, Systems Development, Systems Maintenance, Organizational Structure, Internet & Intranet, EDI Trading Partners, Personal Computers, Computer Center Security, Applications.


Operating system performs three main tasks:

- Translates high-level languages into machine-level language.
- Allocates computer resources to user applications.
- Manages tasks of job scheduling and multiprogramming.

Examples: Windows, Unix, Linux


It must:

- protect itself from tampering from users
- be able to prevent users from tampering with programs of other users
- be able to safeguard users’ applications from accidental corruption
- be able to safeguard its own programs from accidental corruption
- be able to protect itself from power failures or other disasters


Log-On Procedure
- first line of defense: user IDs and passwords

Access Token
- contains key information about user

Access Control List
- defines access privileges of users

Discretionary Access Control
- allows user to grant access to another user


- Formalized procedures for software acquisition
- Security clearances of prospective employees
- Formal acknowledgment by users of their responsibilities to company
- Security group to monitor security violations
- Formal policy for taking disciplinary action against security violators


Browsing
- looking through memory for sensitive information (e.g., in printer queue)

Masquerading
- pretend to be authorized user by getting ID and passwords
- shoulder surfing

The most common method to get your password is for someone to look over your shoulder! Make sure your password is a combination of upper/lower case letters, numbers, special characters.

Virus & Worms
- foreign programs that spread through system
- virus must attach to another program, worms are self-contained


Trojan Horse
- foreign program that conceals itself with another legitimately imported program

Logic Bomb
- foreign programs triggered by specific event

Back Door
- alternative entry into system
- intentional (programmers)
- security hole

Access Privileges

Audit objectives: verify that access privileges are consistent with separation of incompatible functions and organization policies

Audit procedures: review or verify…
- policies for separating incompatible functions
- a sample of user privileges, especially access to data and programs
- security clearance checks of privileged employees
- formal acknowledgements to maintain confidentiality of data
- users’ log-on times

Password Control

Audit objectives: ensure adequacy and effectiveness of password policies for controlling access to the operating system

Audit procedures: review or verify…
- passwords required for all users
- password instructions for new users
- passwords changed regularly
- password file for weak passwords
- encryption of password file
- password standards
- account lockout policies
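The password-control procedures above can be turned into an automated check. The following is an added example, not code from the textbook: it audits a constructed list of accounts against assumed policy thresholds (minimum length, character mix, maximum age, lockout threshold) and a deliberately tiny list of common passwords. The account data, the thresholds and the finding texts are all assumptions for illustration.

```python
# Added example (not from the textbook): audit a list of accounts against a
# password policy. The accounts, the policy thresholds and the tiny
# "common password" list are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy thresholds (assumed; a real policy is set by the organization)
MIN_LENGTH = 8
REQUIRED_CLASSES = 3          # of lower, upper, digit, special
MAX_AGE_DAYS = 90
MAX_FAILED_BEFORE_LOCKOUT = 5

# Deliberately tiny dictionary; a real check would use a large wordlist
COMMON_PASSWORDS = {"password", "123456", "welcome", "letmein", "qwerty"}


@dataclass
class Account:
    user: str
    password: str                     # a real audit tests stored hashes, never a cleartext file
    last_changed: date
    lockout_threshold: Optional[int]  # None means no lockout configured


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(check(c) for c in pw) for check in checks)


def check_account(acct: Account, today: date) -> list:
    """Return the list of policy findings for one account (empty = compliant)."""
    findings = []
    pw = acct.password
    if len(pw) < MIN_LENGTH:
        findings.append("shorter than minimum length")
    if character_classes(pw) < REQUIRED_CLASSES:
        findings.append("insufficient character mix")
    if pw.lower() in COMMON_PASSWORDS or pw.lower() == acct.user.lower():
        findings.append("weak (dictionary word or user name)")
    if (today - acct.last_changed).days > MAX_AGE_DAYS:
        findings.append("not changed within %d days" % MAX_AGE_DAYS)
    if acct.lockout_threshold is None or acct.lockout_threshold > MAX_FAILED_BEFORE_LOCKOUT:
        findings.append("account lockout missing or too lax")
    return findings


def audit_passwords(accounts, today: date) -> dict:
    """Map each non-compliant user to its findings; compliant users are omitted."""
    report = {}
    for acct in accounts:
        findings = check_account(acct, today)
        if findings:
            report[acct.user] = findings
    return report


# Constructed sample data
AUDIT_DATE = date(2014, 2, 23)
SAMPLE_ACCOUNTS = [
    Account("alice", "Tr0ub4dor&3x", date(2014, 1, 15), 5),
    Account("bob", "password", date(2013, 6, 1), None),
    Account("carol", "Carol2013", date(2014, 2, 1), 10),
]

if __name__ == "__main__":
    for user, findings in audit_passwords(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, "->", "; ".join(findings))
```

Running it reports nothing for alice, four findings for bob (poor character mix, dictionary word, stale, no lockout) and one for carol (lockout threshold above the assumed maximum). A real audit would test against the stored password hashes with the organization's own wordlist rather than a cleartext list.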

Audit Trail Controls

Audit objectives: whether used to (1) detect unauthorized access, (2) facilitate event reconstruction, and (3) promote accountability

Audit procedures: review or verify…
- how long audit trails have been in place
- archived log files for key indicators
- monitoring and reporting of security violations
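To show what "key indicators" in an archived log look like in practice, here is an added example that is not part of the slides: it parses a few constructed audit-trail lines (the line format, user names and addresses are assumptions) and applies the three audit objectives above: repeated failed log-ons and off-hours log-ons as unauthorized-access indicators, the ordered trail of one user for event reconstruction, and a per-user list of sensitive actions for accountability.

```python
# Added example (not from the textbook): scan constructed audit-trail lines for
# the three objectives above: unauthorized-access indicators, event
# reconstruction for one user, and per-user accountability.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines in an assumed format:
# "<date> <time> <event> <outcome> key=value ..."
SAMPLE_LOG = """\
2014-02-23 09:02:11 LOGON OK user=alice src=10.0.1.4
2014-02-23 09:05:40 LOGON FAIL user=bob src=10.0.1.9
2014-02-23 09:05:52 LOGON FAIL user=bob src=10.0.1.9
2014-02-23 09:06:03 LOGON FAIL user=bob src=10.0.1.9
2014-02-23 09:06:20 LOGON OK user=bob src=10.0.1.9
2014-02-23 09:07:02 FILE READ user=alice object=AR_FILE
2014-02-23 23:41:07 LOGON OK user=carol src=10.0.1.12
2014-02-23 23:42:30 FILE DELETE user=carol object=AR_FILE
"""


def parse_line(line):
    """Turn one log line into a dict; the key=value pairs become fields."""
    date_s, time_s, event, outcome, *pairs = line.split()
    rec = {"time": datetime.fromisoformat(date_s + " " + time_s),
           "event": event, "outcome": outcome}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def failed_logon_bursts(records, threshold=3):
    """Objective 1: (user, source) pairs with repeated failed log-ons."""
    fails = Counter((r["user"], r["src"]) for r in records
                    if r["event"] == "LOGON" and r["outcome"] == "FAIL")
    return {k: n for k, n in fails.items() if n >= threshold}


def off_hours_logons(records, start_hour=8, end_hour=18):
    """Objective 1: successful log-ons outside business hours (assumed 08:00-18:00)."""
    return [r["user"] for r in records
            if r["event"] == "LOGON" and r["outcome"] == "OK"
            and not (start_hour <= r["time"].hour < end_hour)]


def reconstruct(records, user):
    """Objective 2: the ordered trail of everything one user did."""
    return [(r["time"].strftime("%H:%M:%S"), r["event"], r["outcome"],
             r.get("object", r.get("src")))
            for r in sorted(records, key=lambda r: r["time"]) if r["user"] == user]


def accountability(records):
    """Objective 3: which user is answerable for each non-log-on action."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] != "LOGON":
            by_user[r["user"]].append(r["event"] + " " + r["outcome"] + " " + r["object"])
    return dict(by_user)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed log-on bursts:", failed_logon_bursts(recs))
    print("off-hours log-ons:", off_hours_logons(recs))
    print("trail for carol:", reconstruct(recs, "carol"))
    print("accountability:", accountability(recs))
```

On the sample, bob's three failures from one address and carol's 23:41 log-on followed by a delete on the A/R file are the indicators an auditor would follow up; the reconstruction shows exactly what carol did and in what order.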


Two crucial database control issues:

Access controls
- Audit objectives: (1) those authorized to use databases are limited to data needed to perform their duties and (2) unauthorized individuals are denied access to data

Backup controls
- Audit objectives: backup controls can adequately recover lost, destroyed, or corrupted data



Access controls:

- User views - based on subschemas
- Database authorization table - allows specific authority rules
- Data encryption - encoding algorithms
- Biometric devices - fingerprints, retina prints, or signature characteristics

Database Authorization Table (figure): resources Employee File, Cash Receipts Program, AR File and Shared Printer, with users User 1, User 2 and User 3 assigned privileges such as Read data, Change, Add, Delete, Read only, Read code, Modify, Use, or No Access. User 1 works in A/R Dept. Can Read, Add, & Delete data.

Audit procedures: verify…
- Who has responsibility for authority tables & subschemas (user views)?
- Granting appropriate access authority
- Are biometric controls used?
- Encryption?
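The authorization table figure and the "granting appropriate access authority" procedure above come together in the following added example, which is not the textbook's code. It models an authorization table (the user/resource assignments are constructed and only loosely follow the figure), a discretionary grant in which a user passes on a privilege they hold, and the separation-of-duties audit from the Access Privileges slide; the incompatible-function policy (whoever can modify the cash receipts program must not also alter A/R data) is an assumption.

```python
# Added example (not from the textbook): a database authorization table like the
# figure above, a discretionary grant, and the separation-of-duties check an
# auditor would run over it. Users, resources and the incompatible-function
# policy are constructed for illustration.
import copy

# resource -> user -> set of privileges (constructed; loosely follows the figure)
AUTHORIZATION_TABLE = {
    "AR_FILE":               {"user1": {"read", "add", "delete"}, "user3": {"read"}},
    "CASH_RECEIPTS_PROGRAM": {"user1": {"use"}, "user3": {"read_code", "modify"}},
    "EMPLOYEE_FILE":         {"user2": {"read"}},
    "SHARED_PRINTER":        {"user1": {"use"}, "user2": {"use"}, "user3": {"use"}},
}

# Incompatible functions (assumed policy): whoever can modify the cash receipts
# program must not also be able to alter the A/R data it posts to.
INCOMPATIBLE = [
    (("CASH_RECEIPTS_PROGRAM", {"modify"}), ("AR_FILE", {"add", "change", "delete"})),
]


def privileges(table, user, resource):
    return table.get(resource, {}).get(user, set())


def is_allowed(table, user, resource, action):
    """Access check the DBMS performs before serving a request."""
    return action in privileges(table, user, resource)


def grant(table, grantor, grantee, resource, action):
    """Discretionary access control: a user may pass on a privilege they hold.
    Returns True if the grant was made."""
    if not is_allowed(table, grantor, resource, action):
        return False
    table.setdefault(resource, {}).setdefault(grantee, set()).add(action)
    return True


def sod_violations(table):
    """Audit: (user, resource A, resource B) where one user holds both sides
    of an incompatible-function pair."""
    users = {u for per_user in table.values() for u in per_user}
    found = []
    for (res_a, acts_a), (res_b, acts_b) in INCOMPATIBLE:
        for u in sorted(users):
            if privileges(table, u, res_a) & acts_a and privileges(table, u, res_b) & acts_b:
                found.append((u, res_a, res_b))
    return found


def demo():
    table = copy.deepcopy(AUTHORIZATION_TABLE)
    before = sod_violations(table)                               # clean to start with
    refused = grant(table, "user2", "user3", "AR_FILE", "add")   # user2 holds no such right
    made = grant(table, "user1", "user3", "AR_FILE", "add")      # user1 does, so it succeeds
    after = sod_violations(table)                                # user3 now modifies the program AND alters A/R
    return before, refused, made, after


if __name__ == "__main__":
    print(demo())
```

The point of the demo is that a discretionary grant can be individually legitimate (user1 really does hold "add" on the A/R file) and still create a separation-of-duties conflict, which is why the auditor samples user privileges against the incompatible-functions policy rather than trusting each grant on its own.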




Backup controls:

- Database backup - automatic periodic copy of data
- Transaction log - list of transactions which provides an audit trail
- Checkpoint features - suspends data during system reconciliation
- Recovery module - restarts system after a failure
- Grandparent-parent-child backup - the number of generations to backup is up to company policy
- Direct access file backup - back-up master-file at pre-determined intervals
- Off-site storage - guard against disasters and/or physical destruction


Audit procedures: verify…
- that production databases are copied at regular intervals
- backup copies of the database are stored off site to support disaster recovery
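How the transaction log, checkpoint and recovery module from the backup-controls list fit together is easiest to see in code. The following is an added example, not the textbook's: a toy in-memory database that logs each transaction before applying it, takes a checkpoint copy, loses its data in a simulated failure, and is rebuilt by replaying the log from the checkpoint; it also shows grandparent-parent-child rotation of backup copies. The account names, amounts and the three-generation policy are constructed.

```python
# Added example (not from the textbook): a toy database with a transaction log,
# checkpoint and recovery module, plus grandparent-parent-child rotation of
# backup copies. All data are constructed.
import copy


class ToyDatabase:
    def __init__(self):
        self.data = {}          # the "master file": account -> balance
        self.log = []           # transaction log: (txn_id, account, delta)
        self.checkpoint = None  # (copy of data, number of log entries at that time)

    def post(self, txn_id, account, delta):
        """Write to the log first, then apply to the data (write-ahead)."""
        self.log.append((txn_id, account, delta))
        self.data[account] = self.data.get(account, 0) + delta

    def take_checkpoint(self):
        """Suspend processing and record a consistent copy of the data."""
        self.checkpoint = (copy.deepcopy(self.data), len(self.log))


def recover(checkpoint, log):
    """Recovery module: start from the checkpoint copy and replay
    every logged transaction that came after it."""
    snapshot, logged_so_far = checkpoint
    data = copy.deepcopy(snapshot)
    for _txn_id, account, delta in log[logged_so_far:]:
        data[account] = data.get(account, 0) + delta
    return data


def rotate_gpc(generations, new_backup, keep=3):
    """Grandparent-parent-child rotation: newest first, oldest generation dropped
    once more than `keep` copies exist (the count is a policy decision)."""
    return ([new_backup] + generations)[:keep]


def demo():
    db = ToyDatabase()
    db.post(1, "cust_100", 500)
    db.post(2, "cust_200", 250)
    db.take_checkpoint()
    db.post(3, "cust_100", -120)
    db.post(4, "cust_300", 75)
    state_before_crash = copy.deepcopy(db.data)
    checkpoint, log = db.checkpoint, list(db.log)   # the only things that survive the failure
    db.data = {}                                    # simulated loss of the in-memory data
    recovered = recover(checkpoint, log)
    return state_before_crash, recovered, len(log) - checkpoint[1]


if __name__ == "__main__":
    before, after, replayed = demo()
    print("recovered == original:", before == after, "| transactions replayed:", replayed)
    gens = []
    for day in ("mon", "tue", "wed", "thu"):
        gens = rotate_gpc(gens, "backup_" + day)
    print("retained generations:", gens)
```

Recovery only works because the log is written before the data is changed; if the order were reversed, a failure between the two writes would leave a transaction applied but unlogged, and the replay would not reproduce it. That ordering is what the "checkpoint suspends data during system reconciliation" bullet is protecting.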




Communications is a unique aspect of computer networks:
- different than processing (applications) or data storage (databases)

Network topologies - configurations of:
- communications lines (twisted-pair wires, coaxial cable, microwaves, fiber optics)
- hardware components (modems, multiplexers, servers, front-end processors)
- software (protocols, network control systems)

Internal and external subversive activities

Audit objectives:

1. prevent and detect illegal internal and Internet network access
2. render useless any data captured by a perpetrator (usually encryption)
3. preserve the integrity and physical security of data connected to the network

Equipment failure

Audit objective: determine integrity of e-commerce transactions: are controls in place to detect and correct message loss due to equipment failure

Subversive activities include:
- unauthorized interception of a message
- gaining unauthorized access to an organization’s network
- denial-of-service (DOS) attack from remote location

Firewalls provide security by channeling all network connections through a control gateway.

Network level firewalls
- Low cost and low security access control
- Do not explicitly authenticate outside users
- Filter junk or improperly routed messages
- Experienced hackers can easily penetrate system

Application level firewalls
- Customizable network security, but expensive
- Sophisticated functions such as logging or user authentication

Denial-of-service (DOS) attacks
- Security software searches for connections which have been half-open for a period of time.

Encryption
- Computer program transforms a clear message into a coded (cipher) text form using an algorithm.

Connection set-up between Sender and Receiver (diagram):
Step 1: SYN message
Step 2: SYN/ACK
Step 3: ACK packet

In a DOS attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not respond with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.
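The "security software searches for connections which have been half-open for a period of time" bullet describes the receiver-side defence against the attack in the diagram. The following added example, not from the textbook, runs that search over a constructed connection table: it finds entries that answered with SYN/ACK but never received the final ACK within an assumed age limit, groups them by source address, and releases the clogged entries. The addresses, timestamps and thresholds are assumptions.

```python
# Added example (not from the textbook): the half-open-connection search the
# slide describes, run over a constructed connection table. Field names,
# thresholds and addresses are assumed.
from collections import Counter
from dataclasses import dataclass
from typing import Optional

HALF_OPEN_MAX_AGE = 30      # seconds a connection may stay SYN-received (assumed)
SOURCE_ALERT_THRESHOLD = 3  # stale half-open connections from one source that trigger an alert


@dataclass
class Connection:
    src: str
    dst_port: int
    syn_received_at: float            # receiver got SYN and answered SYN/ACK
    ack_received_at: Optional[float]  # None while the final ACK has not arrived


def stale_half_open(conns, now):
    """Connections still waiting for the ACK longer than the allowed age."""
    return [c for c in conns
            if c.ack_received_at is None and now - c.syn_received_at > HALF_OPEN_MAX_AGE]


def suspect_sources(conns, now, threshold=SOURCE_ALERT_THRESHOLD):
    """Sources responsible for an abnormal number of stale half-open connections."""
    counts = Counter(c.src for c in stale_half_open(conns, now))
    return {src: n for src, n in counts.items() if n >= threshold}


def release(conns, now):
    """Free the clogged ports by dropping stale half-open entries; return what remains."""
    stale = {id(c) for c in stale_half_open(conns, now)}
    return [c for c in conns if id(c) not in stale]


# Constructed connection table as seen at time t = 100 seconds
SAMPLE = [
    Connection("10.9.9.9", 80, 10.0, None),
    Connection("10.9.9.9", 80, 11.0, None),
    Connection("10.9.9.9", 80, 12.0, None),
    Connection("10.9.9.9", 80, 13.0, None),
    Connection("10.0.1.4", 80, 20.0, 20.2),   # completed normally
    Connection("10.0.1.5", 443, 95.0, None),  # recent, still within the allowed age
    Connection("10.0.1.6", 80, 40.0, None),   # one slow client, not an attack by itself
]
NOW = 100.0

if __name__ == "__main__":
    print("stale half-open:", len(stale_half_open(SAMPLE, NOW)))
    print("suspect sources:", suspect_sources(SAMPLE, NOW))
    print("connections after release:", len(release(SAMPLE, NOW)))
```

Note the two thresholds do different jobs: the age limit decides which entries are released so legitimate traffic can get through again, while the per-source count separates a single slow client from a source that is deliberately leaving many connections half-open.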

Encryption (diagram): the sender’s encryption program turns the cleartext message into ciphertext using a key; the ciphertext passes through the communication system; the receiver’s encryption program, using the key, turns the ciphertext back into the cleartext message.


Digital signature
- electronic authentication technique to ensure that…
  - transmitted message originated with authorized sender
  - message was not tampered with after signature was applied

Digital certificate
- like an electronic identification card used with a public key encryption system
- verifies authenticity of message sender

Message sequence numbering
- sequence number used to detect missing messages

Message transaction log
- listing of all incoming and outgoing messages to detect efforts of hackers

Request-response technique
- random control messages are sent from sender to ensure messages are received

Call-back devices
- receiver calls sender back at a pre-authorized phone number before transmission is completed
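Three of the controls above (digital signature, message sequence numbering and the message transaction log) are combined in the following added example, which is not the textbook's code. The sender signs each message together with its sequence number; the receiver verifies the signature with the sender's public key (which in practice would come from the sender's digital certificate), checks the sequence number for gaps and replays, and records every message and its outcome in a transaction log. The RSA key is a toy built from two Mersenne primes so the arithmetic is visible; real keys are far larger. Message bodies are constructed.

```python
# Added example (not from the textbook): a signed, sequence-numbered message
# stream with a receiver-side transaction log. The RSA key uses small fixed
# primes so the arithmetic is visible; it is a constructed toy, not a usable key.
import hashlib
from dataclasses import dataclass, field

P, Q = 2**31 - 1, 2**61 - 1        # Mersenne primes (toy size; real keys use ~2048-bit moduli)
N = P * Q
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def digest(seq, body):
    """Hash of sequence number + body, reduced mod N so it fits the toy modulus."""
    h = hashlib.sha256(f"{seq}|{body}".encode()).digest()
    return int.from_bytes(h, "big") % N


def sign(seq, body):
    """Sender: signature = hash^D mod N (private key)."""
    return pow(digest(seq, body), D, N)


def verify(seq, body, signature):
    """Receiver: signature^E mod N must equal the hash (public key from the sender's certificate)."""
    return pow(signature, E, N) == digest(seq, body)


@dataclass
class Receiver:
    expected_seq: int = 1
    log: list = field(default_factory=list)   # message transaction log

    def receive(self, seq, body, signature):
        if not verify(seq, body, signature):
            status = "rejected: bad signature"          # tampered, or not from the sender
        elif seq < self.expected_seq:
            status = "rejected: replayed sequence number"
        elif seq > self.expected_seq:
            status = f"accepted; missing {self.expected_seq}-{seq - 1}"
            self.expected_seq = seq + 1
        else:
            status = "accepted"
            self.expected_seq = seq + 1
        self.log.append((seq, body, status))
        return status


def demo():
    rx = Receiver()
    m1 = (1, "PAY 100 TO ACCT 42", sign(1, "PAY 100 TO ACCT 42"))
    rx.receive(*m1)
    sig2 = sign(2, "PAY 100 TO ACCT 43")
    rx.receive(2, "PAY 900 TO ACCT 43", sig2)                         # body altered in transit
    rx.receive(4, "PAY 10 TO ACCT 44", sign(4, "PAY 10 TO ACCT 44"))  # message 3 never arrived
    rx.receive(*m1)                                                   # message 1 replayed
    return [status for _, _, status in rx.log]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The signature covers the sequence number as well as the body, so an intercepted message cannot be re-used under a different number; the log keeps the rejected messages too, because those entries are exactly the "efforts of hackers" the transaction log is meant to expose.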


Audit procedures:
- Review firewall effectiveness in terms of flexibility, proxy services, filtering, segregation of systems, audit tools, and probing for weaknesses.
- Review data encryption security procedures
- Verify encryption by testing
- Review message transaction logs
- Test procedures for preventing unauthorized calls


Line errors are data errors from communications noise (static).

Two techniques to detect and correct such data errors:
- echo check - receiver returns message to sender
- parity checks - an extra bit is added onto each byte of data, similar to check digits


Using a sample of messages from the transaction log:
- examine them for garbled contents caused by line noise (static)
- verify that all corrupted messages were successfully retransmitted
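The two line-error techniques and the audit procedure that follows them are shown in the following added example, which is not from the textbook. It adds an even parity bit to each byte, detects a single flipped bit, shows the limit of the technique (two flipped bits in one byte go undetected), implements the echo check as a simple comparison, and audits a constructed transaction log to confirm every garbled message was later retransmitted. The log entries and message text are constructed.

```python
# Added example (not from the textbook): even-parity checking on each byte, an
# echo check, and the audit pass over a constructed transaction log that looks
# for garbled messages and confirms each was retransmitted.


def parity_bit(byte):
    """Even parity: 1 if the byte has an odd number of 1 bits, so the total becomes even."""
    return bin(byte).count("1") % 2


def add_parity(data: bytes):
    """Frame the data as (byte, parity) pairs, as a 9-bit line code would."""
    return [(b, parity_bit(b)) for b in data]


def check_parity(frames):
    """Indices of bytes whose parity no longer matches."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]


def flip_bit(frames, index, bit):
    """Simulate line noise: toggle one bit of one byte, leaving the parity bit as sent."""
    frames = list(frames)
    b, p = frames[index]
    frames[index] = (b ^ (1 << bit), p)
    return frames


def echo_check(sent: bytes, echoed: bytes):
    """Sender compares what the receiver echoes back with what it sent."""
    return sent == echoed


# Constructed transaction log: (message id, status) entries in arrival order.
SAMPLE_LOG = [
    ("M001", "ok"),
    ("M002", "garbled"),
    ("M002", "retransmitted-ok"),
    ("M003", "garbled"),
    ("M004", "ok"),
    ("M005", "garbled"),
    ("M005", "garbled"),
    ("M005", "retransmitted-ok"),
]


def retransmission_audit(log):
    """Each garbled message id mapped to whether a good retransmission appears in the log."""
    garbled = {mid for mid, st in log if st == "garbled"}
    fixed = {mid for mid, st in log if st == "retransmitted-ok"}
    return {mid: (mid in fixed) for mid in sorted(garbled)}


def demo():
    frames = add_parity(b"AR 100")
    single = check_parity(flip_bit(frames, 2, 0))                     # one bit flipped: detected
    double = check_parity(flip_bit(flip_bit(frames, 2, 0), 2, 5))     # two bits in one byte: missed
    return single, double, retransmission_audit(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

The double-flip case is the reason parity is described as a detection technique for noise rather than a guarantee: an even number of errors in one byte preserves the parity, which is why the audit still samples the log for garbled content instead of relying on the line check alone. In the sample log, M003 is the finding: it was garbled and never retransmitted successfully.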


Electronic data interchange (EDI) uses computer-to-computer communications technologies to automate B2B purchases.

Audit objectives:

1. Transactions are authorized, validated, and in compliance with the trading partner agreement.
2. No unauthorized organizations can gain access to the database.
3. Authorized trading partners have access only to approved data.
4. Adequate controls are in place to ensure a complete audit trail.


EDI exposures:

Authorization
- automated and absence of human intervention

Access
- need to access EDI partner’s files

Audit trail
- paperless and transparent (automatic) transactions



EDI controls:

Authorization
- use of passwords and value added networks (VAN) to ensure valid partner

Access
- software to specify what can be accessed and at what level

Audit trail
- control log records transaction’s flow through each phase of transaction processing
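The three EDI controls above can be seen working together in an inbound gateway. The following is an added example and not the textbook's code: each incoming message is checked against a trading partner file (partner id, expected VAN mailbox and password), then against an access table that says which records the partner may touch and how, and every processing phase writes a control-log entry so the trail is complete even for rejected messages. The partner, mailbox, password, access table and payload format are all constructed assumptions.

```python
# Added example (not from the textbook): an inbound EDI gateway applying the
# three controls above to constructed messages: the partner file check
# (authorization), an access table saying what each partner may touch (access),
# and a control-log entry per processing phase (audit trail).
import hmac
from dataclasses import dataclass

# Trading partner file (constructed): partner id -> expected VAN mailbox and shared password
TRADING_PARTNERS = {
    "VENDOR-B": {"mailbox": "mb-companyB", "password": "s3cr3t-B"},
}

# Access table (constructed): which application records each partner may reach, and how
PARTNER_ACCESS = {
    "VENDOR-B": {"PURCHASE_ORDERS": {"read"}, "INVOICES": {"add"}},
}


@dataclass
class EdiMessage:
    partner_id: str
    mailbox: str
    password: str
    target: str
    action: str
    payload: str


def authorize(msg):
    """Authorization: the partner must be on file and arrive via its own mailbox with its password."""
    p = TRADING_PARTNERS.get(msg.partner_id)
    return (p is not None and p["mailbox"] == msg.mailbox
            and hmac.compare_digest(p["password"], msg.password))


def access_permitted(msg):
    """Access: the partner may only perform the listed actions on the listed records."""
    return msg.action in PARTNER_ACCESS.get(msg.partner_id, {}).get(msg.target, set())


def process(msg, control_log):
    """Run the message through the phases, logging each so the trail is complete."""
    phases = [("received", lambda m: True),
              ("authorized", authorize),
              ("access-checked", access_permitted),
              ("translated", lambda m: m.payload.startswith("ST*")),  # assumed X12-style check
              ("posted", lambda m: True)]
    for name, check in phases:
        ok = check(msg)
        control_log.append((msg.partner_id, msg.target, name, "pass" if ok else "fail"))
        if not ok:
            return False
    return True


def demo():
    log = []
    good = EdiMessage("VENDOR-B", "mb-companyB", "s3cr3t-B", "INVOICES", "add", "ST*810*0001")
    wrong_mailbox = EdiMessage("VENDOR-B", "mb-other", "s3cr3t-B", "INVOICES", "add", "ST*810*0002")
    over_reach = EdiMessage("VENDOR-B", "mb-companyB", "s3cr3t-B", "EMPLOYEE_FILE", "read", "ST*...")
    results = [process(m, log) for m in (good, wrong_mailbox, over_reach)]
    return results, log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    for entry in log:
        print(entry)
```

The second message fails authorization because it did not come through the partner's own VAN mailbox even though the password is right, and the third fails the access check because the vendor is limited to its own purchase orders and invoices; both failures are in the control log, which is what the later "verify existence of transaction logs at key points" test looks for.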

EDI System without Controls (diagram): Company A’s purchases system and Company B’s (vendor) sales order system exchange data through application software, EDI translation software, and communications software over a direct connection.

EDI System with Controls (diagram): Company A’s purchases system and Company B’s (vendor) sales order system exchange data through application software, EDI translation software, and communications software via a VAN that holds Company A’s mailbox, Company B’s mailbox, and other mailboxes. Controls shown: use of VAN to enforce use of passwords and valid partners; software limits vendor’s (Company B) access to Company A’s database; transaction logs on both sides provide an audit trail of transactions between trading partners.


Tests of Authorization and Validation Controls
- Review procedures for verifying trading partner identification codes
- Review agreements with VAN
- Review trading partner files

Tests of Access Controls
- Verify limited access to vendor and customer files
- Verify limited access of vendors to database
- Test EDI controls by simulation

Tests of Audit Trail Controls
- Verify existence of transaction logs at key points
- Review a sample of transactions