Lesson C - 4 Ch03 Auditing PC-Based Accounting Systems


Chapter 3 Lesson 5
Security Part I: PC-Based Accounting System
Auditing Operating Systems and Networks
Information Technology Auditing, by James Hall
Objectives
• Recognize the unique exposures that arise in connection with electronic data interchange (EDI) and understand how these exposures can be reduced.
• Be familiar with the risks associated with personal computing systems.
Outline
Lesson 1 - Auditing OS
• OS Objectives
• OS Security
• Threats to OS Integrity
• OS Controls and Audit Tests
Lesson 2 - Auditing Networks
• Intranet Risks
• Internet Risks
Lesson 3 - Controlling Networks
• Firewalls
• Encryption
• Message control techniques
Lesson 4 – Auditing EDI
• EDI Standards
• Benefits of EDI
• Financial EDI
• EDI Controls
• Access Control
Lesson 5 – Auditing PC-Based Accounting Systems
• PC Systems Risks and Controls


PC-BASED vs. MAINFRAME & CLIENT-SERVER SYSTEMS
PC-based accounting systems
• can be found in the software market.
• allow software vendors to mass-produce low-cost and error-free standard products.
• tend to be general-purpose systems
– that serve a wide range of needs.
• are popular with smaller firms,
– which use them to automate and replace manual systems and thus become more efficient and competitive.
• have also made inroads (penetration) with larger companies that have decentralized operations.
Mainframe and client-server systems
• are frequently custom-designed to meet specific user requirements.
PC-BASED ACCOUNTING SYSTEMS
Most PC systems are modular in design
• Flexibility in tailoring systems to their specific needs.
• Market niche: target products to the unique needs of specific industries,
– such as health care, transportation, and food services.
Fully Integrated Modules
• Commercial systems usually have fully integrated modules.
– This means that data transfers between modules occur automatically.
– For example, an integrated system will ensure that all transactions captured by the various modules have been balanced and posted to subsidiary and GL accounts before the GL module produces the financial reports.
In software, a module is a part of a program. Programs are composed of one or more independently developed modules until the program is linked. A single module can contain one or several routines. Modular programming is the process of subdividing a computer program into separate sub-programs.
PC-BASED ACCOUNTING SYSTEMS
Typical business modules include
• sales order processing and AR
• purchases and AP
• cash receipts, cash disbursements, general ledger and financial reporting
• inventory control
• payroll
Control Program & User
• Central control program
– provides the user interface to the system.
• User
– makes menu selections to invoke application modules as needed.
• For example:
– By selecting the sales module, the user can enter customer orders in real time.
– At the end of the day, in batch mode, the user can enter cash receipts, purchases, and payroll transactions.
PC Systems Risks and Controls
PC accounting systems
• Create unique control problems for accountants that arise from inherent weaknesses in their OSs and the general PC environment.
• In general:
– Relatively simple to operate and program
– Controlled and operated by end users
– Commercial applications vs. custom
– Often used to access data on mainframe or network
– Allows users to develop their own applications
• Operating Systems:
– Are located on the PC (decentralized)
– O/S family dictates applications (e.g., Windows)
Risk of physical loss
• Laptops, etc. can “walk off”
Risk of data loss
• Easy for multiple users to access data
• End user can steal, destroy, manipulate
• Inadequate backup procedures
PC Systems Risks and Controls
• Some of the more significant risks and
possible control techniques are outlined:
– OS Weaknesses
– Weak Access Control
– Inadequate Segregation of Duties
– Multilevel Password Control
– Risk of Theft
– Weak Backup Procedures
– Risk of Virus Infection
Operating System Weaknesses
Personal Computer Risks
• INHERENT WEAKNESSES: PCs were designed to be easy to use, single-user systems, facilitating access, not restricting it.
• Controlling PCs rests heavily on physical security controls & the need for an effective access control system.
• The data stored on microcomputers that are shared by multiple users are exposed to unauthorized access,
– manipulation, and destruction.
• Once a computer criminal gains access to the user’s PC, there may be little or nothing in the way of control to prevent him or her from stealing or manipulating the data stored on the internal hard drive.
Weak Access Control
Logon Procedures
• Security software that provides logon procedures is available for PCs.
• WEAK ACCESS CONTROL:
• Booting from floppy or hard drive or CD-ROM to invoke logon security procedures.
Risks
• Logon procedures become active only when the computer is booted from the hard drive.
• Boot from a CD-ROM,
– whereby an uncontrolled OS can be loaded into the computer’s memory.
• Unrestricted access to data and programs
– Having bypassed the computer’s stored OS and security package, the criminal may have unrestricted access to data and programs on the hard disk drive.
Inadequate Segregation of Duties
Multiple Applications Constitute Incompatible Tasks
• Employees in PC environments, particularly those of small companies, may have access to multiple applications that constitute incompatible tasks.
– For example, a single individual may be responsible for entering all transaction data, including sales orders, cash receipts, invoices, and disbursements.
• Typically, the GL and subsidiary accounts are updated automatically from these input sources.
Risks
• This degree of authority would be similar, in a manual system, to assigning AR, AP, cash receipts, cash disbursement, and GL responsibility to the same person.
• The exposure is compounded when the operator is also responsible for the development (programming) of the applications that he or she runs.
• In small-company operations, there may be little that can be done to eliminate these inherent conflicts of duties.
• However, multilevel password control, discussed next, can reduce the risks.
Inadequate Segregation of Duties: Multilevel Password Control
• Multilevel password control
– is used to restrict employees who are sharing the same computers to specific directories, programs, and data files.
– different passwords are used to access different functions.
• each employee is required to enter a password to access his or her applications and data.
– uses stored authorization tables
• to further limit an individual’s access to read-only, data input, data modification, and data deletion capability.
– can greatly enhance the small organization’s control environment.
• Although not a substitute for all manual control techniques, such as employee supervision and management reports that detail transactions and their effects on account balances.
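The two slides above describe a stored authorization table (each user limited to read-only, data input, data modification or data deletion per module) and the incompatible-task review an auditor performs when one operator holds AR, AP, cash receipts, cash disbursements and GL. The following script is an added example, not code from the slides or from any accounting package they mention: it enforces an authorization table and then scans that same table for segregation-of-duties conflicts, including the programmer-who-also-operates case. The users, module names and the list of incompatible pairs are constructed for the example.

```python
"""Authorization-table access check plus a segregation-of-duties review.

Added example (not from the lesson). Models the multilevel control the
slides describe: a user's right on each module is capped at one level, and
an auditor can list users whose write rights cover incompatible duties.
All users, modules and incompatible pairs below are constructed sample data.
"""
from enum import IntEnum


class Level(IntEnum):
    """Ordered access levels; a higher level includes the lower ones."""
    NONE = 0
    READ_ONLY = 1
    INPUT = 2
    MODIFY = 3
    DELETE = 4


# Stored authorization table: user -> module -> highest permitted level.
AUTH_TABLE = {
    "alice": {"sales_ar": Level.INPUT, "gl": Level.READ_ONLY},
    "bob": {"purchases_ap": Level.INPUT, "cash_disbursements": Level.MODIFY},
    "carol": {"cash_receipts": Level.INPUT, "gl": Level.DELETE},
}

# Users who also develop (program) applications; constructed sample.
DEVELOPERS = {"carol"}

# Duty pairs assumed incompatible for this example (classic SoD pairs and
# GL posting combined with any transaction-entry module).
INCOMPATIBLE_PAIRS = [
    ("sales_ar", "cash_receipts"),
    ("purchases_ap", "cash_disbursements"),
    ("gl", "sales_ar"),
    ("gl", "cash_receipts"),
    ("gl", "purchases_ap"),
    ("gl", "cash_disbursements"),
]


def is_authorized(user, module, requested, table=AUTH_TABLE):
    """True if the table grants `user` at least `requested` on `module`.

    Unknown users or modules fall through to Level.NONE (deny by default).
    """
    granted = table.get(user, {}).get(module, Level.NONE)
    return granted >= requested


def write_modules(rights):
    """Modules on which a user can change data (INPUT or above)."""
    return {m for m, lvl in rights.items() if lvl >= Level.INPUT}


def sod_findings(table=AUTH_TABLE, developers=DEVELOPERS):
    """Return human-readable findings for incompatible write rights."""
    findings = []
    for user, rights in table.items():
        writable = write_modules(rights)
        for a, b in INCOMPATIBLE_PAIRS:
            if a in writable and b in writable:
                findings.append(f"{user}: incompatible duties {a} + {b}")
        # Operator who also programs the applications he or she runs
        if user in developers and writable:
            findings.append(
                f"{user}: develops and operates {', '.join(sorted(writable))}"
            )
    return findings


if __name__ == "__main__":
    print("alice may read GL:", is_authorized("alice", "gl", Level.READ_ONLY))
    print("alice may post GL:", is_authorized("alice", "gl", Level.INPUT))
    for line in sod_findings():
        print(line)
```

Deny-by-default is the important design choice: a missing table entry yields `Level.NONE`, so adding a new module never silently grants access. The review function is what an auditor would run to answer the later audit procedure that asks whether programmers of financially significant applications also operate them.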
Risk of Theft
Risks
• Because of their size, PCs are objects of theft, and the portability of laptops places them at the highest risk.
Controls
• Formal policies should be in place to restrict financial and other sensitive data to desktop PCs only.
• Provide employee training about appropriate computer usage.
– This should include stated penalties for stealing or destroying data.
• Antitheft security locks can be effective for preventing opportunistic theft, but they will not deter the dedicated thief.
Weak Backup Procedures
Risk
• Computer failure, usually disk failure, is the primary cause of data loss in PC environments.
• If the hard drive of a PC fails, recovering the data stored on it may be impossible.
Controls
• formal backup procedures
– In mainframe and network environments, backup is controlled automatically by the OS, using specialized software and hardware.
• inexpensive automated backup systems for PCs are available.
– 1) backup may be directed to an external hard drive at the user location.
– 2) contract with an online backup service that encrypts and copies the PC-housed data to a secure location.
• The backup is performed automatically whenever the PC is connected to the Internet.
• End User
– The responsibility for providing backup in the PC environment rests with the end user.
– because of lack of computer experience and training, users fail to appreciate the importance of backup procedures until it is too late.
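The backup slide above relies on the end user, and the audit procedures later in the lesson ask the auditor to verify that "backup procedures are being followed". Both are easier to evidence when each backup carries a manifest. The script below is an added example, not code from the slides or from any backup product: it copies a directory, records a SHA-256 digest per file in a `manifest.json` (a file name chosen for this example), and then lets a reviewer check that the copy is complete, unaltered and recent. The sample ledger files are constructed in a temporary directory so the script runs offline.

```python
"""Directory backup with an integrity manifest and a currency check.

Added example (not from the lesson). make_backup() copies a tree and writes
manifest.json with a SHA-256 per file; verify_backup() reports missing or
altered copies; backup_is_current() answers whether the last backup is
within an allowed age. Sample files below are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time

MANIFEST = "manifest.json"  # name assumed for this example


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, dest_dir, now=None):
    """Copy every file under src_dir into dest_dir and write the manifest."""
    digests = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            digests[rel] = sha256_file(dst)  # hash the copy, not the source
    manifest = {"created": time.time() if now is None else now, "files": digests}
    with open(os.path.join(dest_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_backup(dest_dir):
    """Return a list of problems (missing/altered files); empty means intact."""
    with open(os.path.join(dest_dir, MANIFEST)) as f:
        manifest = json.load(f)
    problems = []
    for rel, expected in manifest["files"].items():
        path = os.path.join(dest_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"altered: {rel}")
    return problems


def backup_is_current(dest_dir, max_age_seconds, now=None):
    """True if the manifest's creation time is within max_age_seconds of now."""
    with open(os.path.join(dest_dir, MANIFEST)) as f:
        created = json.load(f)["created"]
    now = time.time() if now is None else now
    return now - created <= max_age_seconds


def demo():
    """Constructed sample: back up two ledger files, damage the copy, re-check."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "ledger")
    dst = os.path.join(work, "backup")
    os.makedirs(os.path.join(src, "2024"))
    with open(os.path.join(src, "2024", "gl.csv"), "w") as f:
        f.write("acct,debit,credit\n1000,500.00,0\n")
    with open(os.path.join(src, "ar.csv"), "w") as f:
        f.write("customer,balance\nACME,1200.00\n")
    taken_at = 1_700_000_000  # fixed timestamp so the age check is repeatable
    make_backup(src, dst, now=taken_at)
    before = verify_backup(dst)
    # Simulate a damaged backup copy: one file appended to, one deleted.
    with open(os.path.join(dst, "ar.csv"), "a") as f:
        f.write("tampered\n")
    os.remove(os.path.join(dst, "2024", "gl.csv"))
    after = verify_backup(dst)
    current = backup_is_current(dst, 86400, now=taken_at + 3600)
    stale = backup_is_current(dst, 86400, now=taken_at + 10 * 86400)
    shutil.rmtree(work)
    return before, after, current, stale


if __name__ == "__main__":
    print(demo())
```

The digest is taken from the copied file rather than the source, so a copy that was truncated mid-write fails verification immediately. An auditor checking that "backup procedures are being followed" would run `verify_backup()` against the most recent backup and `backup_is_current()` with the interval the organisation's policy prescribes.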
Risk of Virus Infection
Risk
• Virus infection is one of the most common threats to PC integrity and system availability.
Controls
• Policy of obtaining software
• Policy for use of anti-virus software
– effective antivirus software is installed on the PCs and kept up-to-date.
Audit Objectives:
Associated with PC Security
• Audit objectives for assessing controls in the PC environment include the
following:
• Verify that
– controls are in place
• to protect data, programs, and computers from unauthorized access, manipulation,
destruction, and theft.
– adequate supervision and operating procedures exist
• to compensate for lack of segregation between the duties of users, programmers, and
operators.
– backup procedures are in place
• to prevent data and program loss due to system failures, errors, and so on.
– systems selection and acquisition procedures produce applications that are high
quality, and protected from unauthorized changes.
– the system is free from viruses and adequately protected
• to minimize the risk of becoming infected with a virus or similar object.
Audit Procedures: Associated with PC Security
• Verify that microcomputers and their files are physically controlled.
• Verify from organizational charts, job descriptions, and observation that the programmers or applications performing financially significant functions do not also operate those systems.
• Confirm that reports of processed transactions, listings of updated accounts, and control totals are prepared, distributed, and reconciled by appropriate management at regular and timely intervals.
• Determine that multilevel password control or multifaceted access control is used to limit access to data and applications, where applicable.
• Verify that
– The drives are removed and stored in a secure location when not in use, where applicable.
– Backup procedures are being followed.
– Application source code is physically secured (such as in a locked safe) and that only the compiled version is stored on the microcomputer.
• Review
– Systems selection and acquisition controls
– Virus control techniques
• Verify no unauthorized software on PCs.
Summary
• The discussion turned to EDI, where firms are faced
with a variety of exposures that arise in connection
with an environment void of human intermediaries
to authorize or review transactions.
• Controls in an EDI environment are achieved
primarily through programmed procedures to
authorize transactions, limit access to data files, and
ensure that transactions the system processes are
valid.
• The chapter concluded with the risks and controls
associated with the PC environment.
• Three of the most serious exposures are
– (1) the lack of properly segregated duties
– (2) PC-operating systems that do not have the
sophistication of mainframes and expose data to
unauthorized access
– (3) computer failures and inadequate backup procedures
that rely too heavily on human intervention and thus
threaten the security of accounting records
Section A: Internet Technologies
• Packet Switching
• Virtual Private Networks
• Extranets
• World Wide Web
• Internet Addresses - E-mail Address; URL Address; IP Address
Protocols
• What Functions Do Protocols Perform?
• The Layered Approach to Network Protocol
Internet Protocols
• File Transfer Protocols
• Mail Protocols
• Security Protocols
• Network News Transfer Protocol
• HTTP and HTTP-NG
• HTML
Section B: Intranet Technologies
NETWORK TOPOLOGIES
• Local Area Networks and Wide Area Networks
• Network Interface Cards
• Servers
• Star Topology
• Hierarchical Topology
• Ring Topology
• Bus Topology
• Client-Server Topology
NETWORK CONTROL
• Data Collision – Polling; Token Passing; Carrier Sensing