
Chapter 15
Auditing IT Controls Part II: Security and Access

James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Learning Objectives
• Be able to identify the principal threats to the operating system
and the control techniques used to minimize the possibility of
actual exposures.
• Be familiar with the principal risks associated with electronic
commerce conducted over intranets and the Internet and
understand the control techniques used to reduce these risks.
• Be familiar with the risks to database integrity and the controls
used to mitigate them.
• Recognize the unique exposures that arise in connection with
electronic data interchange and understand how these
exposures can be reduced.

Controlling the Operating System
• The operating system is the computer’s control program.
• It allows users and their applications to share and access
common computer resources, such as processors, main
memory, databases, and printers.
• If operating system integrity is compromised, controls
within individual accounting applications may also be
circumvented or neutralized.


OPERATING SYSTEM OBJECTIVES

• Compilers are language translation modules of the
operating system.
• Interpreters are language translation modules of the
operating system that convert one line of logic at a time.

OPERATING SYSTEM SECURITY

• Operating system security controls the system in an
ever-expanding user community sharing more and more
computer resources.
• Log-On Procedure
• A log-on procedure is the operating system’s first line of
defense against unauthorized access.
• Access Token
• An access token contains key information about the user,
including user ID, password, user group, and privileges granted
to the user.


OPERATING SYSTEM SECURITY (continued)

• Access Control List
• An access control list (ACL) is a list containing information that
defines the access privileges for all valid users of the resource.
An access control list assigned to each resource controls
access to system resources such as directories, files,
programs, and printers.
• Discretionary Access Privileges
• Discretionary access privileges grant access privileges to
other users. For example, the controller, who is the owner of
the general ledger, may grant read-only privileges to a
manager in the budgeting department.

THREATS TO OPERATING SYSTEM INTEGRITY
• Accidental Threats
• Errors in User Application
• Accidental System Failures
• Intentional Threats
• Destructive Programs


OPERATING SYSTEM CONTROLS AND TESTS OF CONTROLS
• Controlling Access Privileges
• AUDIT OBJECTIVES RELATING TO ACCESS PRIVILEGES
• AUDIT PROCEDURES RELATING TO ACCESS PRIVILEGES
• Password Control
• A password is a code, usually kept secret, entered by the user
to gain access to data files.
• A reusable password is a network password that can be used
more than one time.
• The one-time password is a network password that
constantly changes.
• AUDIT OBJECTIVES RELATING TO PASSWORDS
• AUDIT PROCEDURES RELATING TO PASSWORDS

OPERATING SYSTEM CONTROLS AND TESTS OF CONTROLS (continued)
• Controlling Malware
• Audit Objective Relating to Malware
• AUDIT PROCEDURES RELATING TO MALWARE
• System Audit Trail Controls
• System audit trails are logs that record activity at the system,
application, and user levels.
• Keystroke monitoring involves recording both the user’s
keystrokes and the system’s responses.
• Event monitoring summarizes key activities related to system
resources.


OPERATING SYSTEM CONTROLS AND TESTS OF CONTROLS (continued)
• Setting Audit Trail Objectives
• DETECTING UNAUTHORIZED ACCESS
• RECONSTRUCTING EVENTS
• PERSONAL ACCOUNTABILITY
• Implementing a System Audit Trail
• AUDIT OBJECTIVES RELATING TO SYSTEM AUDIT TRAILS
• AUDIT PROCEDURES RELATING TO SYSTEM AUDIT
TRAILS
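Added example, not part of the slides: event monitoring run over a system audit trail, summarising key activity per user and flagging the two audit-trail objectives above, detecting unauthorized access (repeated failed log-ons, off-hours changes) and personal accountability (every exception names a user ID). The log lines, the "time user event resource" format, the business-hours range and the failure threshold are all constructed assumptions.

```python
# Added example (not from the slides). Sample audit trail, format and
# thresholds are constructed for illustration.
from collections import Counter, defaultdict

AUDIT_TRAIL = """\
2019-03-04T08:02 jsmith LOGON_OK workstation7
2019-03-04T08:05 jsmith READ general_ledger
2019-03-04T22:41 jsmith MODIFY general_ledger
2019-03-04T09:10 rlee LOGON_FAIL workstation3
2019-03-04T09:11 rlee LOGON_FAIL workstation3
2019-03-04T09:12 rlee LOGON_FAIL workstation3
2019-03-04T09:13 rlee LOGON_FAIL workstation3
2019-03-04T10:30 mpatel LOGON_OK workstation2
""".splitlines()

BUSINESS_HOURS = range(7, 19)   # assumed policy: 07:00 to 18:59
FAIL_THRESHOLD = 3              # assumed: more failures than this is an exception


def parse(line):
    """Split one constructed 'time user event resource' record."""
    ts, user, event, resource = line.split()
    return {"hour": int(ts[11:13]), "user": user,
            "event": event, "resource": resource}


def event_summary(lines):
    """Event monitoring: per-user counts of each event type."""
    summary = defaultdict(Counter)
    for rec in map(parse, lines):
        summary[rec["user"]][rec["event"]] += 1
    return summary


def exceptions(lines):
    """Detecting unauthorized access: conditions an auditor would follow up.
    Each exception carries the user ID so accountability can be established."""
    found = []
    for user, counts in event_summary(lines).items():
        if counts["LOGON_FAIL"] > FAIL_THRESHOLD:
            found.append((user, "repeated failed log-ons"))
    for rec in map(parse, lines):
        if rec["event"] in ("READ", "MODIFY") and rec["hour"] not in BUSINESS_HOURS:
            found.append((rec["user"], f"off-hours {rec['event']} on {rec['resource']}"))
    return found
```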

Controlling Database Management Systems
• Access controls are controls that ensure that only
authorized personnel have access to the firm’s assets.
• Backup controls ensure that in the event of data loss
due to unauthorized access, equipment failure, or physical
disaster, the organization can recover its files and
databases.

ACCESS CONTROLS

• User Views
• The user view is a set of data that a particular user needs to
achieve his or her assigned tasks.
• Database Authorization Table
• The database authorization table is a table that contains rules
that limit the actions a user can take.
• User-Defined Procedures
• A user-defined procedure allows the user to create a personal
security program. It provides more positive user identification than
a password.
• Data Encryption
• Data encryption is the use of an algorithm to scramble selected
data, making it unreadable to an intruder browsing the database.
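Added example, not part of the slides: it covers both the discretionary access privileges on the earlier operating system security slide (the controller, as owner of the general ledger, grants read-only access to a budgeting manager) and the database authorization table above (rules that limit the actions a user can take, with everything not listed denied). Resource names, user names and the table's rows are constructed.

```python
# Added example (not from the slides). All users, resources and rules are
# constructed for illustration.
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass
class Resource:
    """One system resource (file, directory, program, printer) and its ACL."""
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of privileges

    def grant(self, grantor, grantee, privileges):
        """Discretionary access privilege: only the owner may extend
        privileges on this resource to other users."""
        if grantor != self.owner:
            raise PermissionError(f"{grantor} does not own {self.name}")
        self.acl.setdefault(grantee, set()).update(privileges)

    def allows(self, user, privilege):
        """Check performed on every access: the owner has all privileges,
        everyone else only what the ACL lists."""
        if user == self.owner:
            return True
        return privilege in self.acl.get(user, set())


# Database authorization table: (user, table) -> actions the user may take.
# Any (user, table) pair not present is denied, the only safe default.
AUTH_TABLE = {
    ("controller", "general_ledger"): {"read", "insert", "modify", "delete"},
    ("budget_mgr", "general_ledger"): {"read"},
    ("ap_clerk", "vendor"): {"read", "insert"},
}


def authorized(user, table, action):
    """Look the requested action up in the authorization table."""
    return action in AUTH_TABLE.get((user, table), set())


def controller_grants_read_only():
    """The slide's case: the controller owns the general ledger and grants
    read-only access to the budgeting manager."""
    gl = Resource("general_ledger", "controller")
    gl.grant("controller", "budget_mgr", {READ})
    return gl
```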

Subschema Restricting Access to Database

Database Authorization Table

ACCESS CONTROLS (continued)

• Biometric Devices
• Biometric devices are devices that measure various personal
characteristics, such as finger, voice, or retina prints, or other
signature characteristics.
• Audit Objectives Relating to Database Access
• Audit Procedures for Testing Access Controls
• RESPONSIBILITY FOR AUTHORITY TABLES AND
SUBSCHEMAS
• APPROPRIATE ACCESS AUTHORITY
• BIOMETRIC CONTROLS
• ENCRYPTION CONTROLS

BACKUP CONTROLS

• Database Backup
• Transaction Log (Journal)
• The transaction log is a listing of transactions that provides an
audit trail of all processed events.
• Checkpoint Feature
• The checkpoint feature is a feature that suspends all data
processing while the system reconciles the transaction log and the
database change log against the database.
• Recovery Module
• The recovery module uses the logs and backup files to restart
the system after a failure.
• Audit Objectives Relating to Database Backup
• Audit Procedures for Testing Backup Controls
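Added example, not part of the slides: a small in-memory database with the three backup controls above, a transaction log (journal) of every processed event, a checkpoint that snapshots the database and notes how much of the log it already reflects, and a recovery module that restores the snapshot and replays the log after a failure. The checkpoint here is simplified to a single snapshot plus log position; account names and amounts are constructed.

```python
# Added example (not from the slides). Accounts and amounts are constructed;
# the checkpoint is simplified to a snapshot plus a log position.
import copy


class Database:
    def __init__(self):
        self.data = {}           # live database: account -> balance
        self.log = []            # transaction log (journal): every processed event
        self.backup = None       # copy of the database taken at the last checkpoint
        self.checkpoint_at = 0   # log entries already reflected in the backup

    def post(self, txn_id, account, delta):
        """Apply a transaction and journal it, so the log is an audit trail."""
        self.data[account] = self.data.get(account, 0) + delta
        self.log.append((txn_id, account, delta))

    def checkpoint(self):
        """Suspend processing and reconcile: snapshot the database and record
        how far the log had been applied at that moment."""
        self.backup = copy.deepcopy(self.data)
        self.checkpoint_at = len(self.log)

    def recover(self):
        """Recovery module: restore the backup, then replay only the log
        entries posted after the checkpoint."""
        if self.backup is None:
            raise RuntimeError("no backup to recover from")
        restored = copy.deepcopy(self.backup)
        for _txn_id, account, delta in self.log[self.checkpoint_at:]:
            restored[account] = restored.get(account, 0) + delta
        self.data = restored
        return restored


def simulate_failure_and_recovery():
    """Post, checkpoint, post more, lose the live database, recover."""
    db = Database()
    db.post("T1", "cash", 1000)
    db.post("T2", "receivables", 500)
    db.checkpoint()
    db.post("T3", "cash", -200)
    db.post("T4", "receivables", -500)
    before_failure = copy.deepcopy(db.data)
    db.data = {}                  # constructed equipment failure: live data lost
    return db.recover(), before_failure
```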
Database Backup and Recovery

Controlling Networks
• Network topologies consist of various configurations of (1)
communications lines, (2) hardware components, and (3)
software.
• The technology of network communications is subject to
two general forms of risk:
1. Risks from subversive threats
2. Risks from equipment failure

CONTROLLING RISKS FROM SUBVERSIVE THREATS
• Firewalls
• A firewall is software and hardware that provide a focal point
for security by channeling all network connections through a
control gateway.
• Network-level firewalls are systems that provide basic
screening of low-security messages (for example, e-mail) and
route them to their destinations based on the source and
destination addresses attached.
• A screening router is a firewall that examines the source and
destination addresses attached to incoming message packets.
• Application-level firewalls provide high-level network
security.

Dual-Homed Firewall

CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Controlling Denial of Service Attacks
• An Intrusion Prevention System (IPS) uses deep packet
inspection (DPI) to determine when an attack is in progress.
• Deep packet inspection (DPI) is a program used to determine
when a DoS attack is in progress through a variety of
analytical and statistical techniques that evaluate the contents
of message packets.
• Encryption
• Encryption is the use of a computer program to transform a
standard message being transmitted into a coded (cipher text)
form.
• Private key encryption is one method of encryption.
• Public key encryption is a technique that uses two encryption
keys: one for encoding the message, the other for decoding it.

CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Encryption (continued)
• PRIVATE KEY ENCRYPTION: Advanced encryption
standard (AES) is a 128-bit encryption technique, also known
as Rijndael, a private key (or symmetric key) encryption
technique. Triple-DES encryption is an enhancement to an
older encryption technique for transmitting transactions. EEE3
is encryption that uses three different keys to encrypt the
message three times. EDE3 is encryption that uses one key to
encrypt the message.
• PUBLIC KEY ENCRYPTION: RSA (Rivest-Shamir-Adleman)
is one of the most trusted public key encryption methods. This
method, however, is computationally intensive and much
slower than private key encryption. A digital envelope is an
encryption method in which both DES and RSA are used
together.

The Advanced Encryption Standard Technique

EEE3 and EDE3 Encryption

CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Digital Signatures
• A digital signature is an electronic authentication technique
that ensures the transmitted message originated with the
authorized sender and that it was not tampered with after the
signature was applied.
• A digest is a mathematical value calculated from the text
content of the message.
• Digital Certificate
• A digital certificate is a sender’s public key that has been
digitally signed by trusted third parties.
• A certification authority (CA) is a trusted third party that
issues digital certificates.

Digital Signature

CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Message Sequence Numbering
• Message sequence numbering is a sequence number
inserted in each message to foil any attempt by an intruder in
the communications channel to delete a message from a
stream of messages, change the order of messages received,
or duplicate a message.
• Message Transaction Log
• A message transaction log is a log in which all incoming and
outgoing messages, as well as attempted (failed) access,
should be recorded.
• Request-Response Technique
• The request-response technique is a technique in which a
control message from the sender and a response from the
sender are sent at periodic synchronized intervals.
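Added example, not part of the slides: a receiver that applies the message sequence numbering control above, classifying each arriving message as in order, a gap (one or more messages deleted from the stream), out of order, or a duplicate, and records every message with its disposition in a message transaction log as the second control describes. The message stream is constructed sample data.

```python
# Added example (not from the slides). The message stream is constructed.


class SequenceChecker:
    """Receiver-side check of the sequence number carried in each message."""

    def __init__(self):
        self.expected = 1     # next sequence number the receiver is waiting for
        self.seen = set()     # every sequence number accepted so far
        self.log = []         # message transaction log: (seq, disposition, payload)

    def receive(self, seq, payload):
        if seq in self.seen:
            disposition = "duplicate"          # same message delivered again
        elif seq < self.expected:
            disposition = "out_of_order"       # earlier message arrived late
        elif seq > self.expected:
            # One or more messages between expected and seq never arrived.
            disposition = f"gap:{self.expected}-{seq - 1}"
            self.expected = seq + 1
        else:
            disposition = "ok"
            self.expected = seq + 1
        self.seen.add(seq)
        self.log.append((seq, disposition, payload))
        return disposition

    def anomalies(self):
        """Log entries an auditor would review: everything that was not in order."""
        return [entry for entry in self.log if entry[1] != "ok"]


def audit_stream(stream):
    """Run a whole (seq, payload) stream through one checker."""
    checker = SequenceChecker()
    dispositions = [checker.receive(seq, payload) for seq, payload in stream]
    return dispositions, checker


# Constructed stream: message 3 deleted then delivered late, message 4 replayed.
SAMPLE_STREAM = [(1, "PO-100"), (2, "PO-101"), (4, "PO-103"),
                 (3, "PO-102"), (4, "PO-103"), (5, "PO-104")]
```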
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Call-Back Devices
• A call-back device is a hardware component that asks the
caller to enter a password and then breaks the connection to
perform a security check.
• Audit Objectives Relating to Subversive Threats
• Audit Procedures Relating to Subversive Threats

CONTROLLING RISKS FROM EQUIPMENT FAILURE
• Line Errors
• A line error is an error caused when the bit structure of the
message is corrupted through noise on the communications
lines.
• The echo check is a technique that involves the receiver of
the message returning the message to the sender.
• The parity check is a technique that incorporates an extra bit
into the structure of a bit string when it is created or
transmitted.
• Audit Objectives Relating to Equipment Failure
• Audit Procedures Relating to Equipment Failure
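Added example, not part of the slides: the parity check above carried through as in the figure "Vertical and Horizontal Parity Using Odd Parity", with one odd-parity bit appended to each 7-bit character (vertical) and one odd-parity character computed column by column over the block (horizontal), plus the receiver's check that locates a single bit corrupted by line noise. The text block is constructed sample data.

```python
# Added example (not from the slides). Text block is constructed sample data.


def odd_parity_bit(bits):
    """Return the bit that makes the total number of 1s odd."""
    return 0 if sum(bits) % 2 == 1 else 1


def encode_block(text):
    """Each character -> 7 data bits + 1 vertical parity bit; then one
    horizontal parity 'character' computed column by column over the rows."""
    rows = []
    for ch in text:
        data = [int(b) for b in format(ord(ch), "07b")]
        rows.append(data + [odd_parity_bit(data)])
    width = len(rows[0])
    hpar = [odd_parity_bit([r[c] for r in rows]) for c in range(width)]
    return rows + [hpar]


def check_block(block):
    """Return (bad_rows, bad_cols). Data rows must have odd parity and every
    column, parity row included, must have odd parity. The parity row is not
    row-checked: with odd parity its corner bit cannot always satisfy both its
    row and its column. One flipped bit shows up as exactly one bad row and
    one bad column, which locates it; a flipped parity bit shows one bad column."""
    data_rows = block[:-1]
    bad_rows = [i for i, r in enumerate(data_rows) if sum(r) % 2 == 0]
    width = len(block[0])
    bad_cols = [c for c in range(width) if sum(r[c] for r in block) % 2 == 0]
    return bad_rows, bad_cols


def decode_block(block):
    """Strip the parity bits and recover the characters."""
    return "".join(chr(int("".join(map(str, r[:7])), 2)) for r in block[:-1])


def flip_bit(block, row, col):
    """Simulate line noise corrupting one bit (returns a new block)."""
    out = [list(r) for r in block]
    out[row][col] ^= 1
    return out
```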

Vertical and Horizontal Parity Using Odd Parity

Electronic Data Interchange Controls

• Electronic data interchange (EDI) substantially changes
the way companies do business and creates unique
control issues that accountants need to recognize.
• The absence of human intervention in this process
presents a unique twist to traditional control problems,
including ensuring that transactions are authorized and
valid, preventing unauthorized access to data files, and
maintaining an audit trail of transactions.

EDI System

TRANSACTION AUTHORIZATION AND VALIDATION
• Both the customer and the supplier must establish that the
transaction being processed is to (or from) a valid trading
partner and is authorized.
• This can be accomplished at three points in the process:
1. Some VANs have the capability of validating passwords and
user ID codes for the vendor by matching these against a valid
customer file.
2. Before being converted, the translation software can validate
the trading partner’s ID and password against a validation file
in the firm’s database.
3. Before processing, the trading partner’s application software
references the valid customer and vendor files to validate the
transaction.

ACCESS CONTROL

• EDI trading partners must permit a degree of access to
private data files that would be forbidden in a traditional
environment.
• The trading partner agreement will determine the degree
of access control in place.
• To guard against unauthorized access, each company
must establish valid vendor and customer files.

EDI AUDIT TRAIL

• Audit Objectives Relating to EDI
• Audit Procedures Relating to EDI
• TESTS OF AUTHORIZATION AND VALIDATION CONTROLS
• TESTS OF ACCESS CONTROLS
• TESTS OF AUDIT TRAIL CONTROLS

EDI System Using Transaction Control Log for Audit Trail

Appendix - Malicious and Destructive Programs
• Virus
• Worm
• Logic Bomb
• Back Door
• Trojan Horse
