Operating System (OS)
Ensure the integrity of the system.
Control the flow of multiprogramming and tasks of scheduling in the computer.
Allocate computer resources to users and applications.
Manage the interfaces with the computer.
Five Fundamental Control Objectives
Protect itself from users
Protect users from each other
Protect users from themselves
Be protected from itself
Be protected from its environment

Database Systems

Data warehouse
a centralized collection of firm-wide data for a relatively long period of time
Operational databases
used for daily operations and often include data for the current fiscal year only
Data Mining
the process of searching for patterns in the data in a data warehouse and analyzing these patterns for decision making
Data governance
the convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in a firm
Local Area Network (LAN)
a group of computers, printers, and other devices connected to the same network that covers a limited geographic range
LAN Hubs
Broadcasts through multiple ports
LAN Switches
provides a path for each pair of connections
Wide Area Network (WAN)
Links different sites together, transmits information across geographic distances, and covers a broad geographic area
WAN uses
to provide remote access to employees or customers
to link two or more sites within the firm
to provide corporate access to the Internet routers and firewalls
Routers
connect different LANs; software-based intelligent devices that examine the Internet Protocol (IP) address
Firewalls
a security system comprised of hardware and software that is built using routers, servers, and a variety of software; allows individuals on the corporate network to send/receive a data packet from the Internet
Virtual Private Network (VPN)
Securely connects a firm’s WANs by sending/receiving encrypted packets via virtual connections over the public Internet to distant offices, salespeople, and business partners.
Wireless Network
comprised of two fundamental architectural components
Access Point
Logically connects stations to a firm’s network.
Station
a wireless endpoint device equipped with a wireless Network Interface Card (NIC)
Benefits of using wireless technology
Mobility
Convenient online access without a physical network using cables for connections.
Rapid Deployment
Time saving on implementing networks because of reduction in using physical cables/media.
Flexibility and Scalability
Freely setting up or removing wireless networks at different locations.
Security Objectives for LAN & wireless
Confidentiality
Ensure that communication cannot be read by unauthorized parties.
Integrity
Detect any intentional or unintentional changes to the data during transmission.
Availability
Ensure that devices and individuals can access a network and its resources whenever needed.
Access Control
Restrict the rights of devices or individuals to access a network or resources within a network.
Security Controls in Wireless Network
Management controls
assigning roles/responsibilities
creating policies/procedures
conducting risk assessment on a regular basis
Operational controls
protecting a firm’s premises and facilities
preventing and detecting physical security breaches
providing security training to employees, contractors, or third party users.
Technical controls
implemented and executed through mechanisms contained in computing-related equipment, including access-point management and encryption setup (using WPA/WPA2).
Computer-assisted Audit Techniques
imperative tools for auditors to conduct an audit in accordance with heightened auditing standards
Generally Accepted Auditing Standards (GAAS)
broad guidelines regarding an auditor’s professional responsibilities
Information Systems Auditing Standards (ISASs)
provides guidelines for conducting an IS/IT audit (issued by ISACA)
Institute of Internal Auditors’ (IIA) professional practice standard section 1220.A2
internal auditors must consider the use of computer-assisted, technology-based audit tools and other data analysis techniques when conducting internal audits
Black-Box Approach
Auditing around the computer
White-box approach
Auditing through the computer
Steps for Black-Box Approach
First calculating expected results from the transactions entered into the system
Then comparing these calculations to the processing or output results
The advantage of this approach is that the systems will not be interrupted for auditing purposes. The black-box approach could be adequate when automated systems applications are relatively simple.
Process for White-Box Approach
Test data technique: uses a set of input data to validate system integrity.
Parallel simulation: attempts to simulate the firm’s key features or processes
Integrated Test Facility (ITF): an automated technique that enables test data to be continually evaluated during the normal operation of a system
Embedded audit module: a programmed audit module that is added to the system under review
Generalized Audit Software (GAS)
Frequently used to perform substantive tests and is used for testing of controls through transactional-data analysis
Provides auditors an independent means to gain access to data for analysis and the ability to use high-level, problem-solving software to invoke functions to be performed on data files
ACL
Audit Control Language
IDEA
Interactive Data Extraction and Analysis
Continuous Audit
performing audit-related activities on a continuous basis
General Steps for Continuous Audit
Evaluate the overall benefit and cost
Develop a strategy
Plan and design
Implement continuous auditing
Performance monitoring