accounting test 1

Controls for Information Security

Protecting Information Assets

  • Key Concept: Ensuring the safety and integrity of information resources within accounting systems.

Module 1: Accounting Systems, Transaction Processing and Internal Control

  • Overview: The module discusses control mechanisms within accounting systems to ensure transaction accuracy and integrity.

Trust Services Framework

Security

  • Access Control: Restriction of access to systems and data strictly to legitimate users.

Confidentiality

  • Sensitive Data Protection: Sensitive organizational data (business plans, pricing, trade secrets) is identified, classified and protected from unauthorized disclosure, both while stored and while transmitted.

Privacy

  • Personal Information Security: Safeguarding personal information of customers, trading partners, investors, and employees.

Processing Integrity

  • Data Accuracy: Ensuring data is processed accurately, completely, in a timely manner, and with proper authorization.

Availability

  • System Access: Ensuring systems and information are readily available to authorized users whenever necessary.

Security and Systems Reliability

Management Issue, Not a Technology Issue

  • Legislation Reference: Section 286 of the Corporations Act 2001 (Cth) requires a company to keep financial records that correctly record and explain its transactions and financial position; meeting that obligation depends on the reliability of the information systems that produce those records.

    • Accuracy in financial statements is therefore directly linked to the reliability of the information systems used, which makes security a responsibility of management rather than of the IT function alone.

Security Approach

Defense-in-Depth

  • Concept: Multiple, overlapping layers of control (perimeter, network, host and application controls, plus detective and corrective controls behind them), so that the failure or bypass of any single control does not by itself expose the asset.

Time-Based Model of Information Security

Formula Explanation

  • P > D + C

    • P: Time an attacker needs to break through the preventive controls.

    • D: Time to detect that an attack is in progress.

    • C: Time to respond to the attack and contain it.

    • If P > D + C, the attack is detected and stopped before the preventive controls are breached, so the control set is effective; if P <= D + C, the attacker gets through first and the controls need strengthening (a larger P, a smaller D, or a smaller C).

  • Examples of Controls:

    • Increasing P through firewalls, strong authentication (passwords, tokens, biometrics) and encryption.

    • Reducing D via log analysis and intrusion detection systems.

    • Decreasing C through a prepared incident response plan and a practised computer incident response team (CIRT).

Mitigating Risk of Attack

Information Security Controls

  • Control Types:

    • Preventive: User access security, physical access controls, encryption.

    • Detective: Log analysis, intrusion detection systems.

    • Corrective: Computer incident response teams (CIRT), patch management.

Preventive Controls Detailed

  • Security Culture: Creating an organization-wide “security-aware” culture.

  • Training: Ongoing training for employees in security practices.

  • Access Controls:

    • User Access Control Types:

    1. Authentication: Verifies that a user is who they claim to be, using one or more of:

      • Something the user knows (passwords, PINs)

      • Something the user has (smart cards, ID cards, hardware tokens)

      • Something the user is (biometric identifiers: fingerprints, iris)

      Multi-factor authentication combines factors from two or more of these categories, so a stolen password alone is not enough to log in.

    2. Authorization: Determines what an authenticated user is allowed to do (which files and applications, and which operations on them).

  • Access Control Matrix:

    • Rows are users (or roles), columns are resources (files, programs, tables); the code in each cell is the privilege that user has over that resource. Any combination not explicitly granted should default to 0.

    • Code Explanation:

    • 0: No Access

    • 1: Read/Display Only

    • 2: Read/Display and Update

    • 3: Full Access (read, update, create, delete)
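The matrix above becomes useful only when something enforces it at every access. The following Python, an added example rather than material from the course notes, shows an authorization check driven by the 0-3 codes. The users, resources and grants are a constructed sample; the point is that the lookup denies by default (an unknown user or an unlisted resource yields 0), that the codes are cumulative, and that the same matrix can be queried in reverse for an access review.

```python
"""Access control matrix with the 0-3 privilege codes, enforced deny-by-default."""
from enum import IntEnum


class Level(IntEnum):
    NONE = 0    # no access
    READ = 1    # read/display only
    UPDATE = 2  # read/display and update
    FULL = 3    # read, update, create, delete


# Operations each code permits; each level includes everything below it.
PERMITTED = {
    Level.NONE: frozenset(),
    Level.READ: frozenset({"read"}),
    Level.UPDATE: frozenset({"read", "update"}),
    Level.FULL: frozenset({"read", "update", "create", "delete"}),
}

# Constructed sample matrix: rows are users, columns are resources.
MATRIX = {
    "ap_clerk":   {"vendor_master": Level.READ, "ap_invoices": Level.UPDATE, "payroll": Level.NONE},
    "ap_manager": {"vendor_master": Level.FULL, "ap_invoices": Level.FULL,   "payroll": Level.NONE},
    "auditor":    {"vendor_master": Level.READ, "ap_invoices": Level.READ,   "payroll": Level.READ},
}


def privilege(user, resource, matrix=MATRIX):
    """Code for (user, resource). Anything not explicitly granted is 0: deny by default."""
    return matrix.get(user, {}).get(resource, Level.NONE)


def is_authorized(user, resource, operation, matrix=MATRIX):
    """True only if the user's code on that resource permits the requested operation."""
    if operation not in PERMITTED[Level.FULL]:
        raise ValueError(f"unknown operation {operation!r}")
    return operation in PERMITTED[privilege(user, resource, matrix)]


def who_can(resource, operation, matrix=MATRIX):
    """Reverse query for access reviews: which users may perform operation on resource."""
    return sorted(u for u in matrix if is_authorized(u, resource, operation, matrix))


def full_access_cells(matrix=MATRIX):
    """Every (user, resource) pair at code 3: the cells to justify first in a review."""
    return sorted((u, r) for u, row in matrix.items() for r, lvl in row.items() if lvl == Level.FULL)


if __name__ == "__main__":
    print(is_authorized("ap_clerk", "ap_invoices", "update"))   # True
    print(is_authorized("ap_clerk", "ap_invoices", "delete"))   # False
    print(is_authorized("intruder", "payroll", "read"))         # False: unknown user, code 0
    print(who_can("ap_invoices", "delete"))                     # ['ap_manager']
    print(full_access_cells())
```

Rejecting an operation name that is not in the vocabulary (rather than treating it as unauthorized) is deliberate: a typo in a caller would otherwise look like a correct denial and never be noticed.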

Network Access Control (Perimeter Defense)

Firewalls

  • Definition: Hardware or software that filters traffic between networks according to rules (allowed source and destination addresses, ports and protocols), blocking connections that are not explicitly permitted.

Demilitarized Zone (DMZ)

  • Function: A separate network segment between the Internet and the internal network that hosts the resources which must be reachable from outside (e.g., web and mail servers), so that a compromise of those hosts does not give direct access to internal systems.

Intrusion Prevention Systems (IPS)

  • Operational Mechanism: Sits inline on the network path and examines traffic patterns rather than individual packets in isolation, automatically blocking traffic it identifies as an attack (an IDS, by contrast, only alerts).

Device and Software Hardening (Internal Defense)

End-Point Configuration

  • Security Measures:

    • Disable unnecessary services, ports and features on servers, printers and workstations (each one is potential attack surface), and change default passwords.

    • Run vulnerability scanners regularly to find known vulnerabilities and misconfigurations before an attacker does.

User Account Management and Software Design

  • Account Management: Review accounts regularly, disable those no longer needed (e.g., departed employees), and limit administrative privileges to the people who need them.

  • Development Practices: Train programmers to treat all input from external sources (web forms, file uploads, API calls, interfaces from other systems) as untrustworthy and to validate it before use; injection attacks and buffer overflows succeed against code that does not.
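What "treat external input as untrustworthy" looks like for an accounting system, as an added Python example (not code from the course or any product): a validator for a journal entry received from an external feed. It also exercises the processing-integrity requirements listed earlier (accurate, complete, authorized data). The account-code format, field names and limits are assumptions made for the example, and the sample entries are constructed.

```python
"""Validating untrusted transaction input before it reaches the ledger."""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

ACCOUNT_CODE = re.compile(r"^\d{4}-\d{3}$")  # assumed chart-of-accounts format, e.g. 1100-000
MAX_LINES = 500                               # assumed limit; bounds memory and processing per entry
MAX_AMOUNT = Decimal("1000000000.00")         # assumed upper bound for a single line


def _parse_amount(raw):
    """Accept only a decimal string with at most two places; refuse floats, negatives, NaN, infinity."""
    if not isinstance(raw, str):          # floats lose cents; never accept them for money
        return None
    try:
        value = Decimal(raw)
    except InvalidOperation:
        return None
    if not value.is_finite() or value <= 0 or value > MAX_AMOUNT:
        return None
    if value != value.quantize(Decimal("0.01")):   # more than two decimal places
        return None
    return value


def validate_journal_entry(entry):
    """Return a list of validation errors; an empty list means the entry may be posted."""
    errors = []
    if not isinstance(entry, dict):
        return ["entry must be an object"]
    try:
        date.fromisoformat(str(entry.get("date", "")))
    except ValueError:
        errors.append("date must be YYYY-MM-DD")
    lines = entry.get("lines")
    if not isinstance(lines, list) or not lines:
        return errors + ["lines must be a non-empty list"]
    if len(lines) > MAX_LINES:
        return errors + [f"too many lines (max {MAX_LINES})"]
    debits = credits = Decimal("0")
    for i, line in enumerate(lines):
        if not isinstance(line, dict):
            errors.append(f"line {i}: must be an object")
            continue
        account = line.get("account", "")
        if not isinstance(account, str) or not ACCOUNT_CODE.match(account):
            errors.append(f"line {i}: bad account code")
        side = line.get("side")
        if side not in ("debit", "credit"):
            errors.append(f"line {i}: side must be 'debit' or 'credit'")
        amount = _parse_amount(line.get("amount"))
        if amount is None:
            errors.append(f"line {i}: amount must be a positive decimal string with <= 2 places")
        elif side == "debit":
            debits += amount
        elif side == "credit":
            credits += amount
    # Only check the accounting invariant once every line is structurally sound.
    if not errors and debits != credits:
        errors.append(f"entry does not balance: debits {debits} != credits {credits}")
    return errors


# Constructed sample entries: one clean, one carrying typical bad input.
GOOD_ENTRY = {
    "date": "2024-03-31",
    "lines": [
        {"account": "1100-000", "side": "debit", "amount": "250.00"},
        {"account": "4000-000", "side": "credit", "amount": "250.00"},
    ],
}
BAD_ENTRY = {
    "date": "31/03/2024",
    "lines": [
        {"account": "1100-000; DROP TABLE ledger", "side": "debit", "amount": "250.00"},
        {"account": "4000-000", "side": "credit", "amount": 250.0},
    ],
}

if __name__ == "__main__":
    print(validate_journal_entry(GOOD_ENTRY))   # []
    for err in validate_journal_entry(BAD_ENTRY):
        print("rejected:", err)
```

The validator is an allow-list: it says what a valid entry is and rejects everything else, instead of trying to spot dangerous strings. The account code that carries SQL is refused simply because it does not match the expected format, which is why the same check also stops inputs nobody thought to blacklist.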

Detecting Attacks: Detective Controls

Log Analysis

  • Process: Regular examination of system, application and network logs for evidence of attacks or misuse (repeated failed logins, access at unusual times, use of privileged accounts). Logs provide no detective value unless someone, or an automated tool, actually reviews them.
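To make log analysis concrete, here is an added Python example (not from the course notes) that runs a simple detection over authentication log lines: a burst of failed logins for one account from one source, and the more serious case of a successful login shortly after such a burst, which is what a guessed password looks like. The log format and the sample lines are constructed for the example.

```python
"""Log analysis as a detective control: find credential guessing in constructed auth logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the format is assumed for this example, not any product's.
SAMPLE_LOG = """\
2024-03-04T08:59:58 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-03-04T09:00:03 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-03-04T09:00:09 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-03-04T09:00:14 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-03-04T09:00:20 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-03-04T09:00:31 LOGIN_OK user=jsmith src=203.0.113.7
2024-03-04T09:05:00 LOGIN_FAIL user=mlee src=198.51.100.9
2024-03-04T09:45:00 LOGIN_FAIL user=mlee src=198.51.100.9
2024-03-04T09:46:10 LOGIN_OK user=mlee src=198.51.100.9
2024-03-04T10:00:00 LOGIN_OK user=admin src=192.0.2.20
"""

LINE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")


def parse(text):
    """Parse well-formed lines into (timestamp, outcome, user, src), oldest first."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:   # malformed lines deserve their own alert in production; skipped here
            continue
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return sorted(events)


def find_bruteforce(text, threshold=5, window=timedelta(minutes=2)):
    """Return alerts as (kind, user, src, time).

    'burst': at least `threshold` failures for one (user, src) inside `window`.
    'success_after_burst': a successful login for that pair within `window` of a burst.
    """
    alerts = []
    recent = defaultdict(deque)   # (user, src) -> timestamps of failures still inside the window
    burst_at = {}                 # (user, src) -> time the burst was first detected
    for ts, outcome, user, src in parse(text):
        key = (user, src)
        if outcome == "LOGIN_FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in burst_at:
                burst_at[key] = ts
                alerts.append(("burst", user, src, ts))
        elif key in burst_at and ts - burst_at[key] <= window:
            alerts.append(("success_after_burst", user, src, ts))
    return alerts


if __name__ == "__main__":
    for kind, user, src, ts in find_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:20} user={user} src={src}")
```

In the sample, jsmith trips the burst rule and then logs in successfully eleven seconds later; mlee's two failures forty minutes apart never fall inside one window, which is the behaviour you want from a sliding window rather than a daily count. Tuning `threshold` and `window` is the trade-off between missing slow guessing and drowning in alerts from users who mistype.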

Intrusion Detection Sensors

  • Function: Monitor network traffic and host activity, record it for later analysis, and raise alerts on signs of intrusion (an IDS alerts; it does not block).

Security Testing

  • Examples: Vulnerability scans, and penetration testing, which is an authorized attempt to compromise the organization's information systems in order to evaluate how well its controls actually hold up.

Responding to Attacks: Corrective Controls

Computer Incident Response Team (CIRT)

  • Responsibilities: Problem recognition, containment, recovery, and follow-up of security incidents.

Chief Information Security Officer (CISO)

  • Role: Senior manager with overall responsibility for information security, independent of the other information systems functions so that security concerns are not subordinated to IT delivery pressures.

Patch Management

  • Process: Timely installation of vendor updates (patches) that fix known vulnerabilities; patches should be tested before deployment, and every system inventoried so that none is missed.

Control and AIS

Key Control Concepts

Overview of Control Concepts
  • Internal control is the process designed to provide reasonable assurance that control objectives are achieved, including:

    • Safeguarding assets

    • Accurate and reliable information

    • Compliance with laws and regulations

Functions of Internal Control

  • Preventive Controls: Deter issues, such as managing physical access.

  • Detective Controls: Discover discrepancies (e.g., double-checking calculations).

  • Corrective Controls: Correct problems (e.g., rectify data entry errors).

Sarbanes-Oxley (2002)

Purpose and Response

  • Response to Corporate Fraud: Sparked by scandals like Enron, it aims to strengthen internal controls and protect investors.

  • Requirements: Management is accountable for establishing and maintaining adequate internal controls.

Section 404 of SOX

  • Requirements: Management must assess and report on the effectiveness of internal controls over financial reporting and disclose any material weaknesses.

Components of COSO Framework

Main Components

  1. Control Environment

  2. Risk Assessment

  3. Control Activities

  4. Information and Communication

  5. Monitoring

Risk Management Processes

Risk Assessment Process

Identifying Risks
  • Likelihood Assessment Categories: Certain, likely, possible, unlikely, rare.

  • Impact Assessment Categories: Catastrophic to insignificant.

Types of Risk:
  • Inherent Risk: The risk that exists before any controls are applied.

  • Residual Risk: The risk that remains after controls are applied; it is this residual level that management must decide how to respond to.

Risk Response Options
  • Reduce: Implement internal controls that lower likelihood or impact.

  • Accept: Take no further action, typically when the cost of additional controls would exceed the expected loss.

  • Share: Transfer part of the risk to others through mechanisms such as insurance or outsourcing.

  • Avoid: Refrain from the activity that creates the risk.

Control Activities

Objective

  • Define policies to ensure internal control objectives are met:

    • Proper authorization of transactions.

    • Segregation of duties.

Separation of Accounting Duties

Roles Defined
  • Custodial Functions: Physical control of assets (cash handling, inventory).

  • Recording Functions: Data entry and maintenance of the records.

  • Authorization Functions: Approval of transactions.

  • Principle: No one person should hold two of these functions for the same asset or transaction, because someone who can both commit an irregularity and record or approve it can also conceal it.

Information and Communication

  • Objective: Ensure communication of internal control policies and procedures throughout the organization.

Monitoring

Evaluation of Control Effectiveness

  • Methods: Conduct audits (both internal and external), implement supervision, track system activities.

Fraud, Errors, and Computer Fraud

Computer Attacks and Abuse

  • Definitions:

    • Hacking: Unauthorized system access or modification.

    • Social Engineering: Psychological manipulation to obtain sensitive information.

    • Malware: Harmful software that compromises systems or data.

Social Engineering Techniques

  • Example Techniques: Identity theft, phishing, pretexting, typosquatting, shoulder surfing, etc.

Malware Types

  • Spyware: Monitors user activity.

  • Ransomware: Blocks access to the system until a ransom is paid.

  • Computer Virus: Self-replicating code that attaches itself to other programs or files and spreads when they are run or shared, typically damaging data or systems.

The Fraud Triangle

Description of Factors Leading to Fraud

  1. Pressure: The motive or incentive (financial, emotional, lifestyle) that drives a person toward fraud.

  2. Opportunity: The conditions, usually weak or absent controls, that allow fraud to be committed, concealed and converted to personal gain.

  3. Rationalization: The attitude or excuse that lets the perpetrator see the act as acceptable.

Prevention of Fraud

  • Strategies: Design a culture of integrity, develop strong internal controls, regular audits, and reduce fraud opportunities through monitoring.

AIS Threats and Fraud

Common Threats to AIS

  • Types of Threats: Natural disasters, software errors, unintentional human errors, intentional computer crimes.

Understanding Fraud

  • Definitions: Fraud is any intentional deception used to gain an unfair advantage over another party. Computer fraud is any illegal act in which knowledge of computer technology is essential for its perpetration, investigation or prosecution.

Forms of Fraud in AIS

  • Asset Misappropriation: Theft of organizational resources.

  • Financial Reporting Fraud: Intentional falsification of financial data to deceive stakeholders.

ERP Systems Overview

Definition and Integration

  • Enterprise Resource Planning (ERP): Systems that integrate all facets of an organization's data and processes.

Advantages of ERP

  • Benefits: Improved data visibility, standardization of processes, enhanced customer service.

Disadvantages of ERP

  • Challenges: High initial costs, resistance to changes in established processes.

Data Processing Cycle

Components of Data Processing
  • Phases: Input, processing, storage, and output.

Data Input Considerations

  • Source Documents: Transaction data is captured on source documents, either paper forms keyed in later or automated capture devices (barcode scanners, point-of-sale terminals), with automation reducing errors and improving efficiency.

Importance of System Documentation

Rationale for Documentation

  • Objectives: Documentation lets users, developers and auditors understand how the system and its internal controls work, so they can evaluate the controls and identify improvements.

Business Process Diagrams

  • Characteristics: Visual representation of business processes using standard notation for clear understanding among stakeholders.

Conclusion

  • Summary: Understanding the interplay between accounting systems, internal controls, risks, fraud, and comprehensive documentation is critical for organizational integrity and compliance.