
Chapter 7: Control and Accounting Information System

• Any potential adverse occurrence or unwanted event that could be injurious to either the
accounting information system or the organization is referred to as a threat or an event.

• The potential dollar loss should a particular threat become a reality is referred to as the
exposure or impact of the threat.

• The probability that the threat will happen is the likelihood associated with the threat.

Overview of the Control Concepts

 Internal controls are the processes implemented to provide reasonable assurance that the following
objectives are achieved:

▫ Safeguard assets

▫ Maintain sufficient records

▫ Provide accurate and reliable information

▫ Prepare financial reports according to established criteria

▫ Promote and improve operational efficiency

▫ Encourage adherence with management policies

▫ Comply with laws and regulations

- Internal control is a process because it permeates an organization’s operating
activities and is an integral part of management activities. It provides only
reasonable assurance and has inherent limitations, such as susceptibility to
simple mistakes, faulty judgements, management overrides and collusion.
 Functions of Internal Controls
a) Preventive controls
- Deter problems from occurring
b) Detective controls
- Discover problems that are not prevented
c) Corrective controls
- Identify and correct problems, and recover from the resulting errors
 Two categories of Internal Controls
a) General Controls
- Make sure the organization’s control environment is stable and well-managed.
b) Application Controls
- Prevent, detect, and correct transaction errors and fraud in various
application programs. They are concerned with the accuracy, completeness
and validity of the data.
 Four Levels of Control
a) Belief System
- Describes how the company creates value, motivates employees with the
company’s vision, and communicates the core values to employees.
b) Boundary System
- Sets boundaries on employees’ behaviour. Employees are encouraged to
solve problems creatively while meeting the company’s performance standards.
c) Diagnostic Control System
- Measures and monitors actual company progress against budgets and
performance goals.
d) Interactive Control System
- Helps managers focus subordinates’ attention on strategic issues
and be more involved in their decisions.
 Foreign Corrupt Practices Act (FCPA)
- Passed in 1977, the FCPA prevents companies from bribing foreign
officials to obtain business. It requires corporations to maintain good systems
of internal control.
 Sarbanes-Oxley Act of 2002
- The most important business-oriented legislation in the last 80 years.
- It was designed to prevent financial statement fraud, apply transparency in
the financial reports, protect investors and punish executives who perpetrate
fraud.
- Some of the aspects of SOX are:
 Public Company Accounting Oversight Board (PCAOB)
 New rules for auditors
 New roles for audit committees
 New rules for management
 New internal control requirements
 Three Frameworks that develop internal control Systems
a) COBIT Framework
- Control Objectives for Information and Related Technology
- Provides managers, auditors, and IT users with a set of generally accepted
measures, indicators, processes, and best practices to maximize the
benefits of IT and develop appropriate IT governance and control.
- The current framework version is COBIT 5.
b) COSO’s Internal Control Framework
- Committee of Sponsoring Organizations
- In 1992, COSO issued Internal Control- Internal Framework, which is
widely accepted as the authority on internal control
c) COSO’s Enterprise Risk Management Framework
- Used by the board of directors and management to set strategy,
identify events that may affect the company, and provide reasonable
assurance that the company achieves its goals.
 Internal Environment
- Influences how organizations establish strategies and objectives and
identify, assess, and respond to risk.
- It consists of the following:
- Management’s philosophy, operating style, and risk appetite
 The more responsible management’s philosophy and
operating style, and the more clearly they are
communicated, the more likely employees will behave
responsibly.
- Commitment to integrity, ethical values, and competence
 Organizations need a culture that stresses integrity and
commitment to ethical values and competence. Because integrity
starts at the top, employees adopt top management’s
attitudes toward risk and controls.
- Internal control oversight by Board of Directors
 SOX requires companies to have an audit committee of
outside, independent directors. The committee is responsible for
financial reporting, regulatory compliance, and overseeing the
internal and external auditors, who report accounting policies
to it.
- Organizational structure
 Provides a framework for planning, executing, controlling,
and monitoring operations.
- Methods of assigning authority and responsibility
 Authority and responsibility are assigned and communicated using formal job
descriptions, employee training, operating schedules,
budgets, a code of conduct, and written policies.
- Human resource standards
 Hiring
 Compensating, Evaluating, and Promoting
 Training
 Managing Disgruntled Employees
 Discharging
 Vacations and Rotation of Duties
 Confidentiality Agreements and Fidelity Bond Insurance
 Prosecute and Incarcerate Perpetrators
 Objective Setting
a) Strategic objectives
- High-level goals
b) Operations objectives
- Effectiveness and efficiency of operations
c) Reporting objectives
- Improve decision making and monitor performance
d) Compliance objectives
- Compliance with applicable laws and regulations
 Event Identification
- Identifying incidents, both external and internal to the organization, that
could affect the achievement of the organization’s objectives.
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?
 Risk Assessment and Risk Response
- Risk is assessed from two perspectives:
- Likelihood - Probability that the event will occur
- Impact - Estimated potential loss if the event occurs
- Types of Risks:
- Inherent - Risk that exists before any plans are made to control it.
- Residual - Risk that remains after controls are put in place
- Risk Response
- Reduce - Implement effective internal control
- Accept - Do nothing, accept likelihood and impact of risk
- Share - Buy insurance, outsource, or hedge
- Avoid - Do not engage in the activity
 Estimate Likelihood and Impact
 Identify Controls
 Estimate Cost and Benefits
 Determine Cost/Benefit Effectiveness
 Implement Control or Accept, Share, or Avoid the Risk
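Worked example of the steps above, added here as an illustration and not taken from the notes or the textbook: expected loss is computed as likelihood × impact, each candidate control is scored by its net benefit (reduction in expected loss minus the control's annual cost), and the Reduce / Share / Avoid / Accept response is chosen in that order. The risk names, dollar figures and control names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Risk:
    """An identified event: how likely it is per year and what it would cost."""
    name: str
    likelihood: float   # probability the event occurs in a year, 0..1
    impact: float       # dollar loss (exposure) if it does occur

    def expected_loss(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    """A candidate control and the residual likelihood/impact it leaves behind."""
    name: str
    annual_cost: float
    residual_likelihood: float
    residual_impact: float

    def net_benefit(self, risk: Risk) -> float:
        # Benefit is the reduction in expected loss; net of what the control costs.
        residual = Risk(risk.name, self.residual_likelihood, self.residual_impact)
        return risk.expected_loss() - residual.expected_loss() - self.annual_cost


def choose_response(risk: Risk, controls: Sequence[Control],
                    insurance_premium: Optional[float] = None,
                    can_avoid: bool = False):
    """Apply the Reduce / Accept / Share / Avoid options in cost-benefit order.

    Reduce with the best control if any control has a positive net benefit;
    otherwise share (insure) if the premium is below the expected loss;
    otherwise avoid the activity if that is possible; otherwise accept."""
    best = max(controls, key=lambda c: c.net_benefit(risk), default=None)
    if best is not None and best.net_benefit(risk) > 0:
        return "reduce", best.name
    if insurance_premium is not None and insurance_premium < risk.expected_loss():
        return "share", "insurance"
    if can_avoid:
        return "avoid", None
    return "accept", None


# Constructed sample risk register (illustrative figures only).
UNAUTHORIZED_VENDOR_CHANGE = Risk("unauthorized vendor bank-account change", 0.10, 500_000)
VENDOR_CHANGE_CONTROLS = [
    Control("dual approval of master-file changes", 8_000, 0.02, 500_000),
    Control("full process re-engineering", 60_000, 0.005, 500_000),
]
LAPTOP_THEFT = Risk("stolen unencrypted laptop", 0.01, 20_000)
LAPTOP_CONTROLS = [Control("tracking hardware on every laptop", 1_000, 0.005, 20_000)]

if __name__ == "__main__":
    for risk, controls, premium in [
        (UNAUTHORIZED_VENDOR_CHANGE, VENDOR_CHANGE_CONTROLS, None),
        (LAPTOP_THEFT, LAPTOP_CONTROLS, 150.0),
    ]:
        print(risk.name, "-> expected loss", risk.expected_loss(),
              "->", choose_response(risk, controls, insurance_premium=premium))
```

The first risk has a cheap control whose net benefit is positive, so it is reduced; the second risk is too small to justify its control, so it is shared through insurance when a premium below the expected loss is available and otherwise accepted.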
 Control Activities – are policies, procedures, and rules that provide reasonable
assurance that control objectives are met and risk responses are carried out. Categories
are:
a) Proper authorization of transactions and activities
b) Segregation of duties
c) Project development and acquisition controls
d) Change management controls
e) Design and use of documents and records
f) Safeguarding assets, records, and data
g) Independent checks on performance
 Information and Communication
- The purpose of the AIS also includes understanding how
transactions are initiated, data are captured and processed, and
information is reported. These items provide an audit trail, which
allows transactions to be traced back and forth between their
origination and the financial statements.
- Three principles apply to the information and communication
process:
 Obtain or generate relevant, high quality information to
support internal control
 Internally communicate the information, including objectives and
responsibilities
 Communicate relevant internal control matters to external
parties.
 Monitoring
a) Perform internal control evaluations (e.g., internal audit)
b) Implement effective supervision
c) Use responsibility accounting systems (e.g., budgets)
d) Monitor system activities
e) Track purchased software and mobile devices
f) Conduct periodic audits (e.g., external, internal, network security)
g) Employ computer security officer
h) Engage forensic specialists
i) Install fraud detection software
j) Implement fraud hotline
Chapter 8: Control and Information Security

- Information security affects information systems reliability. It is the
foundation of information systems reliability, which is necessary for
achieving organizational goals.

Five principles that affect Systems Reliability according to the Trust Services Framework

1. Security – access to data is controlled and restricted to legitimate users only.

2. Confidentiality – sensitive information is protected from unauthorized people.

3. Privacy – personal information about users is collected, used, protected, and
maintained in compliance with the applicable requirements.

4. Processing Integrity – data are processed accurately, in a timely manner, and only with
proper authorization.

5. Availability – the system and its information are available to meet operational and contractual
obligations.

Information Security:

• Is the foundation of systems reliability and is necessary for achieving the other
principles.

• Restricts access to authorized users only, protecting the confidentiality of sensitive
data.

• Prevents the submission of fictitious transactions and unauthorized changes to
data.

• Ensures the system is available when needed

Two Fundamental Information Security Concepts

1. Security is a management issue, not just a technology issue

- Management involvement in all phases of the security life
cycle is essential to the success of the organization.
- The phases of the security life cycle are: (1) assess threats and select a risk
response, (2) develop and communicate policy, (3) acquire and
implement solutions, and (4) monitor performance.
2. Defense-in-Depth and the Time-based Model of Information Security
- The time-based model provides a means for management to identify the most cost-effective
approach to improving security by comparing the effects of additional
investments in preventive, detective and corrective controls.
- The idea of defense-in-depth is to employ multiple layers of controls in
order to avoid having a single point of failure. Some entities use multiple
authentication methods, such as passwords, tokens, and biometrics.
- The time-based model of security combines the controls necessary to
protect assets with those needed to recognize attacks in time for the organization
to protect the information.

Formula of Time-Based Model of Information Security

P > D + C

Where the variables are:

P = the time it takes an attacker to break through the organization’s preventive controls

D = the time it takes to detect that an attack is in progress

C = the time it takes to respond to the attack and take corrective action

If P > D + C, then the organization’s security procedures are effective.

Understanding Targeted Attacks

- Before discussing the preventive, detective and corrective controls, one
must first understand the basic steps criminals use to attack an
organization’s information system.

1. Conduct reconnaissance - alarms, number of guards, placement of cameras, etc.

2. Attempt social engineering - use the information obtained during the initial
reconnaissance to trick an unsuspecting employee into granting them access.

3. Scan and map the target - more detailed reconnaissance to identify potential points
of remote entry.

4. Research - find known vulnerabilities and learn how to take advantage of them.

5. Execute the attack - obtain unauthorized access to the target’s information
system.

6. Cover the tracks - create a backdoor so that access can be regained if the attack is
discovered.

Preventive Controls

- Organizations commonly use the following controls to restrict access to information resources.


• People: Creation of a “Security-Conscious” Culture – top management must not only
communicate the organization’s security policies but also lead by example. Employees
are more likely to comply with the information security policies when they see their
managers do so.

• People: Training (including piggybacking) – all employees should be taught why security
measures are important to the organization’s long-run survival. They need to be trained
to follow security practices and policies.

• Process: User Access Controls (authentication and authorization) – it is important to
understand that outsiders are not the only threat source. An employee may be disgruntled
for some reason, such as being passed over for a promotion, and seek revenge.

• IT Solutions: Antimalware Controls

1. Malicious Software Awareness Education

2. Installation of Antimalware Protection tools

3. Management of patches and updates

4. Regular review of new malware threats

5. Filtering of incoming traffic

6. Training of employees not to share unapproved software

• IT Solutions: Network Access Controls

(Routers, Firewalls, and Intrusion preventive System)

(Overview of TCP/IP and Ethernet)

(Dial Up Connections)

(Wireless Access)

• IT Solutions: Device and Software Hardening Controls – an organization can
enhance information security by supplementing preventive controls on the network
perimeter with additional preventive controls on the workstations, servers, printers, and
other devices.

• IT Solutions: Encryption – it provides a final layer of defense to prevent unauthorized
access to sensitive information.

• Physical security: Access Controls – physical security begins with the entry points to the
building itself. Fire codes usually require additional emergency exits. A receptionist and a
security guard should also be stationed to verify the identity of employees and visitors.

Detective Controls

• Log Analysis – the process of examining logs to identify evidence of possible attacks.
Failed log-in attempts are a typical subject of log analysis; the goal is to determine the
reason for each failed attempt.
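Added example of the log analysis described above (not from the notes or the textbook): a small parser for a constructed log format, a tally of why log-ins failed, and two detections a practitioner would run over such records, a burst of failures from one source and a successful log-in that immediately follows a run of failures. The log lines, usernames, addresses and the log format itself are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a made-up "timestamp EVENT user=... src=... [reason=...]" format.
SAMPLE_LOG = """\
2024-03-04T07:00:05 LOGIN_FAILED user=svc_backup src=10.0.0.40 reason=expired_password
2024-03-04T08:01:12 LOGIN_FAILED user=jdoe src=10.0.0.15 reason=bad_password
2024-03-04T08:01:20 LOGIN_FAILED user=jdoe src=10.0.0.15 reason=bad_password
2024-03-04T08:01:31 LOGIN_OK user=jdoe src=10.0.0.15
2024-03-04T08:02:02 LOGIN_FAILED user=admin src=203.0.113.7 reason=bad_password
2024-03-04T08:02:09 LOGIN_FAILED user=admin src=203.0.113.7 reason=bad_password
2024-03-04T08:02:15 LOGIN_FAILED user=admin src=203.0.113.7 reason=bad_password
2024-03-04T08:02:22 LOGIN_FAILED user=admin src=203.0.113.7 reason=bad_password
2024-03-04T08:02:30 LOGIN_FAILED user=admin src=203.0.113.7 reason=bad_password
2024-03-04T08:02:41 LOGIN_OK user=admin src=203.0.113.7
2024-03-04T08:30:00 LOGIN_OK user=svc_backup src=10.0.0.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAILED|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: reason=(?P<reason>\S+))?$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def failure_reasons(events):
    """Why did log-ins fail? Counter of reason -> number of failures."""
    return Counter(ev["reason"] for ev in events if ev["event"] == "LOGIN_FAILED")


def analyze(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a (user, src) pair that reaches `threshold` failures inside `window`, and a
    successful log-in that follows three or more recent failures from the same source."""
    findings = []
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps still in the window
    for ev in events:
        key = (ev["user"], ev["src"])
        recent = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if ev["event"] == "LOGIN_FAILED":
            recent.append(ev["ts"])
            recent_failures[key] = recent
            if len(recent) == threshold:
                findings.append(("repeated_failures", ev["user"], ev["src"], len(recent)))
        else:
            if len(recent) >= 3:
                findings.append(("success_after_failures", ev["user"], ev["src"], len(recent)))
            recent_failures[key] = []   # a success ends the streak
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(failure_reasons(events))
    for finding in analyze(events):
        print(*finding)
```

In the sample, two mistyped passwords followed by a success (jdoe) and a single expired-password failure far outside the window (svc_backup) produce nothing, while the admin account is flagged twice: once when its fifth failure lands inside ten minutes and again when a success follows that run, which is the pattern a reviewer would want to look at first.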

• Intrusion Detection System (IDS) – a set of sensors and a central monitoring unit that creates
logs of network traffic that was permitted to pass the firewall and analyses those logs for
signs of intrusions.

• Penetration testing – an authorized attempt by either the internal audit team or an external
consultancy firm to break into the organization’s information system.

• Continuous Monitoring – an important detective control that can identify
organizational problems in a timely manner so that earlier prevention can be done.

Corrective Controls

• Computer Incident Response Team (CIRT) – it should include not only technical
specialists but also senior operations management, because some potential responses
have significant economic consequences.

(Recognition, Containment, Recovery, Follow Up)

• Chief Information Security Officer – should be independent of other information
systems functions and should report to either the COO or the CEO.

• Patch Management – a patch is code released by software developers to fix a particular
vulnerability. Patch management is the process of regularly applying patches to the
software used by the organization.

Chapter 9: Confidentiality and Privacy controls

- Two other important principles of reliable systems in the Trust Services
framework:

1. Confidentiality

2. Privacy

- Certain controls protect the confidentiality of sensitive corporate information.

- One of the basic objectives of information security is the preservation of
confidentiality of the organization’s property and information.

 Four basic actions in the preservation of Confidentiality


1. Identify and classify information to be protected - identify where such information
resides and who has access to it. One must undertake a thorough inventory of every
digital and paper store of information, which is time consuming and costly.

- The next step is to classify the value of the information to the organization.
According to COBIT 5, classification is the responsibility of information owners, rather
than the information security professionals.

2. Protecting confidentiality with encryption - encryption is the only way to
protect information in transit over the internet. Some sensitive information,
particularly “know-how”, cannot be protected by encryption, and encryption protects
information only in specific situations, so strong authentication is also needed.

3. Controlling access to the information - authentication and authorization alone are not
enough; additional digital and physical access controls are needed.

- Information rights management provides an additional layer of protection for information
stored in digital format, offering not only to limit access to specific documents but also to
specify the actions that individuals granted access may perform.

- Data loss prevention requires controls over outbound communications. DLP
software works like an antivirus program in reverse, blocking outgoing messages that contain
key words associated with sensitive information. It should be supplemented by
embedding code called a digital watermark.
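Added example of the outbound filtering described above (illustration only, not from the notes or the textbook, and not how any particular DLP product works): outgoing messages are checked against a constructed keyword watch-list and for payment-card-shaped numbers, with the Luhn check digit used to separate real card numbers from look-alike order or phone numbers so the filter does not block ordinary mail. The keywords, the codename and the sample messages are constructed; the card numbers are the usual publicly known test numbers.

```python
import re

# Constructed watch-list of terms the organization associates with sensitive material
# ("project aurora" is a made-up internal codename for this example).
SENSITIVE_KEYWORDS = ("confidential", "internal only", "project aurora")

# Runs of 13-19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return digit strings that look like card numbers and pass the Luhn check,
    so order numbers and phone numbers are not blocked."""
    hits = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def inspect_outbound(message: str):
    """Decide whether an outgoing message may leave; returns (decision, reasons)."""
    lowered = message.lower()
    reasons = [f"keyword:{kw}" for kw in SENSITIVE_KEYWORDS if kw in lowered]
    # Only the last four digits go into the reason so the log itself does not leak the number.
    reasons += [f"card_number:****{d[-4:]}" for d in find_card_numbers(message)]
    return ("block" if reasons else "allow"), reasons


# Constructed sample messages.
SAMPLE_MESSAGES = [
    "Attached is the Q3 forecast. INTERNAL ONLY - do not forward.",
    "Customer card 4111 1111 1111 1111 was charged twice, please refund.",
    "Order 4111111111111112 shipped yesterday, tracking to follow.",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(inspect_outbound(msg), "<-", msg)
```

Keyword matching alone is noisy, which is why the card rule adds a structural check: the third message carries a sixteen-digit number that fails the Luhn test and is allowed through, while the second carries a valid one and is blocked.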

4. Training - one of the most important controls in information security. Employees must
know what information they can share with outsiders. They also need to be taught how
to protect confidential data and to know how to code reports to reflect the importance of
the information.

 Privacy

- The controls that need to be implemented to protect privacy are the same ones
used to protect confidentiality.

 Privacy controls

- Protecting the privacy of personal information collected from customers starts with identifying
what information the organization possesses. Encryption is a fundamental control for
protecting the privacy of personal information that organizations collect, but encryption
cannot do everything: it cannot protect data while they are being processed or displayed
on a monitor. So organizations should use data masking, which replaces such information
with fake values before sending the data to the test system.
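Added example of the data masking step above (not from the notes or the textbook): a constructed set of customer records is transformed before it would be handed to a test system. Names and e-mail addresses become salted, deterministic pseudonyms so records can still be joined, card numbers keep only the last four digits, birth dates keep only the year, and a final check confirms that none of the original identifying values survives. The records, the salt and the `masked.invalid` domain are all assumptions made for the example.

```python
import hashlib

# Constructed production-style records (fictitious people).
PRODUCTION_RECORDS = [
    {"customer_id": 1001, "name": "Maria Popescu", "email": "maria.popescu@example.com",
     "card_number": "4111111111111111", "birth_date": "1986-07-14", "balance": 1520.75},
    {"customer_id": 1002, "name": "Ion Ionescu", "email": "ion@example.org",
     "card_number": "5500000000000004", "birth_date": "1979-02-03", "balance": -40.10},
]

# Assumption: a secret salt held outside the test environment, so pseudonyms cannot be
# reversed or re-created by anyone who only has the masked data.
MASK_SALT = b"constructed-salt-do-not-reuse"
TEST_MAIL_DOMAIN = "masked.invalid"   # reserved TLD: test e-mails can never reach a real customer


def pseudonym(value: str, prefix: str) -> str:
    """Deterministic fake value: the same input always maps to the same output, so
    joins across masked tables still work, but the original cannot be recovered."""
    digest = hashlib.sha256(MASK_SALT + value.encode("utf-8")).hexdigest()[:10]
    return f"{prefix}_{digest}"


def mask_record(rec: dict) -> dict:
    """Replace directly identifying fields; keep what the test system needs to exercise logic."""
    masked = dict(rec)
    masked["name"] = pseudonym(rec["name"], "customer")
    local_part = rec["email"].split("@", 1)[0]
    masked["email"] = f"{pseudonym(local_part, 'user')}@{TEST_MAIL_DOMAIN}"
    masked["card_number"] = "*" * (len(rec["card_number"]) - 4) + rec["card_number"][-4:]
    masked["birth_date"] = rec["birth_date"][:4] + "-01-01"   # keep the year, drop the exact date
    return masked


def leaks_original_values(original: dict, masked: dict,
                          fields=("name", "email", "card_number", "birth_date")) -> bool:
    """Sanity check before shipping data to test: does any original PII survive verbatim?"""
    blob = " ".join(str(v) for v in masked.values())
    return any(str(original[f]) in blob for f in fields)


if __name__ == "__main__":
    for rec in PRODUCTION_RECORDS:
        out = mask_record(rec)
        print(out, "leaks:", leaks_original_values(rec, out))
```

The balance and customer_id are left untouched on purpose: the test system has to exercise the same business logic as production, and those fields do not identify a person on their own.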

 Privacy concerns

1. SPAM - unsolicited email that contains either advertising or offensive content. It not
only reduces the efficiency benefits of email but is also a source of viruses, worms, and other
types of malware. To deal with these problems, the US Congress passed the Controlling
the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.

2. Identity theft - the unauthorized use of someone’s personal information for the benefit of
the perpetrator. Examples are medical, financial, and tax identity theft.
Organizations also have a role to play in preventing identity theft. Therefore, an
organization has an obligation to implement controls that protect personal information.

 Privacy regulations and generally accepted privacy principles

1. Management - assigning responsibility and accountability for implementing the
policies for protecting the information collected from customers and third parties

2. Notice - the organization must give notice before collecting personal
information. The notice should be clear about what information is collected and how it will be used.

3. Choice and consent - explaining the choices available to individuals and obtaining
their consent in collecting personal information.

4. Collection - an organization must collect only the information really needed to fulfill
the purposes stated in its privacy policies. One issue concerning this principle is the use
of cookies. A cookie is a text file created by a website and stored on a visitor’s hard disk which
stores information about what the user has done on the site. The issue with cookies is that
they can contain personal information that may lead to identity theft and other privacy threats.

5. Use and retention - the need for retention policies and for assigning responsibility for
ensuring compliance with those policies.

6. Access - the opportunity given to the individuals to access, review, correct and delete
the information about them.

7. Disclosure to third parties - disclosure should be done only in situations
described in the organization’s policies and only to third parties who provide the same
level of privacy protection.

8. Security - it is not possible to provide privacy of information without considering
information security (chapter 8). However, information security is not enough to
provide privacy. Training of employees is also important to avoid practices that can
result in a breach of privacy.

9. Quality - providing customers with a way to review the information stored
by the organization is one way to achieve this objective. It assures customers
that the information is accurate.

10. Monitoring and enforcement - assigning one or more employees to be responsible
for ensuring compliance with and proper enforcement of the stated policies.

 Encryption
- A preventive control used to protect privacy and confidentiality, but it also
strengthens authentication procedures and plays a part in verifying the validity of
business transactions.

- In this chapter, encryption is the process of transforming normal content,
called plaintext, into unreadable gibberish called ciphertext.

 What is decryption?

- Decryption reverses the procedure done by encryption, meaning it transforms ciphertext back
into plaintext.

- Both encryption and decryption make use of a key and an algorithm. Computers
represent both plaintext and ciphertext as a series of binary digits; a key typically consists
of 256 bits (256 0s and 1s). The algorithm is the formula for using the key to transform the
plaintext into ciphertext and vice versa.

 Factors that influence Encryption strength

1. Key length - longer keys provide stronger encryption by reducing the number of
repeating blocks in the ciphertext, which makes it harder to spot patterns in the ciphertext that reflect
patterns in the plaintext.

2. Encryption algorithm - a strong algorithm is difficult to break, and its strength
is due not to the secrecy of its procedures but to the fact that it has
been rigorously tested and demonstrated to resist brute-force guessing attacks.

3. Policies for managing cryptographic keys - key management is the most vulnerable aspect of
encryption systems. No matter how strong the algorithm or how long the key, if the keys have
been stolen the encryption can be easily broken. Therefore cryptographic keys must be
stored securely and protected with strong access controls.

 Types of encryption systems

1. Symmetric encryption systems - use the same key both to encrypt and to decrypt.

2. Asymmetric encryption systems - use two keys, a public key and a private key.
Either key can be used to encrypt, but only the other key can decrypt the resulting ciphertext.

- In case of key loss or theft, organizations should use encryption software that
creates a built-in master key. An alternative is key escrow, which involves
making copies of all encryption keys used and storing those copies securely.
 Hashing

- The process that takes plaintext and creates a short code called a hash.

 Two important differences between hashing and encryption

1. Encryption always produces ciphertext similar in size to the original plaintext, but
hashing produces a hash of a fixed, short length.

2. Encrypted text can be decrypted, but it is not possible to transform a hash back into
the original plaintext.

 Digital signature

- It is a two-step process:

a. The document creator generates a hash of the document, and

b. encrypts that hash using his/her private key.

- The resulting encrypted hash is the digital signature, which provides assurance that (1) a copy
of the document has not been altered and (2) who created the original version of the
document.

 Digital certificates and Public Key Infrastructure

- A digital certificate is an electronic document that contains an entity’s public key
and certifies the identity of the owner. It functions as the equivalent of a driver’s license.

- Certificates are issued by a certificate authority, whose signature they contain.

 Public Key Infrastructure (PKI)

- The system for issuing pairs of public and private keys and the corresponding digital
certificates. It hinges on trusting the certificate authorities that issue the keys and
certificates.

 Virtual private networks (VPNS)

- A VPN encrypts information while it traverses the internet, creating private
communication channels, often referred to as tunnels.

- It also includes controls to authenticate the parties exchanging information and to create
an audit trail of the exchange.
