Chap 3 | Control Objectives | May 2012
Safeguarding assets (including data/information) to maintain data integrity and achieve system effectiveness and efficiency (eff-eff) is a significant control process.
FACTORS influencing an organization toward “control and audit” of computers, and the impact of the information systems “audit” function on organizations, are-
(- Used & Abused Computer creates High Cost Error Only then you understand its Value)
(- Incorrect Decision Data & Privacy lost -)
(- IS Auditor Safeguards Integrity of Eff-Eff Objectives -)
[Diagram involved]
With respect to INTERNAL CONTROLS within an enterprise in a “computerized environment”, the major “areas of impact” with the “goal of asset safeguarding, data integrity, and system eff.-eff.” are discussed below-
1. Management supervision and review- Helps deter and detect both errors and fraud
2. Segregation of duties- “Segregation” means that the stages in the processing of a transaction are split between different people, such that one person cannot process a transaction through from start to finish. No single person should have knowledge of the interrelationship between the source of data, processing, distribution and use of output, or be able to alter transaction data or applications.
3. Personnel- Ensure personnel are trustworthy and competent, with the necessary skills & training
4. Concentration of programs & data- Transaction & master file data + editor programs are available at the same place
5. Record keeping- protection and storage of documents for audit trails
6. Access to assets and records- the nature and types of control for protecting eData differ
7. Authorisation procedures- transactions are approved - written evidence/computerised authorisation controls
(- Mgmt reviews & Segregates duties of Personnel. And asks them to Concentrate on Keep Records, control Access & authorization -)
Register for online training on Advanced Excel at www.excelnext.in after May-2012 exam 3.1
CA. Rishabh Pugalia | www.iscanotes.com
1) Control environment- Elements that establish the control context in which accounting systems and control procedures must operate: how authority and responsibility are assigned, how performance is planned and monitored etc.
2) Control activities- Elements that concern accounting controls (records, checks, authorization) and administrative controls (eff-eff of objectives)
3) Monitoring- Elements that ensure internal controls operate reliably over time
4) Risk Assessment- Elements that identify and analyze the risks
5) Information and Communication- Elements that ensure information is identified, captured and exchanged in a timely and appropriate form to allow personnel to discharge their responsibilities.
(- Congress EN.ACTS 5 laws for Risk Assessment & Monitoring of Info-Communication like FB, Wiki -)
To cope with new technology (-changes-), the auditor has to be competent to provide an independent evaluation as to whether the business process activities are recorded and reported according to established standards or criteria. The two basic functions carried out to examine these changes are summarised as under-
• Data retention & Storage- The client’s storage capabilities limit online data retention & its ready accessibility by auditors. The audit trail may exist only in machine-readable form that must first be translated
• Absence of input documents- Transaction data is entered directly, without supporting documentation
• Lack of a visible audit trail- Not available, or available only for a short time-period; “auditing around the computer system” by seeking other sources of evidence
• Lack of visible output- No printed output record; the auditor directly accesses “read-only” electronic data
• Audit evidence- Transactions (e.g. depn./interest) are generated automatically by the computer with no formal authorization required. Hence, they may be ultra vires.
• Legal issues- eTrading & EDI, e.g. contracts - legal jurisdiction, time-stamp, law varies across countries & courts etc.
• System generated transactions- Systems’ ability to initiate, approve and record transactions (e.g. EDI, automated transaction generation systems) increases processing efficiency. However, to audit them, auditors must view the application’s programming for authorisation
• Systematic Error- Systems are designed to process on a consistent (repeating) basis, which is both +ve and -ve. Hence, determine the reason for the error
∆ EC > Nothing is Stored: No Input - Trail - Output. Hence, No Evidence. Result: Legal issues
∆ EE > System generated transactions give Systematic Error
[MICS M08: Discuss various factors that render manual audit method ineffective in Information System audit. – Sol:
Electronic evidence, Terminology, Automated processes, New risks and controls, Reliance on controls]
CATEGORIES of IS Audits- IT audits have been categorized into 5 types ( “An audit to verify that…” ) -
1. Information Processing Facilities (IPF)- … are appropriate, efficient, controlled, secure + eff-eff processing
2. Telecommunications, Intranets, and Extranets- … are controlled, secure
STEPS in IT Audit
Based on the objective with which controls are designed or implemented, controls can be
classified as:
Preventive Controls
…are those inputs, which are designed to prevent an error, omission or malicious act from occurring. E.g.
password protection. Characteristics:
• Understanding vulnerabilities of the asset
• Understanding probable threats
• Provision of necessary controls
Controls can be implemented in both manual and computerized environment - implementation methodology
may differ.
Detective Control
Designed to detect errors, omissions or malicious acts that occur and report occurrence. Characteristics:
• Clear understanding of lawful activities & deviation
• Mechanism to refer the reported activities to appropriate person or group
• Surprise checks by supervisor
• Interaction with preventive control
Examples -
• Intrusion detection system
• Hash totals, Duplicate check
• Past reports
• Periodic performance reporting with variances
• Internal audit functions
• Cash counts and bank reconciliation
• Monitoring expenditures against budgeted amount
Corrective Controls:
…are designed to reduce the impact or correct an error once it has been detected. E.g. BCP.
Characteristics:
• Minimize threat impact
• Identify cause of problem, remedy
• Modify processing systems to minimize re-occurrences
• Get feedback from preventive and detective controls
Examples -
• Contingency planning, Backup procedure, Treatment procedures
• Investigate budget variance and report violations
Compensatory Controls:
Controls are basically designed to reduce probability of threats, which can exploit the vulnerabilities of an
asset and cause a loss to that asset. While designing the ‘appropriate’ control — cost of the lock should not
be more than the cost of the assets it protects.
Sometimes organizations may not be able to implement appropriate controls. In such a scenario, there should
be adequate compensatory measures which may although not be as efficient as the appropriate control, can
definitely reduce the probability of threats to the assets. Such measures are called compensatory controls.
“While reviewing a client’s control system, an information system auditor will identify 3
components of internal control.” State and briefly explain these 3 components.
Aim: Business objectives are achieved and undesired risk events are prevented or detected and corrected.
1. Internal Accounting controls- Intended to safeguard client’s assets & ensure reliability of financial records
2. Operational controls- Deals with the day to day operations, functions and activities to ensure that the operational
activities are contributing to business objectives
3. Administrative controls- Concerned with ensuring efficiency and compliance with management policies, including
the operational controls
These controls are generally defined as the procedures exercised by system user personnel over source (transaction origination) documents before system input.
Control over transaction processing is exercised using reports generated by the computer applications to reflect un-posted items, item counts, transaction settlement and reconciliation etc.
3) Documentation: Includes written or typed explanations of actions taken on specific transactions or instructions that
explain the performance of tasks.
4) Sequentially numbered documents: Working documents with preprinted sequential numbers, which enables the
detection of missing documents.
5) Cancellation of documents: This marks a document in such a way to prevent its reuse. E.g. invoices with a “paid”
or “processed” stamp
6) Safekeeping: Physically securing assets, such as computer disks, under lock and key, in a desk drawer, file cabinet
storeroom, or vault.
10) Input/output verification: Comparing information provided by a computer system to the input documents. This is an expensive control that tends to be over-recommended by auditors.
(-Authorize Budgets -> Document it, Number it, Cancel it -> Keep it Safe -)
(- Segregate duties -> Dual Control by Supervisor for IO verification -)
BOUNDARY CONTROLS- These are primarily access control mechanisms. The user can provide three classes of input information for the authentication process and gain access to the required resources.
The following 3 key access control mechanisms are used as boundary controls:
• Identification: Name, account number, address, card number
• Authentication: ID and Password, PIN, Finger Prints
• Authorization: Access rights for access of resources
1. Cryptography
A cryptographic technique encrypts data (clear text) into cryptograms (cipher text); its strength depends on the time and cost for a cryptanalyst to decipher the cipher text.
The three techniques of cryptography are-
1) Transposition (permute/reverse the order of characters within a set of data). E.g. day vs. yad
2) Substitution (replace text with a key-text) and
3) Product cipher (combination of transposition and substitution)
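The three techniques above, as an added worked example (not code from the notes): a columnar transposition keyed by a word, a monoalphabetic substitution built from a key-text, and their combination as a product cipher. The key words and sample text are constructed; the padding character `_` is an assumption chosen because it lies outside the alphabet.

```python
from __future__ import annotations

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
PAD = "_"  # padding character, deliberately outside the alphabet (assumption)


def transpose(text: str, key: str) -> str:
    """Columnar transposition: write the text row-wise under the key and read
    the columns out in alphabetical order of the key letters. Only the ORDER
    of characters changes; the multiset of characters is preserved, which is
    why transposition alone leaves letter frequencies intact."""
    cols = len(key)
    padded = text + PAD * (-len(text) % cols)          # make the grid rectangular
    rows = [padded[i:i + cols] for i in range(0, len(padded), cols)]
    order = sorted(range(cols), key=lambda i: (key[i], i))
    return "".join(row[c] for c in order for row in rows)


def untranspose(cipher: str, key: str) -> str:
    """Inverse of transpose(); any padding is left in place for the caller."""
    cols = len(key)
    nrows = len(cipher) // cols
    order = sorted(range(cols), key=lambda i: (key[i], i))
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for c in order:                 # refill the columns in the order they were read
        for r in range(nrows):
            grid[r][c] = cipher[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def substitution_table(key_text: str) -> dict[str, str]:
    """Monoalphabetic substitution derived from a key-text: the key's distinct
    letters first, then the remaining alphabet in order."""
    keyed: list[str] = []
    for ch in key_text.upper() + ALPHABET:
        if ch in ALPHABET and ch not in keyed:
            keyed.append(ch)
    return dict(zip(ALPHABET, keyed))


def substitute(text: str, table: dict[str, str]) -> str:
    """Replace each letter through the table; other characters pass through."""
    return "".join(table.get(ch, ch) for ch in text.upper())


def product_encrypt(plain: str, trans_key: str, sub_key: str) -> str:
    """Product cipher: substitution first, then transposition of the result."""
    return transpose(substitute(plain, substitution_table(sub_key)), trans_key)


def product_decrypt(cipher: str, trans_key: str, sub_key: str) -> str:
    """Undo the two stages in reverse order, then drop the padding."""
    inverse = {v: k for k, v in substitution_table(sub_key).items()}
    return substitute(untranspose(cipher, trans_key), inverse).rstrip(PAD)


if __name__ == "__main__":
    print(transpose("DAY", "CBA"))                       # the notes' "day vs. yad"
    print(substitute("DAY", substitution_table("ZEBRAS")))
    c = product_encrypt("CONTROL OBJECTIVES", "KEY", "ZEBRAS")
    print(c, product_decrypt(c, "KEY", "ZEBRAS"))
```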
INPUT CONTROLS- Input controls ensure that input data is valid, accurate and complete. Data codes like
account number etc are used for accurate and efficient data entry. Poorly designed data codes & human
intervention in data input cause recording and keying errors.
RTP Answer:
> Transcription Errors: 1) Addition 2) Truncation 3) Substitution (replacement)
> Transposition Errors: 1) Single Transposition 2) Multiple Transposition
Check Digits: are redundant digits that help verify the accuracy of the other characters in the code. They may be prefixes or suffixes to the actual data. When the code is entered, the program recalculates the check digit and compares it with the check digit in the code to verify that the code is correct.
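An added example (not from the notes) of a check digit at work against the error types listed under the RTP answer. The notes do not name a scheme; the weighted modulus-11 suffix used here is an assumption, and the sample codes are constructed.

```python
def mod11_check_digit(body: str) -> str:
    """Weighted mod-11 check digit over a 1-9 digit body (assumed scheme).
    Weights run n+1, n, ..., 2. Because 11 is prime and both a digit
    difference and a weight difference are below 11, every single
    substitution and every single transposition changes the result."""
    if not body.isdigit() or not 1 <= len(body) <= 9:
        raise ValueError("body must be 1-9 decimal digits")
    weights = range(len(body) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(body, weights))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)       # remainder 10 is written as 'X'


def with_check_digit(body: str) -> str:
    """Append the check digit as a suffix (the notes allow prefix or suffix)."""
    return body + mod11_check_digit(body)


def is_valid(code: str, body_len: int) -> bool:
    """What the data-entry program does: check the length first (addition
    and truncation errors alter it), then recompute the check digit from the
    keyed body and compare it with the keyed suffix."""
    if len(code) != body_len + 1:
        return False
    body, suffix = code[:-1], code[-1]
    return body.isdigit() and mod11_check_digit(body) == suffix.upper()


def classify_error(correct: str, entered: str) -> str:
    """Label a keying error using the notes' taxonomy: transcription errors
    (addition, truncation, substitution) versus transposition errors."""
    if len(entered) > len(correct):
        return "addition"
    if len(entered) < len(correct):
        return "truncation"
    diff = [i for i, (a, b) in enumerate(zip(correct, entered)) if a != b]
    if not diff:
        return "none"
    if sorted(correct) == sorted(entered):      # same digits, different order
        return "single transposition" if len(diff) == 2 else "multiple transposition"
    return "substitution"


if __name__ == "__main__":
    good = with_check_digit("27351")            # constructed account code
    for keyed in ("273511", "273911", "273151", "723151", "27351", "2735111"):
        print(keyed, classify_error(good, keyed), is_valid(keyed, 5))
```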
PROCESSING CONTROLS : Data processing controls perform validation checks to identify errors during
processing of data to ensure completeness & accuracy of data being processed. It is enforced by DBMS &
front end application system.
Run-to-run totals: To verify data that is subject to processing through different stages. A specific record (probably the last record) can be used to maintain the control total. E.g. if the current balance of an invoice ledger is Rs.150,000 and the additional invoices for the period total Rs.20,000, then the total sales value should be Rs.170,000.
Reasonableness verification: Two or more fields can be compared & cross-verified to ensure their correctness. E.g. the statutory % of PF can be calculated on the gross pay amount to verify if the PF contribution deducted is accurate.
Edit checks: Edit checks, similar to the data validation controls, can also be used at the processing stage to verify accuracy & completeness of data.
Field initialization: Data overflow can occur if records are constantly added to a table or if fields are added to a record without initializing it, i.e., setting all values to zero before inserting the field or record.
Existence/Recovery Controls: The check-point/restart logs facility is a short-term backup and recovery control that enables a system to be recovered if the failure is temporary and localized.
OUTPUT CONTROLS: ensures that the data delivered to users will be presented, formatted and delivered in
a consistent and secured manner + ensures CIA. Output forms - printed report, database file etc.
1. Storage and logging of sensitive, critical forms: Pre-printed stationery should be stored securely to prevent unauthorized destruction or removal and usage.
2. Logging of output program executions: When programs used for output of data are executed, it should be logged and monitored to protect confidentiality of data.
3. Spooling/Queuing: Process to ensure the user is able to continue working, even before the print operation is completed. When a file is to be printed, the OS stores the data stream to be sent to the printer in a temporary file on the hard disk. This file is then “spooled” to the printer as soon as the printer is ready to accept the data.
4. Controls over printing: Users must be trained to select the correct printer, and access restrictions may be placed on the workstations that can be used for printing.
6. Retention controls: Retention controls consider the duration for which outputs should be retained before being destroyed. Retention control requires that a date should be determined for each output item produced. Factors affecting retention period - need of & use of output, legislative requirements, type of storage medium.
7. Existence/Recovery Controls: Needed to recover output in the event that it is lost or destroyed. If the output is written to a spool of files or report files and has been kept, then recovering and new generation is easy and straight-forward.
DATABASE CONTROLS: Protecting the integrity of a database when application software acts as an interface between user and database - these controls are called the update controls and report controls.
Report controls
• Standing Data
• Print Run-to-Run control Totals
• Print Suspense Account Entries
• Existence/Recovery Controls
Update controls
1) Sequence Check between Transaction and Master Files: Synchronization and correct sequence of processing between the master file and transaction file is critical to maintain the integrity of updation, insertion or deletion of records in the master file with respect to the transaction records.
2) Ensure All Records on Files are processed: While processing, the end-of-file of the transaction file should be mapped with the end-of-file of the respective master file.
3) Process multiple transactions for a single record in correct order: Multiple transactions can occur based on a single master record (e.g. dispatch of a product to different centers). Here the order of transaction processing must be based on sorted transaction codes.
Report controls
1) Standing Data: Application programs use many internal tables to perform various functions like pay calculation, interest calculation etc. Maintaining the integrity of these internal tables is critical, as any changes or errors in these tables would have an adverse effect on the basic functions. Periodic monitoring of these internal tables by means of manual check or by calculating a control total is mandatory.
2) Print Run-to-Run control Totals: Helps in identifying errors or irregularities like a record dropped erroneously from a transaction file, wrong sequence of updating or processing errors.
3) Print Suspense Account Entries: Suspense account entries are to be periodically monitored with the respective error file and action taken on time.
4) Existence/Recovery Controls: The back-up and recovery strategies together encompass the controls required to restore a database after failure. Backup strategies are implemented using a prior version and a log of transactions or changes to the database. Recovery strategies involve roll-forward (current state database from a previous version) or roll-back (previous state database from the current version) methods.
Discuss the 3 processes of Access Control Mechanism, when a user requests for resources.
Access control mechanism processes the user request for resources in 3 steps.
• Identification: Name, account number, address, card number
• Authentication: ID and Password, PIN, Finger Prints
• Authorization: Access rights for access of resources
The access control mechanisms operate in the “following sequence” (diagram below):
1. Users have to identify themselves, indicating their intent to request usage of system resources
2. Users must authenticate themselves and the mechanism must authenticate itself
3. Users request for specific resources, need & usage details
The mechanism then verifies this information against user entries & it then permits or denies the request
1) & 2) Identification and Authentication: Users identify themselves by providing information such as name, account number, finger print, signature etc. If the entry is matched, the process proceeds
3) Authorization: There are two approaches to implementing the authorization module in an access control
mechanism:
• Ticket oriented: Mechanism assigns users a ticket for each resource they are permitted to access.
Details stored in rows in matrix form
o (+) run-time efficiency (fast)
• List oriented: Mechanism associates with each resource a list of users who can access the resource and
action privileges
o (+) efficient administration of capabilities (list-change & control)
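An added example (not from the notes) contrasting the two authorization approaches: the same constructed access matrix held row-wise as tickets per user and column-wise as a list per resource. The users, resources and actions are made up for illustration.

```python
from collections import defaultdict

# Constructed access matrix: (user, resource) -> permitted actions.
MATRIX = {
    ("alice", "ledger"): {"read", "write"},
    ("bob", "ledger"): {"read"},
    ("bob", "payroll"): {"read", "write"},
    ("carol", "payroll"): {"read"},
}


class TicketOriented:
    """Rows of the matrix: each user holds tickets (capabilities) for the
    resources they may use. A check is one lookup in the requester's own row,
    hence the run-time efficiency the notes credit to this approach."""

    def __init__(self, matrix):
        self.tickets = defaultdict(dict)
        for (user, res), actions in matrix.items():
            self.tickets[user][res] = set(actions)

    def permits(self, user, res, action):
        return action in self.tickets.get(user, {}).get(res, set())

    def users_of(self, res):
        """Who can reach a resource? Every row must be scanned."""
        return sorted(u for u, t in self.tickets.items() if res in t)

    def revoke_resource(self, res):
        """Administration is costly: every user's row must be visited.
        Returns the number of rows that had to be changed."""
        touched = 0
        for user_tickets in self.tickets.values():
            if user_tickets.pop(res, None) is not None:
                touched += 1
        return touched


class ListOriented:
    """Columns of the matrix: each resource carries an access control list of
    users and their action privileges, so list changes and control are done in
    one place per resource."""

    def __init__(self, matrix):
        self.acl = defaultdict(dict)
        for (user, res), actions in matrix.items():
            self.acl[res][user] = set(actions)

    def permits(self, user, res, action):
        return action in self.acl.get(res, {}).get(user, set())

    def users_of(self, res):
        """Direct: the list IS the answer."""
        return sorted(self.acl.get(res, {}))

    def revoke_resource(self, res):
        """One operation: drop the resource's list. Returns 1 if it existed."""
        return 1 if self.acl.pop(res, None) is not None else 0


def same_decisions(a, b, matrix):
    """Both representations must yield identical access decisions."""
    for (user, res), actions in matrix.items():
        for action in ("read", "write", "delete"):
            if a.permits(user, res, action) != b.permits(user, res, action):
                return False
    return True


if __name__ == "__main__":
    t, l = TicketOriented(MATRIX), ListOriented(MATRIX)
    print(same_decisions(t, l, MATRIX), t.users_of("payroll"), l.users_of("payroll"))
    print("rows touched:", t.revoke_resource("payroll"), "lists dropped:", l.revoke_resource("payroll"))
```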
• Formal agreement between a customer requiring services and the organization that is responsible for
providing those services.
o Service: A set of deliverables that passes between a provider and a consumer.
o Level: Measurement of services agreed upon and delivered and the gap between the two.
o Agreement: Contract between 2 entities—the one providing the service and the recipient
• Not a legal contract in itself,
• States required performance of the system in terms of its availability to users, response times, and
numbers of transactions processed and any other suitable criteria meaningful to the user
• Monitored
• PIR after a development project is completed - to determine if the anticipated benefits were achieved.
• Jointly done by project development team, end users, independent group
• Objectives:
Business objectives within budget and deadline, savings and benefits as expected
What are the issues that should be considered by a system auditor at post-implementation review
(PIR) stage before preparing the audit report? (-___ = confirm/verify-) [NOT Activities]
7. ___ Adequate internal controls have been built, documented and operated correctly. Any underlying system design weaknesses?
8. ___ Adequate SLA has been drawn up & implemented. Areas where it failed
Briefly explain the formal change management policies, and procedures to have control
over system and program changes
• Important to have formal, appropriate, and proven methodology and Appropriate controls
• Key elements:
Helps assign a level of sensitivity to information - degree of protection needed + indicative value of assets
Information Classification | Description
Internal Use only:
• Information not approved for general circulation outside the organization, where its loss would inconvenience the org/mgmt. Security level = controlled but normal
• Disclosure unlikely to result in financial loss or serious damage to credibility.
• E.g. internal memos, minutes of meetings, internal project reports
Public Documents:
• Information in the public domain; annual reports, press statements etc. which has been approved for public use. Security level = minimal
Explain the term “Cryptosystems’. Briefly discuss Data Encryption Standard.
Refers to a suite of algorithms needed to implement a particular form of encryption & decryption. Consists
of following 3 algorithms:
• Key Generation Algorithm
• Encryption Algorithm
• Decryption Algorithm
The pair of algorithms of Encryption & Decryption is referred as Cipher.
Some documentation distinguishes DES from its algorithm, referring to the algorithm as the DEA (Data Encryption Algorithm).
When utilizing PKI policies & controls, financial institutions need to consider the following:
• Defining methods of initial verification and controls for issuing digital certificates and key pairs
• Defining certificate validity period, certificate’s revocation conditions
• Updating database
• Protect root key
• Regular independent audits
• Secure audit log, exception reports
• Comply with widely accepted PKI standards
Discuss anti-virus software and its types. (- ArMy HoSpital ke ICU mey Scanner laga hai -)
A program used to detect viruses and prevent further spread and harm. 3 types:
1. Active Monitor and Heuristic Scanner: Looks for critical interrupt calls & OS functions that resemble
virus action.
2. Integrity Checkers: Can detect any unauthorized changes to files on the system. They “take stock” of all files stored & compute binary check data called the Cyclic Redundancy Check (CRC). When a program is called for execution, the software computes the CRC again and checks it against the value stored on the disk.
3. Scanners: Scan for a sequence of bits called virus signatures that are characteristic of virus codes. They
check memory, disk boot sectors, and executables and systems files to find matching bit patterns.
Important to frequently update the scanners
Describe any 3-ways in which a hacker can hack the system (- Net par Ping karo & mp3 File t/f karo -)
NetBIOS: Worst kind, since it doesn't require any hidden backdoor program to be running on the PC. Exploits a bug in Windows 9x. NetBIOS is meant to be used on a LAN, so machines on the network can share information. Unfortunately, the bug is that NetBIOS can also be used across the Internet - so a hacker can access your machine remotely.
ICMP ‘Ping’ (Internet Control Message Protocol): ICMP is one of the main protocols that make the Internet
work. 'Ping' is one of the commands that can be sent to a computer using ICMP. Ordinarily, a computer would
respond to this ping, telling the sender that the computer does exist.
A large number of pings can make a Denial-of-Service attack (DoS), which overloads a computer. Also,
hackers can use pings to see if a computer exists and does not have a firewall (firewalls can block pings). If a
computer responds to a ping, then the hacker could launch a more serious form of attack against a computer.
FTP (File Transfer Protocol): FTP is a standard Internet protocol. Used for file downloads/uploads. FTP
normally requires some form of authentication for access to private files, or for writing to files. FTP
backdoor programs: Doly Trojan, Fore, and Blade Runner - simply turn computer into an FTP server, without
any authentication.
Others: RPC statd, HTTP
A company is engaged in the stores taking data activities. Whenever an input data error
occurs, the entire stock data is to be reprocessed at a cost of Rs. 50,000. The management
has decided to introduce a data validation step that would reduce errors from 12% to 0.5% at
a cost of Rs. 2,000 per stock taking period. The time taken for validation causes an additional
cost of Rs. 200. (i) Evaluate the percentage of cost-benefit effectiveness of the decision taken
by the management and (ii) suggest preventive control measures to avoid errors for
improvement.
(i)
S. No. | Particulars | Without validation procedure | With validation procedure
1 | Cost of reprocessing the stock data | Rs. 50,000 | Rs. 50,000
2 | Risk of data errors | 12% | 0.50%
3 | Expected processing cost | Rs. 6,000 | Rs. 250
4 | Cost of validation procedure | Nil | Rs. 2,000
5 | Cost of delay due to validation | Nil | Rs. 200
6 | Total cost involved | Rs. 56,000 | Rs. 52,450
7 | Net expected benefit | | Rs. 3,550
  | in % | | 6.30%
Firewalls
A collection of components (computers, routers, software) that mediate access / act as an access control
point for traffic between security domains. All traffic between security domains must pass through firewall.
Help inspect & block traffic & coordinate activities with network intrusion detection systems (IDSs)
How Firewalls work? Firewalls block or allow traffic based on rules (static or dynamic) configured by the
administrator.
• A static rule set is an unchanging statement to be applied to packet header, such as blocking all
incoming traffic with certain source addresses.
• A dynamic rule set often is the result of coordinating a firewall and an IDS.
When firewalls fail, they typically should fail closed, blocking all traffic, rather than failing open and
allowing all traffic to pass.
Describe various types of firewalls in brief. There are 4 primary firewall types from which to choose:
1. Packet Filtering
2. Stateful Inspection
3. Proxy Servers
4. Application-Level Firewalls.
(- State-sponsored Proxy-war mey Packet-Filter bomb Apply karte hain Firewall helps protect that -)
Packet Filtering
• Evaluate headers of each incoming / outgoing packet to ensure it has a valid internal address,
originates from a permitted external address, connects to an authorized protocol or service, and
contains valid basic header instructions.
• If packet does not match pre-defined policy for allowed traffic, then firewall drops the packet. (-no
match, no catch -)
• Do not analyze the packet contents beyond header information. Many routers contain access control lists (ACLs) that allow for packet-filtering capabilities
Weaknesses:
• Easy to mis-configure, which allows traffic to pass that should be blocked
• Vulnerable to attacks that take advantage of vulnerabilities in network protocols.
• Limited Logging functionality
• Unable to prevent attacks that exploit application-specific vulnerabilities because packet filter does
not examine packet contents
• Do not support advanced user authentication schemes
Applicability:
• Offers less security, but faster performance than application-level firewalls
• Appropriate in high-speed environments where logging and user authentication with network resources
are not as important.
• Useful in enforcing security zones at the network level.
• Commonly used in small office/home office (SOHO) systems and default OS firewalls
• Implementing additional firewall components that include application-level screening
Stateful Inspection
• Each TCP session starts with an initial “handshake” communicated through TCP flags in the header information. Once the connection is established, the firewall adds the connection information to a table.
• The firewall can then compare future packets to the connection or state table. This essentially verifies that inbound traffic is in response to requests initiated from inside the firewall.
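An added example (not from the notes, nor from any firewall product) of the two mechanisms just described: a static rule set matched against header fields only, with no match meaning deny (fail closed), and a connection table that admits inbound packets only as replies to connections opened from inside. The addresses, rules and packets are constructed; the `10.0.0.0/8` internal range is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields only: a packet filter never sees the payload."""
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # SYN without ACK = a new TCP connection attempt
    ack: bool = False


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range

# Constructed static rule set: inside hosts may open HTTPS and DNS outward.
RULES = [
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", proto="udp", dport=53),
]


def static_filter(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins. No match means deny: the filter fails closed."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Static rules plus a connection (state) table."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Set[Tuple] = set()      # (in_src, in_sport, out_dst, out_dport, proto)

    def process(self, p: Packet) -> str:
        outbound = ip_address(p.src) in INTERNAL and ip_address(p.dst) not in INTERNAL
        if outbound:
            verdict = static_filter(self.rules, p)
            if verdict == "allow":
                # Remember the connection so its replies can come back in.
                self.table.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return verdict
        # Inbound: allowed only as a reply to a connection opened from inside;
        # a bare SYN is never a reply, even if the 5-tuple happens to match.
        key = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.table and not (p.syn and not p.ack):
            return "allow"
        return static_filter(self.rules, p)


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    print(fw.process(Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, syn=True)))
    print(fw.process(Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000, syn=True, ack=True)))
    print(fw.process(Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 22, syn=True)))
```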
Proxy Servers
• Proxy servers act as an intermediary between internal & external IP addresses and block direct access to the internal network.
• They rewrite packet headers to substitute the “IP of the proxy server” for the “IP of the internal machine” and forward packets to & from the internal and external machines
• Commonly employed behind other firewall devices
• The primary firewall receives all traffic, determines which application is being targeted, and directs the traffic to the appropriate proxy server
• Common proxy servers are domain name server (DNS), Web server (HTTP), and mail (SMTP) server.
Application-Level Firewalls
• Perform application-level screening: the filtering capabilities of packet-filter firewalls plus additional
validation of the packet content based on the application
• Capture packets and compare them to state information in the connection tables
• Examine each packet after the initial connection is established for the specific application: checks
for commands, protocols, packet length, authorization, content, or invalid headers
• Strongest level of security, but slower and requiring greater expertise to administer properly
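The two mechanisms above (the stateful inspection state table, and the application-level check of commands and headers once a session is established) can be seen together in the following toy firewall. It is an added illustration written for these notes, not code from the ICAI study material or from any real firewall product. The inside network (any 10.x address), the sample addresses 10.1.2.3 and 203.0.113.10, the allowed HTTP methods and the packet list are all constructed assumptions; the packet-filter limitation that "contents are not examined" is exactly what the `_screen_http` step adds on top of the state table.

```python
"""Toy stateful + application-level firewall (added illustration, not the notes' own code).
Assumptions (hypothetical): protected network is 10.0.0.0/8, and the application
screen only understands the first line of an HTTP request.
"""
from dataclasses import dataclass, field

INSIDE_PREFIX = "10."   # assumed: hosts on the protected side of the firewall


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: set              # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""


@dataclass
class Firewall:
    allowed_methods: frozenset = frozenset({"GET", "POST"})   # assumed policy
    max_request_line: int = 2048
    table: dict = field(default_factory=dict)                  # the state table

    def _key(self, pkt, outbound):
        # Normalise the 5-tuple so both directions of one session share a key:
        # (inside_ip, inside_port, outside_ip, outside_port)
        if outbound:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        outbound = pkt.src.startswith(INSIDE_PREFIX)
        key = self._key(pkt, outbound)
        state = self.table.get(key)

        # --- Stateful part: only inside hosts may open connections -------------
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            if not outbound:
                return "DROP: unsolicited inbound SYN"
            self.table[key] = "SYN_SENT"
            return "PASS"
        if state is None:
            return "DROP: no matching connection in state table"
        if "SYN" in pkt.flags and "ACK" in pkt.flags and state == "SYN_SENT" and not outbound:
            self.table[key] = "SYN_RECEIVED"          # server's reply to our SYN
            return "PASS"
        if "ACK" in pkt.flags and state == "SYN_RECEIVED" and outbound:
            self.table[key] = "ESTABLISHED"           # handshake complete
            return "PASS"
        if state != "ESTABLISHED":
            return "DROP: out-of-sequence handshake packet"
        if pkt.flags & {"FIN", "RST"}:
            del self.table[key]                       # session torn down
            return "PASS"

        # --- Application-level part: look inside established sessions ---------
        if outbound and pkt.dport == 80 and pkt.payload:
            return self._screen_http(pkt.payload)
        return "PASS"

    def _screen_http(self, payload):
        line, _, _ = payload.partition(b"\r\n")
        if len(line) > self.max_request_line:
            return "DROP: request line too long"
        parts = line.split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            return "DROP: malformed request line"
        method = parts[0].decode("ascii", "replace")
        if method not in self.allowed_methods:
            return f"DROP: method {method} not allowed"
        return "PASS"


def run_scenario():
    """Constructed traffic: one attacker probe, one legitimate HTTP session, one stray packet."""
    fw = Firewall()
    inside, outside = "10.1.2.3", "203.0.113.10"
    packets = [
        Packet(outside, inside, 40000, 22, {"SYN"}),                 # probe from outside
        Packet(inside, outside, 51000, 80, {"SYN"}),                 # inside client opens HTTP
        Packet(outside, inside, 80, 51000, {"SYN", "ACK"}),          # server reply matches table
        Packet(inside, outside, 51000, 80, {"ACK"}),                 # handshake complete
        Packet(inside, outside, 51000, 80, {"ACK"}, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
        Packet(inside, outside, 51000, 80, {"ACK"}, b"TRACE / HTTP/1.1\r\n\r\n"),
        Packet(outside, inside, 80, 51000, {"ACK"}, b"HTTP/1.1 200 OK\r\n\r\n"),
        Packet(outside, inside, 80, 51001, {"ACK"}, b"junk"),        # no table entry
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

A plain packet filter would have passed the TRACE request (port 80, established flags), because it never reads the payload; the state table alone would have passed it too. Only the application-level screen rejects it, which is the trade-off the notes describe: more security for more work per packet.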
Do a comparative analysis on the different types of firewalls that mediate the access
between different domains.
Physical access controls are designed to protect the organization from unauthorized access, i.e. to prevent
illegal entry.
Cipher locks (Combination Door Locks)
• Push-button panel mounted near the outside of the door. The user enters a 4-digit number sequence on the
numbered buttons and the door unlocks for some time.
• Used in low-security situations or when a large number of entrances and exits must be usable all the
time. More sophisticated and expensive versions use the person's handprint.
Bolting Door Locks
• A special metal key is required for access.
Electronic Door Locks
• A magnetic or embedded chip-based plastic card key or token is entered into a sensor reader to gain access.
• (+) A special internal code identifies the correct individual
• (+) An individual's access can be custom restricted (time, doors)
• (+) Duplication risk is reduced
• (+) Can be easily deactivated
Biometric Door Locks
• Extremely secure: an individual's unique body features, such as voice, retina, fingerprint or signature,
activate these locks.
• Used in extremely sensitive facilities, e.g. military.
Cryptographic Control
<Refer earlier details> Transformation of data into meaningless codes
Identification Badges
Special identification badges using colour codes and photo
Logging on utilities
Manual Logging: Visitors sign a visitor's log with their details, along with a valid and acceptable identification
Video Cameras: Placed at specific locations and monitored by guards. Recordings are retained
Controlled Visitor Access: An employee should escort all visitors
Bonded Personnel: All service contract personnel, such as cleaning staff, should be asked to sign a bond
Dead man Doors
• A pair of doors: the first entry door must close and lock before the second door operates, with only one
person permitted in the holding area.
• Only one person is permitted at a given point in time, which reduces the risk of piggybacking, where an
unauthorized person follows an authorized person through a secured entry.
Non-exposure of Sensitive Facilities: No explicit indication, such as windows or directional signs, hinting at the
presence of facilities such as computer rooms. (- No unnecessary show -)
Computer Terminal Locks: Ensure that the device on the desk is not turned on or disengaged by unauthorized persons
Controlled Single Entry Point: All incoming personnel use a controlled single entry point; the remaining entry
points are deadlocked
Alarm System: Link the alarm system to motion detectors at inactive entry points and to the reverse flows of
enter-only or exit-only doors, so as to detect illegal entry
Control of out-of-hours of employee: Covers employees who are out of the office for a longer duration during
office hours
Secured Report/Document Distribution Cart: Mail carts must be covered and locked and should always be attended
• Record the source and nature of all changes to the database, so that the time series of events can be recreated
• Action privileges, log-on attempts, resources, time etc.
ENVIRONMENTAL CONTROLS
"From the perspective of environmental exposures and controls, information systems resources may be
categorized as follows, with the focus primarily on the facilities which house them":
• Hardware & Media
• Information Systems Supporting Infrastructure or Facilities
• Documentation
• Supplies
• People
"Environmental Issues and Exposures" include natural and man-made ones, e.g. fire, power failure etc.
9. Water Detectors
15. Prohibitions Against Eating, Drinking and Smoking within the IPF
16. Documented & Tested Emergency Evacuation Plans
Discuss the ROLE of the IS auditor with respect to "Environmental controls". Critical audit considerations
that an IS auditor should take into account while conducting the audit:
Audit planning and assessment- As part of risk assessment:
• The risk profile should include the different kinds of environmental risks (natural & man-made); review
and update it
• Review the security policy, administrative procedures, building and wiring plans, and the IPF
• Interview personnel for awareness and roles
• Confirm that control safeguards are in place
Audit of technical controls- Conduct physical inspections and observe practices. Verify:
• IPF, construction material
• Water & smoke detectors, power supply arrangements (back-up power), fire-fighting equipment
• AC, heaters etc.
• Emergency procedures, evacuation plans - mock drills
• Documents for compliance
• Complaint logs and maintenance logs
Auditing physical access requires the auditor to review the physical access risks and controls to form an
opinion on the effectiveness of the physical access controls. This involves the following:
1. Risk assessment: Covers periodic and timely assessment of all assets, physical access threats,
vulnerabilities of safeguards and the exposure therefrom
2. Controls assessment: Physical access controls are in place and adequate to protect the IS assets
3. Planning for review of physical access controls: Examination of relevant documentation
4. Testing of controls: Tour of facilities, physical inventory, interviewing, physical access logs and reports
• Reviewing the relevant documents pertaining to logical facilities and risk assessment and evaluation
techniques, and understanding the security risks facing the information processing system.
• The potential access paths into the system must be evaluated by the auditor and documented to assess
their sufficiency.
• Deficiencies or redundancies must be identified and evaluated.
• By applying appropriate audit techniques, the auditor must be in a position to test the controls over access
paths and determine whether they function effectively.
• The auditor has to evaluate the access control mechanism, analyse the test results and other audit evidence,
and verify whether the control objectives have been achieved.
• The auditor should compare the security policies and practices of other organizations with the policies of
their own organization and assess their adequacy.
The IS auditor should satisfy himself not only as to the effectiveness of the various technical controls but also
that the overall controls assure the safeguarding of the business against environmental risks.
General questions:
3. Do the project's quality assurance procedures ensure that project documentation is reviewed against
the organization's technical standards and policies, and the User Requirements Specification?
4. Do quality reviews follow a defined and acceptable standard?
5. Are quality reviews carried out under the direction of a technically competent person who is
managerially independent of the design team?
6. Are auditors/security staff invited to comment on the internal control aspects of system designs and
development specifications?
7. Are statistics of defects uncovered during quality reviews and other forms of quality control maintained
and analysed for trends? Is the outcome of trend analysis fed back into the project to improve the
quality of other deliverables?
8. Are defects uncovered during quality reviews always corrected?
QB 39 - 11
(- If the initial setting-up is executed and maintained well, there is no question of failure and no need for correction -)
Case Study (determining cost-benefit effectiveness): At one MNC, data errors occasionally required the entire
payroll to be reprocessed, at a cost of Rs. 10,000. Management determined that a data validation step would reduce the
error risk from 15% to 1%, at a cost of Rs. 600 per pay period. The cost-benefit analysis that management used to
determine whether the validation step should be employed is shown:
                                        Without validation     With validation
Cost of reprocessing the payroll        Rs. 10,000             Rs. 10,000
Probability of a data error             15%                    1%
Expected loss (cost x probability)      Rs. 1,500              Rs. 100
If the proposed payroll validation procedure is not utilised, the expected loss to the company is Rs. 1,500. Because the
expected loss with the validation step is Rs. 100, the control provides an expected benefit of Rs. 1,400. After deducting the
control cost of Rs. 600, the validation step provides a net benefit of Rs. 800 and clearly should be implemented.
The controls to consider when reviewing the organisation and management controls in an IS
shall include:
An IS auditor is responsible for evaluating the following when reviewing the adequacy of data
security controls:
• If the IS system is outsourced, what security controls and protection mechanisms does the vendor have in
place to secure and protect data?
• Contractually, what penalties or remedies are in place to protect the tangible and intangible value of
the information?
• The disclosure of sensitive information is a serious concern and is mandatory on the auditor's list of
priorities.
SHORT NOTES:
• Dry-pipe sprinkler systems: The pipes remain dry; on activation by the electronic fire alarm, water is sent
through the pipe. (+) A failure in the pipe will not result in water leaking onto sensitive equipment.
• Water-based (wet-pipe) systems function similarly to the sprinkler systems. Effective but unpopular because
they damage equipment and property.
• Halon systems contain pressurized Halon gas. (+) Halon is inert and does not damage equipment the way
water does. It extinguishes fire mainly by interrupting the chemical chain reaction of combustion rather than
by displacing oxygen (that is how CO2 systems work), so the older description "removes oxygen from the air"
is inaccurate. There should be an audible alarm and a brief delay before discharge to permit personnel time
to evacuate the area or to override and disconnect the system. (-) Halon adversely affects the ozone layer;
its production has been phased out under the Montreal Protocol, so new installations use alternative agents.
> Hacking: Act of penetrating computer systems to gain knowledge about the system and how it works.
Technically, a hacker is someone who is enthusiastic about computer programming and all things relating to
the technical workings of a computer.
> Crackers are people who try to gain unauthorized access to computers. This is normally done through the use of
a 'backdoor' program installed on the machine. Many crackers also try to gain access to resources through the
use of password-cracking software.
> Data diddling involves changing data before or as it is entered into the system. Only limited technical
knowledge is required to data diddle, and the worst part is that it occurs before computer security controls
can protect the data.
> Bomb: A piece of bad code deliberately planted by an insider or supplier of a program. A bomb is triggered
either by a logical event or by time. The bomb "explodes" when its triggering condition is fulfilled, causing
damage immediately. However, these programs cannot infect other programs. Since they do not circulate by
infecting other programs, the chances of a widespread epidemic are relatively slim.
Two types:
• Time Bomb: Named after its mechanism of activation. Just as a physical time bomb explodes at the time
it is set for (unless somebody forces it to explode early), a computer time bomb causes a perverse activity,
such as disruption of the computer system or modification or destruction of stored information, on the
particular date and time for which it has been developed. The computer clock initiates it.
• Logic Bomb: Resembles a time bomb in its destructive activity, but is activated by a combination of
events. For example, a code like "If a file named DELETENOT is deleted, then destroy the memory contents
by writing ones." This code segment, on execution, may cause destruction of the contents of memory when a
file named DELETENOT is deleted. These bombs can be set to go off at a future time or event.
> Trojan Horse: Malicious code hidden inside an authorized program. Typically, a Trojan horse is illicit
coding contained in a legitimate program that causes an illegitimate action. The concept is similar to a bomb,
but a computer clock or a particular circumstance does not necessarily activate it. A Trojan may:
o Change or steal the password, or
o Modify records in protected files, or
o Allow illicit users to use the system.
Trojan Horses hide in a host and generally do not damage the host program. Trojans cannot copy themselves
to other software in the same or other systems. The Trojan is activated only if the illicit program is
called explicitly. It can be transferred to another system only if an unsuspecting user copies the Trojan
program. E.g. the "Christmas Card" Trojan.
> Piggybacking: The act of following an authorized person through a secured door, or of electronically
attaching to an authorized telecommunication link in order to intercept and alter transmissions. The electronic
form involves intercepting communication between the operating system and the user and modifying it or
substituting new messages. A special terminal is tapped into the communication line for this purpose.
> Worms: A worm does not require a host program like a Trojan to relocate itself. Thus, a worm program
copies itself to another machine on the network. Since worms are stand-alone programs, they can be
detected easily. Worms can be used to sabotage systems, yet they can also be used to perform some useful tasks.
For example, worms can be used in the installation of a network. A worm can be inserted into a network and its
presence checked at each node. A node that does not indicate the presence of the worm for quite some time can be
assumed not to be connected to the network. Examples of worms are the Existential Worm and the Alarm Clock Worm.
The Alarm Clock worm places wake-up calls on a list of users; it passes through the network to an outgoing
terminal. The sole purpose of the Existential worm is to remain alive: it does not damage the system, but only
copies itself to several places in a computer network.
> Virus is a program (usually destructive) that attaches itself to a legitimate program to penetrate the OS.
The virus destroys application programs, data files, and operating systems in a number of ways. One common
technique is for the virus to simply replicate itself over and over within the main memory, thus destroying
whatever data or programs are resident. One of the most dangerous aspects of a virus is its ability to spread
throughout the system and to other systems before perpetrating its destructive acts. Typically, a virus will
have a built-in counter that will inhibit its destructive role until the virus has copied itself a specified number
of times to other programs and systems. The virus thus grows geometrically, which makes tracing its origin
extremely difficult.
> Check Digits: Redundant digits that help verify the accuracy of the other characters in the code being
checked. When the code is entered, the program recalculates the check digit and compares it with the check
digit in the code to verify that the code is correct. Check digits may be prefixes or suffixes to the actual data.
e.g. MasterCard numbers have 16 digits with 51-55 as prefix (the last digit is the check digit).
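The check-digit recalculation described above can be shown concretely with the Luhn (mod 10) algorithm, which is the scheme payment card numbers actually use. This is an added illustration written for these notes, not code from the ICAI study material; the notes themselves only mention 16 digits and the 51-55 prefix, so naming Luhn is an assumption of the example, and the sample numbers are the well-known test values, not real cards. The MasterCard 2221-2720 prefix range mentioned in a comment is an added fact, not from the notes.

```python
"""Luhn (mod 10) check digits, as used on payment card numbers.
Added illustration for the 'Check Digits' note; not from the study material.
"""


def luhn_sum(digits):
    """Weighted sum over a full number whose rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total


def is_valid(number):
    """True if the number (spaces allowed) passes the check-digit recalculation."""
    digits = "".join(c for c in number if c.isdigit())
    if len(digits) < 2:
        return False
    return luhn_sum(digits) % 10 == 0


def check_digit(payload):
    """The suffix digit that makes payload + digit valid (the 'suffix' form in the notes)."""
    # A placeholder 0 in the check position lines the doubling up with the final number.
    s = luhn_sum(payload + "0")
    return str((10 - s % 10) % 10)


def looks_like_mastercard(number):
    """Length and prefix rule from the notes, plus the check digit."""
    digits = "".join(c for c in number if c.isdigit())
    # Prefix range from the notes. (Added note: MasterCard also issues 2221-2720.)
    return len(digits) == 16 and 51 <= int(digits[:2]) <= 55 and is_valid(digits)


if __name__ == "__main__":
    good = "5555 5555 5555 4444"        # public test number, not a real card
    print(good, is_valid(good))
    print("single-digit error:", is_valid("5555555555554443"))
    print("adjacent transposition:", is_valid("5555555555545444"))
    print("check digit for 555555555555444 ->", check_digit("555555555555444"))
```

Two practitioner caveats. Luhn catches every single-digit substitution and every adjacent transposition except 09/90, which is what an input control for keying errors needs; but it is not a security control, since anyone can compute the digit, so it must not be mistaken for authentication of the number.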
> Unauthorised Intrusion: The intruder may physically enter the installation to steal assets or carry out
sabotage. Alternatively, the intruder may eavesdrop on the installation by wire-tapping, installing an
electronic bug or using a receiver that picks up electromagnetic signals. [3.80]
> Biometric Devices: The ultimate in user authentication procedures is the use of biometric devices, which
measure various personal characteristics, such as fingerprints, voice prints, retina prints, or signature
characteristics. These user characteristics are digitized and stored permanently in a database security file or
on an identification card that the user carries.
> Spooling/Queuing ("Simultaneous Peripheral Operations Online"): A process used to ensure that the
user is able to continue working even before the print operation is completed. When a file is to be printed,
the OS stores the data stream to be sent to the printer in a temporary file on the hard disk. This file is then
"spooled" to the printer as soon as the printer is ready to accept the data. This intermediate storage of
output could lead to unauthorized disclosure and/or modification. A queue is the list of documents waiting
to be printed on a particular printer. This queue should not be subject to unauthorized modification.
• Input controls that identify all data entering the processing cycle;
• Processing control information that includes edits, error handling, audit trails and master file changes;
• Output controls that define how to verify the correctness of the reports;
• Separation of duties between preparing the input and balancing the output
To provide the user with the tools to achieve their responsibilities, the user instruction
manual should include:
• A copy of each input document + List of approvals required on each input document
• A copy of any batch control forms
• Reconciliation reports
• A copy of each report produced by the system with a description of its purpose, the number of copies,
distribution and instructions for balancing output to original input
• A list of retention periods for docs/reports
• A system recovery section including user responsibilities for assisting in the restoration of the system.
Audit trails - Logs that record activity at the system, application, and user level.
• Chronological record of all events
• Provide an important detective control
• Many OS allow management to select which events will be recorded in the log. An effective audit
policy will capture all significant events without cluttering the log with trivial activity.
1) Detecting unauthorized access- Real-time detection protects the system. A real-time audit trail can also be
used to report on changes in system performance due to a virus. However, real-time detection and logging
can degrade system performance. For after-the-fact detection, logs can be stored electronically and
reviewed periodically.
2) Personal Accountability- Audit trails can be used to monitor user activity at the lowest level of detail.
This capability is a preventive control that can be used to influence behaviour: individuals are less likely
to violate an organization's security policy if they know that their actions are recorded in an audit log.
3) Reconstructing events- Audit analysis can be used to reconstruct the steps that led to events such as
system failures, security violations by individuals, or application processing errors. Such knowledge of
conditions can be used to assign responsibility and to avoid similar situations in the future. Audit trail
analysis aids in accounting control.
Implementing an Audit Trail: The information contained in audit logs is useful to accountants in measuring
the potential damage and financial loss associated with application errors, abuse of authority, or
unauthorized access by outside intruders.
Logs also provide valuable evidence for assessing both the adequacy of the controls in place and the need for
additional controls. They generate data in overwhelming detail; important information can easily get lost
among the superfluous detail of daily operation. Thus, poorly designed logs can actually be dysfunctional.
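The three uses of an audit trail listed above (detecting unauthorized access, reconstructing events, and keeping trivial activity out of the way) can be exercised on a small log. The following is an added example written for these notes, not code from the study material or from any logging product. The log lines, the record format (`timestamp user event detail`), the user names, the thresholds and the idea that screensaver events are "trivial" are all constructed assumptions.

```python
"""Audit-trail analysis over constructed log lines (added illustration; not from the notes).
Assumed record format (hypothetical): <ISO timestamp> <user> <event> <detail>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: routine activity plus one suspicious sequence for 'bob'.
SAMPLE_LOG = """\
2012-05-01T09:00:01 alice LOGON_OK workstation=WS12
2012-05-01T09:00:05 alice FILE_READ path=/payroll/may.xls
2012-05-01T09:01:00 bob LOGON_FAIL workstation=WS07
2012-05-01T09:01:04 bob LOGON_FAIL workstation=WS07
2012-05-01T09:01:09 bob LOGON_FAIL workstation=WS07
2012-05-01T09:01:15 bob LOGON_FAIL workstation=WS07
2012-05-01T09:01:20 bob LOGON_OK workstation=WS07
2012-05-01T09:01:30 bob PRIV_CHANGE role=payroll_admin
2012-05-01T09:02:00 bob FILE_WRITE path=/payroll/may.xls
2012-05-01T09:02:01 alice SCREENSAVER_ON workstation=WS12
2012-05-01T09:02:02 alice SCREENSAVER_OFF workstation=WS12
2012-05-01T09:05:00 alice LOGOFF workstation=WS12
"""

# Clutter that a well-designed audit policy would not bother recording (assumed).
TRIVIAL_EVENTS = {"SCREENSAVER_ON", "SCREENSAVER_OFF"}


def parse_log(text):
    """Turn raw lines into records; a chronological record is the basis of everything else."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(" ", 3)
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "event": event, "detail": detail})
    return records


def detect_logon_guessing(records, max_failures=3, window_seconds=60):
    """Detecting unauthorized access: a LOGON_OK preceded by >= max_failures recent LOGON_FAILs."""
    flagged = []
    failures = defaultdict(list)
    for r in records:                      # records are assumed to be in time order
        if r["event"] == "LOGON_FAIL":
            failures[r["user"]].append(r["ts"])
        elif r["event"] == "LOGON_OK":
            recent = [t for t in failures[r["user"]]
                      if (r["ts"] - t).total_seconds() <= window_seconds]
            if len(recent) >= max_failures:
                flagged.append((r["user"], r["ts"], len(recent)))
            failures[r["user"]].clear()    # a success ends the guessing sequence
    return flagged


def reconstruct(records, user):
    """Reconstructing events: one user's significant actions, in order, without clutter."""
    return [(r["ts"].isoformat(), r["event"], r["detail"])
            for r in sorted(records, key=lambda r: r["ts"])
            if r["user"] == user and r["event"] not in TRIVIAL_EVENTS]


def analyse(text=SAMPLE_LOG):
    """Run the whole review and return what an auditor would look at."""
    records = parse_log(text)
    flagged = detect_logon_guessing(records)
    timelines = {user: reconstruct(records, user) for user, _, _ in flagged}
    return {"events": len(records), "flagged": flagged, "timelines": timelines}


if __name__ == "__main__":
    result = analyse()
    print("records:", result["events"])
    for user, ts, n in result["flagged"]:
        print(f"{user}: {n} failed logons before success at {ts.isoformat()}")
        for entry in result["timelines"][user]:
            print("   ", *entry)
```

Note what the reconstruction step buys the auditor: the detection rule only says "bob got in after four failures", but the timeline shows what followed (a privilege change and a write to the payroll file), which is the evidence needed to assign responsibility and to size the potential loss, as the notes describe.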