
John wiley sons auditing information systems fly




DOCUMENT INFORMATION

Basic information

Format
Pages: 451
Size: 3.22 MB

Content

Auditing Information Systems, Second Edition
Jack J. Champlain
John Wiley & Sons, Inc.

Copyright © 2003 by John Wiley & Sons. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: permcoordinator@wiley.com.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data:
Champlain, Jack J.
Auditing information systems / Jack J. Champlain. 2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 0-471-28117-4 (cloth : alk. paper)
1. Electronic data processing—Auditing. I. Title.
QA76.9.A93 C48 2003
658'.0558—dc21
2002034202

Printed in the United States of America.

"While creativity and innovation are what drive new technology, they are also what must secure it." Jack J. Champlain

List of Registered and Trademarked Names

Access, ACF2, ACL, AFS 2000, Alpha, AltaVista, Amazon.com, AS/400, Baan, Black Hole, BlackICE, BorderWare, Checkpoint Firewall-1, Consumer Reports, Cookie Cutter, Cookie Monster, Cop-Only, CRYPTOCard, Cyber Patrol, CyberCash Wallet, CyberCop Scanner, Cyberguard Firewall, DB2, Defender, Digimark, Diner's Club, EOPACS, Excel, Experian, Explorer, Fedline II, Fedwire, FOCUS, GFX Internet Firewall Systems, Gummi Bears, IDEA, Interceptor, Internet Scanner, J.D. Edwards, Java, Jurassic Park, Lawson, Lotus 123, Macintosh, MareSpider, MasterCard, Micro-ID, Monarch, MVS, Net Nanny, Netbuilder Router, Netscape, NetWare, Norton Utilities, ON Guard, Option Finder, Oracle, OS/2, Paradox, PC Tools, Pentium, Pentium II, Pentium Pro, Pentium MMX, PeopleSoft, PGPcookie.cutter, PICK, Pipeline Router, PIX Firewall, Playboy, Portus, PowerBook, PrivateNet, RACF, Retina, SafeBack, Sagent, SAINT, Secure Network Gateway, SecurID, Sidewinder, Star Trek, Star Wars, Tiny, Turnstyle Firewall System, Unix, VAX, VeriSign, Visa, VMS, WebSense, Windows, Windows NT, Windows 95, Windows 2000, Word, WordPerfect, ZoneAlarm

Contents

Preface ix
Acknowledgments xvii

PART ONE: CORE CONCEPTS

Chapter 1. Basics of Computing Systems 3
  Central Processing Unit
  Operating System
  Application Programs
  Database Management Systems
  Physical Security Controls
  Logical Security Controls
  Location of Physical and Logical Security Controls
  Notes

Chapter 2. Identifying Computer Systems 15
  Getting Started 15
  Benefits of a Computing Systems Inventory 17
  Risk Assessment 19
  Note 24

PART TWO: STANDARD INFORMATION SYSTEMS AUDIT APPROACH 25

Chapter 3. Information Systems Audit Program 27
  Other Benefits of Audit Programs 27
  Information Systems Audit Program 28

Chapter 4. Information Systems Security Policies, Standards, and/or Guidelines 35
  Information Systems Security Policies 36
  Information Systems Security Standards 43
  Information Systems Security Guidelines 46
  Notes 52

Chapter 5. Auditing Service Organization Applications 53
  Service Auditor Reports 55
  Use of Service Auditor Reports for Internal Audits 65
  Report of Independent Auditors 66
  Description of Relevant Policies and Procedures and Other Information 74
  Control Objectives as Specified by Service Organization Management 74
  Client Control Considerations 79
  Alternatives to SAS 70–Type Audits 79
  Notes 89

Chapter 6. Assessing the Financial Stability of Vendor Organizations, Examining Vendor Organization Contracts, and Examining Accounting Treatment of Computer Equipment and Software 91
  Assessing Financial Stability of Vendor Organizations 91
  Examining Vendor Organization Contracts 100
  Examining Accounting Treatment of Computer Hardware and Software 104
  Notes 106

Chapter 7. Physical Security 107
  Physical Locks 110
  Security Guards 120
  Video Surveillance Cameras 122
  General Emergency and Detection Controls 122
  Heating, Ventilation, and Cooling Systems 123
  Insurance Coverage 124
  Periodic Backups 127
  Emergency Power and Uninterruptible Power Supply Systems 131
  Business Resumption Programs 132
  Key Aspects of an Information Systems Business Resumption Program 134
  Backup System Security Administrator 136
  Notes 139

Chapter 8. Logical Security 141
  Logical Security Design 141
  Bringing a New System to Life 144
  User IDs and Passwords 150
  Remote Access Controls 150
  System Security Administration 153
  Wire Transfer Fraud 170
  Notes 183

Chapter 9. Information Systems Operations 185
  Computer Operations 186
  Business Operations 192
  Efficiency and Effectiveness of Information Systems in Business Operations 202

PART THREE: CONTEMPORARY INFORMATION SYSTEMS AUDITING CONCEPTS 209

Chapter 10. Control Self-Assessment and an Application in an Information Systems Environment 211
  Definition and Overview 211
  History 212
  Keys to a Successful Program 215
  Internal Control Frameworks 216
  COSO 216
  CoCo 218
  Cadbury 220
  COBIT 221
  SAC and eSAC 224
  SASs 55/78/94 227
  Additional Keys to a Successful Program 228
  Various Approaches 229
  Benefits of a Successful Program 232
  Notes 244

Chapter 11. Encryption and Cryptography 247
  Terminology 249
  Goal of Cryptographic Controls 250
  Encryption 251
  Hashing 256
  Digital Signatures and Digital Certificates 257
  Key Management 259
  Political Aspects of Cryptography 260
  Notes 264

Chapter 12. Computer Forensics 265
  Investigations 268
  Conclusion 273
  Notes 276

Chapter 13. Other Contemporary Information Systems Auditing Challenges 277
  Computer-Assisted Audit Techniques 277
  Computer Viruses 286
  Software Piracy 291
  Electronic Commerce 293
  Internet Security 295
  Information Privacy 303
  Privacy Laws and Regulations 307
  Firewalls 314
  Notes 318

Glossary

Two organizations make an agreement in which each agrees to allow the other to utilize its information systems resources in the event that one or the other experiences a business interruption.
repeat dialer: A device that repeatedly dials the same number to prevent others from making a connection, thereby causing denial of service.
reviewed financial statements: Financial statements for which an independent auditor provides only limited assurance that they are free of material misstatement, because the scope of the tests performed was significantly less than would be performed during an audit.
S/MIME (Secure Multi-purpose Internet Mail Extension): An e-mail specification for formatting non-ASCII messages (graphics,
audio, video) so that they can be sent securely over the Internet. It utilizes public key encryption technology from RSA Security Corporation.
SAC (systems auditability and control): A comprehensive tool that provides guidance on internal control and audit of information systems. It was the first internal control framework to focus primarily on information technology. SAC was originally published by the Institute of Internal Auditors in 1977, with a significant update in 1991 and a further revision in 1994.
Safe Harbor Act (SHA) of 2000: A U.S. law enacted to conform to the European Union Data Protection Directive (EUDPD) of 1998. SHA governs data transferred to the United States from the European Union. As with the Gramm-Leach-Bliley (GLB) Financial Services Modernization Act, compliance was required by July 1, 2001.
SANS: System Administration, Networking and Security Institute.
SAS 70 (Statement on Auditing Standards #70): An auditing standard issued by the American Institute of Certified Public Accountants that provides guidance to external auditors in the United States on the preparation of reports on the processing of transactions by service organizations. SAS 70 was effective for service auditors' reports dated after March 31, 1993.
SAS 78 (Statement on Auditing Standards #78): An auditing standard issued by the American Institute of Certified Public Accountants that amends SAS #55 by providing guidance to external auditors in the United States regarding the impact of internal controls on financial statement audits. SAS 78 was effective for audits of financial statements for periods beginning on or after January 1, 1997.
SAS 80 (Statement on Auditing Standards #80): An auditing standard issued by the American Institute of Certified Public Accountants that amends SAS #31 by helping external auditors in the United States focus more on electronic evidence. SAS 80 was effective for audits of financial statements for periods beginning on or after January 1, 1997.
SAS 94 (Statement on Auditing Standards #94): An auditing standard issued by the American Institute of Certified Public Accountants that amends SAS 55 and SAS 78 to add significant new sections regarding the effect of information technology on internal control. SAS 94 was effective for audits of financial statements for periods beginning on or after June 1, 2001.
Section 5900: A section of the Canadian Institute of Chartered Accountants Handbook of Auditing that provides guidance to external auditors in Canada on the preparation of reports on the processing of transactions by service organizations.
secure sockets layer (SSL): A protocol used in web browsers to establish relatively secure communications between two computers on the Internet.
segregation of duties: Separation of tasks in a process to reduce the risk that one person can perform an action that may expose an organization to significant risks.
service bureau: See service organization.
service organization: An external company that provides business applications and/or data processing resources that would otherwise be too expensive or time consuming to develop and maintain internally. The term service organization is synonymous with service bureau and third-party processor.
SIIA: Software & Information Industry Association.
software piracy: The act of copying a copyrighted software program for personal use or for resale to another party, thereby denying rightful owners royalties and any other legal benefits to which they would otherwise be entitled.
SPAM: Unwanted or unsolicited e-mail that costs millions of dollars in time, effort, disk storage space, telecommunications bandwidth usage, and user frustration.
spoofing: A situation whereby one entity misrepresents itself as a different entity.
SPOOL (simultaneous peripheral operation online): A temporary queue consisting of electronic output files awaiting printing, downloading, or other action specified by the data owners.
SQL (Structured Query Language): A standard language used to request and process data in a database.
SSCP (systems security certified practitioner): A professional designation sponsored by the International Information Systems Security Certification Consortium, Inc.
SSL: See secure sockets layer.
Statement of Position (SOP) 98-1: A statement by the American Institute of Certified Public Accountants entitled "Accounting for Costs of Computer Software Developed or Obtained for Internal Use." SOP 98-1 specifies various costs that should be capitalized and amortized over the estimated useful life of an internal-use system. It was issued on March 4, 1998.
storage memory: Memory space in which electronic data can be stored on the hard drive of a computer. In most computers storage memory is usually measured in gigabytes.
symmetric algorithm: An algorithm that uses the same key to encrypt and decrypt a message.
system console: A special terminal connected to a central processing unit (CPU) that enables the operator to execute various operating system commands that control the CPU (e.g., to run production jobs, copy and print output, perform backup procedures, etc.).
system security administration: The process through which an information system is protected against unauthorized access and accidental or intentional destruction or alteration.
system software: A collection of computer programs including the operating system and associated utility programs.
system user ID: A user ID with system administration capabilities that a computer system recognizes when it is activated or initialized for the first time.
SysTrust: A service jointly developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants that enables qualified public accountants with the necessary information systems skills to provide assurance that a client's system is in fact reliable.
targeted CSA: A variation of control self-assessment (CSA) whereby an internal audit department performs CSA workshops on a limited basis.
TCP/IP (transmission control protocol/Internet protocol): A protocol that enables computers with different kinds of operating systems to communicate among themselves. It is the standard protocol for the Internet.
Teledesic: A corporation whose primary investors are Bill Gates, Craig McCaw, and the Boeing Corporation. It plans to mobilize a constellation of about 30 interlinked low-Earth-orbit, low-cost satellites to provide global access to a broad range of voice, data, and video communications capabilities.
telnet: An Internet service that enables a user to connect to another computer on the Internet and then use it as if he or she were directly connected to that computer.
teraflop: One teraflop is equivalent to one trillion floating-point operations per second. Currently, only a few supercomputers are capable of operating at these speeds.
third-party processor: See service organization.
Trojan horse: A program that looks and performs certain functions innocently but contains malicious code such as viruses, bacteria, and logic bombs.
TruSecure® Corporation: A company that helps Internet-connected organizations identify, correct, and continuously mitigate risks to mission-critical systems and information. TruSecure was one of the first organizations to offer a website certification service.
TRUSTe: An independent, nonprofit privacy organization whose mission is to build users' trust and confidence in the Internet. TRUSTe issues two different "trustmarks," standard privacy and children's privacy.
uninterruptible power supply (UPS) system: An arrangement of batteries and supporting hardware components that are configured to provide smooth, continuous power to computer equipment. The UPS system acts as a buffer between the outside power source and the equipment, so that power surges and spikes are minimized. Also, in the event of primary power loss, a UPS system continues to supply electricity to the computer equipment until the emergency power system can fully activate.
unqualified opinion: An independent auditor's opinion that financial statements that have been audited present fairly, in all material respects, the financial position, results of operations, and cash flows of an entity in conformity with generally accepted accounting principles.
URL (uniform or universal resource locator): An alphanumeric description of the location of an item on the Internet. It contains the host name, directory path, and file name.
usenet: An Internet electronic bulletin board service that facilitates public exchange of data and conversations.
USENIX: Advanced Computing Systems Association.
virus: A computer program that has the ability to reproduce by modifying other programs to include a copy of itself.
VPN (virtual private network): A network that enables secure Internet sessions between remote computers and the network server. A VPN gateway server commonly protects the network server; the remote computer must have the corresponding VPN client application in order to establish a secure channel (sometimes referred to as a "tunnel") for the purpose of electronic data interchange or exchange.
W3C: World Wide Web Consortium.
war dialer: A device that rapidly dials phone numbers in sequential order to identify those which could be potential hacking targets.
web bugs: Graphics Interchange Format (.gif) images measuring only a single pixel that are similar to cookies in that they track Internet use and are virtually undetectable by most cookie filters.
WebTrust: A family of services jointly developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants that enables qualified public accountants with the necessary information systems skills to provide assurance that client websites that conduct business-to-consumer and business-to-business electronic commerce transactions meet standards for one or more of various principles. A client must earn an unqualified opinion letter before it can display the WebTrust seal on its website.
WITSA: World Information Technology and Services Alliance.
World Wide Web (WWW): An Internet service that enables users to access and exchange various types of information.
worm: A program that searches for and executes itself in available host central processing unit (CPU) processing memory and then continuously copies itself to other computers, usually resulting in denial of service to other users.
WORM (write-once-read-many) drive: A storage device that permanently saves onto compact disks or other permanent storage media.
Year 2000 problem: A problem in which a computer program incorrectly performs mathematical and date calculations or sorts data based only on the last two digits of the year.

Index

AARF (Australian Accounting Research Foundation), 58, 336, 384
Abdallah, Abraham, 306
ABN Amro Bank NV, 172
accounting for computer hardware and software, 104–106
ACF2, 68–70
ACFE (Association of Certified Fraud Examiners), 336, 384
ACH (automated clearing house), 19, 117–119, 129, 163, 195–197, 263, 295
ACL, 278
ACUIA (Association of Credit Union Internal Auditors), 213, 325–326, 383–384
adverse opinion, 93
AES (advanced encryption standard), 253–254
AGS 1026 (Australia), 58–61
AICPA (see American Institute of Certified Public Accountants)
AITP (Association of Technology Professionals), 336, 384
algorithm, 250
AMD (Advanced Micro Devices) and Athlon chips, 3,
American Express, 108
American Institute of Certified Public Accountants, 8, 29, 84–85, 92, 216, 217, 218, 221, 322–323, 334, 339, 383
Anderson, Michael R., 266, 270
ANSI (American National Standards Institute), 256, 383
APF (Authorized Program Facility), 69
Apple iMac, Macintosh, and PowerBook, 3–5
application programs, 11–12
ARPANET, 298
Arthur Andersen, LLP, 213, 215
ASCI White-Pacific computer,
ASCII, xvii, 205, 280–281
ASIS (American Society for Industrial Security), 336, 383
asymmetric algorithms, 254–256
ATM (automated teller machine), 19, 53
audit programs, benefits of, 27
audit programs, information systems, 28–32
audit trails, 180, 276
authenticity, 251
automatic dial-back, 151
Baan ERP system,
backlog of programming requests, Case Study 5.1, 55
backup and recovery, 110, 125, 127–131, 186, 190
backup media, failure to perform test restore, Case Study 7.9, 128
backup system security administrator, 30, 110, 136–137
backup system security administrator, carefully select, Case Study 7.16, 137–138
backup system security administrators lacking, Case Study 7.17, 138–139
backup wasn't really a backup, Case Study 7.10, 128–129
backup, critical data and software wasn't, Case Study 7.11, 129–130
backup, record storage and retrieval system wasn't, Case Study 7.12, 130–131
bacteria, 286
Bank of America, 198
batch program, 149
BBBOnline, 29, 84, 86–87, 368, 384
BECU (Boeing Employees' Credit Union), 213, 214, 234–235, 358
Bemer, Robert, xvii
Berners-Lee, Tim, xvii
Betts, Bill, 271
Bigler, Mark, 271
biometrics, 109, 115–117, 376–377
BlackICE firewall, 301, 315
Blosser, Aaron, 379
Boeing Corporation, 376
bringing a new system to life, 144–150
brute force attacks, 255
BSA (Business Software Alliance), 291–292, 384–385
business operations controls, 192–202
business resumption plan, failure to consider a service organization's BRP, 136
business resumption plan, failure to update, Case Study 7.14, 135–136
business resumption plans (BRP), 30, 45, 110, 132–137, 190
CA (Chartered Accountant), 336
CAD (computer assisted design), 269
Cadbury Committee, 59, 215, 220–221
capacity utilization, CPU and data storage, Exhibit CS9.1, 188
CAPM (certified associate in project management), 361
CCSA (certification in control self assessment), 215, 228, 336
CDP (certificate in data processing), 336
Central Point Software, 266
CERN, xvii, 296
CERT (computer emergency response team), 302, 385–386
certificate authority (CA), 86, 250, 258–259, 294
CFE (certified fraud examiner), 336
CFSA (certified financial services auditor), 336
CGAP (certified government auditing professional), 336
change controls, 361
CHIPS (Clearinghouse Interbank Payment System), 168
CIA (certified internal auditor), 333–334
CIAC (Computer Incident Advisory Capability), 386
CIAO (Critical Infrastructure Assurance Office), 386
CICA (Canadian Institute of Chartered Accountants), 8, 57, 84–85, 218, 220–221, 335, 385
cipher locks, 109, 115, 117
CIS (Cerberus Internet Scanner), 301
CISA (certified information systems auditor), 328, 332–333
Cisco Corporation and routers, 20
CISO (Chief Information Security Officer), 51
CISSP (certified information systems security professional), 335
Citibank, 108, 171
City of Seattle, 357
client control considerations for a credit card processing service organization, Exhibit 5.5, 80
client control considerations for a payroll processing service organization, Exhibit 5.6, 80–81
client control considerations for a service organization that provides multipurpose applications for financial institutions, Exhibit 5.8, 82–83
client control considerations for an ATM network service organization, Exhibit 5.7, 81–82
cluster, 269
CMA (certified management accountant), 336
COBIT, 23, 215, 221–224, 327
COBIT, control objectives summary table, Exhibit 10.5, 223
COBIT, processes defined within the four domains, Exhibit 10.4, 222
COBOL, xvii
CoCo, 23, 59, 215, 218–222
CoCo, criteria of control regrouped into COSO components, Exhibit 10.3, 219
Cohen, Fred, xvii, 274
cold site, 134–135
combination locks, 109, 115, 117
CommerceNet Consortium, 88
Common Criteria, 263, 395–399
Compaq Alpha, 3–4, 252
Compaq Corporation,
Compaq VMS, 8, 20
computer assisted audit techniques (CAAT), 277–285
computer forensics software products and services, Exhibit 12.1, 274–276
computer forensics, 7, 265–276
computer forensics, e-crime steps, 272–273
Computer Forensics, Inc., 269
computer hardware,
computer operations controls, 186–192
computer pioneers, xvii
computing systems inventory, 15–18
computing systems inventory, Exhibit 2.1, 20–22
computing systems inventory, preparing and using, Case Study 2.2, 18–19
concurrent sign on session controls, 28, 149
confidentiality of information, 251
Conley, Bill, 379
contracts (see vendor contracts)
control and risk self assessment (CRSA), 214
control objectives for a credit card processing service organization, Exhibit 5.1, 75–76
control objectives for a payroll processing service organization, Exhibit 5.2, 77
control objectives for a service organization that provides multipurpose applications for financial institutions, Exhibit 5.4, 78–79
control objectives for an ATM network service organization, Exhibit 5.3, 77–78
control self assessment, 233–245, 324, 340, 344–345
control self assessment, benefits, 232–234
control self assessment, centralized, 231
control self assessment, definition, 211–212
control self assessment, development at BECU, Case Study 10.1, 234–235
control self assessment, early adopters, Exhibit 10.1, 214
control self assessment, history, 212–215
control self assessment, hybrid, 232
control self assessment, keys to success, 215, 227–229
control self assessment, management report, telecommunications process, Exhibit CS10.1, 235–242
control self assessment, pure, 230–231
control self assessment, targeted, 231–232
control self assessment, why it should not be considered a substitute for tests of key internal controls, Case Study 10.2, 243–244
Control Self-Assessment: Experience, Current Thinking, and Best Practices, 215
conventional key locks, 109–110, 117
cookies, 303–304
Coopers & Lybrand, LLP, 213
Cop-Only, 267
COPPA (Children's Online Privacy Protection Act), 309–310, 313
COSO relationship between objectives and components of internal control, Exhibit 10.2, 217
COSO, 23, 59, 216–218, 221, 225, 334, 344, 356
CPA (certified public accountant), 92, 334–335
CPAA (Certified Practising Accountants of Australia), 335–336, 385
CPE (continuing professional education) credits, 331
CPP (certified protection professional), 336
CPU (central processing unit), 3–8, 11–12, 188–189
Cray computers, 248
Cray, Seymour, xvii
credit report, unauthorized, Case Study 2.3, 22, 24
Credit Union Times, 172
CRSA (see control and risk self assessment)
cryptanalysis, 250
CRYPTOCard, 22, 32, 152
cryptography, 250
cryptography, political aspects, 260
cryptology, 250
CSA (see control self assessment)
CSA Sentinel, 213–214
CSI (Computer Security Institute), 286, 378, 386
CUIAA (Credit Union Internal Auditors Association), 386
CyberCash Wallet, 295
CyberCop Scanner, 301
DARPA, 298
data encryption algorithm (DEA), 251
data warehouses, 279
database management systems (DBMS), 9, 11–12, 141
Datapro Information Services Group, 35
Datawatch Corporation, 280
deadman entries, 117
dedicated leased lines, 151
Deep Crack computer, 252
Defender, 152
Deloitte & Touche, LLP, 217, 329
Department of Commerce, 311, 362
Department of Defense, 247
Department of Energy,
Department of Health and Human Services, 311
Department of Justice, 306, 385
DES (data encryption standard), 251–254, 263
digital certificates, 257–259
Digital Millennium Copyright Act (DMCA), 291
digital signatures, 250–251, 257–258
digital watermarks, 293
Diner's Club, 108
DISA (Defense Information Systems Agency), 386
disaster recovery (see business resumption plan)
disclaimer of opinion, 94
DOS, 8, 20
dot-com bust, x–xii
DRII (Disaster Recovery Institute International), 386–387
EDI (electronic data interchange), 249
edit and reasonableness checks, 193
efficiency and effectiveness controls, 194
efficiency and effectiveness in business operations, 202–208
efficiency and effectiveness, debit card issuance, Case Study 9.11, 206
efficiency and effectiveness, documentation and testing of FOCUS extract database, Case Study 9.13, 207–208
efficiency and effectiveness, extract database not balanced, Case Study 9.12, 206–207
efficiency and effectiveness, IRA operations, Case Study 9.10, 204–205
efficiency and effectiveness, online banking application, Case Study 9.9, 203–204
efficiency and effectiveness, wire transfer automation, Case Study 9.8, 203
electronic access badge locks, 109, 111–115, 117
electronic access badge system with two halves, Case Study 7.3, 112–115
electronic commerce, 83, 293–295
Electronic Communications Privacy Act, 312
Electronic Frontier Foundation (EFF), 88, 252, 311, 387
electronic mail system unknown, Case Study 2.1, 16–17
electronic mail, 296
emergency and detection controls, 109, 122–123
emergency power and UPS systems, Case Study 7.13, 131–132
emergency response team (ERT), 272
EnCase Pro, 274
encryption and cryptography, 247–264
encryption, 28, 31, 44, 46, 145, 164–165, 249, 251
encryption, asymmetric with hashing and digital signatures, Exhibit 11.4, 258
encryption, asymmetric with hashing, Exhibit 11.3, 257
encryption, asymmetric, Exhibit 11.2, 256
encryption, key management, 259–260
encryption, secure electronic messages, Exhibit 11.1, 250
encryption, weak password, Case Study 11.1, 262–263
encryption, wire transfer system, Case Study 11.2, 263
Enron, x–xi
environmental controls, 32, 250
Epicor Software Corporation, 268
Ernst & Young, LLP, 213, 270
ERP (enterprise resource planning) applications, 9, 366
errors and inefficiencies, ACH posting, Case Study 9.3, 195–197
errors and inefficiencies, credit bureau updates, Case Study 9.5, 199–200
errors and inefficiencies, loan/ATM fraud, Case Study 9.6, 200–201
errors and inefficiencies, merger oversights, Case Study 9.4, 197–199
errors and inefficiencies, unsupported application, Case Study 9.7, 201–202
eSAC model, 230
eSAC, 215, 224–226
escrow agreements for software source code, 30, 45–46
eTrue Corporation, 377
European Union Data Protection Directive (EUDPD), 308–309
external contractor risks, 369–370
extract databases, 194–195
FedCIRC (Federal Computer Incident Response Center), 387
Federal Register, 254
Federal Reserve, 19, 168, 251, 263, 308
Federal Trade Commission (FTC), 305, 308, 310–311
Feldman, Joan, 269
FFIEC (Federal Financial Institution Examination Council), 368–369, 387
file allocation table, 266
file slack, 266, 270
financial incentives for auditors, 342–348
financial incentives, develop CSA program, Exhibit 14.2, 344–345
financial incentives, efficiency and effectiveness recommendations, Exhibit 14.1, 344
financial incentives, internal customer satisfaction, Exhibit 14.6, 348
financial incentives, meet budgeted audit hours, Exhibit 14.4, 346–347
financial incentives, organization-wide system implementation, Exhibit 14.5, 347–348
financial incentives, risk exposure reduction and productivity increases, Exhibit 14.3, 345
financial statement risks of projects, 370–371
financial statements (audited, reviewed, compiled, internally prepared), 29, 92–93
financial statements missing, Case Study 6.4, 99
finger, 316
fingerprints, fake, 116
FIPS (Federal Information Processing Standard), 251, 256
firewall, credit card payment via Internet home banking software, Exhibit 13.1, 317
firewalls, 314–317
firmware, 11–13
FIT 1/94 (Faculty of Information Technology, England & Wales), 57–59, 61
fixed assets inventories, 125–126
fixed disk or fixed drive,
FOCUS database, 207–208, 283–285
forensics (see computer forensics)
ForensiX, 274
Foundstone, Inc., 387
FRAG 21/94 (Financial Reporting and Auditing Group, England & Wales), 57–58, 60–61
Frankel, Martin, 379
ftp (file transfer protocol), 296, 315
Fair Credit Reporting Act, 181
FDIC (Federal Deposit Insurance Corporation), 308, 311
GAAP (generally accepted accounting principles), 92–93
GAO (General Accounting Office), 221, 247
Gates, Bill, 376
General Motors Corporation, 269
GIAC (global information assurance certification), 336
gigahertz,
going concern, 95
Goldberg, Ian, 247, 255
gopher, 296, 315
graffiti, 299–300
Gramm-Leach-Bliley (GLB) Act, 50, 307–308
granularity, 148
Gruttadauria, Frank, 379
GUI (graphical user interface), 114
Gulf Canada Resources, 212
Gummi Bears, 116
hacking, 300–303
halon, 123
Hanssen, Robert, 378
hard disk or drive,
hardware (see computer hardware)
hash totals, 193–194
hashing, 250, 256–257
Hawking, Stephen, 377
help desk, 191
Hewlett Packard,
HIPAA (Health Insurance Portability and Accountability Act), 310–311, 313
Hitachi Corporation,
Holberton, Frances, xvii
hot site, 134
HTCIA (High Tech Crime Investigators Association), 387–388
HTML (hypertext markup language), 297, 302
HTTP (hypertext transfer protocol), 296, 299, 315
humanistic skills for successful auditing, 339–341
HVAC (heating, ventilation, and cooling) systems, 109, 123–124
IANA (Internet Assigned Numbers Authority), 315
IBM "Blue Gene" computer,
IBM AS/400 and OS/400, 3, 21, 120, 156
IBM Corporation, 3–4, 253, 294
IBM DB2,
IBM MVS operating system, 69–70, 327
IBM OS/2, 8, 21
IBM System/390 and OS/390, 3, 8, 20, 322, 392
ICAA (Institute of Chartered Accountants in Australia), 335, 388
ICAEW (Institute of Chartered Accountants in England and Wales), 57, 335, 389
ICANN (Internet Corporation for Assigned Names and Numbers), 297, 390
IDEA, 278
identity theft, 305–306
IEEE (Institute of Electrical and Electronics Engineers), 389
IETF (Internet Engineering Task Force), 152, 390
IFAC (International Federation of Accountants), 390
IIA (see Institute of Internal Auditors)
IIARF (Institute of Internal Auditors Research Foundation), 224–226
IMA (Institute of Management Accountants), 336
improper removal of computer equipment from fixed assets, Case Study 7.7, 125–126
information privacy (see privacy)
information protection program development, Case Study 4.2, 48–50
Information Security Magazine, 35, 338
Information Systems Audit and Control Association (ISACA), 213, 221, 228, 323–324, 326–330, 332, 338, 388
information systems operations controls, 32–33, 185–208
information systems project management audits, 355–373
information systems project management methodology, 358–359, Exhibit 15.1
information systems project well managed, Case Study 15.2, 365
information systems project, security weaknesses, Case Study 15.3, 371–372
information systems projects, organizational vs low risk, 365
information systems projects, poorly managed development department, Case Study 15.4, 372–373
information systems projects, rapid implementation, Exhibit 15.3, 366
information systems projects, vendor goes out of business, 367–368
information systems security guidelines, 46–47, 51
information systems security policy, 35–43, 51, 250
information systems security policy, Exhibit 4.1, 37–40
information systems security policy, government organization lacking, Case Study 4.3, 50–51
information systems security standards, 43–46, 51
information systems security standards, Exhibit 4.2, 43–46
information systems security standards, inadequate, Case Study 4.1, 47
Infoseek Corporation, 269
Institute of Internal Auditors (IIA), 213, 215, 221, 228, 291, 323–324, 328–329, 333–334, 336, 338, 389
insurance, 30, 45, 109, 124–125, 191
insurance, noncompliance with requirements, Case Study 7.8, 127
integrity and completeness checks, 193
integrity of information, 251
Intel Corporation Pentium family of computer chips, 3–5, 248
Interagency Operations Security Support (IOSS), 389
Internal Auditor Journal, 338
internal database balancing and monitoring, 194–195
Internet and Internet security, 83, 248, 277, 295–317
Internet Engineering Task Force (IETF), 298
Internet Scanner, 301
Internet Society (ISOC), 298, 391
Internet Week Magazine, 35
Internet, excessive employee use, Case Study 13.6, 313–314
Internet, inadequate web disclosures, Case Study 13.5, 311–312
Interpol, 389
IPL (initial program load), 301
IPSec (Internet Protocol Security), 152–153
Iridian Technologies, 377
IS Audit and Control Journal, 338
ISACA (see Information Systems Audit and Control Association)
ISACF (Information Systems Audit and Control Foundation), 224
ISC2 (International Information Systems Security Certification Consortium), 335–336, 390
ISO and ISO-OSI (open systems interconnect) model, 11–12, 221, 390, 395, 401–402
ISSA (Information Systems Security Association), 388
ITAA (Information Technology Association of America), 388
J.D. Edwards ERP system,
job creativity, 341–342
job scheduling and monitoring, 186–189
job scheduling software, lack of, Case Study 9.1, 187–189
Journal of Accountancy, 339
jukeboxes,
Julian, David, 269
Jurassic Park, 136–137
King County, Washington, 357
KPMG, LLP, 213
Kroll and Associates, 269
L0PHTCRACK, 268
LAN (local area network), 175–178
laptop computer stolen, Case Study 7.1, 108–109
laptop computers stolen, 108
Lawrence Livermore National Laboratory,
Lawson ERP system,
Legal Disk Imager, 275
Lloyd, Timothy, 379
locks (conventional key, electronic, cipher, combination, biometric), 109
logging, 31, 45, 142–144, 167, 173
logging, deceptive action identified by, Case Study 8.1, 143–144
logic bombs, 286
logical security controls, 10–11, 31–33, 250
logical security weaknesses, ACH users share passwords, Case Study 8.10, 163
logical security weaknesses, ATM parameter settings, Case Study 8.6, 160
logical security weaknesses, ATM vendor applications, Case Study 8.19, 182–183
logical security weaknesses, check processing system,
Case Study 8.2, 156–157 logical security weaknesses, credit bureau audit trails, Case Study 8.17, 180–181 logical security weaknesses, credit card processing, Case Study 8.4, 158–159 logical security weaknesses, deposit and loan system design flaws, Case Study 8.11, 164– 167 logical security weaknesses, e-mail system design, Case Study 8.14, 174–175 logical security weaknesses, incoming wire transfer settings, Case Study 8.7, 160–162 logical security weaknesses, inquiry access, Case Study 8.18, 181–182 logical security weaknesses, multi-state LAN, Case Study 8.15, 175–178 logical security weaknesses, payroll application design, Case Study 8.13, 173– 174 logical security weaknesses, remote vendor terminal, Case Study 8.9, 162–163 logical security weaknesses, teller fraud, Case Study 8.5, 159–160 logical security weaknesses, temporary employees, Case Study 8.3, 157–158 logical security weaknesses, travelers’ check system, Case Study 8.8, 162 Index 427 logical security weaknesses, variety of applications, Case Study 8.16, 178–180 logical security weaknesses, wire transfer system, Case Study 8.12, 167–170 Lotus 1–2–3, Lucent Technologies, 379 MAC (message authentication code), 256 Macintosh Corporation and OS X, 8, 21, 289– 290 maiden password, 28, 31, 44, 144–145, 154 maintenance procedures, 191 Makosz, Paul, 212 malware, 290–291 MAPCO, Inc., 212–214 MarcSpider, 293 MARS, 253 MasterCard, 108, 294 Matsumoto, Tsumtomu, 116 McCaw, Craig, 376 McCuaig, Bruce, 212 MD–5, 256 megahertz, Micro Law, Inc., 267 Micro-ID, 267 Microsoft Access, 9, 278 Microsoft Corporation, 260, 292, 294, 376 Microsoft Excel, 9, 278 Microsoft SQL Server, Microsoft Windows 2000, 21 Microsoft Windows NT, 268, 289–290, 327 Microsoft Windows, Microsoft Word, MIS Training Institute, 324, 391 Mitsubishi Corporation, Monarch, 278, 280–283 Moore’s Law, 4, Morris, Mark, 271–272 Morris, Robert T., 302 motivation of auditors, 341–348 Motorola Corporation, Mount Saint Helens, 107 multifactor authentication, 
151 NACHA (National Automated Clearinghouse Association), 196 nanoscience, 377–378 National Centers for Environmental Prediction, National Commission on Fraudulent Financial Reporting, 216 National Science Foundation, 298 Nations Bank, 198 Naughton, Patrick, 269 Naval Weapons Credit Union, 116 NCUA (National Credit Union Administration), 172, 308 NEC Earth Simulator computer, NEC, 3, negotiation of audit recommendations, Case Study 14.1, 349 Nessus, 301 Netscape, 255, 260, 294 network address translation (NAT), 315 Network Solutions, Inc., 297 networking, 329–330 NIA (National Institute of Accountants), 336, 391 NIPC (National Infrastructure Protection Center), 391 Nisqually Earthquake (February 28, 2001), 134 NIST (National Institute of Standards and Technology, 251, 253, 391 nmap, 301 NNTP (network news/bulletin boards), 316 nonrepudiation, 251 Nordstrom Corporation, 379 Northwest Computer Support, 269 Norton firewall, 315 Norton Ghost 2000, 275 Norton Utilities, 266 Novell NetWare 5, 8, 21, 327 NSA (National Security Agency), 261, 302, 391–392 NSI (National Security Institute), 392 NTI (New Technologies, Inc.), 266, 275, 392 OCC (Office of the Comptroller of the Currency), 308 octet, 300 OFAC (Office of Foreign Assets Control), 392 Official Gazette, 362 Oklahoma City Federal Building, 107 Online Privacy Alliance, 311 operating systems, 8, 11–12 Oracle Corporation and database management system, 9, 371 output media distribution, 189–190 oversight groups, information systems projects, 360 Paradox, passphrase, 145 password catchers, 286–287 password controls, 28–29, 31, 44–46, 144–146, 148, 150 password masking, 28, 31, 44, 145 Patent and Trademark Office, 362–363 428 Index payroll processor on the rebound, Case Study 6.3, 98 PC Tools, 266 PDA (personal digital assistant), 150 penetration tests, 301 Pentagon, 107 PeopleSoft, 9, 371 period of inactivity before sign off, 146 peripheral devices, physical security controls inadequate for a wire transfer/ACH CPU, Case 
Study 7.4, 117– 119 physical security controls inadequate for audio response CPUs, Case Study 7.5, 119 physical security controls inadequate for system console, Case Study 7.6, 119–120 physical security controls, 9–11, 30–31, 33, 107–140, 250 piggybacking, 116–117 Playboy Magazine, 293 PMI (Project Management Institute), 360–361 PMI, Exhibit 15.2, 392 PMP (project management professional), 361 ports, 315–316 practical experience, 339 Price Waterhouse, LLP, 213 Privacy Foundation, 311 privacy laws and regulations, 307–313 privacy of information, 303–312 problem management, 191–192 processing memory, professional associations, 325–329 public/private keys (see asymmetric algorithms) qualified opinion of a credit card service organization, Case Study 5.4, 67–71 qualified opinion of an ATM network service organization, Case Study 5.3, 66–67 qualified opinion, 93 RACF, 68 RAM (random access memory), 6, 13, 119 RC6, 253 RCW (Revised Code of Washington), 100 reading, 338–339, 403–404 reciprocal site, 135 Regulation Z, 352 remote access controls, 150, 180 repeat dialers, 286–287 Retina, 301 RICO (Racketeering Influenced Corrupt Organizations) Act, 379 Rijndael, 253 risk assessment matrix, network audit, Exhibit 2.2, 23 risk assessment/analysis, xii, 15, 19, 141, 266, 355 Roman Empire, 250 RSA (Rivest, Shamir, Adelman) and RSA Data Security, Inc., 152, 247–248, 252–253, 261, 393 Rusnak, John, 378 SAC, 215, 224–226 SAC, overview of the report, Exhibit 10.6, 225 Safe Harbor Act, 308–309, 311, 313 SafeBack, 267, 275–276 Sagent, 279 SAINT, 301 SAM files, 268 San Antonio City Employees’ Federal Credit Union, 116 Sandia Laboratories, 4, 274 SANS (System Administration, Networking, and Security) Institute, 393 SAP ERP system, SARA Amsterdam Academic Computer Center, 248 SAS 31 (see Statement on Auditing Standards #31) SAS 44 (see Statement on Auditing Standards #44) SAS 55 (see Statement on Auditing Standards #55) SAS 70 (see Statement on Auditing Standards #70) SAS 78 (see 
Statement on Auditing Standards #78) SAS 80 (see Statement on Auditing Standards #80) SAS 94 (see Statement on Auditing Standards #94) Schneier, Bruce, 253 Schwartau, Winn, 262 Seattle Pacific University, 329 Seattle University, 329 SEC (Securities and Exchange Commission), 308 Section 5900 (Canada), 57, 59 Secure Computing, 339 SecurID, 32, 152 security guards, 109, 120–123 Security Services Federal Credit Union, 116 segregation of duties, 194, 200–201 September 11, 2001, ix-xi, 107, 116, 133–134 Serpent, 253 service auditor reports, 55–65 service bureaus (see service organizations) service organization application, significant risk, Case Study 5.2, 61–64 Index 429 service organization without a SAS 70, Case Study 5.5, 71–73 service organization, a problem, Case Study 6.1, 95–97 service organizations, auditing, 53–55 SET (secure electronic transaction), 294, 314 SHA–1, 256 Shannon, Claude, xvii SIIA (Software and Information Industry Association), 291, 293, 393 smart cards, 295 SMF (System Management Facility), 69 Social Security Administration, 118 software not licensed, Case Study 6.9, 103– 104 software piracy, 103–104, 291–293 Someron, Nicko von, 248 SOP 98–1 (AICPA Statement of Position 98– 1), 30, 370 spam, 304–305 SPL (System Parameter Library), 69 spoofing, 302–303 SPOOL (simultaneous peripheral operation online), 189–190, 280, 282 SPOOL file, unprotected, Case Study 9.2, 190 SSCP (systems security certified practitioner), 336 SSL (secure sockets layer), 32, 150–152, 248, 294–295, 299, 314, 316 Star Trek, Star Wars, Statement on Auditing Standards #31 (SAS 31), 322 Statement on Auditing Standards #44 (SAS 44), 56 Statement on Auditing Standards #55 (SAS 55), 227–228 Statement on Auditing Standards #70 (SAS 70), 29, 56–57, 59, 61, 71–72, 79, 83, 85, 367 Statement on Auditing Standards #78 (SAS 78), 227–228 Statement on Auditing Standards #80 (SAS 80), 322 Statement on Auditing Standards #94 (SAS 94), 227–228 storage memory, Sun Microsystems, 3, 5, 248 
support of end-user applications, 195 swap files, 270 Sydex Corporation, 267, 275 Symantec Corporation, 152, 266, 275 symmetric algorithms, 251, 255 system security administration, 153–155 system software, system user ID, 144–145, 147 SysTrust, 29, 84–85, 368 Tandem, 20 TCP/IP, 296 Teledesic, 376 teleporting, telnet, 296, 315 temporary memory, teraflops, 3–5 termination of grand master key holder, Case Study 7.2, 110–111 testing requirements met with resistance, Case Study 14.2, 350–351 third-party-processors (see service organizations) time-of-day/day-of-week sign on, 46, 146–147 Tiny firewall, 301, 315 token devices, 32 Tomlinson, Ray, xvii trademark searches, 361–364 trademark snafu, Case Study 15.1, 362–364 training, 323–325 training, information systems projects, 360– 361 trapdoors, 286–287 Treadway Commission, 220 triple-DES, 255 Trojan horses, 286–287 TruSecure Corporation and certification, 29, 84, 368, 393 TRUSTe, 29, 84, 87–89, 311, 368, 393–394 two-factor authentication, 151 Twofish, 253 UCC (Uniform Commercial Code), 100 underaccrual of hardware lease costs, 105–106 Unisys Corporation, xviii UNIVAC, xviii University of California, Berkeley, 247 University of Washington, 329 Unix, 8, 268, 372 unqualified opinion, 93 UPS (uninterruptible power supply) systems, 110, 131–132 URL (uniform/universal resource locator), 297, 299, 302–303, 312 usenet, 296, 315 USENIX (Advanced Computing Systems Association), 394 UUCP (Unix to Unix communication protocol), 316 vendor application but no contract, Case Study 6.5, 102 430 Index web bugs, 304 websites, 297 WebTrust, 29, 84–86, 368 Western Union 306 Whisker, 301 whistle-blowing, 351–354 WinfingerPrint, 301 WinWhatWhere Investigator, 275 wire transfer fraud, 170–173 wire transfer systems, 19, 117–119, 137–138, 160–162, 167–170, 179–180, 203, 251, 263 WITSA (World Information Technology and Services Alliance), 394 WordPerfect, World Trade Center, 107 World Wide Web (WWW), xvii, 296, 315 World Wide Web Consortium (W3C), 
394 WORM (write-once-read-many) drives, 142 worms, 286–287,290–291 Xephon, 35 AM FL Y vendor contract missing for 12 years, Case Study 6.6, 102 vendor contract, no software support, Case Study 6.7, 102–103 vendor contracts, 30, 100–104, 368 vendor organizations, assessing financial stability, 91–100 vendor processing site, 135 vendor software license agreement outdated, Case Study 6.8, 103 vendor with compiled financial statements, Case Study 6.2, 97–98 VeriSign Corporation, 294, 394 video surveillance cameras, 109, 122 viruses, Macintosh, Case Study 13.4, 289–290 viruses, two examples, Case Study 13.3, 288– 289 viruses, xiv, 6–7, 286–291 VISA International, 108, 294 Vogon International, 275 Volkswagen, 269 VPN (virtual private network), 32, 151–153 TE WAN (wide area network), 22, 185, 295, 299 war dialers, 286–287 Year 2000 problem, xi, 327–328 ZoneAlarm firewall, 301, 315 .. .Auditing Information Systems Second Edition Jack J Champlain John Wiley & Sons, Inc Auditing Information Systems Second Edition Jack J Champlain John Wiley & Sons, Inc Copyright © 2003 by John. .. Audit Programs Information Systems Audit Program 27 27 28 Chapter Information Systems Security Policies, Standards, and/or Guidelines Information Systems Security Policies Information Systems Security... Computer Systems Getting Started Benefits of a Computing Systems Inventory Risk Assessment Note 15 15 17 19 24 PART TWO STANDARD INFORMATION SYSTEMS AUDIT APPROACH 25 Chapter Information Systems

Posted: 23/05/2018, 14:55