Lecture Accounting information systems: Chapter 12 - Richardson, Chang, Smith


Chapter 12 - Monitoring and Auditing AIS. After completing this chapter, students will be able to: understand the risks involved with computer hardware and software; understand and apply computer-assisted audit techniques; and explain continuous auditing in AIS.

Chapter 12: Monitoring and Auditing AIS
Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Learning Objectives
• LO#1 Understand the risks involved with computer hardware and software
• LO#2 Understand and apply computer-assisted audit techniques
• LO#3 Explain continuous auditing in AIS

Computer Hardware and Software
• Operating system (OS), the most important system software
• Database systems
• Local area networks (LANs)
• Wide area networks (WANs)
• Virtual private networks (VPNs)
• Wireless networks
• Remote access

Operating System (OS)
The operating system exists:
• To ensure the integrity of the system
• To control the flow of multiprogramming and the scheduling of tasks in the computer
• To allocate computer resources to users and applications
• To manage the interfaces with the computer

Operating System (OS) (Contd.)
Five fundamental control objectives. The operating system must:
• Protect itself from users
• Protect users from each other
• Protect users from themselves
• Be protected from itself
• Be protected from its environment
Operating system security should be included as part of IT governance when establishing policies and procedures for IT controls.

Database Systems
• A database is a shared collection of logically related data that meets the information needs of a firm
• A data warehouse is a centralized collection of firm-wide data covering a relatively long period of time
• An operational database supports daily operations and often includes data for the current fiscal year only

LANs
• A local area network (LAN) is a group of computers, printers, and other devices connected to the same network and covering a limited geographic range
• LAN devices include hubs and switches: a hub broadcasts traffic through all of its ports, while a switch provides a dedicated path for each pair of connected devices

WANs
• Wide area networks (WANs) link different sites together and transmit information across a broad geographic area, in order:
  • to provide remote access to employees or customers
  • to link two or more sites within the firm
  • to provide corporate access to the Internet
• WAN devices include routers and firewalls

WANs (Contd.)
• Routers: software-based intelligent devices that connect different LANs and forward packets by examining the Internet Protocol (IP) address
• Firewalls: a security system comprised of hardware and software, built from routers, servers, and a variety of software, that controls which data packets individuals on the corporate network may send to or receive from the Internet
• Virtual private network (VPN)

Wireless Networks
• A wireless network is comprised of two fundamental architectural components: access points and stations
• An access point logically connects stations to a firm's network
• A station is a wireless endpoint device equipped with a wireless network interface card (NIC)

Wireless Networks (Contd.)
Benefits of using wireless technology:
• Mobility
• Rapid deployment
• Flexibility and scalability
Security objectives for wireless networks:
• Confidentiality
• Integrity
• Availability
• Access control
Threats to wireless networks:
• Eavesdropping
• Man-in-the-middle
• Masquerading
• Message modification
• Misappropriation
• Rogue access point
• Message replay
• Traffic analysis

Security Controls in Wireless Networks
• Management controls: management of risk and of information system security
• Operational controls: protecting a firm's premises and facilities, preventing and detecting physical security breaches, and providing security training to employees, contractors, and third-party users
• Technical controls: primarily implemented and executed through mechanisms contained in computing equipment

Computer-assisted Audit Techniques (CAATs)
• CAATs are essential tools for auditors to conduct an audit in accordance with heightened auditing standards
• Generally Accepted Auditing Standards (GAAS) are broad guidelines regarding an auditor's professional responsibilities
• Information Systems Auditing Standards (ISASs), issued by ISACA, provide guidelines for conducting an IS/IT audit
• According to the Institute of Internal Auditors' (IIA) professional practice standard section

Use CAATs in Auditing Systems
• Tests of details of transactions and balances
• Analytical review procedures
• Compliance tests of IT general and application controls
• Operating system and network vulnerability assessments
• Application security testing and source code security scans
• Penetration testing
Two approaches: auditing around the computer and auditing through the computer

Auditing Around the Computer (the black-box approach)
• First calculate the expected results from the transactions entered into the system
• Then compare these calculations to the processing or output results
• The advantage of this approach is that the system is not interrupted for auditing purposes
• The black-box approach can be adequate when the automated application is relatively simple

Auditing Through the Computer (the white-box approach)
• The white-box approach requires auditors to understand the internal logic of the system/application being tested
• Auditing through the computer embraces a variety of techniques: the test data technique, parallel simulation, the integrated test facility (ITF), and the embedded audit module

Generalized Audit Software (GAS)
• Frequently used to perform substantive tests, and used for tests of controls through transactional-data analysis
• Reads and accesses data directly from various database platforms, giving auditors an independent means of access to data for analysis and the ability to use high-level, problem-solving software to invoke functions on data files
• Examples: Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA)

Continuous Audit

Fraud Schemes and Corresponding Proposed Alarms under Continuous Audits

Implementation of Continuous Auditing
Technologies used:
• Extensible Markup Language (XML)
• Extensible Business Reporting Language (XBRL)
• Database management systems
• Transaction logging and query tools
• Data warehouses
• Data mining or computer-assisted audit techniques (CAATs)

Implementation of Continuous Auditing (Contd.)
• Non-technical barriers and technical challenges exist
• A general template that a steering team or the internal audit function can use:
  • Evaluate the overall benefit and cost
  • Develop a strategy
  • Plan and design how to implement continuous auditing
  • Implement continuous auditing
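The slides list the white-box techniques (parallel simulation, embedded audit module) and the idea of continuous-audit alarms keyed to fraud schemes, but the deck itself carries no worked example. The following is an added illustration, written for this page and not taken from the textbook or from any GAS product. It runs a small embedded-audit-module style rule set over a constructed accounts-payable extract: one rule is a parallel simulation (the auditor's own recalculation of quantity times unit price compared against the amount the application stored), and the others are alarms for common fraud patterns (duplicate invoice, purchases split to stay under an approval threshold, payment to a vendor missing from the master file). The ledger rows, the vendor master, the vendor IDs and the 5,000 approval threshold are all hypothetical values made up for the example.

```python
"""Embedded-audit-module style checks over a constructed AP ledger (added example)."""
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Hypothetical control: invoices at or above this amount need a second approval.
APPROVAL_THRESHOLD = Decimal("5000.00")

# Constructed vendor master file (hypothetical vendor IDs).
VENDOR_MASTER = {"V100", "V200", "V300"}

# Constructed transaction extract, shaped like rows a GAS tool would pull from the AP table.
# "amount" is what the application stored; the audit module recomputes it independently.
LEDGER = [
    {"txn": 1, "date": date(2014, 3, 3), "vendor": "V100", "invoice": "A-1001",
     "qty": 10, "unit_price": Decimal("120.00"), "amount": Decimal("1200.00")},
    {"txn": 2, "date": date(2014, 3, 3), "vendor": "V100", "invoice": "A-1001",
     "qty": 10, "unit_price": Decimal("120.00"), "amount": Decimal("1200.00")},  # duplicate of txn 1
    {"txn": 3, "date": date(2014, 3, 4), "vendor": "V200", "invoice": "B-77",
     "qty": 3, "unit_price": Decimal("999.99"), "amount": Decimal("2999.79")},   # stored amount is wrong
    {"txn": 4, "date": date(2014, 3, 5), "vendor": "V300", "invoice": "C-1",
     "qty": 1, "unit_price": Decimal("4900.00"), "amount": Decimal("4900.00")},  # just under threshold
    {"txn": 5, "date": date(2014, 3, 5), "vendor": "V300", "invoice": "C-2",
     "qty": 1, "unit_price": Decimal("4950.00"), "amount": Decimal("4950.00")},  # same vendor, same day
    {"txn": 6, "date": date(2014, 3, 6), "vendor": "V999", "invoice": "Z-9",
     "qty": 2, "unit_price": Decimal("50.00"), "amount": Decimal("100.00")},     # vendor not in master
]


def check_recomputation(rows):
    """Parallel simulation: recompute qty * unit_price and compare to the application's amount."""
    alarms = []
    for r in rows:
        expected = (Decimal(r["qty"]) * r["unit_price"]).quantize(Decimal("0.01"))
        if expected != r["amount"]:
            alarms.append(("RECALC_MISMATCH", r["txn"], f"expected {expected}, system {r['amount']}"))
    return alarms


def check_duplicate_invoices(rows):
    """Alarm when the same vendor/invoice pair is paid more than once."""
    seen, alarms = {}, []
    for r in rows:
        key = (r["vendor"], r["invoice"])
        if key in seen:
            alarms.append(("DUPLICATE_INVOICE", r["txn"], f"same vendor/invoice as txn {seen[key]}"))
        else:
            seen[key] = r["txn"]
    return alarms


def check_split_purchases(rows, threshold=APPROVAL_THRESHOLD):
    """Alarm when several sub-threshold invoices to one vendor on one day add up past the threshold."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], r["date"])].append(r)
    alarms = []
    for (vendor, day), group in groups.items():
        below = [r for r in group if r["amount"] < threshold]
        total = sum((r["amount"] for r in below), Decimal("0"))
        if len(below) >= 2 and total >= threshold:
            txns = [r["txn"] for r in below]
            alarms.append(("SPLIT_PURCHASE", txns[0], f"{vendor} on {day}: txns {txns} total {total}"))
    return alarms


def check_vendor_master(rows, master=VENDOR_MASTER):
    """Alarm on payments to vendors absent from the approved master file."""
    return [("UNKNOWN_VENDOR", r["txn"], f"vendor {r['vendor']} not in master file")
            for r in rows if r["vendor"] not in master]


def run_audit_module(rows):
    """Run every rule and return (alarm_code, txn, detail) tuples ordered by transaction."""
    alarms = []
    for rule in (check_recomputation, check_duplicate_invoices, check_split_purchases, check_vendor_master):
        alarms.extend(rule(rows))
    return sorted(alarms, key=lambda a: (a[1], a[0]))


if __name__ == "__main__":
    for code, txn, detail in run_audit_module(LEDGER):
        print(f"{code:<18} txn={txn} {detail}")
```

In a continuous-audit deployment these rules would run against the transaction log or data warehouse as records arrive, with each alarm routed to the internal audit function; the constructed ledger above triggers exactly one alarm per rule (transactions 2, 3, 4 and 6). Monetary values are kept as Decimal so the recalculation rule compares exact amounts rather than floating-point approximations.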

Posted: 18/01/2020, 17:49

Contents

  • Slide 1

  • Learning Objectives

  • Computer hardware and Software

  • Operating System (OS)

  • Operating System (OS) (Contd.)

  • Database Systems

  • LANs

  • WANs

  • WANs (Contd.)

  • Wireless Networks

  • Wireless Networks (Contd.)

  • Security Controls in Wireless Networks

  • Computer-assisted Audit Techniques (CAATs)

  • Use CAATs in Auditing Systems

  • Auditing around the computer (the black-box approach)

  • Auditing through the computer (the white-box approach)

  • Generalized Audit Software (GAS)

  • Continuous Audit

  • Slide 19

  • Implementation of Continuous Auditing
