EDP AUDIT - PowerPoint PPT Presentation

1
EDP AUDIT THE EFFECTS OF COMPUTER
  • PRESENTATION TO MSc. ACCOUNTING & FINANCE GROUP
    2004/5
  • LEICESTER BUSINESS SCHOOL, GRADUATE CENTRE
  • BEDE ISLAND
  • 01 MARCH 2005
  • Presenters - Bhumika, Oby, Blessing, Fredrick.

2
STRUCTURE OF PRESENTATION
  • INTRODUCTION
  • - Definition of EDP Audit and Computer crime.
  • - Literature review / background information of
    EDP Audit and computer crime
  • - The need for EDP Audit as a result of computer
    crime
  • -The cost of computer crimes
  • - DATA COLLECTED ANALYSIS
  • - Effects of EDP on auditing, risks presented by
    Electronic Service Delivery, Controls
  • - IS auditing Standards and guidelines
  • - Methods of computer crime: how computer crime
    is done
  • - Financial / Economic and Social effects of
    computer crime
  • - Regulatory and theoretical framework of
    EDP Audit.
  • - Contemporary cases
  • CONCLUSION
  • - Limitations of the presentation / study
  • - Recommendations to Management / IS Auditors
  • - Where to? EDP Audit vs. Computer Crime.

3
INTRODUCTION
  • EDP Audit: EDP auditing is an analysis of an
    organisation's computer and information systems in
    order to evaluate the integrity of its production
    systems as well as potential security cracks.
  • Computer crime: deliberate actions to steal,
    damage, or destroy computer data without
    authorisation, as well as accessing a computer
    system and/or account without authorisation.
  • Literature Review: Computer Security Institute,
    CSI 2004,
  • The cost of computer crimes - The FBI estimates
    that only 1% of all computer crime is detected.

4
DATA COLLECTED ANALYSIS
  • EDP/IS Audit function- assess the extent to
    which computer systems can be relied upon to
  • - safeguard assets,
  • - maintain data integrity
  • - achieve organisational goals
  • New Audit Objectives?
  • New risks Changed levels of existing
    risk
  • It is pertinent to note that the auditor is a
    watchdog and not a bloodhound, implying that it
    is not his responsibility to implement fraud
    prevention and detection procedures.
  • An awareness of the new risks presented by
    computerization and the implementation of
    appropriate controls to mitigate these risks by
    management would provide reasonable assurance to the
    auditor on the legitimacy of transactions and the
    reliability of records. An information systems
    security policy is an essential starting point to
    achieving this.
  • Effects of EDP on Auditing
  • The audit function in an EDP environment would
    seek to evaluate the adequacy and reliability of
    the control environment set up by management to
    protect business information before relying on
    that information to form a professional opinion.
  • - adequacy and appropriateness of controls
    will depend on the degree of risk involved in
    particular types of electronic activities,
    example-
  • - will entail an understanding/awareness on
    the part of the auditor of IS risks, IS controls,
    IS auditing Standards and Procedures/guidelines
    issued by regulating bodies.
  • - regularly update and maintain his skills
    in line with changing technology

5
DATA COLLECTED ANALYSIS
  • RISK PRESENTED BY ELECTRONIC SERVICE DELIVERY
  • Threats to accountability from
    anonymous processing
  • Vulnerability to amendment
  • Ease of duplication
  • Invisible processing
  • Remote access
  • The non existence of an audit trail
  • Reliance on third party service providers
  • CONTROLS AND IS AUDIT STANDARDS
  • EDP Controls
  • Intrusion detection systems
  • Electronic/Digital Signatures
  • Encryption Technologies
  • Firewalls

6
Some Security Problems Are Harder Than Others
Comment: Most of the security threats or crimes
go unnoticed for a very long time.
Source: http://www.jciac.org/docs/5
7
DATA COLLECTED ANALYSIS
  • METHODS OF COMPUTER CRIME
  • Old computer crime
  • a) Stealing a PC/Laptop with information
  • b) Using a computer to commit fraud
  • New Computer crimes
  • 1) Unauthorised use of computers
  • passwords,
  • changing data,
  • file deletion,
  • denying service to authorised users
  • 2) Malicious computer programmes: virus, worms,
    logic bomb, hoax, Trojan horse
  • 3) Cyber Banking fraud
  • 4) Cyber Laundering fraud via the internet
  • 5) Internet Bankruptcy fraud
  • 6) Hacking
  • 7) Securities or commodities fraud
  • 8) Harassment and stalking in cyberspace

8
DATA COLLECTED ANALYSIS
[Picture 4]
Comment: Picture 4 shows us hacking at its best.
A young lad busy, most probably during the night,
hacking information on the internet.
Source: http://www.jciac.org/docs/5
9
DATA COLLECTED ANALYSIS
Dollar Amount of Losses by Type
269 out of 494 respondents. Total Losses 142m.
Computer Security Institute. CSI/FBI 2004
Computer Crime and Security Survey
10
DATA COLLECTED ANALYSIS
Australia 2004 Annual Losses by Type
137 respondents / 57 estimated dollar losses.
Source Australian Computer Crime and Security
Survey
11
DATA COLLECTED ANALYSIS
  • OTHER STATISTICS ON COMPUTER CRIME
  • Computer crime cost businesses in the UK over
    121m in 2003. This was made up of financial
    losses, clear up costs and the loss of customer
    confidence. Theft of data itself cost 6.6m.
    Virus attacks cost 27.8m to clear up. - UK Home
    Office Junior Minister Caroline Flint
  • There are now in excess of 60,000 computer
    viruses. Just one - Love Bug - remains the most
    financially damaging, costing 8.7bn (5.6bn) in
    productivity and clean up costs. - Dept of Trade
    and Commerce, Australia.
  • In 1999, global information losses totalled more
    than 45bn (Pounds 31.2bn). - PwC's Internet
    Security and Business Risks Survey.
  • The Federal Trade Commission in the US estimated
    financial loss due to computer information and ID
    theft to be around 48 billion in 2002. - ID Theft
    Resource Centre, 2003
  • 68% of computer crime is related to virus attacks
    and malicious computer programmes - Ernst &
    Young, Global Information Security Survey 2004

12
DATA COLLECTED ANALYSIS
  • SOCIAL EFFECTS OF COMPUTER CRIME
  • Security of the nation is compromised, e.g.,
    250,000 hacks hit the US Defense Dept in 1999 -
  • Cyber terrorism: use of information technology
    by terrorist groups and individuals to further
    their agenda. This can include use of information
    technology to organize and execute attacks
    against networks, computer systems and
    telecommunications infrastructures, or for
    exchanging information or making threats
    electronically. Examples are hacking into
    computer systems, introducing viruses to
    vulnerable networks, web site defacing,
    denial-of-service attacks, or terroristic threats
    made via electronic communication.
  • Child pornography: increase in cases on the internet
  • Corporate organisations suffer - Loss of
    customers, market share
  • - Corporate embarrassment
  • - Litigation costs can be high
  • - Fall in share prices
  • Loss of confidence among business partners
    could lead to loss of entire business, and
    employment.

13
DATA COLLECTED ANALYSIS
  • CASE STUDIES
  • Fake HSBC website developed in Hong Kong
  • Bank Manager confesses to defrauding New Zealand
    Bank of 19million.
  • Video excerpt - Credit / Debit Card Fraud
  • - Nigeria 419 e-mail scam

14
CONCLUSION
  • Limitations of the presentation / study
  • The topic is so wide and there is need
    for further research to determine the extent of
    the damage as a result of computer crime. No
    central databases for statistics.
  • Recommendations to Management / IS Auditors
  • Audit committees should oversee management's
    implementation and maintenance of an adequate
    system of internal control.
  • Formal codes of conduct that include policies
    related to computer resources should be adopted.
  • Internal Auditors should have the knowledge and
    capability to review and evaluate the adequacy of
    internal controls over computerized systems.
  • Training and development of staff
  • Professional auditing standards should clarify
    the minimum procedures to be performed by
    independent auditors
  • Educational institutions should embrace more
    Information Systems / EDP Audit concepts.
  • Where to? EDP Audit vs. Computer Crime.
  • New Levels and New Devils

15
  • THANK YOU FOR YOUR ATTENTION.
  • INVITE QUESTIONS FROM THE AUDIENCE