Week 4: IC in a computerized environment

1
Week 4 IC in a computerized environment

• Some concepts of control do not change
• Objectives
• Framework (COSO)
• Internal Environment
• Implementation will change
• More focus on system (imbedded) controls
• Continuous rather than periodic controls
• Random v. systematic errors
• COBIT augments existing framework

2
Computerized Controls

• Friend or Foe?
• Benefits Decrease human error, restrict access,
  decrease duplication of input, audit trail
• Detriments Confidentiality, system integrity,
  completeness, input errors, audit trail

3
Categories of IC in a computerized environment

• General Controls pervasive, relate to the
  entire system
• Control environment must be managed well to
  enhance effectiveness of application controls
• Application Controls specific, relate to
  individual portions of the systemor types of
  transactions
• Prevent, detect, correct errors in input,
  processing, output

4
General Controls

• System reliability
• Separation of incompatible functions
• Access
• Backup and recovery
• Management of the IS function
• Adopting an IS mindset

5
System Reliability

• System reliability is defined as
• A system that operates without material error,
  fault or failure during a specified time in a
  specified environment.

6
Principles to achieve system reliability

• a. Security- The system is protected against
  unauthorized access (both physical and logical).
• b. Availability- The system is available for
  operation and use as committed or agreed.
• c. Processing integrity- System processing is
  complete, accurate, timely, and authorized.
• d. Confidentiality- Information designated as
  confidential is protected from unauthorized
  disclosure.
• e. Privacy- Personal information obtained as a
  result of e-commerce is collected, used,
  disclosed, and retained as committed or agreed.

7
Criteria for implementing principles of system
reliability

• Policies- The entity has defined and documented
  its security policies relevant to the particular
  principle.
• Communications- The entity has communicated its
  defined policies to authorized users.
• Procedures- The entity uses procedures to achieve
  its objectives in accordance with its defined
  policies.
• Monitoring- The entity monitors the system and
  takes action to maintain compliance with its
  defined policies.
• NOTE Management involvement and support is
  necessary

8
Security

• Security is a management issue, not a technology
  issue
• RedundancyDefense in depth
• Control categoriesapply to manual and computer
• Preventive
• Detective
• Monitoring
• Examples?

9
Availability

• Threats
• Hardware/software failure
• Natural/man-made disasters
• Human error
• Worms/Viruses
• Sabotage

10
Availability

• Controls
• Disaster Recovery Plan (continuity)
• Access Controls physical and automated
• Preventive maintenance
• Surge protectors/uninterruptible power supply
• Training

11
Processing Integrity

• Accurate, timely, authorized transactions and
  completeness
• Types of controls
• Source Data controls
• Data entry controls
• Processing controls
• Output controls

12
Source Data Controls

• Form Design
• Cancellation
• Secure Storage
• Segregation of Duties
• Authorization

13
Data Entry Controls

• Computer field checks
• Range checks
• Completeness checks
• Validity Checks
• Means to achieve
• Error logs
• Batch totals
• Sequence checks

14
Processing Controls

• Data matching
• Batch total recalculation
• Write Protection

15
Output Controls

• Usually manual
• Reconciliations
• Key reconciliation for a system is sub-ledger to
  control account in G/L
• Source documentation verification

16
Confidentiality

• Each organization has its own definition of what
  this means.
• Examples of items usually considered
  confidential
• Business Plans
• Pricing
• Customer Lists
• Contracts

17
Confidentiality

• Controls
• Encryption Storage and Transmission
• Access Controls Read/Write, changes, deletion,
  copy, etc.
• Authentication Unique ID, Passwords,
  Fingerprints

18
Confidentiality

• Threats
• E-mail
• Instant Messaging
• Downloads
• NOTE Monitoring in this area is required as new
  threats are occurring almost daily

19
Privacy

• Focuses on protecting personal information about
  customers and employees
• Vs. confidentiality which deals predominately
  with organization data
• Same controls as those for Confidentiality
  (Encryption, Access, Authentication)
• Federal and some States have regulations around
  customer information privacy
• Identity theft issues

20
Electronization of business

• Redesign of internal processes is often
  implemented to conduct e-business, and is often
  the result of conducting e-business.
• Sometimes is an imperative for survival.
• Does not directly provide a competitive
  advantage.
• Can be used to more effectively implement a basic
  strategy.

21
What makes electronization of business successful

• The degree to which e-business activities fit and
  support the organizations overall business
  strategy (understanding strategy is a method to
  do this)
• The ability to guarantee that e-business
  processes satisfy the three key characteristics
  of any business transaction (encryption is a
  method to do this)
• Validity
• Integrity
• Privacy

22
Characteristics

• Validity
• authenticate identity of other (both) parties, so
  the contract is enforceable
• Integrity
• ensure that the information exchanged has not
  been altered
• Privacy
• ensure that confidentiality is maintained

23
Definitions

• Encryption Transforming normal text (Plaintext)
  into unreadable gibberish (i.e. Ciphertext).
• Decription Transforming Ciphertext into
  Plaintext. Reverses encryption process.
• Hash a short code used to perform encryption
  (i.e. hashing)

24
Encryption

• There are two principal types of encryption
  systems
• Single-key systems Same key is used to encrypt
  and decrypt the message (symmetric)
• Simple, fast, and efficient
• Public Key Infrastructure (PKI) Uses pair of
  keys, one to encrypt and one to decrypt
  (asymmetric)
• Public key is available to all who want it
• Private key is kept secret and known only by the
  owner of that pair of keys.

25
Digital Signatures and Digests

• Digital signature A method of uniquely
  identifying the sender of a message.
• Digital certificate third party verification
  that the owner of a private/public key pair is
  who the signature says it is
• Digest A digital summary. If any individual
  character in the original document changes, the
  value of the digest also changes. It does not
  provide the information, just knowledge that the
  information has/ has not changed

26
IS perspective for Business

• security training
• consciousness of the folks involved
• familiarity breeds slackers
• segregation of duties becomes more difficult
• hard to restrict access
• changing data/programs is common
• development control
• mission critical v. personal uses
• Use of Spreadsheetssee reading for today for
  copious detail

27
Access Control Matrix

• A table listing all authorized users and their
  corresponding abilities within a system. This
  should include type of access as well
• Read
• Change
• Delete
• Powerful SOD tool
• Change management is key to remaining effective
• Type of control?
• Preventive

28
Only Sally can read
SALLY
ERIN
Contract Erin buy from Sally
Contract- Erin buy from Sally
Contract is private
Must be from Erin
Internet or Network
Contract is unaltered
Digital Signature
Erins computer
Sallys computer
29
General Controlsbased on COBIT

• Company level controls
• Monitoring, planning, assessmentDefinition of IT
  roles, Assessment of significant IT activities
  outside the IT function
• Change controls
• Approval, separation of duties, policiesTesting
  QA of changes, authorization of changes,
  separate developers from production environment
• Operations
• Policies, rolesFormal backup policies,
  operational policies and procedures well defined
• Security
• Review, access, data/systemperiodic review of
  access, policies for admitting new users/user
  access, review of exception logs

30
Key application controls

• Batch totals -aid in computer environment, often
  embedded in the process
• Source data controls pre-numbered, turnaround,
  computer-readable
• Online data entry
• preformat
• prompt
• accuracy (completeness)

31
More application controls

• Input validation
• edit program
• sequence checks
• validity check
• File maintenance
• reconcile master with other data
• data security
• Output controls
• user review
• reconcile batch totals
• error logs

32
Goal orientedexplicit

• Tie controls to goals
• Operations
• Information
• Create control plans
• Evaluate the usefulness of controls
• Formal method