Week 4: IC in a computerized environment - PowerPoint PPT Presentation

About This Presentation
Title: Week 4: IC in a computerized environment
Description: Benefits: Decrease human error, restrict access, decrease ... Encryption: Transforming normal text (Plaintext) into unreadable gibberish (i.e. Ciphertext) ... – PowerPoint PPT presentation

Slides: 33
Provided by: busi219

Transcript and Presenter's Notes

1
Week 4 IC in a computerized environment
  • Some concepts of control do not change
  • Objectives
  • Framework (COSO)
  • Internal Environment
  • Implementation will change
  • More focus on system (embedded) controls
  • Continuous rather than periodic controls
  • Random v. systematic errors
  • COBIT augments existing framework

2
Computerized Controls
  • Friend or Foe?
  • Benefits: decrease human error, restrict access,
    decrease duplication of input, audit trail
  • Detriments: confidentiality, system integrity,
    completeness, input errors, audit trail

3
Categories of IC in a computerized environment
  • General Controls: pervasive; relate to the
    entire system
  • Control environment must be managed well to
    enhance effectiveness of application controls
  • Application Controls: specific; relate to
    individual portions of the system or types of
    transactions
  • Prevent, detect, correct errors in input,
    processing, output

4
General Controls
  • System reliability
  • Separation of incompatible functions
  • Access
  • Backup and recovery
  • Management of the IS function
  • Adopting an IS mindset

5
System Reliability
  • System reliability is defined as: a system that
    operates without material error, fault or failure
    during a specified time in a specified environment.

6
Principles to achieve system reliability
  • a. Security: the system is protected against
    unauthorized access (both physical and logical).
  • b. Availability: the system is available for
    operation and use as committed or agreed.
  • c. Processing integrity: system processing is
    complete, accurate, timely, and authorized.
  • d. Confidentiality: information designated as
    confidential is protected from unauthorized
    disclosure.
  • e. Privacy: personal information obtained as a
    result of e-commerce is collected, used,
    disclosed, and retained as committed or agreed.

7
Criteria for implementing principles of system
reliability
  • Policies: the entity has defined and documented
    its security policies relevant to the particular
    principle.
  • Communications: the entity has communicated its
    defined policies to authorized users.
  • Procedures: the entity uses procedures to achieve
    its objectives in accordance with its defined
    policies.
  • Monitoring: the entity monitors the system and
    takes action to maintain compliance with its
    defined policies.
  • NOTE: Management involvement and support are
    necessary

8
Security
  • Security is a management issue, not a technology
    issue
  • Redundancy: defense in depth
  • Control categories apply to manual and computer
    systems
  • Preventive
  • Detective
  • Monitoring
  • Examples?

9
Availability
  • Threats
  • Hardware/software failure
  • Natural/man-made disasters
  • Human error
  • Worms/Viruses
  • Sabotage

10
Availability
  • Controls
  • Disaster Recovery Plan (continuity)
  • Access controls: physical and automated
  • Preventive maintenance
  • Surge protectors/uninterruptible power supply
  • Training

11
Processing Integrity
  • Transactions are complete, accurate, timely and
    authorized
  • Types of controls
  • Source Data controls
  • Data entry controls
  • Processing controls
  • Output controls

12
Source Data Controls
  • Form Design
  • Cancellation
  • Secure Storage
  • Segregation of Duties
  • Authorization

13
Data Entry Controls
  • Computer field checks
  • Range checks
  • Completeness checks
  • Validity Checks
  • Means to achieve
  • Error logs
  • Batch totals
  • Sequence checks

14
Processing Controls
  • Data matching
  • Batch total recalculation
  • Write Protection
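
The data entry controls of slide 13 (field, range, completeness, validity and sequence checks, error logs, batch totals) and the processing controls of slide 14 (data matching, batch total recalculation), as an added example that is not part of the original deck. The customer master file, the field limits, the five keyed records and the clerk's hand-computed control totals are all constructed for the example; the batch is built so that one source document (sequence number 4) was never keyed and four of the keyed records each carry one defect.

```python
"""Added example (not from the slides): data-entry and processing controls over one batch."""
from decimal import Decimal, InvalidOperation

# Constructed reference data (hypothetical): the customer master file the validity check consults.
CUSTOMER_MASTER = {"C001", "C002", "C003"}

# Limits for this transaction type (hypothetical), used by the range checks.
MAX_QTY = 1000
MAX_AMOUNT = Decimal("100000.00")
REQUIRED_FIELDS = ("invoice", "customer", "qty", "amount")

# Constructed input batch (hypothetical). Sequence number 4 was never keyed, and four of the
# five records that were keyed each carry one deliberate defect.
BATCH = [
    {"seq": 1, "invoice": "INV1001", "customer": "C001", "qty": "5", "amount": "125.00"},
    {"seq": 2, "invoice": "INV1002", "customer": "C009", "qty": "2", "amount": "40.00"},      # unknown customer
    {"seq": 3, "invoice": "INV1003", "customer": "C002", "qty": "x", "amount": "10.00"},      # non-numeric qty
    {"seq": 5, "invoice": "INV1005", "customer": "C003", "qty": "1", "amount": "999999.00"},  # amount out of range
    {"seq": 6, "invoice": "",        "customer": "C001", "qty": "3", "amount": "30.00"},      # invoice number blank
]

# Control totals the clerk computed by hand from the six source documents (constructed). The hash
# total is the sum of the sequence numbers: a non-financial field added up purely for control.
CLAIMED_TOTALS = {"record_count": 6, "financial_total": Decimal("1000254.00"), "hash_total": 21}


def to_decimal(text):
    """Field-check helper: the amount as a Decimal, or None if the text is not numeric."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def check_record(rec):
    """Data-entry controls for one record; returns the list of exceptions (empty list = clean)."""
    errors = []
    # Completeness check: every required field carries a value.
    for name in REQUIRED_FIELDS:
        if not str(rec.get(name, "")).strip():
            errors.append(f"completeness: {name} is blank")
    # Field checks: numeric fields actually hold numbers.
    qty = int(rec["qty"]) if str(rec.get("qty", "")).isdigit() else None
    if qty is None:
        errors.append("field: qty is not a whole number")
    amount = to_decimal(rec.get("amount", ""))
    if amount is None:
        errors.append("field: amount is not numeric")
    # Range checks: values lie inside the limits set for this transaction type.
    if qty is not None and not 0 < qty <= MAX_QTY:
        errors.append(f"range: qty {qty} outside 1..{MAX_QTY}")
    if amount is not None and not 0 < amount <= MAX_AMOUNT:
        errors.append(f"range: amount {amount} outside 0.01..{MAX_AMOUNT}")
    # Validity check: the customer code exists in the master file.
    customer = rec.get("customer", "")
    if customer and customer not in CUSTOMER_MASTER:
        errors.append(f"validity: customer {customer} not in master file")
    return errors


def sequence_check(records):
    """Sequence check over the whole batch: returns (missing numbers, duplicated numbers)."""
    seqs = [r["seq"] for r in records]
    missing = sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs))
    duplicates = sorted({s for s in seqs if seqs.count(s) > 1})
    return missing, duplicates


def recompute_totals(records):
    """Processing control: recompute the control totals from what was actually keyed."""
    amounts = [to_decimal(r.get("amount", "")) for r in records]
    return {
        "record_count": len(records),
        "financial_total": sum((a for a in amounts if a is not None), Decimal("0")),
        "hash_total": sum(r["seq"] for r in records),
    }


def process_batch(records, claimed):
    """Run all checks; hold rejected records in the error log, reject the batch if totals disagree."""
    accepted, error_log = [], []
    for rec in records:
        errs = check_record(rec)
        if errs:
            error_log.extend((rec["seq"], e) for e in errs)  # detective control: logged, never silently dropped
        else:
            accepted.append(rec)
    missing, duplicates = sequence_check(records)
    error_log.extend((s, "sequence: number missing from batch") for s in missing)
    error_log.extend((s, "sequence: number keyed more than once") for s in duplicates)
    actual = recompute_totals(records)
    # Batch total recalculation: actual minus claimed; a non-empty result means a keying or source problem.
    differences = {k: actual[k] - claimed[k] for k in actual if actual[k] != claimed[k]}
    return {"accepted": accepted, "errors": error_log, "differences": differences,
            "batch_ok": not error_log and not differences}


if __name__ == "__main__":
    result = process_batch(BATCH, CLAIMED_TOTALS)
    for seq, message in result["errors"]:
        print(f"seq {seq}: {message}")
    print("differences:", result["differences"], "batch ok:", result["batch_ok"])
```

Run stand-alone, the three control-total differences (record count short by one, financial total short by 50.00, hash total short by 4) point together at the missing sequence number 4, which is the kind of diagnosis batch totals are meant to give; the per-record exceptions go to the error log rather than being fixed silently, so a person can correct them from the source documents.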

15
Output Controls
  • Usually manual
  • Reconciliations
  • Key reconciliation for a system is sub-ledger to
    control account in G/L
  • Source documentation verification

16
Confidentiality
  • Each organization has its own definition of what
    this means.
  • Examples of items usually considered
    confidential
  • Business Plans
  • Pricing
  • Customer Lists
  • Contracts

17
Confidentiality
  • Controls
  • Encryption: storage and transmission
  • Access controls: read/write, changes, deletion,
    copy, etc.
  • Authentication: unique ID, passwords,
    fingerprints

18
Confidentiality
  • Threats
  • E-mail
  • Instant Messaging
  • Downloads
  • NOTE: Monitoring in this area is required, as new
    threats appear almost daily

19
Privacy
  • Focuses on protecting personal information about
    customers and employees
  • Vs. confidentiality, which deals predominantly
    with the organization's own data
  • Same controls as those for Confidentiality
    (Encryption, Access, Authentication)
  • Federal and some States have regulations around
    customer information privacy
  • Identity theft issues

20
Electronization of business
  • Redesign of internal processes is often
    implemented to conduct e-business, and is often
    the result of conducting e-business.
  • Sometimes is an imperative for survival.
  • Does not directly provide a competitive
    advantage.
  • Can be used to more effectively implement a basic
    strategy.

21
What makes electronization of business successful
  • The degree to which e-business activities fit and
    support the organization's overall business
    strategy (understanding the strategy is a method to
    do this)
  • The ability to guarantee that e-business
    processes satisfy the three key characteristics
    of any business transaction (encryption is a
    method to do this)
  • Validity
  • Integrity
  • Privacy

22
Characteristics
  • Validity
  • authenticate the identity of the other party (both
    parties), so the contract is enforceable
  • Integrity
  • ensure that the information exchanged has not
    been altered
  • Privacy
  • ensure that confidentiality is maintained

23
Definitions
  • Encryption: transforming normal text (plaintext)
    into unreadable gibberish (ciphertext).
  • Decryption: transforming ciphertext back into
    plaintext. Reverses the encryption process.
  • Hash: a short, fixed-length value computed from a
    message (hashing). Unlike encryption it is one-way:
    there is no decryption step, and the message cannot
    be recovered from the hash.

24
Encryption
  • There are two principal types of encryption
    systems
  • Single-key systems: the same key is used to encrypt
    and decrypt the message (symmetric)
  • Simple, fast, and efficient; the one key must be
    shared secretly between the parties
  • Public-key systems (the basis of a Public Key
    Infrastructure, PKI): use a pair of keys, one to
    encrypt and one to decrypt (asymmetric)
  • Public key is available to all who want it
  • Private key is kept secret and known only by the
    owner of that pair of keys.

25
Digital Signatures and Digests
  • Digital signature: a method of uniquely
    identifying the sender of a message. It is computed
    over the message with the sender's private key and
    checked by anyone holding the matching public key.
  • Digital certificate: third-party verification (by a
    certificate authority) that the public key of a
    private/public key pair belongs to the party the
    signature says it does
  • Digest: a digital summary. If any individual
    character in the original document changes, the
    value of the digest also changes. It does not
    provide the information, just knowledge of whether
    the information has changed

26
IS perspective for Business
  • security training
  • consciousness of the folks involved
  • familiarity breeds slackers
  • segregation of duties becomes more difficult
  • hard to restrict access
  • changing data/programs is common
  • development control
  • mission critical v. personal uses
  • Use of spreadsheets: see the reading for today for
    copious detail

27
Access Control Matrix
  • A table listing all authorized users and their
    corresponding abilities within a system. This
    should include type of access as well
  • Read
  • Change
  • Delete
  • Powerful SOD (segregation of duties) tool
  • Change management is key to remaining effective
  • Type of control?
  • Preventive
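
The access control matrix of this slide, as an added example that is not part of the original deck: a users-by-objects table with read/change/delete cells, a default-deny permission check, an SOD review that lists users holding incompatible rights, and a change-management wrapper that records who approved each grant and refuses grants that would create a new conflict. The users, objects and incompatible-function pairs are constructed for the example.

```python
"""Added example (not from the slides): an access control matrix with SOD review and change control."""
import copy

ACTIONS = ("read", "change", "delete")

# Constructed matrix (hypothetical users and objects): rows are users, columns are objects, each cell
# is the set of permitted actions. Any user/object/action not listed is denied.
MATRIX = {
    "erin":  {"vendor_master": {"read"}, "purchase_orders": {"read", "change"}, "payments": {"read"}},
    "sally": {"vendor_master": {"read", "change"}, "payments": {"read", "change"}},
    "admin": {"vendor_master": set(ACTIONS), "purchase_orders": set(ACTIONS), "payments": set(ACTIONS)},
}

# Incompatible functions (hypothetical policy): nobody should both maintain vendor master data and
# change payments, nor both change purchase orders and change payments.
INCOMPATIBLE = [
    (("vendor_master", "change"), ("payments", "change")),
    (("purchase_orders", "change"), ("payments", "change")),
]


def is_allowed(matrix, user, obj, action):
    """Preventive control: look the request up in the matrix; anything not explicitly granted is denied."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return action in matrix.get(user, {}).get(obj, set())


def sod_violations(matrix):
    """Review control: every user who holds both halves of an incompatible pair."""
    found = []
    for user, rights in matrix.items():
        for (obj_a, act_a), (obj_b, act_b) in INCOMPATIBLE:
            if act_a in rights.get(obj_a, ()) and act_b in rights.get(obj_b, ()):
                found.append((user, (obj_a, act_a), (obj_b, act_b)))
    return found


def grant(matrix, user, obj, action, approver, change_log):
    """Change management around the matrix: record who approved each grant and refuse any grant
    that would create a new SOD conflict. Returns True only if the right was added."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    trial = copy.deepcopy(matrix)  # test the change on a copy before touching the live matrix
    trial.setdefault(user, {}).setdefault(obj, set()).add(action)
    new_conflicts = set(sod_violations(trial)) - set(sod_violations(matrix))
    entry = {"user": user, "object": obj, "action": action, "approver": approver}
    if new_conflicts:
        change_log.append({**entry, "result": "refused", "conflicts": sorted(new_conflicts)})
        return False
    matrix.setdefault(user, {}).setdefault(obj, set()).add(action)
    change_log.append({**entry, "result": "granted"})
    return True


if __name__ == "__main__":
    work = copy.deepcopy(MATRIX)
    log = []
    print("erin may change purchase orders:", is_allowed(work, "erin", "purchase_orders", "change"))
    print("existing SOD violations:", sod_violations(work))
    print("grant erin change on payments:", grant(work, "erin", "payments", "change", "cfo", log))
    print("grant erin delete on payments:", grant(work, "erin", "payments", "delete", "cfo", log))
    for entry in log:
        print(entry)
```

The review function is what a periodic access review runs: on the constructed matrix it reports Sally (vendor master plus payments) and the admin account (both pairs), which is the usual finding that shared administrative accounts defeat the matrix unless they are reviewed separately.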

28
Erin and Sally: a contract over the network (diagram)
  • Erin's computer sends the contract "Erin buy from
    Sally" to Sally's computer over the Internet or
    network
  • Contract is private: only Sally can read
  • Contract is unaltered, and must be from Erin:
    digital signature
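
The Erin-to-Sally exchange in the diagram above, together with the definitions of digest, digital signature and public-key encryption on slides 23 to 25, as an added example that is not part of the original deck. It uses Python's hashlib for the digest and a textbook RSA key with the toy values n = 3233, e = 17, d = 2753 (an assumption made here so the arithmetic stays visible; it is not a usable key) and signs each byte of the digest separately, which a real scheme never does. The contract text is constructed. Only the "unaltered" and "must be from Erin" requirements are shown; making the contract private to Sally would encrypt it under Sally's public key and is not covered here.

```python
"""Added example (not from the slides): digest, toy RSA digital signature, and verification."""
import hashlib


def digest(message: bytes) -> bytes:
    """Digest: fixed-length summary of the message. Any changed byte changes it, and nothing in
    the digest lets you recover the message, which is why hashing is not encryption."""
    return hashlib.sha256(message).digest()


# Toy RSA key pair for Erin (hypothetical, insecure): p = 61, q = 53, n = 3233, e = 17, d = 2753.
# With n this small anyone can factor it and derive d; real keys are 2048 bits or more.
ERIN_PUBLIC = (3233, 17)
ERIN_PRIVATE = (3233, 2753)


def sign(message: bytes, private_key) -> list:
    """Sign the digest, not the message. Toy: each digest byte (< 256 < n) is raised to the
    private exponent separately; a real scheme pads the whole digest into one number below n."""
    n, d = private_key
    return [pow(byte, d, n) for byte in digest(message)]


def verify(message: bytes, signature: list, public_key) -> bool:
    """Recompute the digest of what was received and compare it with the signature opened by the
    public exponent. Any change to the message or to the signature makes this False."""
    n, e = public_key
    expected = digest(message)
    if len(signature) != len(expected):
        return False
    return all(pow(s, e, n) == byte for s, byte in zip(signature, expected))


# Constructed messages: the contract Erin sends, and a one-digit alteration made in transit.
CONTRACT = b"Contract: Erin buys 100 units from Sally at 12.50 each"
ALTERED = b"Contract: Erin buys 100 units from Sally at 12.05 each"

if __name__ == "__main__":
    sig = sign(CONTRACT, ERIN_PRIVATE)  # on Erin's computer, with her private key
    print("digest:", digest(CONTRACT).hex())
    print("verified on Sally's computer:", verify(CONTRACT, sig, ERIN_PUBLIC))
    print("verified after tampering:", verify(ALTERED, sig, ERIN_PUBLIC))
```

Sally needs only Erin's public key to run verify, which is the point of the asymmetric pair: the signature proves the contract came from whoever holds the private key and that not a single byte changed on the way. What the key pair does not prove is that the public key really belongs to Erin; that is the job of the digital certificate on slide 25.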
29
General Controls based on COBIT
  • Company level controls
  • Monitoring, planning, assessment: definition of IT
    roles, assessment of significant IT activities
    outside the IT function
  • Change controls
  • Approval, separation of duties, policies: testing
    and QA of changes, authorization of changes,
    separate developers from production environment
  • Operations
  • Policies, roles: formal backup policies,
    operational policies and procedures well defined
  • Security
  • Review, access, data/system: periodic review of
    access, policies for admitting new users/user
    access, review of exception logs

30
Key application controls
  • Batch totals: aid in a computer environment, often
    embedded in the process
  • Source data controls: pre-numbered, turnaround,
    computer-readable
  • Online data entry
  • preformat
  • prompt
  • accuracy (completeness)

31
More application controls
  • Input validation
  • edit program
  • sequence checks
  • validity check
  • File maintenance
  • reconcile master with other data
  • data security
  • Output controls
  • user review
  • reconcile batch totals
  • error logs

32
Goal oriented / explicit
  • Tie controls to goals
  • Operations
  • Information
  • Create control plans
  • Evaluate the usefulness of controls
  • Formal method