
SECTION 1 - CHAPTER 4 INTERNAL CONTROLS

I. RISK ASSESSMENTS AND CONTROLS
A. Definition and Objectives of Internal Control
B. Components of Internal Control
   1. Control Activities
   2. Risk Assessment
   3. Information and Communication
   4. Monitoring
   5. Control Environment
C. Inherent Limitations
   1. Human Error
   2. Cost-Benefit Judgment
   3. Collusion
   4. Management Override
   5. Control Environment
   6. Time Period
D. References of Control Activities in Specific Accounting Areas
E. Foreign Corrupt Practices Act
   1. Provisions
   2. Assurance

II. INTERNAL AUDITING
A. Purposes
B. Attribute Standards for Internal Auditing
C. Internal Audit Process
D. Fraud Detection and Investigation
E. Types of Internal Audit Engagements

III. SYSTEMS CONTROLS AND SECURITY MEASURES
A. Roles and Responsibilities Within the IT Function
B. Segregation of Duties
C. Systems Design and Documentation
D. Data Reliability Risks
E. Disaster Recovery Plan
F. Internet Security Risks
G. Methods for Internet Security

SECTION 1 - CHAPTER 4 INTERNAL CONTROLS

I. RISK ASSESSMENTS AND CONTROLS

A. Definition and Objectives of Internal Control

Internal control is defined as a process, effected by an entity's board of directors, management and other personnel, that is designed to provide reasonable assurance regarding the achievement of three major objectives (see below). The definition of internal control reflects the following concepts:

1. A Process: The management processes of planning, executing and monitoring combine to form internal control. Controls are most effective when they are "built in" rather than "built on." Building in controls can reduce costs and promote the development of the new controls that new business activity requires.

2. People: Internal control is influenced by all the people of an organization, by what they do and what they say. A clear link must be established between people's duties, the way those duties are carried out, and the entity's objectives.

3. Reasonable Assurance: Internal control can offer only reasonable assurance of the achievement of an organization's objectives. All control systems have limitations. These include human judgment, costs and benefits, breakdowns due to error or mistakes, collusion and management override.

4. Objectives: The three objectives fall into three areas: financial reporting, operations and compliance.
- Reliability of financial reporting
- Efficiency and effectiveness of operations
- Compliance with applicable laws and regulations

B. Internal Control Components: Internal control is composed of five interrelated components:
- Control Activities
- Risk Assessment
- Information and Communication
- Monitoring
- Control Environment

1. Control Activities: Control activities are the policies and procedures that help ensure that the entity's objectives are achieved. Control activities have various objectives and are applied at various organizational and functional levels. They include policies and procedures that pertain to:

a. Segregation of Duties (CARP): These control activities involve ensuring that different people are assigned responsibility for maintaining custody of assets, authorizing transactions, recording transactions, and performing periodic reconciliations of existing assets to recorded amounts. They reduce the ability of an individual to both perpetrate and conceal errors or fraud. The desirable segregation of duties can be memorized using the acronym CARP:
- C: Custody
- A: Authorization
- R: Recordkeeping
- P: Periodic reconciliations

b. Information Processing: These control activities are procedures that check the accuracy, completeness and authorization of transactions. They include both general controls and application controls (discussed later in this chapter). Information processing controls include the use of prenumbered documents to ensure that all transactions are recorded and that they are recorded only once.

c. Physical Controls: These control activities address the physical security of assets, including secured facilities, authorized access to computer programs and data files, and periodic counting and comparison of physical assets with control records.

d. Performance Reviews: Control activities also include investigations and corrective actions taken from comparisons of actual operating performance to budgets, prior period results, forecasts, or reviews. These activities also include internal performance reviews, such as credit manager reviews of credit approvals and accounts receivable aging balances.

2. Risk Assessment: Risk assessment is the entity's identification and analysis of relevant risks to the achievement of its objectives so that the risks can be managed. Risk assessment is concerned not only with the total dollar value of assets that are exposed to loss, but also with the probability that a loss will occur.

a. Risks Relevant to Financial Reporting: Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to record, process, summarize, and report financial data. Risk related to financial reporting may be broken down into the following three components:

1) Detection Risk: Detection risk is the likelihood that an internal or external auditor's procedures may not detect a material misstatement that exists. It arises either because not all items in a population are examined by the auditor (sampling error) or because audit procedures are improperly applied (non-sampling error).

2) Inherent Risk: Inherent risk is the likelihood of a material misstatement, assuming that there are no related internal controls. Some account balances or classes of transactions are intrinsically more susceptible to misstatement than others. Accounts receivable typically has a high level of inherent risk because of the large dollar volume of transactions flowing through the account, the opportunity for intentional misstatement, and the impact of economic trends. By contrast, fixed assets usually have a lower level of inherent risk because of a lower volume of transactions and the high visibility of fixed asset acquisitions or dispositions. Yet fixed assets may have high inherent risk related to their proper valuation in industries plagued by overcapacity.

3) Control Risk: Control risk is the likelihood that a material misstatement could occur and not be prevented or detected by the entity's internal control within a reasonable time. Control risk is usually low for cash or inventory, where companies often institute strong internal controls. Where controls are weaker, the risk that a misstatement will slip by the internal control structure is greater. Some control risk will always exist because of the inherent limitations of internal control (see discussion later in this chapter).

b. Other Types of Risk: Management accountants are concerned not only with financial statement risks, but also with other risks to the organization. Examples include risks related to product defects, customer credit policies, foreign currency contracts, and insurance coverage.

3. Information and Communication: The entity's information systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

4. Monitoring: Monitoring is a process that assesses the quality of internal control performance over time. It is important to establish and maintain internal control. Management monitors controls to determine whether they are operating as intended and whether they are modified as appropriate when conditions change. Monitoring may include:
- Assessing the design and operation of controls on a timely basis and taking necessary corrective actions.
- Ongoing activities, separate evaluations, or combinations of the two. An ongoing activity is one that is performed regularly as part of normal operations, such as verifying that disbursements over a certain amount are properly authorized. A separate evaluation is one that is performed irregularly, or perhaps only once. For example, a public entity might perform a special evaluation of internal control while implementing the requirements of the Sarbanes-Oxley Act.
- Internal auditing.
- Using information from communications from external parties, such as customer complaints and regulator comments, that may indicate problems or highlight areas in need of improvement.

5. Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The control environment factors are:
- Human resource policies and practices
- Assignment of authority and responsibility
- Participation of the board of directors or audit committee
- Integrity and ethical values
- Commitment to competence
- Organizational structure
- Management's philosophy and operating style

The following control environment issues are particularly important for management accountants:

a. Organizational Structure: The organizational structure defines the key areas of authority and responsibility.

1) Internal Auditors: Internal auditors can play a significant monitoring role. The existence of an internal audit function is a control feature in itself. (More details are provided in a later section of this chapter.)

2) Board of Directors: Effective board members are objective, capable, and inquisitive. The board of directors is responsible for ensuring that the company is operated in the best interest of shareholders. A strong, active board assisted by capable financial, legal, and internal audit functions is best able to monitor the control environment.

3) Management: Management is accountable to the board of directors. The CEO is ultimately responsible for internal control and sets the tone at the top that affects the integrity and ethics of a positive control environment. Senior managers delegate to junior managers who run their own departments or shops, while financial officers have control activities that cut across the operating and staff units of an enterprise.

4) Other Personnel: Almost all employees produce information used in the internal control system or take actions that affect control. Internal control should be an explicit or implicit part of everyone's job description.

b. Competent Personnel: Personnel must be proficient at their responsibilities and appropriately trained for their positions. Their integrity and understanding of their responsibilities are critical to an effective control environment.

c. Pervasive Management Effects: Management's strengths and weaknesses may have a pervasive effect on internal control. For example, human resource policies and practices directed toward hiring competent financial and accounting personnel may not mitigate a strong bias by top management to overstate earnings.

C. Inherent Limitations: Internal control is expected to provide reasonable, not absolute, assurance that material errors or fraud will be prevented, or detected and corrected. There are inherent limitations to the effectiveness of any entity's internal control:
- Human errors can occur
- Cost-benefit judgment
- Collusion between employees is possible
- Management can override controls
- Control environment
- Projections to other time periods are risky

1. Human Error: Errors may result from misunderstanding, mistakes of judgment, carelessness, distraction or fatigue.

2. Cost-Benefit Judgment: The costs of internal controls should not exceed the benefits, but it is not possible to precisely measure the quantitative or qualitative costs and benefits.

3. Collusion: Segregation of duties may be circumvented by collusion.

4. Management Override: Management may circumvent or otherwise override controls.

5. Control Environment: A weak control environment may reduce the effectiveness of other internal control components.

6. Time Period: Internal controls that are in place and operating effectively in one time period may not be in place or operating effectively during other time periods. Projection of conclusions reached about internal control to future periods is subject to the risk that controls may cease to be adequate or that their degree of effectiveness may deteriorate.

D. References of Control Activities in Specific Accounting Areas

As you review the following lists, pay particular attention to the following types of control activities.

1. Accounts Receivable and Sales
- credit approval
- credit and sales departments independent
- shipping invoices pre-numbered
- sales order and sales invoice comparison
- sales reconciled with cash receipts, AR, and inventory change
- matching of credit memoranda and receiving reports
- credit memoranda pre-numbered
- sales orders pre-numbered
- control over scrap sales and sales to employees
- authorization of AR write-offs
- control over collection of written-off receivables
- aging schedules prepared in a timely manner
- independence of sales, AR, receipts, billing, and shipping

2. Accounts Payable
- independent from purchasing, cashier, and receiving
- comparison of detail and control accounts
- control over purchase returns
- accuracy of vendors' invoices
- matching of PO, receiving report, and vendor invoice
- reconcile vendor statements with AP detail
- control over debit memos
- review of unmatched receiving reports
- investigate discounts not taken

3. Payroll
- authorization to employ
- personnel data records
- supervisor review of time records
- review of payroll calculations
- distribution of payroll checks independent of payroll authorization
- control over unclaimed wages

4. Inventory and Cost of Sales
- periodic inventory counts by non-custodians
- control over count tags
- control over adjustments
- perpetual records
- comparison of GL and perpetual records
- preparation of receiving reports
- pre-numbered receiving reports
- separate inventory custodian from recordkeeping
- physical safeguards against theft and fire
- inventory requisitions
- standard costs and variance analysis
- reports of inventory usage

5. Cash Receipts
- detail listing of all mail receipts
- daily deposit
- comparison of duplicate deposit slips with cash book and AR
- separation of cashier from accounting
- cash registers
- numbered cash receipts records
- daily cash collection reconciliation

6. Cash Disbursements
- prenumbered checks
- limited authorization to sign checks
- all checks accounted for
- detail listing of checks
- mutilation of voided checks
- control over signature machines
- check listing compared with cash book
- physical control over unused checks
- cancellation of supporting documents
- independent reconciliation of bank accounts
- no access to cash records or receipts by check signers

7. Purchasing
- approvals limited to both amount and type
- separate the authorize purchase, receive goods, and account for inventory functions
- establish qualified suppliers
- requisitions matched with PO
- access to computerized ordering system controlled by passwords and order limits
- account for all POs, even voids
- receiving reports, invoices, and POs all reconciled and matched
- reviews of open POs
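Several of the lists above ("prenumbered checks", "all checks accounted for", "account for all POs, even voids") rest on the same completeness test, and the Information Processing paragraph states the principle: every prenumbered document must be recorded exactly once. The following is an added example (not code from the study guide) of that test run over a constructed check register; the range of check stock, the register entries and the field names are assumptions.

```python
"""Prenumbered-document completeness check (added example, not from the guide).

Given the range of check numbers released from the physical stock and the
register of what was actually recorded, report every number that was never
recorded (gap), recorded more than once (duplicate) or recorded although it was
never released (out of range). A voided check still consumes its number and
counts as accounted for only because the void itself was recorded.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class SequenceReport:
    first: int
    last: int
    missing: list[int] = field(default_factory=list)       # released but never recorded
    duplicates: list[int] = field(default_factory=list)    # recorded more than once
    out_of_range: list[int] = field(default_factory=list)  # recorded but never released

    @property
    def clean(self) -> bool:
        """True when every released number is accounted for exactly once."""
        return not (self.missing or self.duplicates or self.out_of_range)


def check_sequence(entries, first: int, last: int) -> SequenceReport:
    """entries: iterable of (number, status) where status is "issued" or "void".

    first..last is the block of numbers released from unused check stock
    (the 'physical control over unused checks' item in the guide)."""
    numbers = [n for n, _status in entries]  # voids occupy a number too
    counts = Counter(numbers)
    report = SequenceReport(first, last)
    report.missing = [n for n in range(first, last + 1) if n not in counts]
    report.duplicates = sorted(n for n, c in counts.items() if c > 1)
    report.out_of_range = sorted(n for n in counts if n < first or n > last)
    return report


# Constructed sample register: stock 1001-1010 was released to the cashier.
SAMPLE_REGISTER = [
    (1001, "issued"),
    (1002, "issued"),
    (1003, "void"),    # voided and mutilated, but the void was recorded: accounted for
    (1004, "issued"),
    (1006, "issued"),  # 1005 never recorded: a gap to investigate
    (1007, "issued"),
    (1007, "issued"),  # the same number recorded twice
    (1008, "issued"),
    (1009, "issued"),
    (1010, "issued"),
    (1012, "issued"),  # outside the released stock
]

if __name__ == "__main__":
    r = check_sequence(SAMPLE_REGISTER, 1001, 1010)
    print("missing:", r.missing, "duplicates:", r.duplicates,
          "out of range:", r.out_of_range, "clean:", r.clean)
```

The same routine applies unchanged to purchase orders, receiving reports or sales invoices, which the lists above also require to be pre-numbered.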

E. Foreign Corrupt Practices Act

The Foreign Corrupt Practices Act of 1977 deals with bribery and accounting controls for publicly held companies.

1. Provisions: In general, the Act says that internal accounting controls shall be examined and, if material weaknesses are found, controls must be strengthened or additional ones installed. Bribes or questionable conduct shall cease, and funds for such bribes and conduct must not be made available. The Act makes bribing another country's government a crime, and it applies to the bribe giver rather than the taker. Every publicly held company shall:
- Make and keep books, records, and accounts which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.
- Devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that:
  - Transactions are executed in accordance with management's authorization.
  - Transactions are recorded as necessary to permit preparation of financial statements in conformity with GAAP and to maintain accountability for assets.
  - Access to assets is permitted only in accordance with management's authorization.
  - The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any difference.

2. Assurance: Management is responsible for providing reasonable assurance that transactions are authorized and accounted for and that assets are safeguarded.

II. INTERNAL AUDITING

A. Purposes

1. Assess Performance: The internal auditor compares actual performance to standards established by management policies and goals, including compliance with GAAP, contract provisions, loan covenants, or government laws and regulations.

2. Identify Opportunities for Improvement: The criteria for evaluating improvement are increased economy, efficiency, and/or effectiveness. Ideas for improvement can come from many sources: contacts in professional organizations, staff members in the affected department or other departments, the auditor's own professional reading and research, or academic research.

B. Attribute Standards for Internal Auditing

The Institute of Internal Auditors (IIA), the national professional organization for internal auditors, has developed a Professional Practices Framework. The following list of internal auditing attributes is adapted from the IIA framework.

1. Purpose, Authority, and Responsibility: (i) The purpose, authority, and responsibility of the internal audit function should be clearly documented and approved. (ii) Individual internal audit engagements should be communicated to the engagement clients.

2. Independence and Objectivity: (i) Internal auditors are not independent in the same sense that external auditors are, because they are employees of the organization. (ii) However, an effective internal audit department must have organizational independence from the activities it audits. (iii) Independence is also achieved by the internal auditor having direct and frequent access to the board of directors, usually through the audit committee, and to senior management. (iv) The internal audit department should report either to the chief executive officer or to a financial officer without daily operational responsibility in financial functional areas such as treasury or accounting. (v) The internal audit department should establish policies to promote objectivity and to assess individual objectivity.

3. Knowledge, Skills, and Competencies: Internal audits should be performed with proficiency. This means that internal auditors must have sufficient knowledge, skills, and competencies to perform their work. There must also be adequate supervision, education, and continuing education of the internal audit staff.

4. Due Professional Care: Internal auditors should exercise due professional care in the conduct of their work.

5. Quality Assurance and Improvement of Internal Audit: Internal auditors should promote quality assurance and improvement not only for the organization, but also for the internal audit function.

C. Internal Audit Process

The internal audit process in the IIA Professional Practices Framework includes the following steps:
- Analyze and interpret data
- Collect data
- Communicate interim progress
- Complete performance appraisals of engagement staff
- Conduct client satisfaction survey
- Develop recommendations when appropriate
- Develop work papers
- Draw conclusions
- Evaluate the relevance, sufficiency, and competence of evidence
- Maintain an awareness of the potential for fraud
- Plan the engagement
- Research and apply appropriate standards
- Report engagement results
- Review work papers

D. Fraud Detection and Investigation

The internal audit process includes planning for and maintaining an awareness of the potential for fraud. Internal auditors should therefore understand that the perpetration of fraud requires both opportunity and motivation. A good internal control system, well monitored by the internal auditors, can significantly reduce opportunity.

1. General Responsibilities: The internal auditor's responsibilities for detecting fraud are to:

a. Knowledge: Have sufficient knowledge of fraud to be able to identify indicators that fraud might have been committed. This includes the characteristics, the techniques and the types of fraud associated with the activities audited.

b. Alert: Be alert to opportunities, such as control weaknesses, that could allow fraud.

c. Evaluate: Evaluate indicators that fraud might have been committed.

d. Notify: Notify the appropriate authorities within the organization. This might mean reporting incidents to top managers or the board of directors, as appropriate.

2. Public Companies: The 1987 Report of the National Commission on Fraudulent Financial Reporting (Treadway) made several recommendations to public companies concerning internal audit:
- Public companies should maintain an effective internal audit function staffed with an adequate number of qualified personnel appropriate to the size and the nature of the company.
- Public companies should ensure that their internal audit functions are performed in an objective manner.
- Internal auditors should consider the implications of their nonfinancial audit findings for the company's financial statements.
- Management and the audit committee should ensure that the internal auditors' involvement in the audit of the entire financial reporting process is appropriate and properly coordinated with the independent public accountant.

E. Types of Internal Audit Engagements

Internal auditors perform many different types of engagements.

1. Compliance Auditing: A compliance audit is designed to determine whether an organization is conforming or acting in accordance with some type of rules and regulations, such as:
- Compliance of financial statements with GAAP
- Compliance with the Foreign Corrupt Practices Act
- Compliance with environmental regulations

2. Operational Auditing: An operational audit is aimed primarily at operational efficiency and is designed to examine and evaluate systems of internal control and overall company operations.

3. Other Internal Audit Functions: Internal auditors can be involved in almost any aspect of the organization where objectivity, analysis, and measurement skills are required. Internal auditors provide analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed to assist management. Examples include:
- Assess the ethical climate of the board of directors
- Conduct follow-up and report on management response to external audit
- Develop and implement an organization-wide risk and control framework
- Determine information security vulnerabilities

III. SYSTEMS CONTROLS AND SECURITY MEASURES

A. Roles and Responsibilities Within the IT Function

The information systems (IS) department should be divided into separate functions, such as the following:

1. Control Group: Control group personnel review the input, monitor processing, handle reprocessing of errors, and review and distribute output to the user groups. They also review the logs for computer operator intervention and review the librarian log for program and file usage. In a network, the control group function may be performed by a network administrator.

2. Programming: Programmers write, test, and debug system and/or application programs designed by the systems analyst. The programmer also writes the program documentation.

3. Information Systems Manager: The manager is responsible for the operation of the information systems department. This includes supervision of personnel and maintenance of computer systems.

4. Systems Analysis: An analyst is responsible for the design and implementation of the information technology.

5. Computer Operations: This department performs the data processing activities based on operating instructions prepared by the programmer. A console log is maintained which documents all operator intervention with the computer processing activities.

6. File and Program Library: The librarian maintains control over master files, transaction files, computer programs, and other important information to prevent misuse or loss.

7. Data Entry: Personnel are responsible for entering information into the system, such as at point-of-sale registers or personal computers.

B. Segregation of Duties

1. Segregation of Duties for IT Functions: Segregation of duties also applies to the various IT functions. Duties should be segregated between the IS department and the user departments, and also within the IS department, to prevent the IS department from either initiating or authorizing transactions. The separation between programming and operations is the most critical. Ideally, however, the following functions should all be segregated:
- Distributing output
- Input preparation
- Operating data input equipment
- Operating computer and sorting equipment
- Preparing rejects for reentry
- Programming
- Reconciling output
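The CARP rule from Section I and the programming/operations split above are both checks that can be run mechanically over a role-assignment export from an identity system. Below is an added example (not code from the study guide) that encodes both as conflict sets and scans a constructed assignment table; it also models the compensating-control case the next section describes (a person with computer operations access whose access to data files is limited). The role names, the role-to-duty mapping and the compensating-control register are assumptions for the example.

```python
"""Segregation-of-duties (SoD) conflict check: added example, not from the guide.

The guide's CARP rule says custody, authorization, recordkeeping and periodic
reconciliation should sit with different people, and its IT rule says the
programming/operations split is the most critical. Both are encoded as conflict
sets and applied to a constructed role-assignment table.
"""
from itertools import combinations

# Duties that one person must not hold together (the guide's CARP and IT rules).
CONFLICT_SETS = {
    "CARP": {"custody", "authorization", "recordkeeping", "reconciliation"},
    "IT": {"programming", "operations"},
}

# Assumed mapping from system role names to the guide's duty categories.
ROLE_TO_DUTY = {
    "cashier": "custody",
    "ap_approver": "authorization",
    "gl_poster": "recordkeeping",
    "bank_reconciler": "reconciliation",
    "developer": "programming",
    "prod_operator": "operations",
    "report_viewer": None,  # read-only access carries no conflicting duty
}


def find_conflicts(assignments, compensating_controls=frozenset()):
    """Return (user, rule, duty_a, duty_b, compensated) for every conflicting pair.

    assignments: dict user -> set of role names.
    compensating_controls: set of (user, rule) pairs for which a documented
    compensating control exists, e.g. an operator whose access to data files is
    restricted (the guide notes such a case is not a weakness). Those findings
    are still reported, but flagged, so a reviewer can verify the control.
    Roles missing from ROLE_TO_DUTY are ignored rather than guessed at.
    """
    findings = []
    for user, roles in sorted(assignments.items()):
        duties = {d for r in roles if (d := ROLE_TO_DUTY.get(r))}
        for rule, conflict_set in CONFLICT_SETS.items():
            held = sorted(duties & conflict_set)
            for duty_a, duty_b in combinations(held, 2):
                compensated = (user, rule) in compensating_controls
                findings.append((user, rule, duty_a, duty_b, compensated))
    return findings


def open_findings(findings):
    """Findings that still need remediation (no compensating control on file)."""
    return [f for f in findings if not f[4]]


# Constructed sample export from an identity system.
SAMPLE_ASSIGNMENTS = {
    "alice": {"cashier", "gl_poster"},        # custody + recordkeeping: CARP conflict
    "bob": {"ap_approver", "report_viewer"},  # a single duty: no conflict
    "carol": {"developer", "prod_operator"},  # programming + operations: IT conflict
    "dave": {"developer", "prod_operator"},   # same pair, but a compensating control is on file
    "erin": {"unknown_role"},                 # unmapped role: ignored
}
SAMPLE_COMPENSATING = {("dave", "IT")}

if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_COMPENSATING):
        print(finding)
```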

2. Limitations of Segregation for IT Functions: By its nature, IT requires combining duties traditionally performed by multiple individuals. Incompatible functions are those which place a person in a position to perpetrate and conceal errors or fraud in the normal course of his or her duties. Procedures designed to detect errors and fraud should be performed by persons other than those who are in a position to perpetrate them. In a computerized accounting system, functions that would be incompatible in a manual system are often performed by the computer. If there are control procedures which prevent an individual who has access to computer operations from performing incompatible functions (e.g. limited access to data files), this does not represent a weakness. Yet IT adoption brings reduced visibility of the audit trail (particularly for authorization), less human involvement in processing transactions, and the possibility of unauthorized access to the system causing loss of data or fraudulent alteration of data. Increased adoption of IT often involves a decrease in segregation of duties, which increases the ability of an individual to both perpetrate and cover up a fraud.

C. Systems Design and Documentation

Systems design and documentation controls are used to enhance the storage functions, accuracy, validity, security, safety and adaptability of systems input, output, and processing.

1. Coding: One of the fundamental aspects of any software program is the account coding and classification scheme used.

a. Purposes of Coding: A code serves two purposes: 1) Identification: providing a brief identification. 2) Meaning: providing meaning to data in subsequent processing.

b. Coding Systems: Coding systems or types include:

1) Sequential Coding: Organizing data on the basis of position. Ascending order is most common. For example, checks are numbered in sequence.

2) Block Code: Classifying objects into certain groups. The position of the character has a special meaning. The Universal Product Code is a block code: the first five digits identify the manufacturer and the next five identify the particular product.

3) Group or Hierarchical Code: There are several sub-classifications in each major block. This system gives meaning to both the value and the position of a character. The ZIP code is a group code, with the first digit having both value and position significance.

2. Record of Acceptance: This includes documenting the formal acceptance from the user, IT management, audit, IT operations, and the documentation librarian for completeness of documentation.

3. User Manuals: User manuals are often poorly done, without enough detail.

4. Operator Instructions: These instructions explain how a particular job is performed and how operators should respond to certain system requests or when halt conditions occur.

5. Program Description: This describes the details of the individual programs. Included are flowcharts, decision tables, table descriptions, flags and switches, program change and modification forms, program listings, and program controls.

6. Problem Definition: The definition of the problem provides a clear, logical and formal record of the problem to be solved.

7. Application Description: The description provides an overview of the total application and ties together the individual computer programs within an application. Flowcharts, narrative, record layouts, print layouts, file descriptions, special codes, and controls, especially security controls, are included.

8. Flowcharts: A flowchart is a graphic representation of a specific segment of a system. Its purpose is to show the sequential flow of data in a logical, organized and easy-to-understand format. Ideally, it should reflect all areas of an entity's operations and should also show the transformation of source documents into accounting data. In an accounting system, a flowchart will typically indicate the flow of a document or series of documents through various departments, and will depict the various clerical and control operations that the documents are subject to. Flowcharts are also used to document the sequence of procedures within a computer program.

a. Flowchart Symbols:

Document: This symbol represents a printed document or report that may be prepared manually or by a computer. Checks, purchase orders, time sheets, shipping reports, receiving reports, vouchers, etc., are examples. A description/name of the document is indicated inside each symbol.

Multi-copy Document: A document that is prepared in multiple copies. Each part is sent to a different department/file/party.

Process: A process symbol is used to represent a defined operation or function. Typically, a process causes some kind of change in the form, value, or location of information or data. Examples of a process would be summarizing revenue from several sources, or the physical transfer of data from one location to another. A description of the process is shown within the symbol. This symbol can also be used to represent a screen/page on a computer.

Group of Operations

Input: This symbol indicates that the user must input information. It is part of a process. Sometimes this symbol is also used to represent output.

Manual Operation: This is a task done off-line by humans and linked to a process on the flowchart. An example of a manual operation would be filing a document in a file cabinet.

Manual Input: This represents the manual input of data into the system.

Display: This represents a computer display screen that is used for input, output, or query.

Directional Flow Line: These lines are used to connect the flowchart symbols and to indicate the directional flow of documents or information. Typically, a solid line represents document flow and a dotted or dashed line represents information flow.

Annotation: This symbol is connected to another symbol by dotted or dashed lines. It is used to add comments or explanations to the flowchart.

Decision: A decision symbol is used when multiple conditions are possible which can affect the direction of the information flow. The decision typically requires either a "yes" or "no" response to the inquiry presented. The response affects the direction to be followed.

On-Page Connector: In complex flowcharts, it is likely that the directional flow lines will flow in many directions. This can make the flowchart confusing and difficult to read. Connectors are used to reduce the number of flow lines for clarity. An easy way to identify corresponding connectors is with alphabetical letters.

Off-Page Connector: Often, a flowchart will take up more than one page. The off-page connector is used to connect the end of a page with the beginning of a succeeding page.

Off-line Storage: This symbol is used when data is stored outside of the computer. For example, a file cabinet holding the documents used in data entry would be represented by this symbol.

An "N" within the symbol denotes numerical filing. A "C" within the symbol denotes chronological filing. An "A" within the symbol denotes alphabetical filing.

Storage Device: This symbol traditionally referred to a magnetic disk such as a hard disk, but it currently refers also to optical disks, such as CDs. The symbol indicates that information is recorded and stored electronically. This is not the only symbol that may be used to represent electronic storage (see below).

Sequential Access Storage (Magnetic Tape): This symbol indicates that information is recorded and stored electronically in sequential format, usually on a tape. This form of storage is becoming less common.

Direct Access/Online Storage: This symbol indicates that information is recorded and stored electronically and can be accessed online. The data can be accessed in any sequence.

Stored Data: This symbol indicates that information is stored/filed (without reference to the format).

Communication link: It represents the flow of information via a telecommunication line. Arrows may be used to indicate the direction of flow of

Terminal: This indicates the beginning or ending point in a program flowchart.

b. General Flow: In constructing a flowchart, the processing or document flow is generally from top to bottom and from left to right.

D. Data Reliability Risks

The following are major error and fraud risks related to electronic data (special risks related to the Internet are addressed later in this chapter):
1. Software Bugs: Software may not work properly, causing errors in the creation or storage of data. This risk is reduced through procedures for the review and debugging of software and through output controls where users monitor computerized results.
2. Hardware Malfunctions: Disk crashes and other malfunctions can destroy data and interrupt operations. This risk is reduced through the acquisition of reliable hardware and the availability of alternative equipment.
3. Sabotage: There are many ways to cause serious damage to the computer installation. Magnets can destroy data on disks and tapes. Radar beams directed at the installation can have similar effects. Techniques to prevent sabotage include physical security, denial of access to terminated employees, and maintaining back-ups at a remote location. Sabotage techniques used by programmers include "logic bombs" (timed destruction code), "Trojan horses" (a destructive program masquerading as a legitimate program), and "virus programs" (destructive programs that spread themselves, usually through executable files).
4. Data Theft: This method includes theft of physical items such as disks or tapes as well as electronic theft by interception or remote access. Techniques to prevent data theft include physical security, encryption, and call-back modems.
5. Input Manipulation: This method requires the least knowledge or technical skill. Input documents are altered or revised. Techniques to prevent this fraud include approval and review of input documents and programmed input controls that accept only certain inputs from users based on time, location, or access codes.
6. File Alteration: This method involves the revision of data files, such as increasing one's pay. Techniques to prevent file alteration include restricted access to data files and electronic audit trails.
7. Data Transmission Errors: Errors can occur when data is transmitted from one computer to another. These types of errors can be minimized with the use of error detection and correction software when transmitting data.
8. Theft of Computer Time: This is the use of the computer for personal purposes. Techniques to reduce this risk include time access limits for users, policy statements, and electronic audit trails.
9. Human Error: Reliability is always exposed to human error, whether in manual or computerized systems. Yet application programs can reduce error by replacing human performance of mechanical procedures (such as addition) and through input controls such as limit and reasonableness tests and well-designed user interfaces.
10. Program Alteration: This method requires programming skills and knowledge of the program to make unauthorized program changes or to place "trapdoors" in programs which enable access, bypassing normal security. Many companies have program testing methods that detect altered programs. Techniques to prevent alteration include making changes to copies of programs, followed by a final review before replacement.

E. Disaster Recovery Plan

Fires, floods, acts of terrorism, and other disasters can destroy computer systems as well as data. This risk can be minimized through the general controls discussed above to prevent damage and also through a disaster recovery plan. A disaster recovery plan must be implemented at the highest levels in the company.

1. Assess Critical Needs: All mission-critical resources should be identified and assessed. These include hardware, software, power and maintenance, space, vital records, as well as people.
2. List Priorities for Recovery: A prioritized list is developed of services and activities and the timetables for each.
3. Recovery Strategies: The company should know what to do, who should do it, how to do it, and how long it should take.
4. Emergency Response Team and Center: Authority should be transferred to an emergency response team.
5. Escalation Procedures: These procedures state who has authority to declare a disaster and whom to notify.
6. Processing Arrangements: Hardware, program, and document backup are dealt with. Computer installations must make formal arrangements for alternative processing capability in the event a data center becomes disabled. Common plans involve in-house backups, service bureaus, reciprocal agreements, cold sites (containing wiring but no equipment), or hot sites (a fully operational offsite data processing facility).
7. Personnel Relocation Plan: Personnel will have to be relocated to the alternate site.
8. Personnel Replacement Plan: Personnel may have to be replaced.
9. Insurance Needs: Insurance will be needed to defray the costs of media reconstruction, extra expense, business interruption, errors and omissions, and liability to customers.
10. Plan Testing and Maintenance: Plans should be tested at least annually and updated to reflect current business conditions and technology. This step also entails ensuring that personnel are adequately trained in emergency procedures.

F. Internet Security Risks

1. Sniffers: (i) A sniffer (or packet sniffer) is a program or device that monitors data traveling on a network. (ii) Sniffers may be used legitimately by network administrators or by hackers. Administrators may use sniffers to troubleshoot network problems, detect intrusion attempts or unauthorized content (such as illegal downloading of copyrighted material), or monitor network usage. (iii) Attackers use sniffers to collect user account names and passwords.
2. IP Spoofing: (i) IP spoofing involves an attack from outside your network by a user who pretends to be a trusted computer. The attacker modifies the message header information to make it appear as if a trusted IP address has sent the message. (ii) IP spoofing occurs in cases where trust relationships exist between machines (such as computers within a corporate network). (iii) IP spoofing gives the attacker authentication to enter a system, where they may inject commands into data passed along the network. IP spoofing attacks can be prevented through firewalls.
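The firewall defense named in the last sentence, together with the packet-filter technique described under "Firewall Techniques" later in this chapter, as an added example that is not part of the chapter: a first-match packet filter whose first rule drops any Internet-side packet claiming an internal source address, with a default deny for everything not explicitly allowed. The network ranges, interface names and sample packets are constructed for illustration.

```python
"""Added example (not from the chapter): a minimal stateless packet filter
with the ingress anti-spoofing rule that addresses the IP spoofing scenario.
All networks, interfaces and packets below are constructed for illustration.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # assumed corporate range
WEB_SERVER = ipaddress.ip_network("10.0.5.10/32")    # assumed public-facing host

# User-defined rules, evaluated top to bottom; the first match wins.
# (name, arrival interface, source network, destination network, dst port or None, verdict)
RULES = [
    # A packet arriving from the Internet that claims an internal source address
    # cannot be genuine: this is the spoofed "trusted computer" case.
    ("anti-spoof", "external", INTERNAL_NET, ANY, None, "DROP"),
    ("public-web", "external", ANY, WEB_SERVER, 443, "ACCEPT"),
    ("intra-net", "internal", INTERNAL_NET, INTERNAL_NET, None, "ACCEPT"),
]


def filter_packet(packet, rules=RULES):
    """Return (verdict, rule name). Anything not explicitly allowed is dropped."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    for name, iface, src_net, dst_net, port, verdict in rules:
        if (packet["iface"] == iface and src in src_net and dst in dst_net
                and (port is None or packet["dport"] == port)):
            return verdict, name
    return "DROP", "default-deny"


def audit_log(packets, rules=RULES):
    """Log lines for the control group to review (see Monitor for Suspicious Activity)."""
    lines = []
    for pkt in packets:
        verdict, rule = filter_packet(pkt, rules)
        lines.append(f"{verdict:6} {rule:12} {pkt['iface']:8} "
                     f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
    return lines


# Constructed sample traffic: a spoofed packet, a legitimate web request,
# an internal file-server request, and an unsolicited external connection.
SAMPLE_PACKETS = [
    {"iface": "external", "src": "10.0.0.7", "dst": "10.0.5.10", "dport": 22},
    {"iface": "external", "src": "203.0.113.9", "dst": "10.0.5.10", "dport": 443},
    {"iface": "internal", "src": "10.0.1.4", "dst": "10.0.5.10", "dport": 445},
    {"iface": "external", "src": "203.0.113.9", "dst": "10.0.5.10", "dport": 22},
]

if __name__ == "__main__":
    print("\n".join(audit_log(SAMPLE_PACKETS)))
```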

3. Password Attacks: Password attacks usually refer to repeated attempts to identify user accounts and passwords, called brute-force attacks. However, other methods can be used to obtain passwords, including Trojan horse programs, IP spoofing, and packet sniffers. With access to a user name and password, the attacker has the same rights as the user whose account has been compromised. The attacker also may be able to create a back door for future access.

4. Malicious Software: Malicious software is designed to do harm. Several common types are:
a. Viruses: (i) Viruses attach themselves to a host program, typically the operating system, and then infect application files. (ii) The virus is spread when files are transferred to other computers. While some viruses are relatively harmless, they use memory and storage space, sometimes destroy files, and may be used to circumvent usual authorization procedures on a network. (iii) Viruses are usually introduced from outside sources such as e-mail attachments, disks brought in from the outside, or downloads of free software or files from the Internet.

b. Worms: (i) Worms are stand-alone pieces of software that replicate themselves. Unlike viruses, worms do not require other pieces of software to attach themselves to. (ii) Worms are spread either by exploiting an operating system vulnerability or by tricking a user into executing a program containing a worm. (iii) Worms may delete files, shut a system down, send unauthorized documents via e-mail messages, or create sufficient quantities of Internet traffic to cause a slowdown of the Internet.
c. Trojan Horses: (i) Trojan horses appear to be legitimate applications and are spread when a user is tricked into installing the program. (ii) Trojan horses can create backdoors through which an attacker can gain unauthorized access.
d. Spyware: Spyware is a piece of software, similar to a Trojan horse, that collects and sends information without authorization.

G. Methods for Internet Security

1. Backup and Recovery: Both the server and the client/local PCs should be backed up regularly. Backup of data maintained on client computers can be a particular weakness in network systems.
2. Download Policy: Disallowing the downloading of unauthorized software from the Internet.
3. Monitor for Suspicious Activity: The network administrator or other control group should continuously monitor electronic audit trails/logs for suspicious activity.
4. Anti-Virus Software: To protect against various types of malicious software, an organization can use anti-virus software. It is critical for the software to be continuously updated as new types of software attacks occur.
5. Install Operating System Security Patches: Operating system vendors periodically release system updates that patch security problems. These updates should be installed as soon as possible.
6. Log-off Policy: Requiring users to log off when they are away from their computers.
7. On-Site Spare Hardware: Keeping on-site spares for critical hardware that must be operating all of the time.
8. User Access Security: The system software should come with enough security monitoring features to ensure that the system is being used as directed and by whom directed. Users should be authenticated, and then the system should ensure that they access only those parts of the system for which they are authorized. Examples of security methods include passwords, expiration dates and usage limits, allowable log-in times and physical locations, limits on the number of incorrect log-in attempts, and different levels of access restriction.
9. Firewalls: Network software and/or hardware that prevents forbidden communication. Several important reasons to use firewalls include:
a. Impermeable Barrier: The creation of an impermeable barrier between a corporate internal network and the external Internet is the basic goal.
b. Information Protection: To protect information such as a network's e-mail and data files within an organization's site from internal non-authorized access.
c. Boundary Formation: To form a boundary between networked computers within the firewall and those outside.
10. Firewall Techniques: Firewalls are typically adopted to prevent unauthorized access to a network via the Internet (especially intranets). All communications to or from the network pass through the firewall, which blocks messages that fail to meet specified security criteria. Firewalls often use multiple techniques, which may include:
a. Packet Filter: Looks at each packet of information entering or leaving the network and evaluates it based on user-defined rules.
b. Application Filter or Gateway: Looks at each packet going to and from specific applications.
c. Proxy Server: Looks at all messages entering and leaving the network and hides the true network addresses.
11. Encryption: Encryption technology plays a significant role in ensuring confidentiality between electronic senders and receivers.
a. Encryption Software: Encryption software is based on mathematical conversion of ordinary text to encoded text through algorithms. The encrypted data (also called cipher text) is unintelligible without a deciphering mechanism. The encrypted data is translated back into a decoded message using a string of characters referred to as the key. The key system may be either private or public. The receiver can decode the message only with a secret key or password.
b. Public Key System: Public key systems are asymmetric, meaning that the key used to encrypt a message is not the same as the key used to decode the message. The sender uses the recipient's public key to encrypt the message, and the recipient uses a private key to decipher it.
c. Symmetric Encryption: Under symmetric encryption, the same key is used to both encrypt and decrypt the message. This means that the key must remain confidential.
12. Digital Signature: A digital code attached to a message that authenticates the sender. A common type of digital signature is the opposite of a public key encryption system (see above).
The sender encrypts the signature using a private key, and the recipient deciphers it using the public key.
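The three key arrangements of sections 11 and 12 in working code, as an added example that is not part of the chapter: asymmetric encryption with the recipient's public key, symmetric encryption with one shared secret, and a digital signature made with the private key and checked with the public key. The RSA parameters are textbook-sized (p = 61, q = 53) so the arithmetic can be checked by hand, and the symmetric cipher is a SHA-256 keystream XOR constructed here for illustration; both model the mechanism rather than a production implementation.

```python
"""Added example (not from the chapter): the key roles in sections 11 and 12.
RSA uses textbook-sized parameters (p=61, q=53, so n=3233) to keep the numbers
readable; the symmetric cipher is a SHA-256 keystream XOR built here for
illustration. Both model the mechanism, not a production implementation.
"""
import hashlib

# --- b. Public key system: (n, e) is published, d stays with the key owner ---
P, Q = 61, 53
N = P * Q                       # modulus, 3233
E = 17                          # public exponent
PHI = (P - 1) * (Q - 1)         # 3120
D = pow(E, -1, PHI)             # private exponent, inverse of E mod PHI (2753)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def rsa_encrypt(message: bytes, public_key) -> list:
    """Sender encrypts with the RECIPIENT's public key, one byte per block (255 < N)."""
    n, e = public_key
    return [pow(b, e, n) for b in message]


def rsa_decrypt(blocks: list, private_key) -> bytes:
    """Only the holder of the matching private key recovers the message."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in blocks)


# --- c. Symmetric encryption: one shared secret serves both directions ---
def symmetric_xor(data: bytes, key: bytes) -> bytes:
    """Counter-mode keystream from SHA-256; applying it again with the same key decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# --- 12. Digital signature: roles reversed, sign with private, verify with public ---
def digest(message: bytes, n: int) -> int:
    """Hash the message first; the signature covers the hash, reduced to the RSA range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    msg = b"Transfer 500 to account 12-3456"      # constructed sample message
    print("asymmetric round trip:", rsa_decrypt(rsa_encrypt(msg, PUBLIC_KEY), PRIVATE_KEY) == msg)
    shared = b"constructed-shared-secret"
    print("symmetric round trip: ", symmetric_xor(symmetric_xor(msg, shared), shared) == msg)
    sig = sign(msg, PRIVATE_KEY)
    print("signature verifies:   ", verify(msg, sig, PUBLIC_KEY))
    print("altered signature:    ", verify(msg, (sig + 1) % N, PUBLIC_KEY))
```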
