audit in computerized accounting system

Upload: jean-remollino

Post on 04-Jun-2018


TRANSCRIPT

  • 8/13/2019 audit in Computerized accounting system

    1/21

    Encryption

    It is the conversion of data into a secret code for storage in databases and transmission over networks.

    The sender uses an encryption algorithm to convert the original message into a coded equivalent; the receiver decodes it back into the original message.

    The Caesar cipher is the earliest encryption method.

  • Slide 2/21

    2 fundamental components

    Key - a selected mathematical value.

    Algorithm - the simple procedure of shifting each letter in a cleartext message the number of positions indicated by the key value.

    Ex. +3: shift each letter three places to the right.

    A in the cleartext would be represented as the letter D in the ciphertext message.

    Modern-day encryption algorithms are more complex, and encryption keys are 40-128 bits in length.

  • Slide 3/21

    Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ

    Cipher: XYZABCDEFGHIJKLMNOPQRSTUVW

    When encrypting, a person looks up each letter of the message in the "plain" line and writes down the corresponding letter in the "cipher" line. Deciphering is done in reverse, with a right shift of 3.

    Ciphertext: QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD

    Plaintext: the quick brown fox jumps over the lazy dog
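    The shift cipher of slides 2 and 3 in working form, as an added example that is not part of the original slides: it reproduces the slide's "cipher" line and its fox sentence, and it lists every candidate plaintext to show how small the key space is compared with the 40-128 bit keys mentioned on slide 2.

```python
# Added example (not from the slides): the Caesar cipher of slides 2 and 3.
import string

ALPHABET = string.ascii_uppercase

def caesar(text: str, shift: int) -> str:
    """Shift every letter `shift` positions (positive = right, negative = left),
    wrapping around the alphabet; case is kept and non-letters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def substitution_line(shift: int) -> str:
    """The 'cipher' alphabet line for a given shift, as drawn on slide 3 (shift -3)."""
    return caesar(ALPHABET, shift)

def encrypt(plaintext: str, shift: int) -> str:
    """Slide 3 convention: lowercase plaintext in, uppercase ciphertext out."""
    return caesar(plaintext.upper(), shift)

def decrypt(ciphertext: str, shift: int) -> str:
    """Deciphering is the same shift in the opposite direction."""
    return caesar(ciphertext, -shift).lower()

def all_candidate_plaintexts(ciphertext: str) -> dict:
    """The key is one of only 26 shifts, so every possible plaintext can be listed;
    this is the weakness that modern multi-bit keys (slide 2) are designed to remove."""
    return {k: decrypt(ciphertext, k) for k in range(26)}

if __name__ == "__main__":
    print("Plain: ", ALPHABET)
    print("Cipher:", substitution_line(-3))
    ct = encrypt("the quick brown fox jumps over the lazy dog", -3)
    print(ct, "->", decrypt(ct, -3))
```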

  • Slide 4/21

    2 Commonly Used Methods of Encryption

    Private Key Encryption - Data Encryption Standard (DES)

    Uses a single key known to both the sender and the receiver of the message.

    Public Key Encryption

    Uses two different keys: one for encoding the message and the other for decoding it.

  • Slide 5/21

    Data Encryption Standard Technique

    [Figure: DES flow. SENDER: cleartext message -> encryption program (with key) -> ciphertext -> communications system. RECEIVER: communications system -> ciphertext -> encryption program (with key) -> cleartext message. Key extension: use double encryption.]

  • Slide 6/21

    Digital Certificates / Digital Signatures

    A digital certificate is an attachment to an electronic message used for security purposes:

    - to verify that the user sending a message is who he or she claims to be;

    - to provide the receiver with a means to encode a reply.

    The most widely used digital certificate standard is X.509.

  • Slide 7/21

    [Figure: sending an encrypted message. Labels: send an encrypted message; internet; Certificate Authority; decode; verifies; send.]


  • Slide 9/21

    Business Recovery Plan - also known as DRP

    - an effective control in e-commerce firms.

    Incident Response Plan - a similar technique

    - prepare and plan for such an event so that, if it occurs, the processes can be handled without pressure.

  • Slide 10/21

    Controlling Exposures from Equipment Failure

    Line Errors

    Echo Check

    Involves the receiver returning the message to the sender.

    Parity Check

    Incorporates an extra bit (the parity bit) into the structure of a bit string when it is created or transmitted.

    Most common problem

    Noise on communication lines, which consists of random signals.

  • Slide 11/21

    Vertical and Horizontal Parity Using Odd Parity

    [Figure reconstructed from the slide's grid. Each row is one 7-bit character followed by its own parity bit; the last row is the parity character computed over the block. Figure labels: vertical parity bit, horizontal parity bit, bit structure of character, block of data, start of message, end of message.]

    Character bits    Parity bit
    1 0 1 1 0 0 0     0
    0 0 0 0 0 0 0     1
    1 1 1 1 1 0 0     0
    0 0 0 0 0 1 1     1
    0 0 0 0 0 1 1     1
    1 0 1 0 1 1 1     0
    1 1 1 0 1 0 0     1
    0 0 1 0 0 1 1     0
    1 1 0 1 0 1 1     0     (parity character for the block)
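    The two-dimensional odd parity of slides 10 and 11 as an added example (not code from the slides): it encodes the slide's eight characters, reproduces the grid, and shows the receiver-side check locating a single bit flipped by line noise while only detecting, not locating, a double flip.

```python
# Added example (not from the slides): two-dimensional odd parity as drawn on slide 11.
# Each character carries 7 data bits plus a parity bit; a parity character covers the block.
from typing import List, Optional, Tuple

# The eight 7-bit characters transcribed from the slide's grid.
SLIDE_BLOCK = ["1011000", "0000000", "1111100", "0000011",
               "0000011", "1010111", "1110100", "0010011"]

def odd_parity_bit(bits: str) -> str:
    """The bit that makes the total number of 1s (data plus parity) odd."""
    return "0" if bits.count("1") % 2 == 1 else "1"

def encode_block(chars: List[str]) -> List[str]:
    """Append a parity bit to every character, then append the block's parity character.
    Bit i of the parity character is the odd-parity bit over bit i of all characters."""
    width = len(chars[0])
    rows = [c + odd_parity_bit(c) for c in chars]
    column_bits = "".join(odd_parity_bit("".join(r[i] for r in rows)) for i in range(width))
    rows.append(column_bits + odd_parity_bit(column_bits))
    return rows

def check_block(rows: List[str]) -> Tuple[bool, Optional[Tuple[int, int]]]:
    """Receiver-side check. Returns (ok, location): a single flipped bit is located as
    (row, column), column == width meaning the row's own parity bit; several flipped
    bits are detected (ok is False) but not located (location is None)."""
    width = len(rows[0]) - 1
    bad_rows = [r for r, row in enumerate(rows) if row.count("1") % 2 == 0]
    bad_cols = [c for c in range(width)
                if sum(1 for row in rows if row[c] == "1") % 2 == 0]
    if not bad_rows and not bad_cols:
        return True, None
    if len(bad_rows) == 1 and len(bad_cols) <= 1:
        return False, (bad_rows[0], bad_cols[0] if bad_cols else width)
    return False, None

def flip_bit(rows: List[str], r: int, c: int) -> List[str]:
    """Simulate line noise flipping one bit; returns a new block."""
    row = rows[r]
    flipped = row[:c] + ("0" if row[c] == "1" else "1") + row[c + 1:]
    return rows[:r] + [flipped] + rows[r + 1:]

if __name__ == "__main__":
    block = encode_block(SLIDE_BLOCK)
    for row in block:
        print(row[:-1], row[-1])
    print(check_block(block), check_block(flip_bit(block, 5, 2)))
```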

  • Slide 12/21

    Audit Objectives

    Verify the security and integrity of the electronic commerce transactions by determining that controls

    1.) can detect and correct message loss due to equipment failure,

    2.) can prevent and detect illegal access both internally and from the internet, and

    3.) will render useless any data that are successfully captured by a perpetrator.

  • Slide 13/21

    Audit Objectives

    Verify that backup procedures are sufficient to preserve the integrity and physical security of the databases and other files connected to the network.

    Determine that:

    - all EDI transactions are authorized, validated, and in compliance with the trading partner agreement;

    - no unauthorized organization accessed database records;

    - authorized trading partners have access only to approved data; and

    - adequate controls are in place to ensure a complete audit trail of all EDI transactions.

  • Slide 14/21

    Backup Control for Networks

    Verify that backup is performed routinely and frequently to facilitate the recovery of lost, destroyed and corrupted data. Production databases should be copied at regular intervals.

    Verify that automatic backup procedures are in place and are functioning, and that copies are stored off-site.

  • Slide 15/21

    Transaction Validation

    Any unauthorized trading partner transactions are rejected by the VAN before they reach the vendor's system.

    Before being converted, the translation software can validate the trading partner's (TP's) ID and password against a validation file in the firm's database.

    Before processing, the TP's application software can validate the transaction by referencing the valid customer and vendor files.

    Access Control

    To guard against unauthorized access, each company must establish valid vendor and customer files.

    User authority tables can also be established.

  • Slide 16/21

    Test of Validation Controls

    - Review agreements with the VAN facility to validate transactions and ensure that information is complete and correct.

    - Examine the organization's valid trading partner file for accuracy and completeness.

    Test of Access Controls - verify control adequacy in 3 ways:

    - Determine that access is limited to authorized employees only.

    - Reconcile the terms of the trading partner agreement against the access privileges stated in the database authority table.

    - The auditor should simulate access by a sample of TPs and attempt to violate access privileges.
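    The second and third access-control tests above (reconciling agreements against the authority table, and simulating access by a sample of trading partners) as an added example that is not part of the original slides; the partner names, privilege names and the two seeded discrepancies are constructed sample data.

```python
# Added example (not from the slides): the access-control tests on slide 16, reconciling
# trading partner agreements against a database authority table and simulating access.
# All partner names and privileges below are constructed sample data.
from typing import Dict, List, Set, Tuple

# What each trading partner agreement permits (constructed).
AGREEMENTS: Dict[str, Set[str]] = {
    "TP-ACME": {"purchase_orders:write", "invoices:read"},
    "TP-GLOBEX": {"invoices:write"},
}
# What the database authority table actually grants (constructed; two discrepancies seeded).
AUTHORITY_TABLE: Dict[str, Set[str]] = {
    "TP-ACME": {"purchase_orders:write", "invoices:read", "price_list:write"},
    "TP-GLOBEX": {"invoices:write"},
    "TP-INITECH": {"invoices:read"},  # no agreement on file at all
}

def reconcile(agreements: Dict[str, Set[str]],
              table: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per partner: privileges granted beyond the agreement ('excess') and privileges agreed
    but not granted ('missing'). A partner in the table with no agreement is all excess."""
    findings = {}
    for tp in sorted(set(agreements) | set(table)):
        agreed, granted = agreements.get(tp, set()), table.get(tp, set())
        excess, missing = granted - agreed, agreed - granted
        if excess or missing:
            findings[tp] = {"excess": excess, "missing": missing}
    return findings

def simulate_access(table: Dict[str, Set[str]], tp: str, privilege: str) -> bool:
    """The access decision the system would make: granted only if the authority table says so."""
    return privilege in table.get(tp, set())

def probe_violations(agreements: Dict[str, Set[str]],
                     table: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Auditor's simulated access: for each partner, request every privilege that its own
    agreement does not cover and report the requests the table wrongly allows."""
    every_privilege = set().union(*agreements.values(), *table.values())
    return sorted((tp, p) for tp in table
                  for p in every_privilege - agreements.get(tp, set())
                  if simulate_access(table, tp, p))

if __name__ == "__main__":
    for tp, f in reconcile(AGREEMENTS, AUTHORITY_TABLE).items():
        print(tp, "excess:", sorted(f["excess"]), "missing:", sorted(f["missing"]))
    print("violations:", probe_violations(AGREEMENTS, AUTHORITY_TABLE))
```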

  • Slide 17/21

    Test of Audit Trail Controls

    The auditor should verify that the EDI system produces a transaction log that tracks transactions through all stages of processing.


  • Slide 19/21

    Verify the encryption process by transmitting a test message and examining the contents at various points along the channel between the sending and receiving locations.

    Review the adequacy of the firewall in achieving the proper balance between control and convenience based on the organization's business objectives and potential risks.

  • Slide 20/21

    Criteria for Assessing Firewall Effectiveness

    - Flexibility

    - Proxy services

    - Filtering

    - Segregation of systems

    - Audit tools

    - Probe for weaknesses

    - Review password control procedures
