Upload: daniel-patterson, posted 27-Dec-2015

Update from Business Week

Number of Net Fraud Complaints
– 2002 – 48,252
– 2004 – 207,449

Update from Business Week: Cybertricks

Phishing / Pharming – viruses attached to emails and web sites drop monitoring software onto people's computers

Wi-Phishing – cybercrooks set up “free” wireless networks, monitor their use, and steal passwords and other identity information

Typosquatting – web site addresses similar to real sites (whitehouse.com)

Scope Of Bank Data Theft Grows To 676,000 Customers

– Largest breach of banking security in the U.S. to date
– Investigators learned that the bank employees normally conducted 40 to 50 searches of customer bank accounts as a daily part of their jobs. While the ring was in operation, however, they performed up to 500 account searches a day, looking for new data to steal.

Study: Insider revenge often behind cyberattacks (May 20, 2005, Computerworld)

Companies hoping to thwart insider attacks need to have good password, account and configuration management practices in place, as well as the right processes for disabling network access when employees are terminated.

Investigation of 49 cases of insider attacks – in 92% of the cases, a negative work-related event triggered the insider action.

Internal Control

Primary objectives of an AIS (AICPA)
– Identify and record all valid transactions
– Properly classify transactions
– Record transactions at the proper monetary value
– Record transactions in the proper accounting period
– Properly present transactions and related disclosures in the financial statements

AIS Auditing

Audit Through the Computer
– Review and evaluate internal controls during compliance testing

Audit With the Computer
– Direct verification of financial statement balances
– Part of substantive testing of account balances

Audit Around the Computer
– Treat the AIS as a black box
– Enter specific test transactions and determine if the output reflects those transactions

IS Auditing Techniques

Test data (black box testing)
– Both valid and invalid input
– Procedure:
  Determine expected output before processing the input
  Run the input transaction through the system
  Compare actual output with expected output
  Determine the cause of any discrepancy
– Good for:
  Verifying validation controls
  Verifying computational routines (depreciation calculations)

IS Auditing Techniques

Test data (black box testing) – complications
– Will not detect fraud by clever programmers
– How do you reverse the test transactions?
– Not feasible to test all combinations of logic within a program

IS Auditing Techniques

Integrated Test Facility
– Create fictitious entities within the system for testing
– Run test transactions in conjunction with live data
– Must exclude fictitious entities and data from normal output reports (financial statements)
– Same technique used in the Equity Funding scandal

IS Auditing Techniques

Parallel Simulation
– Process real data through test programs (as opposed to processing test data through real programs)
– Compare regular output with simulated output
– Very useful when evaluating changes or upgrades to a system: need to ensure that upgrades did not negatively affect existing routines
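The test-data and parallel-simulation techniques above, worked as code. This is an added example, not part of the slides: the straight-line depreciation routine, the auditor's independent re-implementation, the test transactions and the asset records are all constructed for illustration. The test-data run decides each expected output before the input is processed and reports every discrepancy; the parallel simulation pushes the same "real" records through both programs and reports where they disagree.

```python
"""Added example (not from the slides): two IS-audit techniques exercised
against a small, constructed straight-line depreciation routine.

1. Test data (black box): the auditor decides the expected output BEFORE
   running each transaction, runs valid and invalid inputs through the
   production routine, and reports any discrepancy for investigation.
2. Parallel simulation: real (here: constructed) asset records are processed
   through the auditor's own independent program and compared with the
   production routine's output.
"""
from dataclasses import dataclass


class ValidationError(ValueError):
    """Raised by the production routine's input validation control."""


def production_depreciation(cost: float, salvage: float, life_years: int) -> float:
    """The 'real program' under audit: annual straight-line depreciation.
    Includes the validation controls the test-data technique is meant to verify."""
    if cost <= 0 or salvage < 0 or life_years <= 0:
        raise ValidationError("cost must be > 0, salvage >= 0, life > 0")
    if salvage > cost:
        raise ValidationError("salvage value cannot exceed cost")
    return round((cost - salvage) / life_years, 2)


def auditor_simulation(cost: float, salvage: float, life_years: int) -> float:
    """Auditor's independently written version of the same calculation,
    written without reference to production_depreciation, as parallel
    simulation requires."""
    depreciable_base = cost - salvage
    return round(depreciable_base * (1.0 / life_years), 2)


@dataclass
class TestTransaction:
    """One test-data transaction with its expected outcome decided in advance."""
    description: str
    cost: float
    salvage: float
    life_years: int
    expected: object  # a number, or ValidationError if the input must be rejected


def run_test_data(transactions):
    """Run each input through the system, compare actual with expected output,
    and collect the discrepancies the auditor must explain."""
    discrepancies = []
    for t in transactions:
        try:
            actual = production_depreciation(t.cost, t.salvage, t.life_years)
        except ValidationError:
            actual = ValidationError
        if actual != t.expected:
            discrepancies.append((t.description, t.expected, actual))
    return discrepancies


def run_parallel_simulation(asset_records):
    """Process the same real records through production and simulation;
    return the records where the two outputs differ."""
    differences = []
    for asset_id, cost, salvage, life in asset_records:
        prod = production_depreciation(cost, salvage, life)
        sim = auditor_simulation(cost, salvage, life)
        if prod != sim:
            differences.append((asset_id, prod, sim))
    return differences


# Constructed test data: valid inputs with pre-computed expected output,
# plus invalid inputs that the validation control must reject.
TEST_TRANSACTIONS = [
    TestTransaction("vehicle, 5-year life", 30000, 5000, 5, 5000.00),
    TestTransaction("laptop, 3-year life", 1200, 0, 3, 400.00),
    TestTransaction("negative cost", -500, 0, 5, ValidationError),
    TestTransaction("salvage above cost", 1000, 2000, 5, ValidationError),
    TestTransaction("zero life", 1000, 100, 0, ValidationError),
]

# Constructed "real" fixed-asset records for the parallel simulation.
ASSET_RECORDS = [
    ("A-100", 30000, 5000, 5),
    ("A-101", 8500, 500, 4),
    ("A-102", 999.99, 0, 3),
]

if __name__ == "__main__":
    print("test data discrepancies:", run_test_data(TEST_TRANSACTIONS))
    print("parallel simulation differences:", run_parallel_simulation(ASSET_RECORDS))
```

Both lists come back empty for the constructed data; a non-empty list is the auditor's work queue. Note the complication from the slides: a test transaction whose expected value was itself computed wrongly (as in the last assertion below) shows up as a discrepancy too, which is why the cause of each one has to be determined rather than assumed.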

IS Auditing Techniques

Embedded Audit Routines – modify computer programs for audit purposes
– Snapshot
  Status of the system at a given point in time
  Take a snapshot of the database before the transaction, process the transaction, then take a snapshot of the database after
– Trace
  Detailed audit trail
  Requires in-depth knowledge of the computer program
– Desk Check
  Manually process the transaction through the program logic (as provided in a flowchart or program listing)
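The snapshot and trace routines above, as an added example that is not part of the slides. A constructed in-memory dictionary stands in for the database, and the account numbers and transactions are constructed as well. The embedded routine copies the ledger before the production posting logic runs and again afterwards, and writes the difference, together with the program steps the trace collected, to an audit log; rejected transactions are logged with an empty change set, which is itself useful evidence that the validation control fired.

```python
"""Added example (not from the slides): the 'snapshot' and 'trace' embedded
audit routines on a constructed in-memory ledger that stands in for the
database. The audit routine copies the ledger before a transaction is
posted and again after, and records the difference (plus the program steps
taken) as an audit-trail entry, so the auditor sees exactly what each
transaction changed, including transactions that were rejected."""
import copy


def snapshot(ledger):
    """Status of the system at a point in time: a deep copy of the ledger."""
    return copy.deepcopy(ledger)


def diff_snapshots(before, after):
    """Return {account: (old_balance, new_balance)} for every account that changed."""
    changes = {}
    for acct in sorted(set(before) | set(after)):
        old, new = before.get(acct), after.get(acct)
        if old != new:
            changes[acct] = (old, new)
    return changes


def post_transaction(ledger, txn, trace):
    """Production posting logic. Each account holds its normal balance, so a
    debit increases the debit account and a credit increases the credit
    account. `trace` collects the steps executed, as the trace routine would."""
    trace.append("validate")
    if txn["amount"] <= 0:
        raise ValueError("amount must be positive")
    if txn["debit"] not in ledger or txn["credit"] not in ledger:
        raise ValueError("unknown account")
    trace.append(f"debit {txn['debit']}")
    ledger[txn["debit"]] = round(ledger[txn["debit"]] + txn["amount"], 2)
    trace.append(f"credit {txn['credit']}")
    ledger[txn["credit"]] = round(ledger[txn["credit"]] + txn["amount"], 2)
    trace.append("commit")


def audited_post(ledger, txn, audit_log):
    """Embedded audit routine wrapped around the production logic:
    snapshot before, process, snapshot after, log the difference."""
    before = snapshot(ledger)
    trace = []
    try:
        post_transaction(ledger, txn, trace)
        status = "posted"
    except ValueError as exc:
        status = f"rejected: {exc}"
    after = snapshot(ledger)
    entry = {
        "txn_id": txn["id"],
        "status": status,
        "changes": diff_snapshots(before, after),
        "trace": trace,
    }
    audit_log.append(entry)
    return entry


def run_demo():
    """Constructed ledger and three transactions (one valid, two that the
    validation control must reject); returns the resulting audit log."""
    ledger = {"1010-cash": 10000.00, "1200-receivables": 4000.00, "4000-sales": 0.00}
    audit_log = []
    audited_post(ledger, {"id": "T1", "debit": "1010-cash", "credit": "4000-sales", "amount": 250.00}, audit_log)
    audited_post(ledger, {"id": "T2", "debit": "1010-cash", "credit": "4000-sales", "amount": -50.00}, audit_log)
    audited_post(ledger, {"id": "T3", "debit": "1010-cash", "credit": "9999-unknown", "amount": 10.00}, audit_log)
    return audit_log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The trace list is what makes the audit trail "detailed" in the sense of the slide: for T3 it stops at "validate", which tells the auditor which check rejected the transaction without re-reading the program.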

Internal Control

Time to put it all together

Internal Control Process: Control Environment

Bridge, Mike and Ian Moss. “COSO back in the limelight” http://www.pwc.com/extweb/indissue.nsf/docid/41D0EC9E16678147CA256D030038030B

Control Environment
– Integrity and ethical values (ethics and corporate culture)
– Commitment to competence
– Management philosophy and operating style
– Responsibility and commensurate authority
– Human resources
  Adequate supervision
  Job rotation and forced vacations
  Dual control

Internal Control Process: Risk Assessment


Apply Risk Assessment Framework
– What is the threat?
– What is the likelihood that the threat will occur?
– What is the potential damage from the threat?
– What controls can be used to minimize the damage?
– What is the cost of implementing the control?
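The five questions of the framework carried through as a calculation, as an added example that is not part of the slides. The threat register, likelihoods, damage figures, controls and costs are all constructed; the three threats are the Business Week "cybertricks" from earlier in the deck, chosen only to make the register concrete. Expected annual loss is likelihood per year times damage per occurrence, and a control is recommended only when the loss it avoids exceeds its annual cost.

```python
"""Added example (not from the slides): the five risk-assessment questions
carried through as a calculation over a constructed threat register.
Expected annual loss = likelihood per year x potential damage; a control is
recommended when the loss it would avoid exceeds its annual cost. Threat
names, figures and control costs are all constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str                   # 1. what is the threat?
    likelihood_per_year: float  # 2. how often is it expected to occur?
    damage: float               # 3. potential damage per occurrence
    control: str                # 4. control that could minimize the damage
    control_cost: float         # 5. annual cost of implementing the control
    residual_fraction: float    # share of the loss remaining with the control in place


def expected_loss(t: Threat) -> float:
    """Annualized expected loss without the control."""
    return round(t.likelihood_per_year * t.damage, 2)


def loss_avoided(t: Threat) -> float:
    """Part of the expected loss the control removes."""
    return round(expected_loss(t) * (1.0 - t.residual_fraction), 2)


def assess(threats):
    """Rank threats by expected loss and decide, per threat, whether the
    control pays for itself. Returns one dict per threat, highest risk first."""
    rows = []
    for t in sorted(threats, key=expected_loss, reverse=True):
        avoided = loss_avoided(t)
        rows.append({
            "threat": t.name,
            "expected_loss": expected_loss(t),
            "control": t.control,
            "loss_avoided": avoided,
            "control_cost": t.control_cost,
            "net_benefit": round(avoided - t.control_cost, 2),
            "recommend": avoided > t.control_cost,
        })
    return rows


# Constructed register; the figures are illustrative, not measured.
THREAT_REGISTER = [
    Threat("phishing e-mail dropping spyware", 4.0, 15000.0,
           "mail filtering plus awareness training", 20000.0, 0.30),
    Threat("credential theft on rogue 'free' wireless", 0.5, 50000.0,
           "VPN required for remote access", 8000.0, 0.20),
    Threat("customers misdirected to typosquatted domain", 1.0, 5000.0,
           "register look-alike domain names", 6000.0, 0.50),
]

if __name__ == "__main__":
    for row in assess(THREAT_REGISTER):
        print(row)
```

The last row is the point of the fifth question: a control that works (it halves the loss) can still fail the test when it costs more than the loss it avoids, so the answer is "accept the risk" or "find a cheaper control", not "implement anyway".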

Internal Control Process: Control Activities


Control Activities

Constraints imposed on a user or a system to secure systems against risks.

Types
– Prevent
– Detect
– Correct

General vs. IT-specific

Segregation of Systems Duties
– Systems Administration
– Network Management
– Security Management
– Change Management
– Systems Analysis
– Programming/Development
– Test and Validation
– Computer Operations
– Data Control

Internal Control Process: Information and Communication


Information and Communication

Need to understand:
– How transactions are initiated
– How data are captured in machine-readable form (or converted from source documents into machine-readable form)
– How computer files are accessed and updated
– How data are processed
– How information is reported to internal and external users

Internal Control Process: Monitoring


Monitoring
– Effective supervision
– Responsibility accounting
– Monitor system activities
  Review computer and network security
  Detect illegal entry
  Test for weaknesses and vulnerabilities
  Monitor for viruses, spyware, spam, pop-ups, etc.
– Track purchased software
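Two of the "monitor system activities" checks above in code, as an added example that is not part of the slides. The first uses the bank data theft case earlier in the deck as its baseline: employees normally ran 40 to 50 customer-account searches a day and up to 500 a day while the ring operated, so the check counts searches per employee per day and alerts well below 500. The second counts failed logins per account per day as a simple "illegal entry" indicator. The log line format, user names, thresholds and every log line are constructed for this example; a real system's audit log would need its own parser.

```python
"""Added example (not from the slides): monitoring system activity over
constructed audit-log lines. Two of the Monitoring checks in code form:
  * excessive customer-account searches per employee per day, with the bank
    case earlier in the deck as the baseline (40-50 searches a day was normal,
    up to 500 a day during the theft ring);
  * repeated failed logins on one account, a simple 'illegal entry' signal.
The log format, user names and thresholds are all constructed for this example."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=(?P<action>\S+)(?: result=(?P<result>\S+))?$"
)

NORMAL_DAILY_SEARCHES = 50  # upper end of the normal range cited in the bank case
SEARCH_ALERT_FACTOR = 3     # alert at 3x normal (150/day), well before the 500/day seen in the ring
FAILED_LOGIN_LIMIT = 5      # failed logins on one account in one day before alerting


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def excessive_searches(lines, limit=NORMAL_DAILY_SEARCHES * SEARCH_ALERT_FACTOR):
    """{(user, date): count} for every user-day with more searches than `limit`."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "account_search":
            counts[(rec["user"], rec["date"])] += 1
    return {key: n for key, n in counts.items() if n > limit}


def repeated_failed_logins(lines, limit=FAILED_LOGIN_LIMIT):
    """{(user, date): count} for every user-day with at least `limit` failed logins."""
    fails = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "login" and rec["result"] == "fail":
            fails[(rec["user"], rec["date"])] += 1
    return {key: n for key, n in fails.items() if n >= limit}


def build_sample_log():
    """Constructed log: teller01 has a normal day (45 searches), teller02 an
    abnormal one (200 searches), and 'admin' sees six failed logins; one
    malformed line is included to show that it is skipped rather than counted."""
    lines = []
    for i in range(45):
        lines.append(f"2005-05-20 {9 + i // 60:02d}:{i % 60:02d}:00 user=teller01 action=account_search")
    for i in range(200):
        lines.append(f"2005-05-20 {9 + i // 60:02d}:{i % 60:02d}:30 user=teller02 action=account_search")
    for i in range(6):
        lines.append(f"2005-05-20 22:15:{i:02d} user=admin action=login result=fail")
    lines.append("2005-05-20 22:16:00 user=admin action=login result=ok")
    lines.append("this line is not in the expected format")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("excessive searches:", excessive_searches(SAMPLE_LOG))
    print("repeated failed logins:", repeated_failed_logins(SAMPLE_LOG))
```

The per-user, per-day baseline is the part worth copying: the bank case was only visible because someone compared the ring's 500 searches a day with the 40 to 50 that the same job normally needed, and a fixed global limit set high enough for every role would have missed it.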

In-Class Exercise

Problem 36, pg 477

Final Project

Project 3