Auditing Operating Systems

The operating system is the computer's control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases and printers.

Operating System Objectives

The operating system performs three main tasks. First, it translates high-level languages such as COBOL, C++, BASIC and SQL into the machine-level language that the computer can execute. Second, it allocates computer resources to users, workgroups and applications. Third, it manages job scheduling and multiprogramming. Jobs are submitted to the system in three ways:
1. Directly by the system operator
2. From various batch-job queues
3. Through telecommunications links from remote workstations

Operating System Security

Operating system security involves the policies, procedures and controls that determine who can access the operating system.

Log-on procedures: a formal log-on procedure is the operating system's first line of defense against unauthorized access.

Access token: if the log-on attempt is successful, the operating system creates an access token that contains key information about the user, including user ID, password and the privileges granted to the user.

Access control list: an access control list is assigned to each IT resource and controls access to that resource.

Discretionary access privileges: the central system administrator usually determines who is granted access to specific resources and maintains the access control list.

Threats to Operating System Integrity

Operating system control objectives may not be achieved because of flaws in the operating system that are exploited either accidentally or intentionally.

Operating System Controls and Audit Tests

If operating system integrity is compromised, controls within individual accounting applications that impact financial reporting may also be compromised. The control areas and the related audit work are:
Controlling access privileges
Audit procedures relating to access privileges
Password controls
Audit objectives relating to passwords
Controlling against malicious and destructive programs
Audit objectives relating to viruses
Audit procedures relating to viruses
System audit trail controls
Keystroke monitoring
Event monitoring

Setting audit trail objectives
Detecting unauthorized access
Reconstructing events
Personal accountability

Implementing a system audit trail
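As an added illustration (not part of the original notes) of how the pieces above fit together, the following Python model chains a log-on procedure, an access token, per-resource access control lists and a system audit trail, then shows the audit work the trail supports: detecting unauthorized access, reconstructing one user's events and attributing them to an individual. The users, resources and ACL entries are constructed; the token here carries the user ID and privileges only.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class AccessToken:
    user_id: str
    privileges: dict            # resource -> set of actions granted to this user

# Hypothetical access control lists, one per IT resource:
# resource -> {user_id: permitted actions}. Maintained by the administrator.
ACL = {
    "GL_MASTER": {"acct01": {"READ", "WRITE"}, "audit01": {"READ"}},
    "PAYROLL":   {"hr01": {"READ", "WRITE"}},
}
# Constructed credential store for the model (a real OS stores password hashes).
USERS = {"acct01": "s3cret", "hr01": "pw", "audit01": "ro"}

AUDIT_TRAIL = []                # the system audit trail: one record per event

def log_event(user_id, resource, action, outcome):
    AUDIT_TRAIL.append({"ts": datetime.now(timezone.utc).isoformat(),
                        "user": user_id, "resource": resource,
                        "action": action, "outcome": outcome})

def log_on(user_id, password):
    """Formal log-on procedure: returns an access token, or None on failure."""
    if USERS.get(user_id) == password:
        privs = {r: set(acl[user_id]) for r, acl in ACL.items() if user_id in acl}
        log_event(user_id, "OS", "LOGON", "SUCCESS")
        return AccessToken(user_id, privs)
    log_event(user_id, "OS", "LOGON", "FAILURE")   # failed attempts are logged too
    return None

def access(token, resource, action):
    """ACL check: the user named in the token must hold `action` on `resource`."""
    allowed = action in ACL.get(resource, {}).get(token.user_id, set())
    log_event(token.user_id, resource, action, "GRANTED" if allowed else "DENIED")
    return allowed

def unauthorized_attempts(trail):
    """Detecting unauthorized access: failed log-ons and denied requests."""
    return [e for e in trail if e["outcome"] in ("FAILURE", "DENIED")]

def reconstruct(trail, user_id):
    """Reconstructing events / personal accountability: one user's actions, in order."""
    return [(e["resource"], e["action"], e["outcome"])
            for e in trail if e["user"] == user_id]
```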
Audit objectives relating to system audit trails
Audit procedures relating to system audit trails

Auditing Networks
Reliance on networks for business communications raises concerns about unauthorized access to confidential information.

Intranet Risks and Internet Risks

Intranet risks: intranets consist of small LANs and large WANs that may contain thousands of individual nodes. The main risks are:
Interception of network messages
Access to corporate databases
Privileged employees

Internet risks: this section looks at three of the more significant business risks associated with Internet commerce.
IP spoofing
Denial of service attacks
1. SYN flood attack
2. Smurf attack
3. Distributed denial of service
4. Motivation behind DoS attacks

Controlling Networks

In the following section, we examine various control techniques employed to mitigate the risks outlined in the previous section.

Controlling Risks from Subversive Threats

Firewalls: organizations connected to the Internet or other public networks often implement an electronic firewall to insulate their intranet from outside intruders. A firewall is a system that enforces access control between two networks. Two types of firewall accomplish this:
Network-level firewalls
Application-level firewalls
Controlling denial of service attacks: a previous section described three common forms of denial of service attack: SYN flood, smurf and distributed denial of service (DDoS) attacks.

Encryption

Encryption is the conversion of data into a secret code for storage in databases and transmission over networks.

Digital signatures: electronic authentication that cannot be forged.

Digital certificates: the aforementioned process proves that the message received was not tampered with during transmission.

Further controls against subversive threats:
Message sequence numbering
Message transaction log
Request-response technique
Call-back devices
Audit objectives relating to subversive threats
Audit procedures relating to subversive threats

Controlling Risks from Equipment Failure

Line errors: the most common problem in data communications is data loss due to line error.

Echo check: the receiver of the message returns the message to the sender.

Parity check: an extra bit (the parity bit) is incorporated into the structure of a bit string when it is created or transmitted.

Auditing Electronic Data Interchange (EDI)

EDI is the intercompany exchange of computer-processable business information in a standard format.

EDI standards: the key to EDI success is the use of a standard format for messaging between dissimilar systems.

Benefits of EDI: EDI has made considerable inroads in a number of industries, including automotive, groceries, retail, health care and electronics.

Financial EDI: using electronic funds transfer (EFT) for cash disbursements and cash receipts is more complicated than using EDI for purchasing and selling activities.

EDI controls: the absence of human intervention in the EDI process presents a unique twist to traditional control problems, including ensuring that transactions are authorized and valid, preventing unauthorized access to data files and maintaining an audit trail of transactions.
Access controls: to function smoothly, EDI trading partners must permit a degree of access to private data files that would be forbidden in a traditional environment.

EDI audit trail: the absence of source documents in EDI transactions eliminates the traditional audit trail and restricts the ability of accountants to verify the validity, completeness, timing and accuracy of transactions.

Auditing PC-Based Accounting Systems: PC-System Risks and Controls

The software market offers hundreds of PC-based accounting systems. As previously discussed, the operating system and network control techniques in mainframe and distributed environments provide effective system security. PC environments raise the following issues:
Operating system weaknesses
Weak access control
Inadequate segregation of duties
Multilevel password control
Risks of theft
Weak backup procedures
Risks of virus infection
Audit objectives associated with PC security
Audit procedures associated with PC security

The discussion then turned to EDI, where firms face a variety of exposures that arise in an environment void of human intermediaries to authorize or review transactions. Controls in an EDI environment are achieved primarily through programmed procedures that authorize transactions, limit access to data files, and ensure that the transactions the system processes are valid. Three of the most serious exposures are:
1. The lack of properly segregated duties,
2. PC operating systems that do not have the sophistication of mainframes and expose data to unauthorized access, and
3. Computer failures and inadequate backup procedures that rely too heavily on human intervention and thus threaten the security of accounting records.
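Added example, not from the original notes, serving both the message sequence numbering and transaction log controls listed under subversive threats and the EDI control objectives above: a Python model of an inbound EDI gateway that authorizes the trading partner and transaction set, checks the message sequence number for replays and gaps, validates the amount, and writes every outcome to a transaction log that stands in for the missing paper audit trail. The partner table, limits and transaction-set codes are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical trading-partner table: which transaction sets each partner is
# authorized to send and the limit used as a validity check on amounts.
# Codes follow X12 usage (850 = purchase order, 810 = invoice) but are illustrative.
PARTNERS = {
    "ACME": {"allowed_sets": {"850"}, "limit": 50_000},
    "BOLT": {"allowed_sets": {"850", "810"}, "limit": 10_000},
}

@dataclass
class EdiMessage:
    partner: str
    seq: int                    # message sequence number assigned by the sender
    tx_set: str                 # transaction set identifier
    amount: float

@dataclass
class EdiGateway:
    expected_seq: dict = field(default_factory=dict)      # partner -> next seq expected
    transaction_log: list = field(default_factory=list)   # stands in for the paper audit trail

    def _log(self, msg, outcome):
        self.transaction_log.append((msg.partner, msg.seq, msg.tx_set, msg.amount, outcome))
        return outcome

    def receive(self, msg):
        """Programmed controls: authorize, check sequence, validate, log every outcome."""
        p = PARTNERS.get(msg.partner)
        if p is None:
            return self._log(msg, "REJECT:unknown-partner")
        if msg.tx_set not in p["allowed_sets"]:
            return self._log(msg, "REJECT:unauthorized-transaction-set")
        expected = self.expected_seq.get(msg.partner, 1)
        if msg.seq < expected:                 # already seen: duplicate or replayed message
            return self._log(msg, "REJECT:duplicate-or-replay")
        if msg.seq > expected:                 # gap: messages lost or intercepted; do not advance
            return self._log(msg, f"HOLD:gap-expected-{expected}")
        if not 0 < msg.amount <= p["limit"]:
            return self._log(msg, "REJECT:invalid-amount")
        self.expected_seq[msg.partner] = expected + 1
        return self._log(msg, "ACCEPT")

    def exceptions(self):
        """Audit procedure: every logged message that was not accepted, for follow-up."""
        return [e for e in self.transaction_log if e[-1] != "ACCEPT"]
```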