CH2 GRAMLING
Auditing standards historically have reflected a belief that it is not reasonable to expect auditors to detect
cleverly implemented frauds. The general public, however, as reflected in the orientation of the PCAOB, expects
that auditors have a responsibility to detect and report on material frauds, as noted below:
- The mission of the PCAOB is to restore the confidence of investors, and society generally, in the
independent auditors of companies.
- Repeated revelations of accounting scandals and audit failures have seriously damaged public
confidence.
- The detection of material fraud is a reasonable expectation of users of audited financial statements.
Society needs and expects assurance that financial information has not been materially misstated
because of fraud.
- Unless an independent audit can provide this assurance, it has little if any value to society.
Professional auditing standards do require the auditor to plan and perform an audit that will detect material
misstatements resulting from fraud:
1. Auditors begin an audit with a brainstorming session that focuses on how and where fraud could occur within
the organization.
2. Auditors also need to communicate with the audit committee and management about the risks of
fraud and how they are addressed.
3. The auditor should then plan the audit to be responsive to an organization’s susceptibility to fraud.
..., since they view the requirements of the Act as “best practice” and sometimes try to
adhere to the requirements even though they are not legally required to do so.
Due professional care – standard of care expected to be demonstrated by a competent auditing professional
Professional skepticism – attitude that includes a questioning mind and critical assessment of audit evidence
Financial statement audit
Systematic process of objectively obtaining and evaluating evidence regarding assertions about economic
actions and events to ascertain the degree of correspondence between those assertions and established
criteria; and communicating the results to interested users
The most important auditor client is the public, as represented by investors, lenders, workers, and others who
make decisions based on financial information about an organization.
Auditing requires the highest level of technical competence, freedom from bias, and concern for the integrity
of the financial reporting process. In essence, auditors should view themselves as guardians of the capital
markets and be relevant and timely.
The public expects auditors to
(a) find fraud,
(b) require accounting principles that best portray the spirit of the concepts adopted by accounting standard
setters, and
(c) be independent of management.
Auditors must not only be independent in fact, but they must act in a manner that ensures that they are
independent in appearance.
Management and the audit committee expect cost-effective audits.
Pressures on the auditing profession: keeping fees down, making careful decisions regarding independence, and
conducting a quality audit.
COBIT CONTROLS
210 controls for ensuring information integrity
- Subset is relevant for external auditors
o IT control objectives for Sarbanes-Oxley, 2nd Edition
AICPA and CICA information systems controls
- Controls for system and financial statement reliability
Trust Services Framework - developed jointly by the American Institute of Certified Public
Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)
- provide guidance for assessing the reliability of information systems.
- organizes IT-related controls into five principles that jointly contribute to systems reliability:
1. Security—access (both physical and logical) to the system and its data is controlled and restricted to
legitimate users.
- Foundation of systems reliability; necessary for achieving each of the other four principles.
2. Confidentiality—sensitive organizational information (e.g., marketing plans, trade secrets) is
protected from unauthorized disclosure.
3. Privacy—personal information about customers, employees, suppliers, or business partners is collected,
used, disclosed, and maintained only in compliance with internal policies and external regulatory
requirements and is protected from unauthorized disclosure.
4. Processing Integrity—data are processed accurately, completely, in a timely manner, and
only with proper authorization.
5. Availability—the system and its information are available to meet operational and
contractual obligations.
Information security procedures restrict system access to authorized users only, thereby protecting the
confidentiality of sensitive organizational data and the privacy of personal information collected from
customers.
Information security procedures protect information integrity by preventing submission of unauthorized or
fictitious transactions and preventing unauthorized changes to stored data or programs.
Information security procedures provide protection against a variety of attacks, including viruses and worms,
thereby ensuring that the system is available when needed.
TWO FUNDAMENTAL INFORMATION SECURITY CONCEPTS
I. Security Is a Management Issue, Not Just a Technology Issue
Effective information security requires not only the deployment of technological tools such as firewalls,
antivirus, and encryption, but also senior management involvement and support throughout all phases of the
security life cycle.
Security life cycle
1. First step: assess the information security-related threats that the organization faces and select an
appropriate response.
- Information security professionals possess the expertise to identify potential threats and to estimate
their likelihood and impact.
- Senior management must choose which of the four risk responses (reduce, accept, share, or avoid) is
appropriate to adopt so that the resources invested in information security reflect the organization’s
risk appetite.
2. Second Step: developing information security policies and
communicating them to all employees.
- Senior management must decide the sanctions they are willing to impose for noncompliance
- active support and involvement of top management is necessary to ensure that information
security training and communication is taken seriously.
- To be effective, this communication must involve more than just handing people a written
document or sending them an e-mail message and asking them to sign an acknowledgment
that they received and read the notice.
- employees must receive regular, periodic reminders about security policies and training on
how to comply with them.
3. Step 3: acquisition or building of specific technological tools.
- Senior management must authorize investing the necessary resources to mitigate the threats
identified and achieve the desired level of security.
4. Step 4: entails regular monitoring of performance to evaluate the effectiveness of the
organization’s information security program.
- management must periodically reassess the organization’s risk response
- when necessary, make changes to information security policies and invest in new solutions to
ensure that the organization’s information security efforts support its business strategy in a
manner that is consistent with management’s risk appetite.
II. Defense-in-Depth and the Time-Based Model of Information Security
defense-in-depth – employing multiple layers of controls to avoid a single point of failure.
- For example, organizations use not only firewalls but also multiple authentication methods
(passwords, tokens, and biometrics) to restrict access to their information systems.
- Overlapping, complementary, and redundant controls increase overall effectiveness
because if one control fails or gets circumvented, another may function as planned.
- Typically involves the use of a combination of preventive, detective, and corrective controls.
- Preventive controls limit actions to specified individuals in accordance with the
organization’s security policy.
time-based model of security - Implementing a combination of preventive, detective and corrective
controls that protect information assets long enough to enable an organization to recognize that an attack is
occurring and take steps to thwart it before any information is lost or compromised.
- a means for management to identify the most cost-effective approach to improving
security by comparing the effects of additional investments in preventive, detective, or
corrective controls
- This objective can be expressed in a formula that uses the following three variables:
P = the time it takes an attacker to break through the organization’s preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack and take corrective action
- Those three variables are then evaluated as follows: If P > D + C, then the organization’s
security procedures are effective. Otherwise, security is ineffective.
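The comparison P > D + C is easiest to see when it is applied to a set of candidate control investments, which is how the notes say management uses the model. The following is an added example (not from the textbook or these notes): the posture values, investment names, costs and effects are constructed, measured in hours, and only illustrate how one investment can move the organization from ineffective to effective while another, more expensive one does not.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityPosture:
    """Time-based model variables, all in the same unit (hours in this example).
    P = time for an attacker to break through the preventive controls
    D = time to detect that an attack is in progress
    C = time to respond and take corrective action
    """
    P: float
    D: float
    C: float

    def is_effective(self) -> bool:
        # The model's test: preventive controls hold longer than detection plus response.
        return self.P > self.D + self.C

    def margin(self) -> float:
        # Positive = slack before the attacker wins the race; zero or negative = ineffective.
        return self.P - (self.D + self.C)


@dataclass(frozen=True)
class Investment:
    """A candidate control investment and its modelled effect (constructed values)."""
    name: str
    cost: float
    delta_P: float = 0.0  # hours added to P (preventive control)
    delta_D: float = 0.0  # hours removed from D (detective control)
    delta_C: float = 0.0  # hours removed from C (corrective control)

    def apply(self, posture: SecurityPosture) -> SecurityPosture:
        return SecurityPosture(
            P=posture.P + self.delta_P,
            D=max(0.0, posture.D - self.delta_D),
            C=max(0.0, posture.C - self.delta_C),
        )


def rank_investments(posture, options):
    """Return (name, cost, resulting margin) for every option that makes P > D + C,
    cheapest first; options that leave security ineffective are omitted."""
    results = []
    for opt in options:
        after = opt.apply(posture)
        if after.is_effective():
            results.append((opt.name, opt.cost, after.margin()))
    results.sort(key=lambda r: (r[1], -r[2]))
    return results


# Constructed starting point: attackers need 10 h to get through, detection takes 8 h,
# response takes 6 h, so P = 10 < D + C = 14 and security is currently ineffective.
CURRENT_POSTURE = SecurityPosture(P=10.0, D=8.0, C=6.0)

# Constructed options (names and numbers are assumptions for illustration only).
OPTIONS = [
    Investment("stronger perimeter (preventive)", cost=50.0, delta_P=3.0),
    Investment("IDS tuning (detective)", cost=20.0, delta_D=5.0),
    Investment("incident runbooks and drills (corrective)", cost=15.0, delta_C=3.0),
    Investment("IDS tuning plus runbooks", cost=35.0, delta_D=5.0, delta_C=3.0),
]

if __name__ == "__main__":
    print("current margin:", CURRENT_POSTURE.margin())
    for name, cost, margin in rank_investments(CURRENT_POSTURE, OPTIONS):
        print(f"{name}: cost {cost}, margin after {margin} h")
```

Note what the ranking shows: the most expensive option (adding 3 hours to P) still leaves P = 13 < 14, while a cheaper cut to detection time alone is enough to satisfy the inequality. That is the comparison of preventive, detective and corrective spending the notes describe.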
Authentication Controls
o authentication - Verifying the identity of the person or device attempting to access the system.
o Objective: to ensure that only legitimate users can access the system.
o Three types of credentials can be used to verify a person’s identity:
1. Something they know, such as passwords or personal identification numbers (PINs)
2. Something they have, such as smart cards or ID badges
3. Some physical or behavioral characteristic (referred to as a biometric identifier), such as
fingerprints or typing patterns
- biometric identifier - A physical or behavioral characteristic that is used as an
authentication credential
o Passwords - the most commonly used authentication method, and also the most controversial.
o Individually, each authentication method has its limitations:
- Passwords can be guessed, lost, written down, or given away.
- Physical identification techniques (cards, badges, USB devices, etc.) can be lost, stolen, or
duplicated.
- Even biometric techniques are not yet 100% accurate, sometimes rejecting legitimate users (e.g.,
voice recognition systems may not recognize an employee who has a cold) and sometimes
allowing access to unauthorized people.
- Some biometric techniques, such as fingerprints, carry negative connotations that may hinder
their acceptance.
- Biometric templates, such as the digital representation of an individual’s fingerprints or voice,
must be stored somewhere because biometric characteristics, unlike passwords or physical tokens,
cannot be replaced or changed.
o multifactor authentication - use of two or more types of authentication credentials in conjunction to
achieve a greater level of security
- Example: inserting a smart card in a card reader and entering a password provides much
stronger authentication than using either method alone.
o multimodal authentication - use of multiple authentication credentials of the same type to achieve a
greater level of security
- Example: online banking sites use several things that a person knows (password,
user ID, and recognition of a graphic image) for authentication.
o Both multifactor authentication and multimodal authentication are examples of applying the principle of
defense-in-depth.
o Authenticate not only people, but also every device attempting to connect to the network.
- Media access control (MAC) address - the unique identifier of each network interface card (NIC).
- Restrict network access to only corporate-owned devices by comparing the device’s MAC address to a
list of recognized MAC addresses.
- A stronger way to authenticate devices involves the use of digital certificates that employ
encryption techniques to assign unique identifiers to each device.
Authorization Controls
o authorization - The process of restricting access of authenticated users to specific portions of the
system and limiting what actions they are permitted to perform
- COBIT 5 management practice DSS06.03
- objective: structure an individual employee’s rights and privileges in a manner that
establishes and maintains adequate segregation of duties.
- Example: a customer service representative should not be authorized to access the
payroll system.
o Authorization controls are often implemented by creating an access control matrix.
- access control matrix - A table used to implement authorization controls
o compatibility test - Matching the user’s authentication credentials against the access control matrix to
determine whether that employee should be allowed to access that resource and perform the requested action
o regularly update the access control matrix to reflect changes in job duties due to promotions or
transfers. Otherwise, over time an employee may accumulate a set of rights and privileges that is
incompatible with proper segregation of duties
o to achieve even greater control and segregation of duties: use business process management systems
to embed authorization into automated business processes, rather than relying on a static access control
matrix
- Example: particular employee may be permitted to access credit information about the customer
who is currently requesting service, but simultaneously prevented from “browsing” through the rest
of the customer file
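The access control matrix, the compatibility test, the segregation-of-duties problem caused by rights that accumulate after a transfer, and the process-embedded check for the customer currently being served can all be shown in a few lines of code. The following is an added example, not from the textbook or these notes: the users, resources, actions and incompatible-duty pairs are constructed, and the function names are assumptions chosen to mirror the terms in the notes.

```python
# Constructed access control matrix: user -> resource -> set of permitted actions.
ACCESS_CONTROL_MATRIX = {
    "cs_rep_alice": {
        "customer_file": {"read"},
        "customer_credit": {"read"},
        "orders": {"read", "create"},
    },
    "payroll_bob": {"payroll": {"read", "update"}},
    "ap_clerk_carol": {
        "vendors": {"read", "create"},
        "payments": {"read", "create"},
        # Right kept from a previous role and never revoked after the transfer:
        "payments_approval": {"approve"},
    },
}

# Constructed segregation-of-duties rules: (resource, action) pairs that
# one person should never hold together.
INCOMPATIBLE_DUTIES = [
    (("vendors", "create"), ("payments", "create")),
    (("payments", "create"), ("payments_approval", "approve")),
]


def compatibility_test(matrix, user, resource, action):
    """Compatibility test: is this authenticated user permitted to perform
    `action` on `resource` according to the access control matrix?"""
    return action in matrix.get(user, {}).get(resource, set())


def sod_violations(matrix, rules):
    """Review the matrix for users who hold both halves of an incompatible pair.
    Returns (user, grant_a, grant_b) tuples; an empty list means no conflicts."""
    violations = []
    for user, grants in matrix.items():
        held = {(res, act) for res, acts in grants.items() for act in acts}
        for a, b in rules:
            if a in held and b in held:
                violations.append((user, a, b))
    return violations


def update_on_transfer(matrix, user, new_grants):
    """Replace, rather than extend, a user's rights when their job changes,
    so privileges from the old role do not accumulate. Returns a new matrix."""
    updated = {u: {r: set(a) for r, a in g.items()} for u, g in matrix.items()}
    updated[user] = {r: set(a) for r, a in new_grants.items()}
    return updated


def dynamic_authorization(matrix, user, resource, action, record_id, active_case_ids):
    """Authorization embedded in the business process: the static grant must exist
    AND the record must belong to a case the user is currently servicing, which
    blocks browsing the rest of the customer file."""
    return compatibility_test(matrix, user, resource, action) and record_id in active_case_ids


if __name__ == "__main__":
    print("bob may update payroll:",
          compatibility_test(ACCESS_CONTROL_MATRIX, "payroll_bob", "payroll", "update"))
    print("alice may read payroll:",
          compatibility_test(ACCESS_CONTROL_MATRIX, "cs_rep_alice", "payroll", "read"))
    print("SoD violations:", sod_violations(ACCESS_CONTROL_MATRIX, INCOMPATIBLE_DUTIES))
    fixed = update_on_transfer(ACCESS_CONTROL_MATRIX, "ap_clerk_carol",
                               {"payments": {"read", "create"}})
    print("after updating the matrix:", sod_violations(fixed, INCOMPATIBLE_DUTIES))
```

The point of the review step is that the compatibility test alone would happily approve every one of Carol's requests; only a periodic comparison of the matrix against the incompatible-duty rules reveals that she can both create and approve payments.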
IT Solutions: 1) Antimalware Controls
- Malware (e.g., viruses, worms, keystroke logging software, etc.) is a major threat; it can damage or
destroy information or provide a means for unauthorized access.
COBIT 5 section DSS05.01 lists malware protection as one of the keys to effective security,
specifically recommending:
1. Malicious software awareness education,
2. Installation of antimalware protection tools on all devices,
3. Centralized management of patches and updates to antimalware software,
4. Regular review of new malware threats,
5. Filtering of incoming traffic to block potential sources of malware, and
6. Training employees not to install shared or unapproved software.
2) Intrusion Detection Systems (IDS) - A system that creates logs of all network traffic that was permitted to
pass the firewall and then analyzes those logs for signs of attempted or successful intrusions
o Network IDSs consist of a set of sensors and a central monitoring unit that create logs of network traffic
that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful
intrusions.
- Functions by comparing observed traffic to its rulebase.
Main difference between an IDS and an IPS:
- An IDS only produces a warning alert when it detects a suspicious pattern of network traffic; it is then
up to the human responsible for monitoring the IDS to decide what course of action to take.
- An IPS not only issues an alert but also automatically takes steps to stop a suspected attack.
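The rulebase comparison and the IDS/IPS distinction can be shown with a small analyzer run over a log of traffic the firewall permitted. The following is an added example, not from the textbook or these notes: the rules, thresholds, source addresses and log lines are constructed, and the "ids"/"ips" mode switch is an assumption used to show the one behavioural difference the notes describe (alert only versus alert and block).

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str        # regular expression applied to the logged request line
    threshold: int = 1  # matches from one source before an alert is raised


# Constructed rulebase (signatures and thresholds are illustrative assumptions).
RULEBASE = [
    Rule("path-traversal", r"\.\./\.\./"),
    Rule("worm-signature", r"cmd\.exe"),
    Rule("login-bruteforce", r"POST /login .* 401", threshold=5),
]

# Constructed log of traffic permitted through the firewall: (source, request line + status).
TRAFFIC_LOG = [
    ("10.0.0.5", "GET /products?id=42 200"),
    ("10.0.0.7", "GET /static/../../etc/passwd 404"),
    ("10.0.0.9", "POST /login user=admin 401"),
    ("10.0.0.9", "POST /login user=admin 401"),
    ("10.0.0.9", "POST /login user=admin 401"),
    ("10.0.0.9", "POST /login user=admin 401"),
    ("10.0.0.9", "POST /login user=admin 401"),
    ("10.0.0.9", "GET /scripts/cmd.exe 404"),
    ("10.0.0.5", "POST /login user=alice 200"),
]


def analyze(log, rulebase, mode="ids"):
    """Compare each permitted-traffic record against the rulebase.
    mode="ids": return alerts only; a human decides what to do next.
    mode="ips": additionally block the offending source automatically, so its
                later records are never inspected.
    Returns (alerts, blocked_sources)."""
    counts = defaultdict(int)
    alerts, blocked = [], set()
    for src, line in log:
        if src in blocked:
            continue  # IPS has already cut this source off
        for rule in rulebase:
            if re.search(rule.pattern, line):
                counts[(src, rule.name)] += 1
                # Alert exactly once, when the threshold is reached.
                if counts[(src, rule.name)] == rule.threshold:
                    alerts.append((src, rule.name))
                    if mode == "ips":
                        blocked.add(src)
    return alerts, sorted(blocked)


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, blocked = analyze(TRAFFIC_LOG, RULEBASE, mode=mode)
        print(f"{mode.upper()}: alerts={alerts} blocked={blocked}")
```

Run in IDS mode the analyzer reports three alerts and blocks nothing; in IPS mode the source 10.0.0.9 is blocked as soon as the brute-force threshold is hit, so its later worm-signature request is never even examined. That is also why an IPS needs a well-tuned rulebase: a false positive at the same point would have cut off a legitimate user automatically.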
3) Penetration Testing
- COBIT 5 control processes MEA01 and MEA02 state the need to periodically test the effectiveness of
business processes and internal controls (including security procedures).
- penetration test - An authorized attempt to break into the organization’s information system
- provides a more rigorous way to test the effectiveness of an organization’s information security.
4) Continuous Monitoring
- COBIT 5 management practice APO01.08 stresses the importance of continuously monitoring both
employee compliance with the organization’s information security policies and overall performance of
business processes.
- effectively monitoring performance requires judgment and skill
CORRECTIVE CONTROLS
- As COBIT 5 management practice MEA01.05 explains, organizations also need procedures to undertake timely
corrective actions.
- Many corrective controls rely on human judgment.
- Effectiveness depends to a great extent on proper planning and preparation.
- COBIT 5 devotes two sections to the entire process:
1. managing and responding to incidents (DSS02)
2. managing problems (DSS03).
- three particularly important corrective controls:
1. Computer Incident Response Team (CIRT) - A team that is responsible for dealing with major security
incidents.
- Should include not only technical specialists but also senior operations management.
- CIRT should lead the organization’s incident response process through the following four steps:
(1) Recognition that a problem exists.
- Typically occurs when an IPS or IDS signals an alert, but it can also be the result of log
analysis by a systems administrator.
(2) Containment of the problem.
- Once an intrusion is detected, prompt action is needed to stop it and to contain the damage.
(3) Recovery.
- Damage caused by the attack must be repaired.
- may involve restoring data from backup and reinstalling corrupted programs
(4) Follow-up.
- Once recovery is in process, the CIRT should lead the analysis of how the incident occurred.
- it needs to immediately involve forensic experts to ensure that all possible evidence is
collected and maintained in a manner that makes it admissible for use in court.
- Communication is vital throughout all four steps in the incident response process.
- multiple methods of notifying members of the CIRT are necessary
- important to practice the incident response plan, including the alert process.
- It is much better to discover a gap in the plan during a practice run than when a real incident occurs.
- Regular practice helps identify the need for change in response to technological changes.
2. Chief Information Security Officer (CISO)
- CISO - independent of other information systems functions and should report to either the chief
operating officer (COO) or the chief executive officer (CEO).
- must understand the company’s technology environment and work with the chief information officer
(CIO) to design, implement, and promote sound security policies and procedures.
- an impartial assessor and evaluator of the IT environment.
- have responsibility for ensuring that vulnerability and risk assessments are performed regularly and
that security audits are
- to work closely with the person in charge of physical security, because unauthorized physical access can
allow an intruder to bypass the most elaborate logical access controls
3. Patch Management
- exploit - A program designed to take advantage of a known vulnerability.
- patch - Code released by software developers that fixes a particular vulnerability
- sometimes create new problems because of unanticipated side effects.
- patch management - The process of regularly applying patches and updates to software.
- Fix known vulnerabilities by installing the latest updates to security programs, operating systems,
and application programs.