Chapter 15
Two of the most popular generalized audit software packages are:
Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA)
The three main purposes of WANs are:
To provide remote access to employees or customers; to link two or more sites within the firm; and to provide corporate access to the Internet. WAN devices include routers and firewalls.
A general template that a steering team or the internal audit function can use:
1.Evaluate the overall benefit and cost 2.Develop a strategy 3.Plan and design 4.Implement continuous auditing 5.Performance monitoring
Five fundamental control objectives that an operating system must achieve
1.Protect itself from users 2.Protect users from each other 3.Protect users from themselves 4.Be protected from itself 5.Be protected from its environment
Data warehouse
A centralized collection of firm-wide data for a relatively long period of time
MAC (Media Access Control) address
A unique hardware address assigned to each device's network interface. A switch uses the destination MAC address to forward a frame only to the port where that device is attached, so each device sees only the traffic addressed to it (a hub, by contrast, repeats every frame to every port).
A local area network (LAN)
A group of computers, printers, and other devices connected to the same network that covers a limited geographic range.
Embedded audit module
A programmed audit module added to the system under review so that auditors can monitor online transactions and collect data on them (for example, transactions meeting predefined audit criteria) as they are processed.
Firewalls
A security system comprised of hardware and software that is built using routers, servers, and a variety of software. It sits between the corporate network and the Internet and filters traffic according to the firm's security policy, allowing individuals on the corporate network to send and receive data packets from the Internet while blocking packets the policy does not permit.
Test data technique
Auditors prepare a set of input data (test transactions) with expected results worked out in advance, process it through the system under review, and compare the actual output with the expected output to validate system integrity. The set should include both valid and invalid transactions so that input controls are tested as well.
A database
A shared collection of logically related data which meets the information needs of a firm
Database system
A term typically used to encapsulate the constructs of a data model, database management system (DBMS), and database.
Station
A wireless endpoint device equipped with a wireless Network Interface Card (NIC)
The integrated test facility (ITF) approach
An automated technique that enables test data to be continually evaluated during the normal operation of a system: the auditor establishes a dummy entity (for example, a fictitious division or customer) within the live system and posts test transactions to it alongside real ones, so the test records can be isolated and removed afterwards.
Technology plays a key role in
Analyzing trends and patterns of transactions, identifying exceptions and anomalies, and testing controls.
Generally Accepted Auditing Standards (GAAS)
Are broad guidelines regarding an auditor's professional responsibilities
CAATs
Are imperative tools for auditors to conduct an audit in accordance with heightened auditing standards.
Management controls of risk and information system security include:
Assigning roles and responsibilities; creating policies and procedures; conducting risk assessments on a regular basis; and determining which types of information may or may not be sent over wireless networks.
Parallel simulation
The auditor writes a program that simulates the key features or processes of the firm's application, runs it against the same input data the application processed, and compares the simulation's output with the application's output; differences point to processing errors or control weaknesses.
Hubs
Broadcast every incoming frame through all of their other ports, so every connected device can see all traffic.
Wireless Network
Comprised of two fundamental architectural components: Access point and stations
General security objectives for both wired LANs and wireless LANs include:
Confidentiality Integrity Availability Access Control
Routers
Software-based intelligent devices that connect different LANs; a router examines the destination Internet Protocol (IP) address of each packet to decide where to forward it.
What is continuous auditing?
Continuous auditing is performing audit-related activities on a continuous basis. Testing in continuous audits often consists of continuous controls monitoring and continuous data assurance.
Related audit activity
Control assurance
Mobility
Convenient online access without a physical network using cables for connections.
What is data mining?
Data mining is the process of searching for patterns in the data in a data warehouse and analyzing those patterns to support decision making, including making predictions.
Data governance is the convergence of which of the following items?
Data quality, data management, and data policies; business process management on data; risk management on data
In today's electronic world, most accounting records are stored in a ______________
Database
Integrity
Detect any intentional or unintentional changes to the data during transmission.
The most common security threats for wireless LANs include:
Eavesdropping, Man-in-the-Middle, Masquerading, Message Modification, Message Replay, Misappropriation, Traffic Analysis, Rogue Access Points
Confidentiality
Ensure that communication cannot be read by unauthorized parties.
Availability
Ensure that devices and individuals can access a network and its resources whenever needed.
True or false: A local area network is a group of computers, printers, and other devices connected to the same network and covers a large geographic range such as a city, a county, or a state.
False
True or false: Wide area network devices include hubs and routers.
False
Select the benefits of using wireless technology.
Freely setting up or removing wireless networks at different locations Convenient online access without a physical network using cables for connections
Flexibility and Scalability
Freely setting up or removing wireless networks at different locations.
Generalized Audit Software (GAS)
One widely used tool in auditing a system. GAS is frequently used to perform substantive tests and for testing of controls through transactional-data analysis. •Directly reads and accesses data from various database platforms •Provides auditors with an independent means to gain access to various types of data for analysis, and the ability to use high-level, problem-solving software to invoke functions to be performed on data files.
Which of the following frameworks/regulations is most relevant to data governance?
GDPR
Technical controls
Implemented and executed through mechanisms contained in computing-related equipment, including access-point management and encryption setup (using WPA2, or WPA3 where supported; the original WPA with the TKIP cipher is deprecated). Change the default configuration (including the default administrator credentials) of all access points that have been deployed.
According to the Institute of Internal Auditors' (IIA) professional practice standard section 1220.A2
Internal auditors must consider the use of computer-assisted, technology-based audit tools and other data analysis techniques when conducting internal audits.
What is the black-box approach in auditing systems? Select all statements that apply.
It is adequate when automated systems applications are relatively simple. The advantage of this approach is that the systems will not be interrupted for auditing purposes. It is also known as auditing around the computer.
What is the white-box approach in auditing systems? Select all statements that apply.
It requires auditors to understand the internal logic of the system/application being tested. Auditors need to create test cases to verify specific logic and controls in a system.
Wide area networks (WANs)
Links different sites together; transmits information across geographically dispersed networks; and covers a broad geographic area such as a city, region, nation, or an international link.
A ____________ (LAN) is a group of computers, printers, and other devices connected to the same network and covers a limited geographic range such as a home, small office, or a campus building.
Local Area Network
Access Point
Logically connects stations to a firm's network.
Security controls in wireless networks can be categorized into three groups:
Management, operational, and technical controls
Common benefits of using wireless technology:
Mobility, rapid deployment, and flexibility and scalability
Compare and contrast data warehouses and operational databases. Which statement is correct? (a) Operational databases are updated as transactions are processed and data warehouses are not. (b) The data in a data warehouse are volatile because it includes big data. (c) The data in a data warehouse are updated when transactions are processed.
Operational databases are updated as transactions are processed and data warehouses are not.
A continuous audit
Performing audit-related activities on a continuous basis.
Operational controls are related to
Protecting a firm's premises and facilities; preventing and detecting physical security breaches; providing security training to employees, contractors, or third-party users; and conducting appropriate training on wireless networks, with regular updates to employees on organizational policies and procedures.
Switches
Provide a dedicated path between each pair of communicating devices: a switch learns which MAC address is behind each port and forwards a frame only to the port of its destination.
Information Systems Auditing Standards (ISASs)
Provides guidelines for conducting an IS/IT audit (issued by ISACA)
Access Control
Restrict the rights of devices or individuals to access a network or resources within a network.
Virtual Private Network (VPN)
Securely connects a firm's WANs by sending/receiving encrypted packets via virtual connections over the public Internet to distant offices, salespeople, and business partners.
The operating system (OS) must achieve fundamental control objectives to consistently and reliably perform its functions. Which of the following are the control objectives of the OS?
The OS must protect users from each other. The OS must protect itself from users. The OS must be protected from itself. The OS must protect users from themselves.
Man-in-the-Middle
The attacker actively intercepts communications between wireless clients and access points to obtain authentication credentials and data.
Message Modification
The attacker alters a legitimate message sent via wireless networks by deleting, adding to, changing, or reordering it.
Masquerading
The attacker impersonates an authorized user and gains certain unauthorized privileges to the wireless network.
Message Replay
The attacker passively monitors transmissions via wireless networks and retransmits messages, acting as if the attacker was a legitimate user.
Traffic Analysis
The attacker passively monitors transmissions via wireless networks to identify communication patterns and participants.
Eavesdropping
The attacker passively monitors wireless networks for data, including authentication credentials.
Rogue Access Points
The attacker sets up an unsecured wireless network near the enterprise with an identical name and intercepts any messages sent by unsuspecting users that log onto it.
Misappropriation
The attacker steals or makes unauthorized use of a service.
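The integrity objective (detect changes in transit) and the message-replay threat above are usually countered together: each message carries a sequence number and a message authentication code keyed with a secret shared by station and access point. The following is an added example, not from the textbook chapter, showing a receiver that rejects modified and replayed messages; the shared key, the message format (8-byte sequence number, payload, 32-byte HMAC-SHA256 tag) and the messages are constructed for this illustration.

```python
"""Added example: detecting message modification and message replay.

Each message carries a monotonically increasing sequence number and an
HMAC over (sequence number || payload) under a key shared by the station
and the access point. The receiver rejects any message whose tag does not
verify (modification) and any message whose sequence number is not greater
than the last accepted one (replay). Key and messages are constructed.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-shared-key-do-not-reuse"  # assumption: agreed out of band
TAG_LEN = 32  # HMAC-SHA256 output size
SEQ_LEN = 8   # unsigned 64-bit big-endian sequence number


def protect(key, seq, payload):
    """Sender side: return the wire message seq || payload || tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, message):
        """Return (status, payload); status is 'ok', 'modified' or 'replay'."""
        if len(message) < SEQ_LEN + TAG_LEN:
            return ("modified", None)  # too short to carry a valid tag
        header = message[:SEQ_LEN]
        payload = message[SEQ_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak tag bytes
        if not hmac.compare_digest(tag, expected):
            return ("modified", None)
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return ("replay", None)  # valid tag, but already seen (or older)
        self.last_seq = seq
        return ("ok", payload)


def run_scenario():
    """Honest message, tampered copy, replayed copy, then a fresh message."""
    rx = Receiver(KEY)
    results = []
    m1 = protect(KEY, 1, b"transfer 100 to acct 42")
    results.append(rx.accept(m1)[0])                    # 'ok'
    tampered = bytearray(m1)
    tampered[SEQ_LEN + len(b"transfer ")] ^= 0x01       # flip a payload byte
    results.append(rx.accept(bytes(tampered))[0])       # 'modified'
    results.append(rx.accept(m1)[0])                    # 'replay'
    m2 = protect(KEY, 2, b"transfer 5 to acct 7")
    results.append(rx.accept(m2)[0])                    # 'ok'
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The strict "greater than last accepted" rule is the same idea 802.11 CCMP applies with its per-key packet number: a frame whose counter does not exceed the receiver's replay counter is discarded. It also means legitimately reordered frames are dropped, which is why the counter must be maintained per key and reset on rekeying.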
Data governance
The convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in a firm
The Operating System
The most important system software Because it performs the tasks that enable a computer to operate
Data mining
The process of searching for patterns in the data in a data warehouse and analyzing these patterns for decision making. Online Analytical Processing (OLAP) tools are used in data mining.
Regarding data transmission security of wireless networks, all access points should be configured with encryption to maintain confidentiality and data integrity. Select correct statements on data transmission security. (Multiple select question.)
The Wi-Fi Protected Access (WPA) algorithm can provide effective authentication and encryption for data transmission. All access points should be configured with encryption to maintain confidentiality. (In practice, configure WPA2 with AES-CCMP or WPA3; the original WPA's TKIP cipher is deprecated, and WEP provides no effective protection.)
Rapid Deployment
Time saving on implementing networks because of reduction in using physical cables/media.
Identify the main purposes for a wide area network (WAN).
To provide corporate access to the Internet To provide remote access to employees or customers To link various sites within the firm
Accountants increasingly participate in designing internal control systems and improving business and IT processes in a database environment
True
How can a business make a wide area network secure? (Check all that apply).
Use a virtual private network Use dedicated leased lines
Operational databases
Used for daily operations and often includes data for the current fiscal year only
A cheaper alternative to leased lines that carries the disadvantage of not having guaranteed quality of service (QoS).
VPNs
In our electronic world, all or most accounting records are stored in a database. A database is:
a shared collection of logically related data that meets the information needs of a firm
The operating system performs the tasks that enable a computer to operate. It is comprised of system utilities and programs that: (a) allocate computer resources to users and applications; (b) are the main function in managing a database; (c) ensure the integrity of the system; (d) control the flow of multiprogramming. (Select all that apply.)
allocate computer resources to users and applications. ensure the integrity of the system. control the flow of multiprogramming.
Operating system security should be included
as part of IT governance in establishing proper policies and procedures for IT controls.
According to the Institute of Internal Auditors' (IIA) professional practice standard, internal auditors must consider the use of computer ____________ technology-based audit tools and other data analysis techniques when conducting internal audits.
assisted
The term "computer-assisted audit techniques (CAATs)" refers to any ____________ Audit techniques that can be used by an auditor to perform audits or achieve audit objectives.
automated
When a firm considers whether or not to implement continuous auditing, it should first evaluate the overall ________ and __________ of having continuous auditing as part of the firm's overall governance, risk, and compliance (GRC) effort.
benefit or benefits cost or costs
Testing in continuous audits often consists of
continuous controls monitoring and continuous data assurance.
The audit activities related to continuous auditing range from continuous ____________ assessment to continuous ____________ assessment
control risk
Related management activity
control monitoring
Computer-assisted audit techniques enable auditors to gather and analyze audit _____________ to test the adequacy and reliability of financial information and internal controls in a computerized environment.
evidence
During the course of an audit, the IS auditor should obtain sufficient, reliable, and relevant _______________ to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this__________
evidence
LAN devices include
hubs and switches.
Management controls are security controls that focus on ____________ of risk and information system security.
management
Data is
often the core asset of many companies
The attacker of a wireless network sometimes uses a ____________ access point to set up an unsecured wireless network near the enterprise with an identical name and to intercept any messages sent by unsuspecting users who log onto it.
rogue
Local area network (LAN) devices include hubs and switches. From a security perspective _____________ provide a significant improvement over __________
switches hubs
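To see why switches are the security improvement the question refers to, the following added example (not from the textbook) simulates a three-port hub and a learning switch over the same constructed frames. Station names, MAC addresses and payloads are made up for the illustration; the point is which stations end up seeing the frame that carries a password.

```python
"""Added example: hub broadcast versus switch forwarding by MAC address.

A hub repeats every frame out of every other port, so any station can
eavesdrop on every conversation. A switch learns which MAC address sits
behind which port and forwards a frame only there, flooding only while
the destination is still unknown. Topology and frames are constructed.
"""
from collections import defaultdict

# Constructed topology: port -> (station name, MAC address); port 3 is an eavesdropper
STATIONS = {
    1: ("alice", "02:00:00:00:00:01"),
    2: ("bob", "02:00:00:00:00:02"),
    3: ("mallory", "02:00:00:00:00:03"),
}

# Constructed traffic: (source MAC, destination MAC, payload)
FRAMES = [
    ("02:00:00:00:00:01", "02:00:00:00:00:02", "hello bob"),
    ("02:00:00:00:00:02", "02:00:00:00:00:01", "hello alice"),
    ("02:00:00:00:00:01", "02:00:00:00:00:02", "password=hunter2"),
]


def port_of(mac):
    """Ground truth for the simulation: which port a MAC is physically on."""
    for port, (_, station_mac) in STATIONS.items():
        if station_mac == mac:
            return port
    raise KeyError(mac)


def hub_delivery(frames):
    """A hub repeats each frame to every port except the one it arrived on."""
    seen = defaultdict(list)  # station name -> payloads it observed
    for src, _dst, payload in frames:
        in_port = port_of(src)
        for port, (name, _) in STATIONS.items():
            if port != in_port:
                seen[name].append(payload)
    return dict(seen)


def switch_delivery(frames):
    """A learning switch: record source MAC -> ingress port, forward to the
    learned port of the destination, flood only while it is unknown."""
    mac_table = {}  # MAC address table (CAM table): MAC -> port
    seen = defaultdict(list)
    for src, dst, payload in frames:
        in_port = port_of(src)
        mac_table[src] = in_port  # learn where the sender lives
        if dst in mac_table:
            out_ports = [mac_table[dst]]
        else:
            out_ports = [p for p in STATIONS if p != in_port]  # unknown unicast: flood
        for port in out_ports:
            seen[STATIONS[port][0]].append(payload)
    return dict(seen)


if __name__ == "__main__":
    print("hub   :", hub_delivery(FRAMES))
    print("switch:", switch_delivery(FRAMES))
```

With the hub, mallory sees all three payloads including the password; with the switch, she sees only the first frame, flooded before bob's port was learned. The improvement is not absolute: an attacker can overflow the MAC table (MAC flooding) so the switch falls back to flooding, or use ARP spoofing to have traffic addressed to her MAC. Port security limits and dynamic ARP inspection are the usual countermeasures.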
The data in a data __________ are pulled periodically from each of the operational databases (ranging from a couple of times a day to once a year) and often maintained for 5 to 10 years.
warehouse
Technical challenges of implementing continuous auditing
•Access to all relevant data in a timely manner •Accumulating and quantifying the risks and the exposures that have been identified •Defining the appropriate analytic that will effectively identify exceptions to controls •Developing a suitable scoring/weighting mechanism to prioritize exceptions •Balancing the costs and efforts of reviewing large volumes of exceptions against the exposures of the exceptions themselves
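Two of the challenges above, defining an analytic that identifies exceptions to controls and weighting those exceptions so the audit group reviews the worst first, are what a continuous controls monitoring routine (or an embedded audit module, defined earlier in this chapter) actually implements. The following is an added example, not code from the textbook: a small rule set with weights run over constructed journal-entry records. The rules, the approval threshold, the business-hours window and the weights are all assumptions for the illustration.

```python
"""Added example: a continuous-controls-monitoring analytic with scoring.

Each rule flags one kind of control exception; each carries a weight that
expresses the exposure the auditor attaches to it. Transactions are scored
by the sum of the weights of the rules they trip and sorted so the highest
exposure is reviewed first. Records, rules and weights are constructed.
"""
from collections import Counter
from datetime import datetime

# Constructed sample of journal-entry transactions
TRANSACTIONS = [
    {"id": "T1", "user": "ann", "approver": "bob", "amount": 1200.00,
     "vendor": "Acme", "posted": "2024-03-04T10:15:00"},
    {"id": "T2", "user": "ann", "approver": "ann", "amount": 9800.00,
     "vendor": "Acme", "posted": "2024-03-04T11:00:00"},
    {"id": "T3", "user": "cy", "approver": None, "amount": 15000.00,
     "vendor": "Globex", "posted": "2024-03-04T23:40:00"},
    {"id": "T4", "user": "dee", "approver": "bob", "amount": 450.00,
     "vendor": "Initech", "posted": "2024-03-05T09:30:00"},
    {"id": "T5", "user": "dee", "approver": "bob", "amount": 450.00,
     "vendor": "Initech", "posted": "2024-03-05T09:31:00"},
]

APPROVAL_THRESHOLD = 5000.00  # assumption: entries above this need an approver
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00 to 18:59 local time


def dup_key(t):
    """Same vendor, same amount, same posting date: a likely duplicate entry."""
    return (t["vendor"], t["amount"], t["posted"][:10])


def self_approved(t, ctx):
    """Segregation of duties: the preparer may not approve their own entry."""
    return t["approver"] is not None and t["approver"] == t["user"]


def missing_approval(t, ctx):
    """Large entries posted without any approver."""
    return t["amount"] > APPROVAL_THRESHOLD and t["approver"] is None


def outside_hours(t, ctx):
    """Postings outside business hours deserve a second look."""
    return datetime.fromisoformat(t["posted"]).hour not in BUSINESS_HOURS


def duplicate_entry(t, ctx):
    """More than one entry shares vendor, amount and date."""
    return ctx["dupes"][dup_key(t)] > 1


# (rule name, predicate, weight); weights are assumptions
RULES = [
    ("self_approved", self_approved, 5),
    ("missing_approval", missing_approval, 4),
    ("duplicate_entry", duplicate_entry, 3),
    ("outside_hours", outside_hours, 2),
]


def score_exceptions(transactions):
    """Return (id, score, [rule names]) for flagged transactions, highest score first."""
    ctx = {"dupes": Counter(dup_key(t) for t in transactions)}
    findings = []
    for t in transactions:
        hits = [name for name, rule, _ in RULES if rule(t, ctx)]
        if hits:
            score = sum(w for name, _, w in RULES if name in hits)
            findings.append((t["id"], score, hits))
    return sorted(findings, key=lambda f: (-f[1], f[0]))


if __name__ == "__main__":
    for tid, score, hits in score_exceptions(TRANSACTIONS):
        print(f"{tid}: score {score} ({', '.join(hits)})")
```

Running it ranks T3 (unapproved large entry posted at night) above T2 (self-approval) and the T4/T5 duplicate pair. Adding a rule is one predicate and one weight; tuning the weights is the "suitable scoring/weighting mechanism" the list above asks for, and the volume of low-score findings is the cost-versus-exposure trade-off it closes with.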
Two approaches to use CAATs in Auditing Systems
•Auditing around the computer (the black-box approach) •Auditing through the computer (the white-box approach)
The Operating System is comprised of system utilities and programs that
•Ensure the integrity of the system. •Control the flow of multiprogramming and tasks of scheduling in the computer. •Allocate computer resources to users and applications. •Manage the interfaces with the computer.
Technologies used to implement continuous auditing
•Extensible Markup Language (XML) •Extensible Business Reporting Language (XBRL) •Database management systems •Transaction logging and query tools •Data warehouses •Data mining or computer-assisted audit techniques (CAATs)
Auditing around the Computer (the Black-Box Approach)
•First calculating expected results from the transactions entered into the system •Then comparing these calculations to the processing or output results •The advantage of this approach is that the systems will not be interrupted for auditing purposes. The black-box approach could be adequate when automated systems applications are relatively simple.
Non-technical barriers to continuous auditing
•Perceived negative impact of continuous auditing on the firm. •Priority of implementation in determined key areas. •Readiness of the internal audit group to develop and adopt continuous auditing •Unrealistic expectations of the benefits of continuous auditing
Uses of CAATs in auditing systems
•Test of details of transactions and balances •Analytical review procedures •Compliance tests of IT general and application controls •Operating system and network vulnerability assessments •Application security testing and source code security scans •Penetration Testing
Auditing through the Computer (the White-Box Approach)
•The white-box approach requires auditors to understand the internal logic of the system/application being tested. •The auditing through the computer approach embraces a variety of techniques: test data technique, parallel simulation, integrated test facility (ITF), and embedded audit module.
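The following is an added example, not from the textbook, of two of the white-box techniques just listed. A constructed payroll routine stands in for the system under review and, for the purpose of the demonstration, deliberately deviates from the stated pay policy (it starts overtime after 45 hours instead of 40). The test data technique runs prepared transactions with hand-computed expected results through it; parallel simulation runs the auditor's own implementation of the policy against the same production transactions and compares outputs. The policy, rates, transactions and the deviation are all assumptions for the illustration.

```python
"""Added example: the test data technique and parallel simulation.

application_gross_pay is the (constructed) system under review and contains
a deliberate discrepancy from the documented policy. auditor_gross_pay is the
auditor's independent re-implementation of that policy. Both validate input
(hours in [0, 80], positive rate) and reject invalid transactions with None.
"""
OVERTIME_AFTER = 40.0        # policy: overtime above 40 hours (assumption)
OVERTIME_MULTIPLIER = 1.5
MAX_HOURS = 80.0             # input validation limit (assumption)


def _valid(hours, rate):
    return 0 <= hours <= MAX_HOURS and rate > 0


def application_gross_pay(hours, rate):
    """The firm's program (constructed): overtime only above 45 hours,
    which deviates from the 40-hour policy."""
    if not _valid(hours, rate):
        return None  # input validation control: transaction rejected
    regular = min(hours, 45.0)
    overtime = max(hours - 45.0, 0.0)
    return round(regular * rate + overtime * rate * OVERTIME_MULTIPLIER, 2)


def auditor_gross_pay(hours, rate):
    """Auditor's independent implementation of the documented policy."""
    if not _valid(hours, rate):
        return None
    regular = min(hours, OVERTIME_AFTER)
    overtime = max(hours - OVERTIME_AFTER, 0.0)
    return round(regular * rate + overtime * rate * OVERTIME_MULTIPLIER, 2)


# Test data technique: transactions with expected results worked out by hand
# from the policy, including invalid ones that the input control must reject.
TEST_DATA = [
    {"hours": 40.0, "rate": 20.0, "expected": 800.00},
    {"hours": 44.0, "rate": 20.0, "expected": 920.00},   # 4 h overtime at 30/h
    {"hours": 50.0, "rate": 20.0, "expected": 1100.00},  # 10 h overtime at 30/h
    {"hours": -1.0, "rate": 20.0, "expected": None},     # must be rejected
    {"hours": 81.0, "rate": 20.0, "expected": None},     # must be rejected
]


def run_test_data(system):
    """Return (hours, rate, expected, actual) for every test case the system fails."""
    failures = []
    for case in TEST_DATA:
        actual = system(case["hours"], case["rate"])
        if actual != case["expected"]:
            failures.append((case["hours"], case["rate"], case["expected"], actual))
    return failures


# Parallel simulation: both programs process the same (constructed) production data
PRODUCTION = [(38.0, 25.0), (42.0, 25.0), (47.5, 18.0), (60.0, 30.0)]


def run_parallel_simulation(system, simulation):
    """Return (hours, rate, system output, simulation output) where they disagree."""
    diffs = []
    for hours, rate in PRODUCTION:
        app_out, sim_out = system(hours, rate), simulation(hours, rate)
        if app_out != sim_out:
            diffs.append((hours, rate, app_out, sim_out))
    return diffs


if __name__ == "__main__":
    print("test data failures :", run_test_data(application_gross_pay))
    print("parallel sim diffs :", run_parallel_simulation(application_gross_pay, auditor_gross_pay))
```

The 40-hour and invalid-input cases pass, so the discrepancy only surfaces because the test data includes transactions in the 40 to 45 hour range; test data that does not exercise the boundary of a control finds nothing. Parallel simulation then shows how many real transactions were affected, which is what the auditor needs to size the exposure.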