Control of Computer Crimes Lecture 11 IS 630 : Accounting Information Systems

IS 630 : Accounting Information Systems
http://www.csun.edu/~dn58412/IS530/IS530_F15.htm
Control of Computer Crimes
Lecture 11
Learning Objectives
 Elements of COSO’s Enterprise Risk Management—
Integrated Framework.
 Internal control systems as part of organizational and
IT governance initiatives.
 Roles of Internal control systems in helping
organizations achieve objectives and respond to
risks.
 Fraud, computer fraud, and computer abuse.
 Information technologies that enable controls.
IS 530 : Lecture 11
Why Are Controls Needed?
1. To provide reasonable assurance that the goals of
each business process are being achieved.
2. To mitigate the risk that the enterprise will be
exposed to some type of harm, danger, or loss
(including loss caused by fraud or other intentional
and unintentional acts).
3. To provide reasonable assurance that the
company is in compliance with applicable legal
and regulatory obligations.
Governance & Risk Management
 Organizational governance: process by which
organizations select objectives, establish processes
to achieve objectives, and monitor performance.
 Enterprise Risk Management (ERM): process,
effected by an entity’s board of directors,
management, and other personnel, applied in
strategy setting and across the enterprise,
designed to identify potential events that may
affect the entity, and manage risk to be within its
risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.
Control Objectives for Information
and Related Technology (COBIT)
 Provides guidance on the best practices for the
management of information technology.
 IT resources must be managed by IT control
processes to ensure an organization has the
information it needs to achieve its objectives.
 Provides a framework to ensure that IT:
• is aligned with the business.
• enables the business and maximizes benefits.
• resources are used responsibly.
• risks are managed appropriately.
Components of ERM
 Internal Environment
• Encompasses the tone of an organization.
• Sets the basis for how risk is viewed and addressed by an entity’s people.
• Includes risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
 Objective Setting
• Objectives must exist before management can identify potential events affecting their achievement.
• ERM ensures management has a process in place to set objectives and that the objectives support and align with the entity’s mission and are consistent with its risk appetite.
Objective Setting (figure only)
Components of ERM . . .
 Event Identification
• Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.
• Risks: those events that would have a negative impact on organization objectives.
• Opportunities are channeled back to management’s strategy or objective-setting processes.
 Risk Assessment
• Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.
• Risks are assessed on an inherent and a residual basis.
Components of ERM . . .
 Risk Response
• Management selects risk responses – avoiding, accepting,
reducing, or sharing risk – developing a set of actions to
align risks with the entity’s risk tolerances and risk appetite.
 Control Activities
• Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Components of ERM . . .
 Information and Communication
• Relevant information is identified, captured, and communicated to enable people to carry out their responsibilities.
• Effective communication also occurs in a broader sense, flowing down, across and up the entity.
 Monitoring
• Enterprise risk management is monitored and modifications are made as necessary.
• Monitoring is accomplished through ongoing management activities and separate evaluations.
Objectives, Risks, and Responses (figure only)
Definition of Internal Control
 COSO definition:
• Internal control is a process—effected by an entity’s board
of directors, management, and other personnel—designed
to provide reasonable assurance regarding the
achievement of objectives in the following categories:
o Effectiveness & efficiency of operations
o Reliability of financial reporting
o Compliance with applicable laws & regulations
COSO Influence on Defining Internal Control (figure only)
Five Interrelated Components of Internal Control
1. Control environment - tone at the top.
2. Risk assessment - identification/analysis of risks.
3. Control activities - policies and procedures.
4. Information & communication - processing of information in a form and time frame to enable people to do their jobs.
5. Monitoring - process that assesses the quality of internal control over time.
Matrix for Evaluating Internal Controls (figure only)
Fundamental Tenets of Ethics
 Responsibility
 Accountability
 Liability
 What is unethical is not necessarily illegal
Ethics and Controls
 Control environment reflects the organization’s
(primarily the board of directors’ and
management’s) general awareness of and
commitment to the importance of control
throughout the organization.
 COSO places integrity and ethical values at the heart of the control environment (tone at the top).
 Expectations of ethical behavior are articulated in
corporate codes of conduct.
What Is Fraud?
 Gaining an unfair advantage over another person. Its elements are:
• A false statement, representation, or disclosure
• A material fact that induces a person to act
• An intent to deceive
• A justifiable reliance on the fraudulent fact in which a
person takes action
• An injury or loss suffered by the victim
 Individuals who commit fraud are referred to as
white-collar criminals.
Forms of Fraud
 Misappropriation of assets
• Theft of a company’s assets.
• Largest contributing factors in theft of assets:
o Absence of an internal control system
o Failure to enforce the internal control system
 Fraudulent financial reporting
• “…intentional or reckless conduct, whether by act or
omission, that results in materially misleading financial
statements” (The Treadway Commission).
Computer Fraud Classifications
 Input Fraud
• Alteration or falsifying input
 Processor Fraud
• Unauthorized system use
 Computer Instructions Fraud
• Modifying software, illegally copying software, using software in an unauthorized manner, or creating software to carry out unauthorized activities
 Data Fraud
• Illegally using, copying, browsing, searching, or harming company data
 Output Fraud
• Stealing, copying, or misusing computer printouts or displayed information
Fraud and its Relationship to Control
• Management is charged with the responsibility to prevent and/or disclose fraud. Instances of fraud undermine management’s ability to convince various authorities that it is upholding its stewardship responsibility.
• Control systems enable management to do this job.
• Management is responsible for an internal control system per the Foreign Corrupt Practices Act of 1977.
• Section 1102 of the Sarbanes-Oxley Act specifically addresses corporate fraud.
Common Threats to AIS
 Natural Disasters and Terrorist Threats
 Software Errors and/or Equipment Malfunction
 Unintentional Acts (Human Error)
 Intentional Acts (Computer Crimes)
Why a Control Framework?
 Uniform, consistent approach.
 Complete analysis.
 Directed at objectives, rather than list of expected
controls.
 Can determine costs and benefits.
 Results in recommendations for improvements.
Control Framework’s Key Elements
 Control matrix: tool designed to assist in evaluating
the potential effectiveness of controls in a business
process by matching control goals with relevant
control plans.
 Control goals: business process objectives that an
internal control system is designed to achieve.
 Control plans: reflect information-processing policies
and procedures that assist in accomplishing control
goals.
Business Process Control Goals
 Control goals of the operations processes
• Ensure effectiveness of operations
• Ensure efficient employment of resources
• Ensure security of resources
 Control goals of the information processes
• For business event inputs, ensure
o Input validity, input completeness, input accuracy
• For master data, ensure
o Update completeness, update accuracy
Control Plans
 Pervasive control plans relate to a multitude of goals and processes; they are broad in scope and apply equally to all business processes.
 General controls (also known as IT general
controls)—are applied to all IT service activities.
 Business process control plans are applied to a
particular business process, such as billing or cash
receipts.
 Application controls are automated business
process controls contained within IT application
systems (i.e., computer programs).
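Added example (not from the lecture): the three input control goals of the information processes, input validity, input completeness and input accuracy, implemented as automated application controls that run over a batch of sales-order events before the events are posted. The customer master, item prices, field names, the batch header values and the sample batch are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed master data (assumed for the example).
CUSTOMER_MASTER = {"C001": "Acme Corp", "C002": "Globex"}
ITEM_PRICES = {"SKU-1": 25.00, "SKU-2": 9.99}


@dataclass
class Finding:
    record: int      # 1-based record number; 0 means the batch as a whole
    goal: str        # "validity", "completeness" or "accuracy"
    detail: str


def _money(value):
    """Parse an amount to two decimals; None if it is not numeric."""
    try:
        return round(float(value), 2)
    except (TypeError, ValueError):
        return None


def validate_batch(events, expected_count, expected_total):
    """Apply record-level and batch-level input edits.  Returns a list of
    Findings; an empty list means the batch meets all three control goals."""
    findings = []
    required = ("customer_id", "item", "qty", "amount")
    for i, ev in enumerate(events, start=1):
        # Input completeness (record level): every required field present.
        missing = [f for f in required if ev.get(f) in (None, "")]
        if missing:
            findings.append(Finding(i, "completeness", f"missing field(s) {missing}"))
            continue  # the remaining edits need these fields
        # Input validity: the event refers to real master data with sane values.
        if ev["customer_id"] not in CUSTOMER_MASTER:
            findings.append(Finding(i, "validity", f"unknown customer {ev['customer_id']}"))
        if ev["item"] not in ITEM_PRICES:
            findings.append(Finding(i, "validity", f"unknown item {ev['item']}"))
        if not isinstance(ev["qty"], int) or ev["qty"] <= 0:
            findings.append(Finding(i, "validity", f"bad quantity {ev['qty']!r}"))
        amount = _money(ev["amount"])
        if amount is None:
            findings.append(Finding(i, "validity", f"non-numeric amount {ev['amount']!r}"))
        # Input accuracy: the amount is recomputed from the master price.
        elif ev["item"] in ITEM_PRICES and isinstance(ev["qty"], int):
            expected = round(ITEM_PRICES[ev["item"]] * ev["qty"], 2)
            if amount != expected:
                findings.append(Finding(i, "accuracy", f"amount {amount} != price x qty {expected}"))
    # Input completeness (batch level): record count and control total
    # must agree with the batch header.
    if len(events) != expected_count:
        findings.append(Finding(0, "completeness", f"record count {len(events)} != header {expected_count}"))
    total = round(sum(_money(ev.get("amount")) or 0.0 for ev in events), 2)
    if total != round(expected_total, 2):
        findings.append(Finding(0, "completeness", f"control total {total} != header {expected_total}"))
    return findings


# Constructed batch: record 2 names an unknown customer, record 3 carries a
# wrong amount, record 4 is missing its item; the header claims 4 records
# totalling 84.97, which is what these four records do add up to.
SAMPLE_BATCH = [
    {"customer_id": "C001", "item": "SKU-1", "qty": 2, "amount": 50.00},
    {"customer_id": "C999", "item": "SKU-2", "qty": 1, "amount": 9.99},
    {"customer_id": "C002", "item": "SKU-2", "qty": 2, "amount": 19.99},
    {"customer_id": "C002", "item": "", "qty": 1, "amount": 4.99},
]

if __name__ == "__main__":
    for f in validate_batch(SAMPLE_BATCH, expected_count=4, expected_total=84.97):
        print(f"record {f.record}: {f.goal}: {f.detail}")
```

The batch-level edits (record count and control total) are what catch a dropped or duplicated record that every record-level edit would pass; a production control would also log each rejected record so that it can be corrected and resubmitted rather than silently lost.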
Organizational Control Plans
 Key control issues:
• Combining incompatible functions.
• Unauthorized execution of events.
• Unauthorized recording of events.
• Recording invalid, incomplete, or inaccurate
data.
 Segregation of duties: separate the four basic
functions of event processing: authorizing events,
executing events, recording events, and
safeguarding resources resulting from
consummating events.
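Added example (not from the lecture): a segregation-of-duties check over role assignments. Access is normally granted through roles, so a user's effective functions are the union of all roles held; the check flags any user, and any single role, that ends up with two or more of the four basic functions named above. The role names, the role-to-function mapping and the user assignments are constructed for illustration.

```python
from itertools import combinations

# The four basic functions of event processing from the lecture.
AUTHORIZE, EXECUTE, RECORD, SAFEGUARD = "authorize", "execute", "record", "safeguard"

# Constructed role-to-function mapping (assumed for the example).
ROLE_FUNCTIONS = {
    "credit_manager": {AUTHORIZE},
    "sales_clerk": {EXECUTE},
    "ar_accountant": {RECORD},
    "cashier": {SAFEGUARD},
    "ar_supervisor": {RECORD, AUTHORIZE},   # a role that is toxic on its own
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by every role a user holds."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def sod_conflicts(user_roles, role_functions=ROLE_FUNCTIONS):
    """Return {user: [conflicting function pairs]} for every user whose
    combined roles give them two or more of the four basic functions.
    Pairs are sorted tuples so the result is deterministic."""
    conflicts = {}
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        pairs = sorted(combinations(sorted(funcs), 2))
        if pairs:
            conflicts[user] = pairs
    return conflicts


def toxic_roles(role_functions=ROLE_FUNCTIONS):
    """Roles that by themselves combine incompatible functions; these
    violate SoD no matter who holds them."""
    return sorted(r for r, f in role_functions.items() if len(f) >= 2)


# Constructed user assignments.
USER_ROLES = {
    "alice": ["sales_clerk"],
    "bob": ["sales_clerk", "ar_accountant"],   # executes and records: conflict
    "carol": ["ar_supervisor"],                # one role, but a toxic one
    "dave": ["cashier"],
}

if __name__ == "__main__":
    print("toxic roles:", toxic_roles())
    for user, pairs in sod_conflicts(USER_ROLES).items():
        print(f"{user}: {pairs}")
```

Running the check on every access-review export, rather than only when a role is first created, is what catches the second case above: a role that was clean when designed and later had a function added to it.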
Segregation of Duties: The General Model (figure only)
Personnel Control Plans:
Key Control Issues
 Dishonest employees.
 Incompetent employees.
 Dissatisfied or disgruntled employees.
 Unmotivated employees.
 Excessive employee turnover.
 Inadequate staffing.
Personnel Policy Control Plans
• Rotation of duties: policy that requires an employee to alternate jobs periodically.
• Forced vacations: policy that requires an employee to take leave from the job and substitutes another employee in his/her place.
• Fidelity bond: indemnifies a company in case it suffers losses from defalcations committed by its employees. Employees who have access to cash and other negotiable assets are usually bonded.
Summary of Personnel Control Plans (figure only)
Monitoring Control Plans
• Monitoring in an internal control system means the assessment by management to determine whether the control plans in place are continuing to function appropriately over time.
• Putting controls in place to periodically follow up on
the operation of control plans.
• Timely communication of control weaknesses.
• Appropriate corrective action.
• Differ from normal control plans, as they verify the
operation of normal control plans.
Organizational Governance
and IT Governance
 Organizational governance: processes employed
by organizations to select objectives, establish
processes to achieve objectives, and monitor
performance.
 IT governance: process that ensures the enterprise’s
IT sustains and extends the organization’s strategies
and objectives.
Ensure Continuous Service
Business continuity planning (the terms disaster recovery planning, contingency planning, and business interruption planning are often used interchangeably with it, although disaster recovery planning strictly covers only the IT-restoration part): a process that identifies events that may threaten an organization and provides a framework to ensure that the organization will continue to operate when the threatened event occurs, or will resume operations with a minimum of disruption.
Continuity of IT Services
 Backup: making a copy of data, programs, and
documentation.
 Recovery: use the backup data to restore lost data
and resume operations.
 Continuous Data Protection (CDP): every data change is time-stamped and saved to secondary systems as it happens, so recovery can be made to any point in time rather than only to the last scheduled backup.
 Electronic vaulting: service whereby data changes
are automatically transmitted over the Internet on a
continuous basis to an off-site server maintained by
a third party.
Continuity of IT Services . . .
 Mirror site: a site that maintains up-to-date copies of the primary site’s programs and data, ready to take over processing.
 Hot site: fully equipped data center, with hardware and communications already installed, that can accommodate many businesses and is made available to client companies for a monthly subscriber fee.
 Cold site: facility usually comprised of air-conditioned space with a raised floor, telephone connections, and computer ports into which a subscriber can move equipment; cheaper than a hot site, but recovery takes longer because the equipment must be installed first.
Continuity of IT Services . . .
 Denial-of-service (DoS) attack: a Web site or service is overwhelmed by an intentional flood of requests (or by a smaller number of requests crafted to exhaust a resource), making it impossible for the attacked site to engage in its normal activities.
 Distributed denial-of-service (DDoS) attack: the flood comes from many compromised computers (called zombies or bots, collectively a botnet) whose owners are unaware they are participating; because the traffic arrives from many sources at once, it is much harder to filter by source address.
Physical Protection of IT Assets
Preventive maintenance: periodic cleaning, testing, and adjusting of computer equipment to ensure the equipment’s continued efficient and correct operation.
Security Threats (figure only)
Protecting Information Resources
 Physical controls
 Access controls
 Communications (network) controls
 Application controls
Physical vs. Access/Logical Controls (figure only)
Restricting Logical Access to Stored
Programs, Data, and Documentation
 Access control software:
1. ensures that only authorized users gain access to a system, through identification (e.g., a unique account name or number for each user) and authentication (e.g., a password, token, or biometric that verifies users are who they claim to be),
2. restricts authorized users to the specific data they require and sets the action privileges for that data (e.g., read, copy, write), and
3. monitors access attempts and violations, so that repeated failures and unauthorized requests are recorded and can be acted on.
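Added example (not from the lecture): a minimal access-control layer that performs the three functions listed above in one class, using only the Python standard library. Passwords are stored as salted PBKDF2 hashes and compared in constant time, authorization is an explicit per-user, per-resource set of allowed actions (deny by default), and every attempt, successful or not, is written to an audit log; an account is locked after three consecutive failed logins. The user name, resource name, password and lockout threshold are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import namedtuple

LogEntry = namedtuple("LogEntry", "ts user action resource outcome")


class AccessControl:
    """Identification/authentication, authorization and monitoring."""

    MAX_FAILURES = 3   # lock the account after this many consecutive failures

    def __init__(self):
        self._users = {}      # user id -> (salt, PBKDF2 hash)
        self._acl = {}        # (user id, resource) -> set of allowed actions
        self._failures = {}   # user id -> consecutive failed logins
        self.log = []         # audit trail of every attempt

    # --- identification and authentication --------------------------------
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def authenticate(self, user, password):
        rec = self._users.get(user)
        # Unknown user or locked account: fail closed, but still record it.
        if rec is None or self._failures.get(user, 0) >= self.MAX_FAILURES:
            self._record(user, "login", "-", "denied")
            return False
        salt, stored = rec
        if hmac.compare_digest(stored, self._hash(password, salt)):
            self._failures[user] = 0
            self._record(user, "login", "-", "ok")
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        self._record(user, "login", "-", "denied")
        return False

    # --- authorization: data and action privileges ------------------------
    def grant(self, user, resource, *actions):
        self._acl.setdefault((user, resource), set()).update(actions)

    def authorize(self, user, resource, action):
        allowed = action in self._acl.get((user, resource), set())
        self._record(user, action, resource, "ok" if allowed else "violation")
        return allowed

    # --- monitoring -------------------------------------------------------
    def _record(self, user, action, resource, outcome):
        self.log.append(LogEntry(time.time(), user, action, resource, outcome))

    def violations(self):
        return [e for e in self.log if e.outcome != "ok"]


def demo():
    """Walk one constructed user through the three functions."""
    ac = AccessControl()
    ac.add_user("clerk1", "correct horse battery staple")   # constructed credential
    ac.grant("clerk1", "ar_ledger", "read")
    results = {
        "bad_pw": ac.authenticate("clerk1", "wrong"),
        "good_pw": ac.authenticate("clerk1", "correct horse battery staple"),
        "read": ac.authorize("clerk1", "ar_ledger", "read"),
        "write": ac.authorize("clerk1", "ar_ledger", "write"),
        "unknown_user": ac.authenticate("nobody", "x"),
    }
    results["violations"] = len(ac.violations())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unknown-user and locked-account paths return the same "denied" result as a wrong password so that an attacker cannot enumerate valid account names from the response; the distinction is preserved only in the audit log, which is where the monitoring function reads it.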
Restricting Logical Access to Stored
Programs, Data, and Documentation . . .
 Intrusion-detection system (IDS): monitors network traffic or host activity, logs it, and raises an alert when it sees patterns (known attack signatures or anomalous behaviour, such as a burst of failed logins) that indicate an attack or policy violation; it detects and reports, but does not itself block.
 Intrusion-prevention system (IPS): sits inline on the traffic path and actively blocks unauthorized traffic using rules specified by the organization.
 Library controls: a combination of people, procedures, and computer software that restrict access to data, programs, and documentation in an offline environment.
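Added example (not from the lecture): one IDS rule, a sliding-window password-guessing detector, run over constructed authentication log lines, together with the two responses a practitioner wants from it: the IPS-style block list of offending sources, and the list of logins that succeeded from a source after it had already tripped the rule (the accounts to treat as compromised). The syslog-like line format, the addresses, the user names and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (format assumed for the example).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for clerk1 from 203.0.113.7
2024-03-01T09:00:03 sshd: Failed password for clerk1 from 203.0.113.7
2024-03-01T09:00:04 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:06 sshd: Failed password for clerk2 from 203.0.113.7
2024-03-01T09:00:09 sshd: Accepted password for clerk2 from 203.0.113.7
2024-03-01T09:15:00 sshd: Failed password for clerk1 from 198.51.100.2
2024-03-01T09:30:00 sshd: Accepted password for clerk1 from 198.51.100.2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")


def parse(lines):
    """Yield (timestamp, outcome, user, source) for each line that matches."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """IDS rule: alert when one source produces `threshold` failed logins
    within `window`.  Returns (src, first_ts, alert_ts, users) per source,
    raised at the moment the threshold is crossed."""
    recent = defaultdict(deque)   # src -> (ts, user) of failures in the window
    alerted, alerts = set(), []
    for ts, outcome, user, src in parse(lines):
        if outcome != "Failed":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0][0], ts, sorted({u for _, u in q})))
    return alerts


def ips_blocklist(lines, **kw):
    """IPS-style response: sources an inline device would start dropping."""
    return sorted({a[0] for a in detect_bruteforce(lines, **kw)})


def compromised_logins(lines, **kw):
    """Accepted logins from a source at or after the time it tripped the rule."""
    alert_at = {src: alert_ts for src, _first, alert_ts, _users in detect_bruteforce(lines, **kw)}
    return [(src, user) for ts, outcome, user, src in parse(lines)
            if outcome == "Accepted" and src in alert_at and ts >= alert_at[src]]


if __name__ == "__main__":
    for src, first, last, users in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {src}: {len(users)} accounts tried between {first:%H:%M:%S} and {last:%H:%M:%S}")
    print("block:", ips_blocklist(SAMPLE_LOG))
    print("compromised:", compromised_logins(SAMPLE_LOG))
```

The alert is keyed on the source address rather than on the account, because the sample shows the attacker spreading its guesses across several accounts (a password-spray pattern) so that no single account crosses a per-account threshold; the second source, with one failure followed by a success fifteen minutes later, stays below the threshold and is not flagged.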
Restricting Logical Access to Stored
Programs, Data, and Documentation . . .
 Data encryption: process that employs mathematical algorithms and encryption keys to encode data so that it is unintelligible in its encrypted form; the algorithm is public, and the security rests on keeping the key secret.
 Public-key cryptography: employs a pair of matched keys for each system user, one private (kept secret by its owner) and one public (freely distributed). The public key is mathematically related to, but cannot feasibly be derived from, the private key; what is encrypted with one key of the pair can only be decrypted with the other, which is what allows anyone to encrypt to a user, and a user to sign, without sharing a secret beforehand.
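Added example (not from the lecture): the key-pair relationship above shown with textbook RSA on two tiny constructed primes, so the arithmetic is visible: the public key encrypts and only the private key decrypts, and the private key signs a message hash that anyone with the public key can verify. The primes, public exponent and message values are constructed for illustration; this is unpadded textbook RSA for teaching only, and a real system uses a vetted library with 2048-bit or larger keys and OAEP/PSS padding.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Textbook RSA key generation from primes p and q.  Returns
    (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be invertible mod phi"
    d = pow(e, -1, phi)           # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public key can do this."""
    n, e = public_key
    assert 0 <= m < n, "message must be an integer smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of the private key recovers m."""
    n, d = private_key
    return pow(c, d, n)


def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Signing uses the private key on a hash of the message."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message, signature):
    """Verification uses the public key; anyone can check, nobody can forge."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53, e=17)       # constructed toy primes
    c = encrypt(pub, 65)
    print("public", pub, "private", priv)
    print("ciphertext", c, "decrypted", decrypt(priv, c))
    print("decrypt with public key instead:", decrypt(pub, c))
    sig = sign(priv, b"pay 100 to vendor 42")
    print("signature ok:", verify(pub, b"pay 100 to vendor 42", sig))
    print("tampered message:", verify(pub, b"pay 900 to vendor 42", sig))
```

With n = 3233 the modulus can be factored by hand, which is exactly why the private exponent is recoverable here and not for real key sizes: the security of the pair rests entirely on the difficulty of factoring n back into p and q.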
Encoding (a Caesar substitution cipher: every letter shifted five places)
Normal sequence:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Encoded sequence: F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
Message:          DROPBOX TONIGHT
Encoded message:  IWTUGTC YTSNLMY
Encryption
Binary Codes
ASCII (American Standard Code for Information Interchange): a 7-bit code, normally stored one character per 8-bit byte
EBCDIC (Extended Binary Coded Decimal Interchange Code): 8 bits
Unicode: code points of up to 21 bits, stored in 8-, 16- or 32-bit units (UTF-8, UTF-16, UTF-32)
Plaintext "IS531" as ASCII bytes:
I        S        5        3        1
01001001 01010011 00110101 00110011 00110001
Change bit stream sequence (transposition: the 40-bit stream rotated left by 4 bits):
10010101 00110011 01010011 00110011 00010100
Change bit value (substitution: every bit of the transposed stream inverted):
01101010 11001100 10101100 11001100 11101011
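Added example (not from the lecture), covering both the letter-shift slide and the bit-stream slide above: the Caesar shift, and the two bit-level operations the slide applies to "IS531" (a 4-bit left rotation of the whole stream, then inversion of every bit), implemented as reversible functions, plus the decode direction and a brute-force routine that recovers the Caesar plaintext by trying every key. The shift of 5 and the rotation of 4 are the values the slides use; the helper names are this example's own.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def caesar(text, shift):
    """Monoalphabetic substitution: shift each letter `shift` places round the
    alphabet; characters outside A-Z (such as the space) pass through."""
    out = []
    for ch in text.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def caesar_decode(text, shift):
    return caesar(text, -shift)


def brute_force_caesar(ciphertext):
    """Only 25 usable keys exist, so an attacker simply tries them all and
    picks the one that reads as language."""
    return {k: caesar_decode(ciphertext, k) for k in range(1, 26)}


def to_bits(s):
    """ASCII text -> space-separated 8-bit groups, as on the slide."""
    return " ".join(format(b, "08b") for b in s.encode("ascii"))


def from_bits(bits):
    return bytes(int(group, 2) for group in bits.split()).decode("ascii")


def rotate_bits(bits, k):
    """Transposition: rotate the whole stream left by k bits (negative k
    rotates right, which is the inverse)."""
    raw = bits.replace(" ", "")
    k %= len(raw)
    rot = raw[k:] + raw[:k]
    return " ".join(rot[i:i + 8] for i in range(0, len(rot), 8))


def invert_bits(bits):
    """Bit-level substitution: flip every bit (XOR with all-ones); it is
    its own inverse."""
    return "".join({"0": "1", "1": "0"}.get(b, b) for b in bits)


def scramble(s, k=4):
    """The slide's two steps in order: transpose, then substitute."""
    return invert_bits(rotate_bits(to_bits(s), k))


def unscramble(bits, k=4):
    """Undo the steps in reverse order."""
    return from_bits(rotate_bits(invert_bits(bits), -k))


if __name__ == "__main__":
    print(caesar("DROPBOX TONIGHT", 5))
    print(brute_force_caesar("IWTUGTC YTSNLMY")[5])
    print(scramble("IS531"))
    print(unscramble(scramble("IS531")))
```

Both constructions are substitution and transposition with a fixed, tiny key (a shift of 5, a rotation of 4), so each is broken by exhaustive search in microseconds; modern ciphers still combine substitution and transposition, but under a key of 128 bits or more and across many rounds.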
Basic Home Firewall & Corporate Firewall (figure only)
How Public Key Encryption Works (figure only)
How Digital Certificates Work (figure only)