Accounting Information Systems, 9/e

Chapter 9
IT Control – Fraud & Information Security
Learning Objective 1
• Explain the steps in the fraud management process
• Explain the types of fraud
The Fraud Management Process
• Fraud management is a process that involves several closely related phases:
– Fraud Prevention
– Fraud Detection
– The Fraud Investigation Process
– The Evidence Collection Process
– The Fraud Report
– Loss Recovery and Litigation
Fraud Prevention
• Fraud prevention is part of the Enterprise Risk Management (ERM) process.
– Optimal fraud prevention requires more than implementing control checklists (firewalls, anti-virus software, etc.); it requires a systematic life-cycle approach.
• The life cycle begins with identifying threats and vulnerabilities and ends with implementing corresponding risk-based controls.
• Authoritative bodies provide standards (ISO 27000, COBIT).
Expert Testimony
• Forensic accountants can serve as expert consultants or expert witnesses in court cases:
– Expert consultants – provide expert opinions/analyses to attorneys.
– Discovery is the process in which opposing parties can require each other to produce out-of-court evidence.
– Expert witness – a forensic accountant who testifies in court.
Fraud Schemes
• Financial Statement Fraud
• Employee Fraud
• Vendor Fraud
Financial Statement Fraud
• Financial statement fraud is the intentional misrepresentation (either by commission or omission) of any information included as part of a financial statement or report.
• Managers generally commit financial statement fraud either as a way of boosting financial performance or of hiding theft, bribery, or other illegal activities.
Financial Statement Fraud
• Financial statement fraud schemes (COSO):
– Improper revenue recognition
– Overstatement of assets
– Understatement of expenses and liabilities
– Misappropriation of assets
– Inappropriate disclosures
– Miscellaneous techniques
Financial Statement Fraud
• Prevention of financial statement fraud:
– Good internal control
– Information security
– Good corporate governance:
• Board of directors
• Audit committee
– SEC, PCAOB, external auditors
Employee Fraud
• Revenue Cycle Fraud:
– Cash collection fraud
– Robbing the cash register
– Swapping checks for cash
– Shortchanging the customer
– Stealing cash in the mailroom
– Stealing cash in transmission
– Lapping of accounts receivable
– Shortening bank deposits
– Noncustodial theft of cash
– Accounts receivable fraud
Employee Fraud
• Expenditure Cycle Fraud:
– Kickbacks and bid rigging
– Theft of petty cash
– Abuse of company credit cards
– Theft of company checks
– Fraudulent returns
– Theft of inventory and other assets
– Payroll fraud
– Other types of employee fraud
• Production Cycle Fraud:
– Misappropriation of waste, scrap, and spoiled goods
Vendor Fraud
• Vendor Fraud:
– Short shipments
– Substandard or defective goods
– Balance due billing
– Fraudulent cost-plus billing
Learning Objective 2
Describe general approaches to analyzing vulnerabilities and threats in information systems.
Overview
• The term information security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
– Confidentiality: preserving authorized restrictions on access and disclosure.
– Integrity: guarding against improper information modification or destruction.
– Availability: ensuring timely and reliable access.
Overview
• The information security management system (ISMS) is an organizational internal control process that controls the special risks associated with information within the organization.
– The ISMS has the basic elements of any information system, such as hardware, databases, procedures, and reports.
– The ISMS is part of the larger enterprise risk management (ERM) process by which management balances risks against opportunities.
The Information Security
Management System Life Cycle
Life-cycle phase and objective:
• Systems Analysis – Analyze system vulnerabilities in terms of relevant threats and their associated loss exposure.
• Systems Design – Design security measures and contingency plans to control the identified loss exposures.
• Systems Implementation – Implement the security measures as designed.
• Systems Operation, Evaluation, and Control – Operate the system and assess its effectiveness and efficiency. Make changes as circumstances require.
Information Security in the Organization
• The information security system must be managed by a chief security officer (CSO).
– This individual should report directly to the board of directors (BOD) in order to maintain complete independence.
– A primary duty of the CSO is to present reports to the BOD for approval covering each phase of the life cycle:
Life-cycle phase and report to the BOD:
• Systems Analysis – Summary of all relevant loss exposures.
• Systems Design – Detailed plans for controlling and managing losses.
• Systems Implementation and Systems Operation, Evaluation, and Control – Specifics on security system performance, including an itemization of losses and security breaches, analysis of compliance, and costs of operating the security system.
Analyzing Vulnerabilities
and Threats
• Two basic approaches:
1. Quantitative approach to risk assessment
2. Qualitative approach to risk assessment
Analyzing Vulnerabilities
and Threats
• Quantitative approach to risk assessment – each loss exposure is computed as the product of the cost of an individual loss times the likelihood of its occurrence.
– Difficulties:
• Identifying the relevant cost per loss and the associated likelihood can be difficult.
• Estimating the likelihood of a given failure requires predicting the future, which is very difficult; a small error in a likelihood estimate can reorder the whole ranking of exposures.
Analyzing Vulnerabilities
and Threats
• Qualitative approach to risk assessment – lists the system's vulnerabilities and threats and subjectively ranks them in order of their contribution to the company's total loss exposure.
Analyzing Vulnerabilities
and Threats
• Regardless of the method used, an analysis must include loss exposure for the following areas:
– Business interruption
– Loss of software
– Loss of hardware
– Loss of facilities
– Loss of service and personnel
– Loss of reputation
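The quantitative and qualitative approaches above, worked through on one risk register. This is an added example, not material from the textbook: the six loss-exposure areas are the ones on the slide, but every threat description, dollar figure, likelihood, control cost and subjective rank is a constructed illustration. It shows the cost-times-likelihood computation, the risk-based control decision that follows from it, where a subjective ranking disagrees with the computed one, and how sensitive the computed ranking is to a single likelihood estimate.

```python
"""Quantitative vs. qualitative loss-exposure analysis for an ISMS.

Added example (not from the textbook). The six loss-exposure areas are the
ones listed on the slide; every threat description, dollar figure,
likelihood, control cost and subjective ranking below is a constructed
illustration, not data from the page.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    area: str                 # loss-exposure area from the slide
    threat: str               # constructed example threat
    cost_per_loss: float      # assumed cost of a single loss event, in dollars
    annual_likelihood: float  # assumed expected occurrences per year
    control_cost: float       # assumed annual cost of the proposed control
    control_reduction: float  # assumed fraction of the likelihood the control removes

    def expected_loss(self) -> float:
        """Quantitative approach: cost of one loss x likelihood of occurrence."""
        return self.cost_per_loss * self.annual_likelihood

    def net_benefit(self) -> float:
        """Risk-based control selection: expected loss avoided minus control cost."""
        return self.expected_loss() * self.control_reduction - self.control_cost


# Constructed risk register covering the six areas on the slide.
REGISTER = [
    Exposure("Business interruption", "ransomware outage", 250_000, 0.20, 30_000, 0.75),
    Exposure("Loss of software", "source repository wiped", 80_000, 0.05, 2_000, 0.90),
    Exposure("Loss of hardware", "server room flood", 120_000, 0.02, 5_000, 0.50),
    Exposure("Loss of facilities", "fire", 1_000_000, 0.005, 12_000, 0.40),
    Exposure("Loss of service and personnel", "key administrator departs", 40_000, 0.30, 8_000, 0.60),
    Exposure("Loss of reputation", "customer data breach", 600_000, 0.10, 45_000, 0.70),
]

# Qualitative approach: an assessor's subjective ordering (1 = largest contribution
# to total loss exposure). Constructed; note it ranks the rare, catastrophic fire high.
QUALITATIVE_RANK = {
    "Business interruption": 1,
    "Loss of reputation": 2,
    "Loss of facilities": 3,
    "Loss of hardware": 4,
    "Loss of service and personnel": 5,
    "Loss of software": 6,
}


def quantitative_ranking(register):
    """Exposures ordered by annual expected loss, highest first."""
    return sorted(register, key=lambda e: e.expected_loss(), reverse=True)


def justified_controls(register):
    """Controls whose expected loss avoided exceeds their annual cost."""
    return [e for e in register if e.net_benefit() > 0]


def ranking_disagreements(register, qualitative):
    """Areas where the two approaches differ by more than one rank position."""
    quant = {e.area: i + 1 for i, e in enumerate(quantitative_ranking(register))}
    return sorted(
        (area, quant[area], qualitative[area])
        for area in quant if abs(quant[area] - qualitative[area]) > 1
    )


def with_likelihood(register, area, new_likelihood):
    """Sensitivity check: the same register with one likelihood estimate changed."""
    return [replace(e, annual_likelihood=new_likelihood) if e.area == area else e
            for e in register]


if __name__ == "__main__":
    for e in quantitative_ranking(REGISTER):
        print(f"{e.area:32s} expected loss ${e.expected_loss():>10,.0f}  "
              f"control net benefit ${e.net_benefit():>10,.0f}")
    print("controls worth funding:", [e.area for e in justified_controls(REGISTER)])
    print("quant vs. qual disagreements:", ranking_disagreements(REGISTER, QUALITATIVE_RANK))
    # If the fire likelihood was underestimated twentyfold, the top exposure changes.
    shifted = quantitative_ranking(with_likelihood(REGISTER, "Loss of facilities", 0.1))
    print("top exposure with fire at 10%/yr:", shifted[0].area)
```

With these constructed figures only two of the six proposed controls pay for themselves, the assessor's subjective ranking and the computed one disagree on hardware loss and on loss of personnel, and moving the fire likelihood from 0.5% to 10% per year puts facilities at the top of the computed ranking, which is the slide's point about the difficulty of estimating likelihoods.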
Learning Objective 3
Identify active and passive threats to information systems.
Vulnerabilities and Threats
• A vulnerability is a weakness in a system.
• A threat is a potential exploitation of a vulnerability.
Vulnerabilities and Threats
• Two categories of threats:
– Active threats include information systems fraud and computer sabotage.
– Passive threats include system faults, as well as natural disasters (e.g., earthquakes, floods, fires, and hurricanes).
• System faults represent component equipment failures such as disk failures, power outages, etc.
Individuals Posing a Threat to the Information
System
• There are three groups of individuals that could carry out an attack on an information system:
1. Computer and information systems personnel are often given a wide range of access privileges to sensitive data and programs.
2. Users are given narrow access, but can still find ways to commit fraud.
3. Intruders and attackers are given no access, but are highly capable.
Individuals Posing a Threat to the Information
System
• Computer and Information Systems
Personnel include:
– Computer maintenance personnel
– Programmers
– Network operators
– Information systems administrative
personnel
– Data control clerks
Individuals Posing a Threat to the Information
System
• Users are composed of heterogeneous groups of people. Their functional area does not lie in data processing or information technology.
• An intruder is anyone who accesses equipment, electronic data, files, or any kind of privileged information without proper authorization.
Individuals Posing a Threat to the Information
System
• A hacker is an intruder who uses electronic and other means to break into or attack information systems for fun, challenge, profit, revenge, or other nefarious motives.
– Not all hackers are malicious:
• White hat hackers legitimately probe systems for weaknesses to help with security.
• Black hat hackers attack systems for illegitimate reasons.
• Grey hat hackers are white hat hackers who skirt the edges of the law.
Individuals Posing a Threat to the Information
System
Hacker methods:
• Social engineering – pretexting, phishing
• Malware – Trojan horses, keyboard loggers, backdoors, botnets, viruses, spyware, logic bombs, worms
• Denial-of-Service (DoS) – an attack rather than a kind of malware, although botnet malware is a common way of launching one
• Direct observation – shoulder surfing, dumpster diving, cloned cell phones
• Exploits – code injection; vulnerability scanners are used to find the weaknesses that exploits target
Methods of Attack by Information Systems
Personnel and Users
• Input manipulation (altering data before or as it is entered into the system) is used in most cases of insider computer fraud.
• Program alteration (changing the code of application programs) is one of the least common methods.
• Direct file alteration occurs when individuals find ways to bypass the normal process for inputting data into computer programs and change the data files directly.
Methods of Attack by Information Systems
Personnel and Users
• Data theft is a serious problem.
• Sabotage poses a serious danger to information systems.
• Misappropriation or theft of information systems resources occurs when employees use company computing resources for their own personal use or their own business.
Learning Objective 4
Identify key aspects of an information security system.
Key Aspects of an Information Security System
• Security measures focus on preventing and detecting threats.
• Contingency plans focus on correcting the effects of threats.
• The basic elements of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) are important to the ISMS.
The Control Environment
• Establishing a good control environment depends on eight factors:
– Management philosophy and operating style
– Organizational structure
– Board of directors and its committees
– Methods of assigning authority and responsibility
– Management control activities
– Internal audit function
– Personnel policies and practices
– External influences
Controls for Active Threats
• The layered approach to access control involves erecting multiple layers of controls that separate the would-be perpetrator from his or her potential target:
– Site-access controls – physically separate unauthorized individuals from information systems resources.
– System-access controls – authenticate users with user IDs, passwords, IP addresses, and hardware devices.
– File-access controls – prevent unauthorized access to data and program files.
Controls for Passive Threats
• Preventive controls:
– Fault-tolerant systems use redundant components to take over when one part of the system fails, so the system can continue operating with little or no interruption.
Controls for Passive Threats
• Corrective controls:
– File backups. Each file carries an archive bit, which the operating system sets to 1 whenever the file is modified:
• A full backup backs up all files on a given disk and resets every archive bit to 0.
• An incremental backup backs up only those files that have been modified since the last full or incremental backup (archive bit set to 1) and then resets their archive bits to 0. A restore needs the last full backup plus every incremental taken since it, applied in order.
• A differential backup uses the same selection rule as an incremental backup, but the archive bits are not reset to 0, so each differential contains everything changed since the last full backup. A restore needs only the last full backup and the most recent differential.
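The three backup types above, simulated with the archive-bit rule. This is an added example and not code from the textbook; the file names, contents and the sequence of daily edits are constructed. It shows which files each Tuesday-to-Thursday backup captures under the incremental and differential strategies, that an incremental restore needs every incremental since the full backup while a differential restore needs only the latest one, and the failure mode of restoring a full backup plus only the last incremental.

```python
"""Archive-bit behaviour of full, incremental and differential backups.

Added example (not from the textbook). The file names, contents and the
sequence of daily changes are constructed to show which files each backup
type captures and which backups a restore needs.
"""


class FileSystem:
    """Minimal file store in which each file carries an archive bit.

    archive=True (bit set to 1) means the file changed since the last backup
    that cleared the bit; archive=False means the bit was reset to 0.
    """

    def __init__(self, files):
        self.files = {name: {"content": c, "archive": True} for name, c in files.items()}

    def write(self, name, content):
        # Any modification sets the archive bit again.
        self.files[name] = {"content": content, "archive": True}

    def clear_archive_bits(self):
        for f in self.files.values():
            f["archive"] = False


def full_backup(fs):
    """Copy every file and reset all archive bits to 0."""
    snapshot = {name: f["content"] for name, f in fs.files.items()}
    fs.clear_archive_bits()
    return snapshot


def incremental_backup(fs):
    """Copy only files with the archive bit set, then reset the bits.

    Each incremental therefore holds the changes since the previous full or
    incremental backup.
    """
    snapshot = {name: f["content"] for name, f in fs.files.items() if f["archive"]}
    fs.clear_archive_bits()
    return snapshot


def differential_backup(fs):
    """Copy files with the archive bit set but leave the bits untouched.

    Because nothing is reset, every differential holds all changes since the
    last full backup, and the set grows until the next full backup.
    """
    return {name: f["content"] for name, f in fs.files.items() if f["archive"]}


def restore(full, later_backups):
    """Apply backups in order on top of the full backup (latest version wins)."""
    state = dict(full)
    for backup in later_backups:
        state.update(backup)
    return state


def simulate_week(strategy):
    """Monday full backup, then the same daily edits with the given strategy."""
    fs = FileSystem({"ledger.db": "v1", "payroll.csv": "v1", "config.ini": "v1"})
    full = full_backup(fs)                   # Monday
    fs.write("ledger.db", "v2")
    tuesday = strategy(fs)
    fs.write("payroll.csv", "v2")
    wednesday = strategy(fs)
    fs.write("ledger.db", "v3")
    thursday = strategy(fs)
    return full, [tuesday, wednesday, thursday]


# State the disk is in after Thursday's edits; any correct restore must reproduce it.
EXPECTED_STATE = {"ledger.db": "v3", "payroll.csv": "v2", "config.ini": "v1"}


if __name__ == "__main__":
    full, incs = simulate_week(incremental_backup)
    print("incremental sets:", [sorted(b) for b in incs])
    print("full + all incrementals correct:", restore(full, incs) == EXPECTED_STATE)
    # Failure mode: restoring only the last incremental silently loses
    # Wednesday's payroll change.
    print("full + last incremental correct:", restore(full, incs[-1:]) == EXPECTED_STATE)

    full, diffs = simulate_week(differential_backup)
    print("differential sets:", [sorted(b) for b in diffs])
    # A differential restore needs only the full backup and the latest differential.
    print("full + last differential correct:", restore(full, diffs[-1:]) == EXPECTED_STATE)
```

The simulation tracks modifications only: none of the three backup types, as modelled here, records that a file was deleted, so a real restore procedure also needs a way to handle deletions and to verify the restored state against a known-good inventory.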
Internet Security
• Operating System Vulnerabilities:
– Virtualization
– Hypervisor
• Web server vulnerabilities
• Private network vulnerabilities
• Vulnerabilities from server and
communication programs
Internet Security
• Cloud computing
– In this context "the cloud" is used loosely as a synonym for the Internet.
– Cloud computing is the use of cloud-based services and data storage.
– Software as a Service (SaaS)
• Grid computing involves clusters of interlinked computers that share common workloads.
• General security procedures
Learning Objective 5
Discuss contingency planning and other disaster risk management practices.
Disaster Risk Management
• Disaster risk management is essential to ensure continuity of operations in the event of a catastrophe:
– Prevention
– Contingency planning
Disaster Risk Management
• Disaster prevention is the first step in managing disaster risk.
• Frequencies of disaster causes:
– Natural disasters: 30%
– Deliberate actions: 45%
– Human error: 25%
• Disasters can be mitigated or avoided by a good security policy.
Disaster Risk Management
• Contingency planning for disasters
– A disaster recovery plan must be implemented at the highest levels in the company.
• The first step in developing a disaster recovery plan is obtaining the support of senior management and setting up a planning committee.
Disaster Risk Management
• The design of a disaster recovery
plan should include three major
components:
1. Assess the company’s critical needs.
2. List priorities for recovery.
3. Establish strategies and procedures.
Disaster Risk Management
• A complete set of recovery strategies should take into account the following considerations:
– Emergency response center
– Escalation procedures
– Alternate processing arrangements
– Personnel relocation and replacement plans
– Salvage plan
– Plan for testing and maintaining the system
Information Security Standards
• ISO/IEC 27000 – 12 categories:
1. Risk assessment
2. Security policies
3. Organization and governance of IS
4. Asset management
5. Human resources
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. IS acquisition, development, and maintenance
10. IS incident management
11. Business continuity management
12. Compliance
Information Security Standards
• The COBIT framework is divided into four domains:
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
• COSO's Internal Control – Integrated Framework: Guidance on Monitoring Internal Control.
Business Continuity Planning and Disaster Recovery Standards
• A business continuity plan is a strategy to mitigate disruption to business operations in the event of a disaster.
• In the U.S., various economic sectors and industries are subject to BCP compliance standards:
– Security of Federal Automated Information Resources
– Financial Institution Safeguards
– Sound Practices for Management and Supervision
– Specification for Business Continuity Management