Chapter 7: Controlling Information Systems: Introduction to Enterprise Risk Management and Internal Control Accounting Information Systems, 9e Gelinas ►Dull ► Wheeler © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Learning Objectives Summarize the eight elements of COSO’s Enterprise Risk Management—Integrated Framework. Understand that management employs internal control systems as part of organizational and IT governance initiatives. Describe how internal control systems help organizations achieve objectives and respond to risks. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Learning Objectives (cont’d) Describe fraud, computer fraud, and computer abuse. Enumerate control goals for operations and information processes. Describe the major categories of control plans. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Suggested Exercise Questions P 7-1 on page 250 P 7-3 on page 251 P 7-4 on page 253 © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Why are Controls Needed? 1. To provide reasonable assurance that the goals of each business process are being achieved. 2. To mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts). 3. To provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. A Control Hierarchy Chapter 7 Besides the internal control topics by the textbook, we will also study about IS analysis, design, and maintenance related control topics as well. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Governance Organizational governance Highest level of control mechanism process by which organizations select objectives, establish processes to achieve objectives, and monitor performance. Enterprise Risk Management (ERM): a framework that has been proven to be an effective process for organizational governance © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Governance example © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Risk Management Enterprise Risk Management (ERM): process, effected by an entity’s board of directors, management, and other personnel, applied in strategy settings and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Eight Components of Enterprise Risk Management (ERM) – on page. 221 Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information and Communication Monitoring Another reason why ERM is necessary because of “Sarbanes-Oxley Act of 2002 (SOX)” © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Sarbanes-Oxley Act (SOX) of 2002 Created due to failure of governance (i.e., Enron) Detail from financial accounting and auditing courses Created public company accounting oversight board (PCAOB). Strengthened auditor independence rules. Increased accountability of company officers and directors. Mandated upper management to take responsibility for the company’s internal control structure. Enhanced the quality of financial reporting. Increased white collar crime penalties. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Key Elements of SOX (AIS perspective) Section 201—prohibits audit firms from providing a wide array of nonaudit services to audit clients in particular, the act prohibits consulting engagements involving the design and implementation of financial information systems. Section 302—CEOs and CFOs must certify quarterly and annual financial statements. Section 404—Mandates the annual report filed with the SEC include an internal control report. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Outline of SOX (AIS perspective) Outline on page 226 Title III—Corporate Responsibility: Company’s CEO and CFO must certify quarterly and annual reports stating: They are responsible for establishing, maintaining, and reporting on the effectiveness of internal controls, including significant deficiencies, frauds, or changes in internal controls. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Outline of SOX (AIS perspective) Title IV— Section 409 requires that companies disclose information on material changes in their financial condition or operations on a rapid and current basis. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Outline of SOX (AIS perspective) Title VIII—Corporate and Criminal Fraud Accountability: Makes it a felony to knowingly destroy, alter, or create records or documents with the intent to impede, obstruct, or influence an ongoing or contemplated federal investigation (example on the next slide). Offers legal protection to whistleblowers who provide evidence of fraud. Provides criminal penalties for those who knowingly execute, or attempt to execute, securities fraud. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Recovered E-Mail between Enron and Andersen Consulting Outline of SOX (AIS perspective) Title IX—White-Collar Crime Penalty Enhancements: Requires that CEOs and CFOs certify that information contained in periodic reports fairly presents, in all material respects, the financial condition and results of the company’s operations. Sets criminal penalties applicable to CEOs and CFOs if they knowingly or willfully falsely so certify. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Your Computer Usage Pattern Your property? Computer files, email by your personal email system Talking about your boss or peers by email Web shopping during lunch break Visiting adult website All files are deleted…are you safe now? When leaving the company? Access to your computer © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Definition of Internal Control Internal control is a process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness & efficiency of operations Reliability of financial reporting Compliance with applicable laws & regulations © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. COSO Influence on Defining Internal Control (most current COSO framework on the class website) © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Matrix for Evaluating Internal Controls © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Fraud and its Relationship to Control Fraud: deliberate act or untruth intended to obtain unfair or unlawful gain. Management charged with responsibility to prevent and/or disclose fraud. Instances of fraud undermine management’s ability to convince various authorities that it is upholding its stewardship responsibility. Control systems enable management to do this job. Management is responsible for an internal control system per the Foreign Corrupt Practices Act of 1977. Section 1102 of the Sarbanes-Oxley Act specifically addresses corporate fraud. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Consideration of Fraud in a Financial Statement Audit (SAS 99) The accounting profession has been proactive in dealing with corporate fraud, as it has launched an anti-fraud program. One of the manifestations of this initiative is Statement on Auditing Standards (SAS) No. 99. SAS 99 emphasizes brainstorming fraud risks, increasing professional skepticism, using unpredictable audit test patterns, and detecting management override of internal controls. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. 2010 ACFE Report to the Nation on Occupational Fraud and Abuse Median loss from frauds was $160,000. One quarter of lasses at least $1 million. Projected global losses would be $2.9 trillion. Typical fraud was underway 18 months. Frauds were more likely detected by tips. Over 80 percent of the frauds were committed by individuals within the organization. Small businesses are disproportionately victimized by fraud (31 percent of cases). © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. PwC Economic Crime Survey 30% of companies reported frauds in the previous 12 months and 43% reported an increase from the previous year. Larger companies reported a greater number of frauds. Collateral damage—described as damage or significant damage to their business—was reported in 100% of frauds. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. PwC Economic Crime Survey (cont’d) Frauds were detected by internal audit (17%), internal tip-offs (16%) and fraud risk management (14%). There was a strong correlation between fraud risk management activities and higher chances of detecting frauds. © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Computer Fraud and Abuse Digital forensics Computer crime Malware Computer virus © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. DIGITAL FORENSICS Digital forensics – the collection, authentication, preservation, and examination of electronic information for presentation in court Two phases 1. Collecting, authenticating, and preserving electronic evidence 2. Analyzing the findings Phase 1: Collection – Places to look for Electronic Evidence Phase 1: Preservation If possible, hard disk is removed without turning computer on Special forensics computer is used to ensure that nothing is written to drive Forensic image copy – an exact copy or snapshot of all stored information Mod H-30 Phase 1: Authentication Authentication process necessary for ensuring that no evidence was planted or destroyed MD5 hash value It is like a fingerprint of the file. There is a very small possibility of getting two identical hashes (fingerprint) of two different files. This feature can be useful both for comparing the files and their integrity control. Mod H-31 Forensic Hardware and Software Tools Forensics computers usually have a lot of RAM and very fast processors EnCase – software that finds all information on disks Quick View Plus and Conversions Plus – read files in many formats Mailbag Assistant – reads most e-mail Mod H-32 Forensics Hardware and Software Tools Gargoyle – software that identifies encrypted files and may decrypt them Irfan View – reads image files Ingenium – semantic analysis software that searches for meaning rather than an exact match Mod H-33 Cell Phones In 2004 - 200 countries with more than 1.5 billion users of GSM cell phones (Cingular and most of Europe) GSM: Global System for Mobile Communications Cell phones can be used for Illegal drug deals Storing stolen data Fraudulently securing goods and services Setting off explosives Mod H-34 Cell Phones and Other Handheld Devices Files Can Be Recovered from… Mod H-35 Phase 2: Analysis Interpretation of information uncovered Recovered information must be put into context Digital forensic software pinpoints the file’s location on the disk, its creator, the date it was created and many other features of the file Mod H-36 Where Data is Hiding Mod H-37 History of Disk Activity Live Analysis Examination of a system while it is still running Disadvantage - not possible to get an MD5 hash value Advantages include – the ability to retrieve information from RAM Helix – program to collect information during live analysis Mod H-39 RECOVERY AND INTERPRETATION Snippets of e-mail, when put into context, often tell an interesting story Mod H-40 E-Mail between engineers about the Spaceship Columbia Mod H-41 E-Mail between Enron and Andersen Consulting Mod H-42 E-Mail from Arresting Officer in the Rodney King Beating Mod H-43 Internal E-Mail from Bill Gates to Microsoft Employee Mod H-44 Places to Look for Useful Information Deleted files and slack space Slack space – the space between the end of the file and the end of the cluster System and registry files Controls virtual memory on hard disk Has records on installs and uninstalls Has MAC address (unique address of computer on the network) Mod H-45 Places to Look for Useful Information Unallocated space – set of clusters that has been marked as available to store information but has not yet received any Unused disk space Erased information that has not been overwritten Mod H-46 Anti-Forensics New branch of digital forensics Set of tools and activities that make it hard or impossible to track user activity Three categories Configuration settings Third party tools Forensic defeating software Mod H-47 Configuration Settings Examples: Delete files: By passing the recycle bin Rename the file with a different extension Clear out virtual memory Use Defrag to rearrange data on the hard disk and overwrite deleted files Use Disk Cleanup to delete ActiveX controls and Java applets Mod H-48 Configuration Settings Examples: Delete temporary Internet files Hide information by making it invisible with Hidden feature in Word or Excel Redact – black out portions of a document Protect your files with passwords Mod H-49 Configuration Settings Examples: Make the information invisible Use Windows to hide files Protect file with password Mod H-50 Third-Party Tools to Alter your registry Hide Excel files inside Word documents and visa versa Change the properties like creation date in Windows Replace disk contents with 1’s and 0’s – called wiping programs Mod H-51 Third Party Tools Encryption – scrambles the contents of a file so that you can’t read it without the decryption key Steganography – hiding information inside other information The watermark on dollar bills is an example U3 Smart drive – stores and can launch and run software without going through the hard disk thus leaving no trace of itself Mod H-52 Forensic Defeating Software Software on the market specially designed to evade forensic examination Such software would include programs to remove data in slack space data in cache memory cookies, Internet files, Google search history, etc. Mod H-53 WHO NEEDS DIGITAL FORENSICS INVESTIGATORS? Digital forensics is used in The military for national and international investigations Law enforcement, to gather electronic evidence in criminal investigations Corporations and not-for-profits for internal investigations Consulting firms that special in forensics Mod H-54 Organizations Use Digital Forensics in Two Ways 1. Proactive education to educate employees 2. Reactive digital forensics for incident response Mod H-55 Proactive Education to Educate Employees Proactive Education for Problem Prevention What to do and not to do with computer resources such as The purposes for which e-mail should be used How long it may be saved What Internet sites are may be visited Mod H-56 Reactive Digital forensics for Incident Response What to do if wrong-doing is suspected and how to investigate it Encouraged by the Sarbanes-Oxley Act, which expressly requires implementation of policies to prevent illegal activity and to investigate allegations promptly Mod H-57 A Day in the Life… As a digital forensics expert you must Know a lot about computers and how they work Keep learning Have infinite patience Be detail-oriented Be good at explaining how computers work Be able to stay cool and think on your feet Mod H-58 Computer Crime Computer crime – a crime in which a computer, or computers, play a significant part Computers are involved in crime in two ways As the targets of misdeeds As weapons or tools of misdeeds Computer crimes can be committed Inside the organization Outside the organization Mod H-59 Examples of Computer Crimes Mod H-60 Crimes in Which Computers Usually Play a Part Mod H-61 Outside the Organization Financial loss stemmed from Virus and worm attacks Unauthorized access Theft of hardware Theft of information Malware Mod H-62 Types of Malware Malware – software designed to harm you computer or computer security Viruses Worms Misleading e-mail Types of Malware Denial-of-service attacks Distributed Denial-of-Service Attack Web defacing Malware bots Mod H-63 Viruses Computer virus (virus) – software that was written with malicious intent to cause annoyance or damage Worm – a computer virus that replicates and spreads itself from computer to computer Mod H-64 Recent Problems The most common type of worm was a botnet in 2007 and 2008 Botnet –collection of computers that have been infected with blocks of code (called bots) that can run automatically by themselves. A botnet can Collect e-mail addresses from infected machines Distribute vast amounts of e-mail Lie dormant to be used at a later date by crooks Mod H-65 The Love Bug Worm Mod H-66 Stand-Alone Viruses Spoofing – forging of return address on email so that it appears to come from someone other than sender of record Klez family of worms Introduced spoofing of sender and recipient Mod H-67 Trojan Horse Viruses Trojan horse virus – hides inside other software, usually an attachment or download Examples: Key logger (key trapper) software – program that, when installed on a computer, records every keystroke and mouse click Ping-of-Death DoS attack designed to crash Web sites Mod H-68 Misleading E-mail: Virus Hoax Objective is to cause damage to your system Virus hoax is an e-mail telling you of a nonexistent virus Makes recipients believe that they already have a virus and gives instructions on removal which actually delete a Windows file Often purports to come from Microsoft -Microsoft always sends you to a Web site to find the solution to such a problem Mod H-69 Denial-of-Service Attacks Denial-of-Service (DoS) attack – floods a Web site with so many requests for service that it slows down or crashes Objective is to prevent legitimate customers from using Web site Mod H-70 Distributed DoS Distributed denial-of-service attack (DDoS) – attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes. Mod H-71 Distributed Denial-of-Service Attack Mod H-72 Malware Bots Bot – a computer program that runs automatically. Malware bots – bots that are used for fraud, sabotage, denial-of-service attacks, or some other malicious purpose Zombies (or drones) – malware-bot-infected computers Mod H-73 Rootkits Rootkit – software that gives you administrator rights to a computer or network and its purpose is to allow you to conceal processes, files, or system data from the operating system. Mod H-74 Web Defacing Web defacing – maliciously changing another’s Web site Electronic equivalent of graffiti Mod H-75 Players Hackers – knowledgeable computer users who use their knowledge to invade other people’s computers Thrill-seeker hackers – break into computer systems for entertainment White-hat (ethical) hackers – computer security professionals who are hired by a company to uncover vulnerabilities in a network Mod H-76 Players Black hat hackers – cyber vandals. They’re the people who exploit or destroy information Crackers – hackers for hire, are the people who engage in electronic corporate espionage Social engineering – acquiring information that you have no right to by means of deception Mod H-77 Players Hacktivists – politically motivated hackers who use the Internet to send a political message Cyberterrorists – those who seek to cause harm to people or destroy critical systems or information Mod H-78 Players Script kiddies (or bunnies) – people who would like to be hackers but don’t have much technical expertise Are often used by experienced hackers as shields Mod H-79 COSO Influence on Defining Internal Control © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.