Auditing In Advanced Information Technology System Flashcards
List the effects of electronic data interchange (EDI)
- Quick reaction time
- Continuous processing
- Strict application of payment conditions
- Impact of unauthorized access is more significant
- Increased importance of security controls
- Computer applications must meet interface standards
- Certain user controls become obsolete
- Lack of paper trails
- Human judgement and intervention fall away
- Contractual liabilities addressed through agreements
List the advantages of EDI
- Cost savings
- Increased speed
- Reduced risk of errors
- Improved inventory and cash management
- Improved trading relations with suppliers
List the general risks relating to EDI
- Increased reliance on trading partners
- Increased reliance on technology
- Less human involvement, so less chance of detecting errors
- Dependency on service provider
- Legal risks
- Business risks
List the internal risks in EDI
- Security risks
- Implementation risks
- Processing risks
List the external risks with EDI
- Controls at trading partners and value-added networks (VANs)
- Loss of sensitive data due to unauthorized access
- Legislation regarding business transactions
- Loss of EDI facility
- Error during transmission of data
- Manipulation of transaction during transmission
List the controls for increased reliance on trading partners
- Development and acceptance of a proper contractual data interchange agreement
- Good relations between trading partners
- Third-party review of trading partners on a regular basis
List the controls for increased reliance on technology
- Hardware and software continuously tested
- Strict development standards
- Control over physical access to critical hardware
- Error correction procedures
- Backup
List the controls for less human involvement
- Automated controls
- Training of management to understand the information and react promptly
- Limits and exceptions built into the trading agreement
- Authorization of transaction by users during initial development of the system
List the controls for dependency on VANs
- Assess the reliability of the service provider
- Contractual agreement with the service provider
List controls for legal risks
- Adherence to legal requirements
- Contractual rights and obligations must be clearly defined in the agreement
- Employees bound by a code of conduct
Name the control for business risk
Information risk management policies and procedures
List the security risks involved in internal risks
- General lack of security policy for the organization as a whole
- Absence of executive sponsorship for security issues
- Security breach due to unauthorized access
- Manipulation of software applications
- Blackmail
List the controls for security risk
- Security policy and procedures implemented and regularly reviewed
- Programmed access controls
- Audit trails of access to EDI and follow-up of unauthorized access
- Backup, recovery and restoration facilities
- Error correction procedures
- Physical security
- Personnel security
- Administrative security
- Communication security
- Risk management
List the controls for implementation risks
- Data retention requirements determined in respect of period, medium and legal requirements
- Perform risk analysis
- Obtaining technical advice
- The auditor must be involved
- Normal system development procedures
List the controls for processing risks in EDI
- Edit tests by system
- Exception reports printed and followed up by management
- Sequential numbering and follow up missing items
- Reconciliation of control accounts and transactions
- Validation tests by system
- Transaction logs and audit trails
- Division of duties
- Protection of data transmitted through encryption
- High risk transactions are encrypted
List the controls for trading partners and VANs
- Contractual agreement
- Good relationship
- Third party review
- Verify the identity of trading partners
List the controls for loss of sensitive data due to unauthorized access
- Business agreement between partners
- Good business relationship
- Encryption of transaction and data
- Third party review
List the controls against loss of the EDI facility
- Regular testing of system
- Choice of network supplier
- Failover
List the controls to prevent error during transmission of data
- Edit tests
- Parity test by system
List the controls to prevent manipulation of transactions during transmission
- Access controls
- Encryption
List the general controls in an electronic business transaction system
- System development and implementation controls
- System maintenance controls
- Organizational and management controls
- Access controls
- Computer operating controls
- System software controls
- Business continuity controls
List the additional considerations in system development and implementation controls in an electronic business transaction system.
- Strategic planning to allow for EDI transactions and risks
- Risk analysis performed before implementation
- Use recognized standards and methodology in development
- Planning of a business strategy to accommodate EDI transactions
- Contractual agreement covering rights and obligations with trading partners and service providers
- Necessity to update accounting processing procedures and controls
List the aspects to be included in agreement with trading partners
- Responsibilities and duties
- Security audit
- Adequacy of controls
- Accountability for the creation, transmission and receipt of messages
- The format and frequency of acknowledgement
- Backups
- Contractual aspects
List the additional controls to be considered in the organizational and management control in an electronic business transaction environment
- Involvement and support by senior management
- EDI coordinator/supervisor
- Division of duties between authorization and transmission of data
- Risk management
- All responsibilities and duties regarding the management and protection of data addressed in policy
- Regular independent certification of security
- Personnel policies
- Administrative policies
List the additional controls for computer operating controls for electronic business transaction system.
- Hardware devices validate the source of all incoming messages using recognition codes
- Hardware devices confirm the identity of recipient of all outgoing messages
- The central computer should poll all remote devices on a regular basis
- Communication links and network maintenance
- Acknowledgement of receipt of data
- Correction of errors
- Backup and recovery procedures
- System logs record all incoming and outgoing messages
- Line interference protection ensures messages are not distorted
List the system recovery procedures from operational failure
- System provide a record of accepted data transfer
- Written procedures for the re-transmission of non-accepted data transfer
- Controls to prevent duplication following system recovery
- An incident log should be kept of all interruptions
- On hardware failure, processing switches to an alternative terminal or server
- On line failure, processing switches to other communication media
- Contingency plan tested periodically
List the additional controls for system software controls
- Encryption of sensitive data before transmission
- Use of secure server software that encrypts all information before transmission
- Controls in place to protect data against unauthorized manipulation and deletion during transmission and storage
- Secure Electronic Transaction (SET) set up by the organization in respect of credit card transactions
- Protection of transmitted transaction data by use of digital signatures
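The transmission and recovery controls above (protecting each message before it is sent, keeping a record of accepted data transfers, re-transmitting non-accepted transfers and preventing duplication after recovery) as an added Python example. This is illustrative code written for this page, not from any EDI product or standard. It uses a shared-key HMAC from the standard library instead of the digital signature the page lists, so it demonstrates integrity and source authentication between two partners but not non-repudiation; the key, partner id, message ids and amounts are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example key, assumed to have been agreed with the trading partner out of band
# (in practice it lives in a key store, never in source). Because both parties hold it, a MAC
# proves origin and integrity between them but gives no non-repudiation; that needs an
# asymmetric digital signature (RSA, ECDSA or Ed25519 through a crypto library), which is
# the page's "digital signature" control and is not shown here.
PARTNER_KEY = b"constructed-shared-secret-for-SUP42"


def canonical(message):
    """Deterministic serialisation so sender and receiver MAC exactly the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(message, key=PARTNER_KEY):
    """Sender side: wrap the message in an envelope carrying an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {"msg": message, "mac": tag}


class Receiver:
    """Receiver side: verifies the tag, keeps the record of accepted transfers, rejects duplicates."""

    def __init__(self, key=PARTNER_KEY):
        self.key = key
        self.accepted = {}      # message id -> message: the record of accepted data transfers
        self.incident_log = []  # every rejection or duplicate, for follow-up by management

    def receive(self, envelope):
        msg = envelope["msg"]
        msg_id = msg.get("id")
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak tag bytes through timing.
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            self.incident_log.append(("mac_failure", msg_id))
            return {"status": "rejected", "id": msg_id, "reason": "mac mismatch"}
        if msg_id in self.accepted:
            # Re-transmission after a lost acknowledgement: acknowledge again, do not post twice.
            self.incident_log.append(("duplicate", msg_id))
            return {"status": "duplicate", "id": msg_id}
        self.accepted[msg_id] = msg
        return {"status": "accepted", "id": msg_id}


def run_exchange():
    """Walk through accept, tamper-in-transit, spoofed sender and re-transmission; return statuses."""
    receiver = Receiver()
    order = {"id": "PO-1001", "partner": "SUP42", "amount": "1250.00", "currency": "ZAR"}
    envelope = protect(order)
    statuses = [receiver.receive(envelope)["status"]]                  # accepted
    # Manipulation during transmission: amount changed, original tag kept.
    tampered = {"msg": dict(order, amount="9125.00"), "mac": envelope["mac"]}
    statuses.append(receiver.receive(tampered)["status"])              # rejected
    # Intruder posing as the partner without the agreed key.
    spoofed = protect(dict(order, id="PO-1002"), key=b"attacker-guess")
    statuses.append(receiver.receive(spoofed)["status"])               # rejected
    # Sender re-transmits because its acknowledgement was lost.
    statuses.append(receiver.receive(envelope)["status"])              # duplicate
    return statuses, len(receiver.accepted)


if __name__ == "__main__":
    print(run_exchange())
```

The acknowledgement returned by `receive` is what the sender uses to decide whether to re-transmit; because the receiver keys its record on the message id, a re-transmission after recovery is acknowledged without being posted a second time.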
List the additional controls for business continuity controls
- Contract with service provider/trading partners
- Power backup
- Communication lines
- Hardware
- Logging and storage copies of incoming and outgoing messages
- Numbering or other forms of systematic storage of incoming and outgoing messages
List the programmed application controls for electronic business transaction system
- Echo checking
- Verification of headers, trailers and record counts to ensure completeness of message
- Hash values and hash value comparisons
- Check digits on control fields
- Verification of control and/or hash totals
- Message automatically re-transmitted if any error detected
- Verification of proper message structure
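An added example (written for this page, not from any EDI product or standard) showing the programmed application controls above and the processing controls listed earlier (header/trailer structure, record counts, control and hash totals, sequential numbering with follow-up of missing and duplicated items) applied to a constructed batch and producing the exception report management would follow up. The pipe-delimited layout, batch id, invoice numbers and amounts are assumptions made for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample batch (an assumed pipe-delimited layout, not a real X12 or EDIFACT
# interchange). The trailer carries the batch controls the receiver recomputes:
#   TRL|<batch id>|<record count>|<control total of amounts>|<hash total of invoice numbers>
SAMPLE_BATCH = """\
HDR|BATCH001|20240301
INV|1001|SUP42|1250.00
INV|1002|SUP42|310.50
INV|1003|SUP17|99.99
TRL|BATCH001|3|1660.49|3006
"""


def parse_batch(text):
    """Split a batch into header, detail records and trailer, verifying the message structure."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) < 2 or not lines[0].startswith("HDR|"):
        raise ValueError("missing header record")
    if not lines[-1].startswith("TRL|"):
        raise ValueError("missing trailer record")
    header, trailer = lines[0].split("|"), lines[-1].split("|")
    if len(header) != 3 or len(trailer) != 5:
        raise ValueError("header or trailer has the wrong number of fields")
    details = [line.split("|") for line in lines[1:-1]]
    return header, details, trailer


def validate_batch(text):
    """Return the exception report for one batch: a list of messages, empty if every control passed."""
    try:
        header, details, trailer = parse_batch(text)
    except ValueError as exc:
        return [str(exc)]
    report = []
    if header[1] != trailer[1]:
        report.append(f"batch id mismatch: header {header[1]}, trailer {trailer[1]}")

    invoice_numbers, amount_total = [], Decimal("0")
    for rec in details:
        if rec[0] != "INV" or len(rec) != 4:               # proper record structure
            report.append(f"malformed detail record: {'|'.join(rec)}")
            continue
        try:
            number, amount = int(rec[1]), Decimal(rec[3])
        except (ValueError, InvalidOperation):
            report.append(f"non-numeric field in record: {'|'.join(rec)}")
            continue
        invoice_numbers.append(number)
        amount_total += amount

    try:
        declared_count = int(trailer[2])
        declared_control = Decimal(trailer[3])
        declared_hash = int(trailer[4])
    except (ValueError, InvalidOperation):
        report.append("trailer controls are not numeric")
        return report

    # Completeness: record count and hash total (sum of a non-financial field, here the invoice number).
    if len(invoice_numbers) != declared_count:
        report.append(f"record count mismatch: trailer {declared_count}, received {len(invoice_numbers)}")
    if sum(invoice_numbers) != declared_hash:
        report.append(f"hash total mismatch: trailer {declared_hash}, computed {sum(invoice_numbers)}")
    # Accuracy: control total of the financial field.
    if amount_total != declared_control:
        report.append(f"control total mismatch: trailer {declared_control}, computed {amount_total}")
    # Sequential numbering: duplicates and gaps are both exceptions to follow up.
    dupes = sorted({n for n in invoice_numbers if invoice_numbers.count(n) > 1})
    if dupes:
        report.append(f"duplicate invoice number(s): {dupes}")
    ordered = sorted(set(invoice_numbers))
    gaps = [n for a, b in zip(ordered, ordered[1:]) for n in range(a + 1, b)]
    if gaps:
        report.append(f"missing invoice number(s): {gaps}")
    return report


if __name__ == "__main__":
    print("clean batch:", validate_batch(SAMPLE_BATCH))
    print("amount altered:", validate_batch(SAMPLE_BATCH.replace("310.50", "3105.00")))
    print("record dropped:", validate_batch(SAMPLE_BATCH.replace("INV|1002|SUP42|310.50\n", "")))
```

An altered amount trips only the control total, while a dropped record trips the record count, the hash total, the control total and the sequence check at once; that overlap is deliberate, since each control catches a different class of error.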
List the user application controls for electronic business transaction system
- Authorization of transaction by users
- Regular audit trail printouts of incoming messages with exception reports
- Regular review of audit trails and exception reports by management
- Correction of errors as soon as possible
- Reconciliation of control accounts
List the controls in EFT transactions
- Master file changes
- Execution of payments
  - Validity
  - Completeness
  - Accuracy
List the accuracy controls in EFT
- Training
- Edit tests
  - Format test
  - Screen test
  - Dependency test
  - Limit/reasonability test
  - Check digits
  - Control totals
  - Validity/existence test
  - Field size
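The edit tests above as an added Python example (written for this page, not taken from any EFT system) run against a constructed payment instruction: format, field size, check digit, limit/reasonability, validity against a code table, existence against the beneficiary master file, a dependency test and a batch control total. The page names the tests but not their parameters, so the 11-digit account length, the mod-10 (Luhn) check digit, the payment limit, the currency table and the master file entries are all assumptions made for the example.

```python
import re
from decimal import Decimal, InvalidOperation

# Assumed parameters for the example (the page lists the tests, not these values):
ACCOUNT_LENGTH = 11                                   # field size test
PAYMENT_LIMIT = Decimal("100000.00")                  # limit/reasonability test
VALID_CURRENCIES = {"ZAR", "USD", "EUR", "GBP"}       # validity test code table
BENEFICIARY_MASTER = {"SUP42": "79927398713",         # existence test master file (constructed;
                      "SUP17": "49927398716"}         # both numbers carry a valid Luhn check digit)


def luhn_valid(digits):
    """Mod-10 (Luhn) check digit test: detects any single-digit error and most transpositions."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_tests(instr):
    """Apply the field-level edit tests to one payment instruction; return {field: [errors]}."""
    errors = {}

    def fail(field, msg):
        errors.setdefault(field, []).append(msg)

    acct = str(instr.get("account", ""))
    if not re.fullmatch(r"\d+", acct):                         # format test
        fail("account", "must be numeric")
    elif len(acct) != ACCOUNT_LENGTH:                          # field size test
        fail("account", f"must be {ACCOUNT_LENGTH} digits")
    elif not luhn_valid(acct):                                 # check digit test
        fail("account", "check digit failure")

    try:                                                       # format test on the amount
        amount = Decimal(str(instr.get("amount", "")))
        if amount != amount.quantize(Decimal("0.01")):
            fail("amount", "more than two decimal places")
        elif amount <= 0 or amount > PAYMENT_LIMIT:            # limit/reasonability test
            fail("amount", f"outside 0.01..{PAYMENT_LIMIT}")
    except InvalidOperation:
        fail("amount", "not a valid decimal amount")

    if instr.get("currency") not in VALID_CURRENCIES:          # validity test
        fail("currency", "unknown currency code")

    bene = instr.get("beneficiary_id")
    if bene not in BENEFICIARY_MASTER:                          # existence test
        fail("beneficiary_id", "not on beneficiary master file")
    elif "account" not in errors and BENEFICIARY_MASTER[bene] != acct:
        # Master file cross-check: stops a keyed account number diverting a genuine beneficiary's payment.
        fail("account", "does not match the master file account for this beneficiary")

    if instr.get("payment_type") == "SCHEDULED":                # dependency test
        if not re.fullmatch(r"\d{8}", str(instr.get("value_date", ""))):
            fail("value_date", "required as YYYYMMDD for scheduled payments")
    return errors


def batch_control_total(instructions, declared_total):
    """Control total: the sum of the keyed amounts must equal the total declared for the batch."""
    computed = sum((Decimal(str(i["amount"])) for i in instructions), Decimal("0"))
    return computed == Decimal(str(declared_total)), computed


# Constructed instruction that passes every test.
GOOD = {"beneficiary_id": "SUP42", "account": "79927398713", "amount": "1500.00",
        "currency": "ZAR", "payment_type": "IMMEDIATE"}

if __name__ == "__main__":
    print(edit_tests(GOOD))
    print(edit_tests(dict(GOOD, account="79927398714")))      # one digit keyed wrongly
    print(edit_tests(dict(GOOD, payment_type="SCHEDULED")))   # dependency: no value date
    print(batch_control_total([GOOD, dict(GOOD, amount="10.50")], "1510.50"))
```

The tests on one field are ordered so that a format failure is reported once rather than cascading into size, check digit and master file errors; the screen test the page lists is the user interface enforcing these same rules at data entry and is not reproduced here.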
Problem areas in auditing in an EDI environment
- Transactions are performed and accounted for electronically without paper documentation
- Transactions often take place automatically
- Transactions authorized by the computer
- Large number of transactions
- High risk of unauthorized access
- Transactions stored in electronic format
List the benefits of trading via Internet
- Ability to exchange information
- Ability to share information
- Cost-effective
- Marketing, advertising
Risks on trading via Internet
- Security risks
- Privacy risks
- Hackers, hacktivists, phishing, spoofing and spyware
- Wireless applications
- Business continuity risks
- Payment via credit card
- Accounting risks
- Tax and regulation
- Outsourcing
What are some of the security risks of trading via the Internet
- The Internet protocol carries no identity, enabling intruders to pose as someone else
- The Internet was not designed with security in mind
- No central management of the Internet
- Dependence on appropriate and adequate system design to prevent and detect abnormalities
- Dependence on programmed controls to cope with the large volume of transactions
- Remote transactions initiated by users
- Risks relating to managing security, ranging from the choice of business model at the strategic level to the interface between processes
- Failure of encryption-based security
Name the privacy risks relating to trading via the Internet
- Invasion of privacy may increase
- Issues concerning payment by credit card
List the risks relating to wireless applications
- Interception of confidential information by unauthorized parties
- Risk of unauthorized access to computers and servers through wireless connection
List the risks with payment via credit card
- Unauthorized acquisition of credit card information
- Claims against the organization where client information is accessed by unauthorized users
- Risk of bad debts resulting from stolen cards
List the controls in Internet based system
- Certification
- Authentication
- Confidentiality
- Credit card
- Non-repudiation
- Identification and authentication
- Privacy policy
- Assurance logo
- Firewalls
- Controls relating to transaction integrity
- Controls over master file information
List the controls against viruses
- Software protection
- Data file protection
- Staff
Steps taken to implement software protection controls against viruses
- Purchase from reputable suppliers; programs tested before implementation
- Take care when using free or public domain software
- Do not lend out removable media
- Never boot the machine from removable media
- Set anti-virus software to scan removable media before they are mounted or used
- Never use illegal copies of software
List the controls for data file protection
- Sound access controls including firewall
- Install virus detection software
- Test data for virus before use
- Regular backups
- Keep removable media set to "write protect"
Advantages of outsourcing and using a service provider
- Division of duties effected through processing being done by third party
- Cost consideration
- Hardware, resources and expertise are provided by service provider
- Reliability of processing
- Service provider is likely to have secure control environment
Disadvantages of using service providers
- Dependence on service provider for processing
- Loss of control over information processing
- Reliability of service provider in respect of processing and safeguarding of integrity of data
- Risk of being locked into obsolete technology
Factors to be considered when using a service provider
- Fee structure
- Speed of information turnaround
- Whether or not the service provider is financially sound
- Quality of backups and support available
- The service provider’s contingency plan
- Service provider’s ability to keep pace with technology
- Quality of information available
- Implication of management control
- Implication of accounting controls
- Effect on the company's image