Chapter 11: Auditing Computer-Based Information Systems

After studying this chapter, you should be able to:
1. Describe the scope and objectives of audit work, and identify the major steps in the audit process.
2. Identify the objectives of an information system audit, and describe the four-step approach necessary for meeting these objectives.
3. Design a plan for the study and evaluation of internal control in an AIS.
4. Describe computer audit software, and explain how it is used in the audit of an AIS.
5. Describe the nature and scope of an operational audit.

INTEGRATIVE CASE: SEATTLE PAPER PRODUCTS

Seattle Paper Products (SPP) is modifying its sales department payroll system to change the way it calculates sales commissions. Under the old system, commissions were a fixed percentage of dollar sales. The new system is considerably more complex, with commission rates varying according to the product sold and the total dollar volume of sales.

Jason Scott was assigned to use audit software to write a parallel simulation test program to calculate sales commissions and compare them with those generated by the new system. Jason obtained the necessary payroll system documentation and the details on the new sales commission policy and prepared his program.

Jason used the sales transaction data from the last payroll period to run his program. To his surprise, his calculations were $5,000 less than those produced by SPP's new program. Individual differences existed for about half of the company's salespeople. Jason double-checked his program code but could not locate any errors. He selected a salesperson with a discrepancy and calculated the commission by hand. The result agreed with his program. He reviewed the new commission policy with the sales manager, line by line, and concluded that he understood the new policy completely.

Jason is now convinced that his program is correct and that the error lies with SPP's new program. He is now asking himself the following questions:
1. How could a programming error of this significance be overlooked by experienced programmers who thoroughly reviewed and tested the new system?
2. Is this an inadvertent error, or could it be a fraud?
3. What can be done to find the error in the program?

Introduction

This chapter focuses on auditing an accounting information system (AIS). Auditing is the systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria. The results of the audit are then communicated to interested users. Auditing requires careful planning and the collection, review, and documentation of audit evidence. In developing recommendations, the auditor uses established criteria, such as the principles of control described in previous chapters, as a basis for evaluation.

Many organizations in the United States employ internal auditors to evaluate company operations. Governments employ auditors to evaluate management performance and compliance with legislative intent. The Department of Defense employs auditors to review the financial records of companies with defense contracts. Publicly held companies hire external auditors to provide an independent review of their financial statements.

This chapter is written from the perspective of an internal auditor. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve organizational effectiveness and efficiency, including assisting in the design and implementation of an AIS. Internal auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management and control.

There are several different types of internal audits:
1. A financial audit examines the reliability and integrity of financial transactions, accounting records, and financial statements.
2. An information systems, or internal control, audit reviews the controls of an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets. The audits usually evaluate system input and output, processing controls, backup and recovery plans, system security, and computer facilities.
3. An operational audit is concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives.
4. A compliance audit determines whether entities are complying with applicable laws, regulations, policies, and procedures. These audits often result in recommendations to improve processes and controls.
5. An investigative audit examines incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.

In contrast, external auditors are responsible to corporate shareholders and are mostly concerned with gathering the evidence needed to express an opinion on the financial statements. They are only indirectly concerned with the effectiveness of a corporate AIS. However, external auditors are required to evaluate how audit strategy is affected by an organization's use of information technology (IT). External auditors may need specialized skills to (1) determine how the audit will be affected by IT, (2) assess and evaluate IT controls, and (3) design and perform both tests of IT controls and substantive tests.

Despite the distinction between internal and external auditing, many of the internal audit concepts and techniques discussed in this chapter also apply to external audits. The first section of this chapter provides an overview of auditing and the steps in the audit process. The second section describes a methodology and set of techniques for evaluating internal controls in an AIS and conducting an information system audit. The third section discusses the computer software and other techniques for evaluating the reliability and integrity of information in an AIS. Finally, operational audits of an AIS are reviewed.
The Nature of Auditing

Overview of the Audit Process

All audits follow a similar sequence of activities. Audits may be divided into four stages: planning, collecting evidence, evaluating evidence, and communicating audit results. Figure 11-1 is an overview of the auditing process and lists many of the procedures performed within each of these stages.

AUDIT PLANNING

Audit planning determines why, how, when, and by whom the audit will be performed. The first step is to establish the audit's scope and objectives. For example, an audit of a publicly held corporation determines whether its financial statements are presented fairly. In contrast, an internal audit may examine a specific department or a computer application. It may focus on internal controls, financial information, operating performance, or some combination of the three.

An audit team with the necessary experience and expertise is formed. They become familiar with the auditee by conferring with supervisory and operating personnel, reviewing system documentation, and reviewing prior audit findings.

An audit is planned so the greatest amount of audit work focuses on the areas with the highest risk factors. There are three types of audit risk:
1. Inherent risk is the susceptibility to material risk in the absence of controls. For example, networks, databases, telecommunications, and online systems have more inherent risk than a batch processing system.
2. Control risk is the risk that a material misstatement will get through the internal control structure and into the financial statements. A company with weak internal controls has higher control risk than one with strong controls. Control risk can be determined by reviewing the control environment, testing internal controls, and considering control weaknesses identified in prior audits and evaluating how they have been rectified.
3. Detection risk is the risk that auditors and their audit procedures will fail to detect a material error or misstatement.

FIGURE 11-1 Overview of the Auditing Process (figure; its four stages and the procedures it lists under each):
Audit Planning: establish scope and objectives; organize audit team; develop knowledge of business operations; review prior audit results; identify risk factors; prepare audit program.
Collection of Audit Evidence: observation of operating activities; review of documentation; discussions with employees; questionnaires; physical examination of assets; confirmation through third parties; reperformance of procedures; vouching of source documents; analytical review; audit sampling.
Evaluation of Audit Evidence: assess quality of internal controls; assess reliability of information; assess operating performance; consider need for additional evidence; consider risk factors; consider materiality factors; document audit findings.
Communication of Audit Results: formulate audit conclusions; develop recommendations for management; prepare audit report; present audit results to management.

To conclude the planning stage, an audit program is prepared to show the nature, extent, and timing of the procedures needed to achieve audit objectives and minimize audit risks. A time budget is prepared, and staff members are assigned to perform specific audit steps.

COLLECTION OF AUDIT EVIDENCE

Most audit effort is spent collecting evidence. Because many audit tests cannot be performed on all items under review, they are often performed on a sample basis. The following are the most common ways to collect audit evidence:
• Observation of the activities being audited (e.g., watching how data control personnel handle data processing work as it is received)
• Review of documentation to understand how a particular process or internal control system is supposed to function
• Discussions with employees about their jobs and about how they carry out certain procedures
• Questionnaires that gather data
• Physical examination of the quantity and/or condition of tangible assets, such as equipment and inventory
• Confirmation of the accuracy of information, such as customer account balances, through communication with independent third parties
• Reperformance of calculations to verify quantitative information (e.g., recalculating the annual depreciation expense)
• Vouching for the validity of a transaction by examining supporting documents, such as the purchase order, receiving report, and vendor invoice supporting an accounts payable transaction
• Analytical review of relationships and trends among information to detect items that should be further investigated. For example, an auditor for a chain store discovered that one store's ratio of accounts receivable to sales was too high. An investigation revealed that the manager was diverting collected funds to her personal use.

A typical audit has a mix of audit procedures. For example, an internal control audit makes greater use of observation, documentation review, employee interviews, and reperformance of control procedures. A financial audit focuses on physical examination, confirmation, vouching, analytical review, and reperformance of account balance calculations.

EVALUATION OF AUDIT EVIDENCE

The auditor evaluates the evidence gathered and decides whether it supports a favorable or unfavorable conclusion. If inconclusive, the auditor performs sufficient additional procedures to reach a definitive conclusion.

Because errors exist in most systems, auditors focus on detecting and reporting those that significantly impact management's interpretation of the audit findings. Determining materiality, what is and is not important in an audit, is a matter of professional judgment. Materiality is more important to external audits, where the emphasis is fairness of financial statements, than to internal audits, where the focus is on adherence to management policies.

The auditor seeks reasonable assurance that no material error exists in the information or process audited. Because it is prohibitively expensive to seek complete assurance, the auditor has some risk that the audit conclusion is incorrect.
When inherent or control risk is high, the auditor must obtain greater assurance to offset the greater uncertainty and risks.

In all audit stages, findings and conclusions are documented in audit working papers. Documentation is especially important at the evaluation stage, when conclusions must be reached and supported.

COMMUNICATION OF AUDIT RESULTS

The auditor submits a written report summarizing audit findings and recommendations to management, the audit committee, the board of directors, and other appropriate parties. Afterwards, auditors often do a follow-up study to ascertain whether recommendations were implemented.

The Risk-Based Audit Approach

The following internal control evaluation approach, called the risk-based audit approach, provides a framework for conducting information system audits:
1. Determine the threats (fraud and errors) facing the company. This is a list of the accidental or intentional abuse and damage to which the system is exposed.
2. Identify the control procedures that prevent, detect, or correct the threats. These are all the controls that management has put into place, and that auditors should review and test, to minimize the threats.
3. Evaluate control procedures. Controls are evaluated two ways:
   a. A systems review determines whether control procedures are actually in place.
   b. Tests of controls are conducted to determine whether existing controls work as intended.
4. Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures. If the auditor determines that control risk is too high because the control system is inadequate, the auditor may have to gather more evidence, better evidence, or more timely evidence. Control weaknesses in one area may be acceptable if there are compensating controls in other areas.

The risk-based approach provides auditors with a clearer understanding of the fraud and errors that can occur and the related risks and exposures. It also helps them plan how to test and evaluate internal controls, as well as how to plan subsequent audit procedures. The result is a sound basis for developing recommendations to management on how the AIS control system should be improved.

Information Systems Audits

The purpose of an information systems audit is to review and evaluate the internal controls that protect the system. When performing an information systems audit, auditors should ascertain that the following six objectives are met:
1. Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.
2. Program development and acquisition are performed in accordance with management's general and specific authorization.
3. Program modifications have management's authorization and approval.
4. Processing of transactions, files, reports, and other computer records is accurate and complete.
5. Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
6. Computer data files are accurate, complete, and confidential.

Figure 11-2 depicts the relationship among these six objectives and information systems components. Each of these objectives is discussed in detail in the following sections. Each description includes an audit plan to accomplish each objective, as well as the techniques and procedures to carry out the plan.

FIGURE 11-2 Information Systems Components and Related Audit Objectives (figure; Objective 1, overall information system security, spans every component; Objective 2, program development and acquisition; Objective 3, program modification; Objective 4, computer processing; Objective 5, source data; Objective 6, data files)

Objective 1: Overall Security

Table 11-1 uses the risk-based approach to present a framework for auditing overall computer security. It shows that overall system security threats include accidental or intentional damage to system assets; unauthorized access, disclosure, or modification of data and programs; theft; and interruption of crucial business activities.

TABLE 11-1 Framework for Audit of Overall Computer Security

Types of Errors and Fraud
• Loss, theft, or unauthorized access to programs, data, and other system resources
• Unauthorized disclosure of confidential data
• Unauthorized modification or use of programs and data files
• Interruption of crucial business activities

Control Procedures
• Information security/protection plan
• Limiting of physical access to computer equipment
• Limiting of logical access to system using authentication and authorization controls
• Data storage and transmission controls
• Virus protection procedures
• File backup and recovery procedures
• Fault-tolerant systems design
• Disaster recovery plan
• Preventive maintenance
• Firewalls
• Casualty and business interruption insurance

Audit Procedures: System Review
• Inspect computer sites
• Review the information security/protection and disaster recovery plans
• Interview information system personnel about security procedures
• Review physical and logical access policies and procedures
• Review file backup and recovery policies and procedures
• Review procedures employed to minimize system downtime
• Review vendor maintenance contracts
• Examine system access logs
• Examine casualty and business interruption insurance policies

Audit Procedures: Tests of Controls
• Observe and test computer-site access procedures
• Observe the preparation of and off-site storage of backup files
• Test assignment and modification procedures for user IDs and passwords
• Investigate how unauthorized access attempts are dealt with
• Verify the extent and effectiveness of data encryption
• Verify the effective use of data transmission controls
• Verify the effective use of firewalls and virus protection procedures
• Verify the use of preventive maintenance and an uninterruptible power supply
• Verify amounts and limitations on insurance coverage
• Examine the results of disaster recovery plan simulations

Compensating Controls
• Sound personnel policies, including segregation of incompatible duties
• Effective user controls

Control procedures to minimize these threats include developing an information security/protection plan, restricting physical and logical access, encrypting data, protecting against viruses, implementing firewalls, instituting data transmission controls, and preventing and recovering from system failures or disasters.

Systems review procedures include inspecting computer sites; interviewing personnel; reviewing policies and procedures; and examining access logs, insurance policies, and the disaster recovery plan.

Auditors test security controls by observing procedures, verifying that controls are in place and work as intended, investigating errors or problems to ensure they were handled correctly, and examining any tests previously performed. For example, one way to test logical access controls is to try to break into a system. During a U.S. government security audit, auditors used agency terminals to gain unauthorized access to its computer system, disable its security-checking procedures, and control the system from the terminal. The security breakdown was possible because of poor administrative controls and inadequate security software.

Sound personnel policies and effective segregation of incompatible duties can partially compensate for poor computer security. Good user controls will also help, provided that user personnel can recognize unusual system output. Because it is unlikely these controls can compensate indefinitely for poor computer security, auditors should strongly recommend that security weaknesses be corrected.

Objective 2: Program Development and Acquisition

The auditor's role in systems development should be limited to an independent review of systems development activities. To maintain objectivity, auditors should not help develop the system.
Two things can go wrong in program development: (1) inadvertent programming errors due to misunderstanding system specifications or careless programming and (2) unauthorized instructions deliberately inserted into the programs. These problems can be controlled by requiring management and user authorization and approval, thorough testing, and proper documentation.

During systems review, auditors should discuss development procedures with management, system users, and information system personnel. They should also review the policies, procedures, standards, and documentation listed in Table 11-2.

TABLE 11-2 Framework for Audit of Program Development

Types of Errors and Fraud
• Inadvertent programming errors or unauthorized program code

Control Procedures
• Review of software license agreements
• Management authorization for program development and software acquisition
• Management and user approval of programming specifications
• Thorough testing of new programs, including user acceptance tests
• Complete systems documentation, including approvals

Audit Procedures: System Review
• Independent review of the systems development process
• Review of systems development/acquisition policies and procedures
• Review of systems authorization and approval policies and procedures
• Review of programming evaluation standards
• Review of program and system documentation standards
• Review of test specifications, test data, and test results
• Review of test approval policies and procedures
• Review of acquisition of copyright license agreement policies and procedures
• Discussions with management, users, and information system personnel regarding development procedures

Audit Procedures: Tests of Controls
• Interview users about their system acquisition/development and implementation involvement
• Review minutes of development team meetings for evidence of involvement
• Verify management and user sign-off approvals at development milestone points
• Review test specifications, test data, and systems test results
• Review software license agreements

Compensating Controls
• Strong processing controls
• Independent processing of test data by auditor

To test systems development controls, auditors should interview managers and system users, examine development approvals, and review development team meeting minutes. The auditor should review all documentation relating to the testing process to make sure all program changes were tested. The auditor should examine the test specifications and the test data and evaluate the test results. Auditors should ascertain how unexpected test result problems were resolved.

Strong processing controls can compensate for inadequate development controls if auditors obtain persuasive evidence of compliance with processing controls, using techniques such as independent processing of test data. If this evidence is not obtained, auditors may have to conclude that a material internal control weakness exists and that the risk of significant threats in application programs is unacceptably high.

Objective 3: Program Modification

Table 11-3 presents a framework for auditing changes to application programs and system software. The same threats that occur during program development occur during program modification. For example, a programmer assigned to modify his company's payroll system inserted a command to erase all company files if he was terminated. When he was fired, the system crashed, wiping out key files.

TABLE 11-3 Framework for Audit of Program Modifications

Types of Errors and Fraud
• Inadvertent programming errors or unauthorized program code

Control Procedures
• List of program components to be modified
• Management authorization and approval of program modifications
• User approval of program change specifications
• Thorough testing of program changes, including user acceptance tests
• Complete program change documentation, including approvals
• Separate development, test, and production versions of programs
• Changes implemented by personnel independent of users and programmers
• Logical access controls

Audit Procedures: System Review
• Review program modification policies, standards, and procedures
• Review documentation standards for program modifications
• Review final documentation of program modifications
• Review program modification testing procedures
• Review test approval procedures
• Review programming evaluation standards
• Discuss modification policies and procedures with management, users, and systems personnel
• Review logical access control policies and procedures

Audit Procedures: Tests of Controls
• Verify user and management sign-off approval for program changes
• Verify that program components to be modified are identified and listed
• Verify that program change test procedures and documentation comply with standards
• Verify that logical access controls are in effect for program changes
• Observe program change implementation
• Verify that separate development, test, and production versions are maintained
• Verify that changes are implemented by independent personnel
• Test for unauthorized or erroneous program changes using a source code comparison program, reprocessing, and parallel simulation

Compensating Controls
• Independent tests for unauthorized or erroneous program changes
• Strong processing controls

When a program change is submitted for approval, a list of all required updates should be compiled and approved by management and program users. All program changes should be tested and documented. During the change process, the developmental program must be kept separate from the production version. After the modified program is approved, the production version replaces the developmental version.

During systems review, auditors should discuss the change process with management and user personnel. The policies, procedures, and standards for approving, modifying, testing, and documenting the changes should be examined. All final documentation materials for program changes, including test procedures and results, should be reviewed. The procedures used to restrict logical access to the developmental program should be reviewed.

An important part of tests of controls is to verify that program changes were identified, listed, approved, tested, and documented.
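Two of the tests for unauthorized or erroneous program changes named in Table 11-3, source code comparison and parallel simulation, as an added example that is not part of the textbook. Jason's test in the Seattle Paper Products case is a parallel simulation: an independent program written from the commission policy is run over last period's transactions and its results are compared, salesperson by salesperson, with the production program's output. The commission rates, band threshold, salespeople, transactions, and the two source listings below are all constructed for this illustration, and `source_changes`, `simulate_commissions` and `compare_with_production` are hypothetical audit-software routines, not anything from the chapter.

```python
"""Added example (not from the textbook): two tests for unauthorized or
erroneous program changes, applied to a hypothetical commission program
like the one in the Seattle Paper Products case.

- Source code comparison: diff the copy retained after the last audit
  against the copy now in the production library.
- Parallel simulation: compute commissions independently from the
  policy and compare with the production program's output.

All names, rates, listings and transactions are constructed."""
import difflib
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

# --- Source code comparison ------------------------------------------------

# Hypothetical copy retained by the auditor when the program was last tested.
AUDITED_SOURCE = """\
def commission(rep, product, volume):
    rate = RATES[product][band(volume)]
    return volume * rate
"""

# Hypothetical copy pulled from the production library today. Two lines have
# been inserted since the audited copy was taken, boosting one rep's rate.
PRODUCTION_SOURCE = """\
def commission(rep, product, volume):
    rate = RATES[product][band(volume)]
    if rep == "S0417":
        rate += 0.01
    return volume * rate
"""

def source_changes(audited, current):
    """Return the added (+) and removed (-) lines between the two copies.
    An empty list means production matches what the auditor tested; anything
    else must be traced to an approved change request."""
    diff = difflib.unified_diff(audited.splitlines(), current.splitlines(),
                                fromfile="audited", tofile="production",
                                lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-"))
            and not line.startswith(("+++", "---"))]

# --- Parallel simulation ---------------------------------------------------

# Hypothetical commission policy: the rate depends on the product and on the
# salesperson's total dollar volume for the pay period (one band threshold).
RATES = {                  # product -> (rate below threshold, rate at/above)
    "paper": (Decimal("0.03"), Decimal("0.04")),
    "cardstock": (Decimal("0.05"), Decimal("0.06")),
}
BAND_THRESHOLD = Decimal("10000")

def simulate_commissions(transactions):
    """Auditor's independent calculation. transactions: (rep, product, amount).
    Total each rep's period volume, choose the band from that total, then
    apply the product rate to each product's volume."""
    volume = defaultdict(lambda: defaultdict(Decimal))
    for rep, product, amount in transactions:
        volume[rep][product] += Decimal(amount)
    result = {}
    for rep, by_product in volume.items():
        band = 1 if sum(by_product.values()) >= BAND_THRESHOLD else 0
        total = sum(amt * RATES[p][band] for p, amt in by_product.items())
        result[rep] = str(total.quantize(Decimal("0.01"), ROUND_HALF_UP))
    return result

def compare_with_production(simulated, production):
    """Return {rep: (simulated, production)} for every rep whose figures
    differ, including reps present on only one side. Empty means agreement."""
    return {rep: (simulated.get(rep), production.get(rep))
            for rep in set(simulated) | set(production)
            if simulated.get(rep) != production.get(rep)}

# Constructed sales transactions for one pay period: (rep, product, dollars).
TRANSACTIONS = [
    ("alice", "paper", "6000"), ("alice", "cardstock", "5000"),  # 11,000: upper band
    ("bob", "paper", "4000"), ("bob", "cardstock", "1000"),      #  5,000: lower band
]

# Constructed output of the company's new program. Alice's figure is what a
# program produces if it picks the band per transaction instead of from the
# period total: 6000*0.03 + 5000*0.05 = 430.00 rather than 540.00.
PRODUCTION_OUTPUT = {"alice": "430.00", "bob": "170.00"}

if __name__ == "__main__":
    print("source changes:", source_changes(AUDITED_SOURCE, PRODUCTION_SOURCE))
    sim = simulate_commissions(TRANSACTIONS)
    print("discrepancies:", compare_with_production(sim, PRODUCTION_OUTPUT))
```

The two functions answer different questions: `source_changes` shows whether the program in production is still the program that was tested, while `simulate_commissions` shows whether the program, whatever its source, produces the figures the policy requires. A discrepancy from the second test with no finding from the first points to an error in the tested logic itself, which is the situation Jason faces.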
The auditor should verify that separate development and production programs are maintained and that changes are implemented by someone independent of the user and programming functions. The development program's access control table is reviewed to verify that only authorized users had access to the system.

Auditors should test programs on a surprise basis to guard against an employee inserting unauthorized program changes after the audit is completed and removing them prior to the next audit. There are three ways auditors test for unauthorized program changes:
1. After testing a new program, auditors keep a copy of its source code. Auditors use a source code comparison program to compare the current version of the program with the retained source code. If no changes were authorized, the two versions should be identical; any differences should be investigated. If the difference is an authorized change, auditors examine program change specifications to ensure that the changes were authorized and correctly incorporated.
2. In the reprocessing technique, auditors reprocess data using the retained source code and compare the output with the company's output. Discrepancies in the output are investigated.
3. In parallel simulation, the auditor writes a program instead of using the retained source code, compares the outputs, and investigates any differences. Parallel simulation can be used to test a program during the implementation process. For example, Jason used this technique to test a portion of SPP's new sales department payroll system.

For each major program change, auditors observe testing and implementation, review authorizations and documents, and perform independent tests. If this step is skipped and program change controls subsequently prove to be inadequate, it may not be possible to rely on program outputs.

If program change controls are deficient, a compensating control is source code comparison, reprocessing, or parallel simulation performed by the auditor. Sound processing controls, independently tested by the auditor, can partially compensate for such deficiencies. However, if the deficiencies are caused by inadequate restrictions on program file access, the auditor should strongly recommend actions to strengthen the organization's logical access controls.

Objective 4: Computer Processing

Table 11-4 provides a framework for auditing the processing of transactions, files, and related computer records to update files and databases and to generate reports.

During computer processing, the system may fail to detect erroneous input, improperly correct input errors, process erroneous input, or improperly distribute or disclose output. Table 11-4 shows the control procedures to detect and prevent these threats and the systems review and tests of controls used to understand the controls, evaluate their adequacy, and test whether they function properly.

Auditors periodically reevaluate processing controls to ensure their continued reliability. If they are unsatisfactory, user and source data controls may be strong enough to compensate. If not, a material weakness exists, and steps should be taken to eliminate the control deficiencies.

Several specialized techniques are used to test processing controls, each of which has its own advantages and disadvantages. No technique is effective for all circumstances; all are more appropriate in some situations and less so in others.
Auditors should not disclose which technique they use, because doing so may lessen their effectiveness. Each of these procedures is now explained.

TABLE 11-4 Framework for Audit of Computer Processing Controls

Types of Errors and Fraud
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to properly correct errors flagged by data editing procedures
• Introduction of errors into files or databases during updating
• Improper distribution or disclosure of computer output
• Intentional or unintentional inaccuracies in reporting

Control Procedures
• Data editing routines
• Proper use of internal and external file labels
• Reconciliation of batch totals
• Effective error correction procedures
• Understandable operating documentation and run manuals
• Competent supervision of computer operations
• Effective handling of data input and output by data control personnel
• Preparation of file change listings and summaries for user department review
• Maintenance of proper environmental conditions in computer facility

Audit Procedures: System Review
• Review administrative documentation for processing control standards
• Review systems documentation for data editing and other processing controls
• Review operating documentation for completeness and clarity
• Review copies of error listings, batch total reports, and file change lists
• Observe computer operations and data control functions
• Discuss processing and output controls with operators and information system supervisors

Audit Procedures: Tests of Controls
• Evaluate adequacy of processing control standards and procedures
• Evaluate adequacy and completeness of data editing controls
• Verify adherence to processing control procedures by observing computer and data control operations
• Verify that application system output is properly distributed
• Reconcile a sample of batch totals; follow up on discrepancies
• Trace a sample of data edit routine errors to ensure proper handling
• Verify processing accuracy of sensitive transactions
• Verify processing accuracy of computer-generated transactions
• Search for erroneous or unauthorized code via analysis of program logic
• Check accuracy and completeness of processing controls using test data
• Monitor online processing systems using concurrent audit techniques
• Recreate selected reports to test for accuracy and completeness

Compensating Controls
• Strong user controls and effective controls of source data

PROCESSING TEST DATA

One way to test a program is to process a hypothetical set of valid and invalid transactions. The program should process all valid transactions correctly and reject all invalid ones. All logic paths should be checked by one or more test transactions. Invalid data include records with missing data, fields containing unreasonably large amounts, invalid account numbers or processing codes, nonnumeric data in numeric fields, and records out of sequence. The following resources are helpful when preparing test data:
• A list of actual transactions
• The test transactions the company used to test the program
• A test data generator, which prepares test data based on program specifications

In a batch processing system, the company's program and a copy of relevant files are used to process the test data. Results are compared with the predetermined correct output; discrepancies indicate processing errors or control deficiencies to be investigated.
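The batch test-data run just described, as an added example that is not part of the textbook. A constructed set of test transactions, one valid record plus one record for each kind of invalid data the section lists (missing data, an unreasonably large amount, an invalid account number, an invalid processing code, nonnumeric data in a numeric field, a record out of sequence), is processed through a hypothetical data editing routine, and the actual results are compared with the predetermined expected results. The edit rules, record layout, account numbers and dollar limit are assumptions made for this illustration. To show what a control deficiency looks like when found this way, a second, deliberately weaker routine that omits the sequence check is put through the same evaluation.

```python
"""Added example (not from the textbook): processing constructed test data
through a hypothetical batch data editing routine and comparing the results
with the predetermined correct output. Rules, layout, accounts and the
reasonableness limit are assumptions."""
from dataclasses import dataclass

VALID_ACCOUNTS = {"10042", "10057", "10061"}   # hypothetical customer master
MAX_AMOUNT = 50_000.00                         # hypothetical reasonableness limit

@dataclass(frozen=True)
class Txn:
    seq: str       # batch sequence number, expected to be ascending
    account: str   # customer account number
    amount: str    # dollar amount exactly as received, not yet validated
    code: str      # processing code: S = sale, R = return

def edit_record(txn, prev_seq):
    """Hypothetical data editing routine. Returns the error codes raised for
    one record; an empty list means the record passes every edit."""
    errors = []
    if not txn.seq.isdigit():
        errors.append("SEQ_NOT_NUMERIC")
    elif prev_seq is not None and int(txn.seq) <= prev_seq:
        errors.append("OUT_OF_SEQUENCE")
    if not txn.account:
        errors.append("MISSING_ACCOUNT")
    elif txn.account not in VALID_ACCOUNTS:
        errors.append("INVALID_ACCOUNT")
    try:
        amount = float(txn.amount)
    except ValueError:
        errors.append("AMOUNT_NOT_NUMERIC")
    else:
        if amount <= 0 or amount > MAX_AMOUNT:
            errors.append("AMOUNT_UNREASONABLE")
    if txn.code not in ("S", "R"):
        errors.append("INVALID_CODE")
    return errors

def edit_record_no_sequence(txn, prev_seq):
    """A hypothetical production routine that lacks the sequence check."""
    return [e for e in edit_record(txn, prev_seq) if e != "OUT_OF_SEQUENCE"]

def run_batch(records, edit=edit_record):
    """Run an edit routine over a batch; return {seq: error codes}."""
    results, prev = {}, None
    for t in records:
        results[t.seq] = edit(t, prev)
        if t.seq.isdigit():                     # highest sequence seen so far
            prev = max(prev or 0, int(t.seq))
    return results

# Constructed test data: each transaction with the result the auditor
# predetermined for it, "accept" or the error code the edits should raise.
TEST_DATA = [
    (Txn("0001", "10042", "1250.00", "S"), "accept"),
    (Txn("0002", "", "300.00", "S"), "MISSING_ACCOUNT"),
    (Txn("0003", "99999", "300.00", "S"), "INVALID_ACCOUNT"),
    (Txn("0004", "10057", "9500000.00", "S"), "AMOUNT_UNREASONABLE"),
    (Txn("0005", "10061", "12O.00", "R"), "AMOUNT_NOT_NUMERIC"),  # letter O
    (Txn("0007", "10042", "75.00", "X"), "INVALID_CODE"),
    (Txn("0006", "10042", "75.00", "S"), "OUT_OF_SEQUENCE"),      # after 0007
    (Txn("0008", "10061", "410.00", "R"), "accept"),
]

def evaluate(test_data, edit=edit_record):
    """Compare actual edit results with the predetermined expected results.
    Returns the deficiencies found as (seq, description, actual errors); an
    empty list means every valid record was accepted and every invalid one
    was flagged for the reason expected."""
    actual = run_batch([t for t, _ in test_data], edit)
    deficiencies = []
    for t, expected in test_data:
        errs = actual[t.seq]
        if expected == "accept" and errs:
            deficiencies.append((t.seq, "valid record rejected", errs))
        elif expected != "accept" and expected not in errs:
            deficiencies.append((t.seq, "failed to flag " + expected, errs))
    return deficiencies

if __name__ == "__main__":
    print("edits as designed:", evaluate(TEST_DATA))
    print("routine without sequence check:",
          evaluate(TEST_DATA, edit_record_no_sequence))
```

Note that the expected result for every record is fixed before the run; the evaluation never asks the program what it thinks of a record, only whether the program agreed with the auditor's prediction. Against the weaker routine, record 0006 is accepted with no error at all, which is exactly the kind of discrepancy the section says must be investigated as a control deficiency.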
In an online system, auditors enter test data and then observe and log the system's response. If the system accepts erroneous test transactions, the auditor reverses the effects of the transactions, investigates the problem, and recommends that the deficiency be corrected.

Processing test transactions has two disadvantages. First, the auditor must spend considerable time understanding the system and preparing the test transactions. Second, the auditor must ensure that test data do not affect company files and databases. The auditor can reverse the effects of the test transactions or process the transactions in a separate run using a copy of the file or database. However, a separate run removes some of the authenticity obtained from processing test data with regular transactions. Because the reversal procedures may reveal the existence and nature of the auditor's test to key personnel, it can be less effective than a concealed test.

CONCURRENT AUDIT TECHNIQUES
Because transactions can be processed in an online system without leaving an audit trail, evidence gathered after data is processed is insufficient for audit purposes. In addition, because many online systems process transactions continuously, it is difficult to stop the system to perform audit tests. Thus, auditors use concurrent audit techniques to continually monitor the system and collect audit evidence while live data are processed during regular operating hours. Concurrent audit techniques use embedded audit modules, which are program code segments that perform audit functions, report test results, and store the evidence collected for auditor review. Concurrent audit techniques are time-consuming and difficult to use, but are less so if incorporated when programs are developed.

Auditors commonly use five concurrent audit techniques.

1. An integrated test facility (ITF) inserts fictitious records that represent a fictitious division, department, customer, or supplier in company master files. Processing test transactions to update them will not affect actual records. Because fictitious and actual records are processed together, company employees are unaware of the testing. The system distinguishes ITF records from actual records, collects information on the test transactions, and reports the results. The auditor compares processed data with expected results to verify that the system and its controls operate correctly. In a batch processing system, the ITF eliminates the need to reverse test transactions. ITF effectively tests online processing systems, because test transactions can be submitted frequently, processed with actual transactions, and traced through every processing stage without disrupting regular processing operations. The auditor must take care not to combine dummy and actual records during the reporting process.

2. In the snapshot technique, selected transactions are marked with a special code. Audit modules record these transactions and their master file records before and after processing and store the data in a special file. The auditor reviews the data to verify that all processing steps were properly executed.

3. A system control audit review file (SCARF) uses embedded audit modules to continuously monitor transaction activity, collect data on transactions with special audit significance, and store it in a SCARF file or audit log. Transactions recorded include those exceeding a specified dollar limit, involving inactive accounts, deviating from company policy, or containing write-downs of asset values. Periodically, the auditor examines the audit log to identify and investigate questionable transactions. Because the SCARF file is the audit evidence, it must itself be protected from modification by the personnel whose transactions it records.

4. Audit hooks are audit routines that notify auditors of questionable transactions, often as they occur. State Farm's use of audit hooks, including how the company detected a major fraud, is explained in Focus 11-1.

5. Continuous and intermittent simulation (CIS) embeds an audit module in a database management system (DBMS) that examines all transactions that update the database using criteria similar to those of SCARF. If a transaction has special audit significance, the CIS module independently processes the data (in a manner similar to parallel simulation), records the results, and compares them with those obtained by the DBMS. When discrepancies exist, they are stored in an audit log for subsequent investigation. If the discrepancies are serious, the CIS may prevent the DBMS from executing the update.

ANALYSIS OF PROGRAM LOGIC
If auditors suspect that a program contains unauthorized code or serious errors, a detailed analysis of program logic may be necessary. This is time-consuming and requires proficiency in the appropriate programming language, so it should be used as a last resort. Auditors analyze development, operating, and program documentation as well as a printout of the source code. They also use the following software packages:
• Automated flowcharting programs interpret source code and generate a program flowchart.
• Automated decision table programs interpret source code and generate a decision table.
• Scanning routines search a program for all occurrences of specified items.
• Mapping programs identify unexecuted program code. This software could have uncovered the program code that an unscrupulous programmer inserted to erase all computer files when he was terminated.
• Program tracing sequentially prints all program steps executed when a program runs, intermingled with regular output so the sequence of program execution events can be observed. Program tracing helps detect unauthorized program instructions, incorrect logic paths, and unexecuted program code.

CHAPTER 11 • AUDITING COMPUTER-BASED INFORMATION SYSTEMS 313

FOCUS 11-1 Using Audit Hooks at State Farm Life Insurance Company
The State Farm Life Insurance Company computer system has a host computer in Bloomington, Illinois, and smaller computers in regional offices. The system processes more than 30 million transactions per year for over 4 million individual policies worth more than $7 billion. This online, real-time system updates files and databases as transactions occur. Paper audit trails have virtually vanished, and documents supporting changes to policyholder records have been eliminated or are held only a short time before disposition.

Because anyone with access and a working knowledge of the system could commit fraud, the internal audit staff was asked to identify all the ways fraud was possible. They brainstormed ways to defraud the system and interviewed system users, who provided extremely valuable insights.

Auditors implemented 33 embedded audit hooks to monitor 42 different types of transactions. One audit hook monitors unusual transactions in transfer accounts, which are clearing accounts for temporarily holding funds that are to be credited to multiple accounts.

The audit hooks have been very successful. One employee fraudulently processed a loan on her brother's life insurance policy, forged her brother's signature, and cashed the check. To conceal the fraud, she had to repay the loan before the annual status report was sent to her brother. She used a series of fictitious transactions involving a transfer account. The fraud was uncovered almost immediately when the transfer account audit hook recognized the first of these fictitious transactions and notified the auditor. Within a month of the notification, the case had been investigated and the employee terminated.

Source: Linda Marie Leinicke, W. Max Rexroad, and John D. Ward, "Computer Fraud Auditing: It Works," Internal Auditor (August 1990).

Objective 5: Source Data
An input controls matrix is used to document the review of source data controls. The matrix in Figure 11-3 shows the control procedures applied to each input record field. The data control function should be independent of other functions, maintain a data control log, handle errors, and ensure the overall efficiency of operations. It is usually not economically feasible for small businesses to have an independent data control function. To compensate, user department controls must be stronger with respect to data preparation, batch control totals, edit programs, restrictions on physical and logical access, and error-handling procedures. These procedures should be the focus of the auditor's systems review and tests of controls when there is no independent data control function.

Although source data controls may not change often, how strictly they are applied may vary, and auditors should regularly test them. The auditor tests the system by evaluating source data samples for proper authorization, reconciling batch controls, and evaluating whether data edit errors were resolved and resubmitted for processing. If source data controls are inadequate, user department and data processing controls may compensate. If not, auditors should recommend that source data control deficiencies be corrected. Table 11-5 shows the internal controls that prevent, detect, and correct inaccurate or unauthorized source data. It also shows the system review and tests of control procedures auditors use. In an online system, the source data entry and processing functions are one operation. Therefore, source data controls are integrated with the processing controls in Table 11-4.

FIGURE 11-3 Input Controls Matrix
[Figure not reproduced. The matrix lists, as rows, the control procedures applied to each input record field; the recoverable row labels are: Financial totals, Hash totals, Record count, Cross-footing balance test, Key verification, Sequence check, Field check, Sign check, Validity check, Limit check, Reasonableness test, Completeness check, Overflow procedure, Other. The column headings, which are the fields of the input record, are not legible in the source.]
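As an added example of the concurrent audit techniques described under CONCURRENT AUDIT TECHNIQUES above (it is not code from the chapter or from State Farm's system), the following embedded audit module applies SCARF selection criteria to every transaction as it is posted, takes before-and-after images of the master record for transactions the auditor has tagged (the snapshot technique), and implements one audit hook of the transfer-account kind Focus 11-1 describes. The master file, the transaction layout, the dollar limit, and the hook's rule (funds leaving a clearing account must go to the account they were received for) are assumptions for the illustration, as is the transaction stream, which is constructed to contain one overlimit transaction, one on an inactive account, and one diversion through a transfer account.

```python
"""Added example: an embedded audit module implementing the SCARF, audit hook
and snapshot techniques over a small in-memory master file. The master file,
transaction format, selection criteria and hook rule are assumptions made for
the illustration; they are not State Farm's system or the chapter's code."""
from dataclasses import dataclass, field

DOLLAR_LIMIT = 25_000.00          # SCARF criterion: amounts above this are logged (assumed)
TRANSFER_ACCOUNTS = {"XFER-01"}   # clearing accounts holding funds awaiting credit (assumed)


@dataclass
class Txn:
    txn_id: str
    user: str
    txn_type: str            # "LOAN", "PAYMENT", "XFER_IN", "XFER_OUT"
    account: str             # master file record this transaction updates
    amount: float
    for_account: str = ""    # XFER_IN/OUT only: the policy the held funds belong to
    audit_tag: bool = False  # snapshot technique: auditor-selected transaction


@dataclass
class AuditModule:
    scarf_log: list = field(default_factory=list)    # the SCARF file
    snapshots: list = field(default_factory=list)    # (txn_id, before image, after image)
    hook_alerts: list = field(default_factory=list)  # audit hook notifications
    pending: dict = field(default_factory=dict)      # transfer acct -> {for_account: amount held}

    def select(self, txn, master):
        """SCARF selection: reasons this transaction has special audit significance."""
        reasons = []
        if txn.amount > DOLLAR_LIMIT:
            reasons.append("OVER_LIMIT")
        if master[txn.account]["status"] == "inactive":
            reasons.append("INACTIVE_ACCOUNT")
        return reasons

    def transfer_hook(self, txn):
        """Audit hook (assumed rule): funds leaving a transfer account must go to the
        policy they were received for; anything else is reported immediately."""
        if txn.account not in TRANSFER_ACCOUNTS:
            return None
        held = self.pending.setdefault(txn.account, {})
        if txn.txn_type == "XFER_IN":
            held[txn.for_account] = held.get(txn.for_account, 0.0) + txn.amount
            return None
        if txn.txn_type == "XFER_OUT":
            if held.get(txn.for_account, 0.0) >= txn.amount:
                held[txn.for_account] -= txn.amount
                return None
            return f"XFER_MISMATCH:{txn.txn_id}:user={txn.user}:to={txn.for_account}"
        return None


def post(txn, master, audit):
    """Update the master file, running the embedded audit checks around the update."""
    before = dict(master[txn.account])            # snapshot: before image
    reasons = audit.select(txn, master)
    alert = audit.transfer_hook(txn)
    if alert:                                     # the hook notifies the auditor at once
        audit.hook_alerts.append(alert)
        reasons.append("HOOK")
    # The application update itself: loans and transfers out reduce the balance.
    sign = -1 if txn.txn_type in ("LOAN", "XFER_OUT") else 1
    master[txn.account]["balance"] += sign * txn.amount
    if txn.audit_tag:                             # snapshot: keep both images for review
        audit.snapshots.append((txn.txn_id, before, dict(master[txn.account])))
    if reasons:                                   # SCARF: record significant transactions
        audit.scarf_log.append((txn.txn_id, txn.user, sorted(reasons)))
    return reasons


def build_master():
    """Constructed master file for the illustration."""
    return {
        "POL-100": {"status": "active", "balance": 12_000.00},
        "POL-200": {"status": "active", "balance": 40_000.00},
        "POL-300": {"status": "inactive", "balance": 500.00},
        "XFER-01": {"status": "active", "balance": 0.00},
    }


# Constructed transaction stream for the illustration.
TXNS = [
    Txn("T1", "clerk7", "PAYMENT", "POL-100", 300.00, audit_tag=True),
    Txn("T2", "clerk7", "LOAN", "POL-200", 30_000.00),                        # exceeds dollar limit
    Txn("T3", "clerk9", "PAYMENT", "POL-300", 50.00),                         # inactive account
    Txn("T4", "clerk7", "XFER_IN", "XFER-01", 2_000.00, for_account="POL-100"),
    Txn("T5", "clerk7", "XFER_OUT", "XFER-01", 2_000.00, for_account="POL-200"),  # diverted funds
]


def run(txns=TXNS):
    """Post the stream and return the updated master file and the audit module's evidence."""
    master, audit = build_master(), AuditModule()
    for t in txns:
        post(t, master, audit)
    return master, audit


if __name__ == "__main__":
    _, evidence = run()
    print("SCARF log:", evidence.scarf_log)
    print("hook alerts:", evidence.hook_alerts)
    print("snapshots:", evidence.snapshots)
```

The SCARF entries are only written to the log for later review, whereas the hook produces an alert at the moment the mismatched transfer is posted, which is the difference between the two techniques the text draws. A production module would also have to write its log somewhere the clerks who post transactions cannot alter it.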
Objective 6: Data Files
The sixth objective concerns the accuracy, integrity, and security of data stored on machine-readable files. Table 11-6 summarizes the errors, controls, and audit procedures for this objective. If file controls are seriously deficient, especially with respect to physical or logical access or to backup and recovery procedures, the auditor should recommend they be rectified.

TABLE 11-5 Framework for Audit of Source Data Controls

Types of Errors and Fraud
• Inaccurate or unauthorized source data

Control Procedures
• Effective handling of source data input by data control personnel
• User authorization of source data input
• Preparation and reconciliation of batch control totals
• Logging the receipt, movement, and disposition of source data input
• Check digit verification
• Key verification
• Use of turnaround documents
• Data editing routines
• User department review of file change listings and summaries
• Effective procedures for correcting and resubmitting erroneous data

Audit Procedures: System Review
• Review documentation about data control function responsibilities
• Review administrative documentation for source data control standards
• Review authorization methods and examine authorization signatures
• Review documentation to identify processing steps and source data content and controls
• Document source data controls using an input controls matrix
• Discuss source data controls with data control personnel, system users, and managers

Audit Procedures: Tests of Controls
• Observe and evaluate data control department operations and control procedures
• Verify proper maintenance and use of the data control log
• Evaluate how error log items are dealt with
• Examine source data for proper authorization
• Reconcile batch totals and follow up on discrepancies
• Trace disposition of errors flagged by data edit routines

Compensating Controls
• Strong user and data processing controls

TABLE 11-6 Framework for Audit of Data File Controls

Types of Errors and Fraud
• Destruction of stored data due to errors, hardware or software malfunctions, and intentional acts of sabotage
• Unauthorized modification or disclosure of stored data

Control Procedures
• Storage of data in a secure file library and restriction of physical access to data files
• Logical access controls and an access control matrix
• Proper use of file labels and write-protection mechanisms
• Concurrent update controls
• Data encryption for confidential data
• Virus protection software
• Off-site backup of all data files
• Checkpoint and rollback procedures to facilitate system recovery

Audit Procedures: System Review
• Review documentation for file library operation
• Review logical access policies and procedures
• Review standards for virus protection, off-site data storage, and system recovery procedures
• Review controls for concurrent updates, data encryption, file conversion, and reconciliation of master file totals with independent control totals
• Examine the disaster recovery plan
• Discuss file control procedures with managers and operators

Audit Procedures: Tests of Controls
• Observe and evaluate file library operations
• Review records of password assignment and modification
• Observe and evaluate file-handling procedures by operations personnel
• Observe the preparation and off-site storage of backup files
• Verify the effective use of virus protection procedures
• Verify the use of concurrent update controls and data encryption
• Verify completeness, currency, and testing of disaster recovery plans
• Reconcile master file totals with separately maintained control totals

Compensating Controls
• (items not legible in the scanned source)

The auditing-by-objectives approach is a comprehensive, systematic, and effective means of evaluating internal controls. It can be implemented using an audit procedures checklist for each objective. The checklist helps auditors reach a separate conclusion for each objective and suggests compensating controls as appropriate. Each of the six checklists should be completed for each significant application.

Audit Software
Computer-assisted audit techniques (CAATs) refer to audit software, often called generalized audit software (GAS), that uses auditor-supplied specifications to generate a program that performs audit functions, thereby automating or simplifying the audit process. Two of the most popular software packages are Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA). CAATs are ideally suited for examining large data files to identify records needing further audit scrutiny.

The U.S. government discovered that computer-assisted audit techniques are a valuable tool in reducing massive federal budget deficits. The software is used to identify fraudulent Medicare claims and pinpoint excessive charges by defense contractors. The General Accounting Office (GAO) cross-checked figures with the IRS and discovered that thousands of veterans lied about their income to qualify for pension benefits. Some 116,000 veterans who received pensions based on need did not disclose $338 million in income from savings, dividends, or rents. More than 13,600 underreported income; one did not report income of over $300,000. When the Veterans Administration (VA) notified beneficiaries that their income would be verified with the IRS and the Social Security Administration, pension rolls dropped by more than 13,000, at a savings of $9 million a month. The VA plans to use the same system for checking the income levels of those applying for medical care. If their income is found to be above a certain level, patients will be required to make copayments.

In another example, a new tax collector in a small New England town requested a tax audit. Using CAATs, the auditor accessed tax collection records for the previous four years, sorted them by date, summed collections by month, and created a report of monthly tax collections. The analysis revealed that collections during January and July, the two busiest months, had declined by 58% and 72%, respectively. Auditors then used CAATs to compare each tax collection record with property records. They identified several discrepancies, including one committed by the former tax collector, who used another taxpayer's payment to cover her own delinquent tax bills. The former tax collector was arrested for embezzlement.

To use CAATs, auditors decide on audit objectives, learn about the files and databases to be audited, design the audit reports, and determine how to produce them. This information is recorded on specification sheets and entered into the system. The CAATs program uses the specifications to produce an auditing program. The program uses a copy of the company's live data (to avoid introducing any errors) to perform the auditing procedures and produce the specified audit reports. CAATs cannot replace the auditor's judgment or free the auditor from other phases of the audit. For example, the auditor must still investigate items on exception reports, verify file totals against other sources of information, and examine and evaluate audit samples.
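The tax collector example above reduces to a few generalized-audit-software operations: summarize collections by month, compare a month across years, match each collection record to the property record for the parcel it was applied to, and test for duplicate receipts. The following is an added example of those operations in plain Python, not ACL or IDEA code and not the chapter's own; the collection records, the property records, and the percentages they produce are constructed so that the January and July declines match the figures in the text, and the mismatched record is a constructed stand-in for a payment applied to a parcel the payer does not own.

```python
"""Added example: generalized-audit-software style operations over tax
collection records. All records, names and parcel numbers are constructed
for the illustration; nothing here is a real town's data."""
from collections import defaultdict
from datetime import date

# Constructed collection records: (receipt_no, date, payer, parcel, amount).
RECORDS = [
    ("R1", "2007-01-10", "Alvarez", "P-11", 6000.00),
    ("R2", "2007-01-22", "Brown",   "P-12", 4000.00),
    ("R3", "2007-07-05", "Alvarez", "P-11", 12000.00),
    ("R4", "2007-07-19", "Brown",   "P-12", 8000.00),
    ("R5", "2008-01-11", "Alvarez", "P-11", 4200.00),
    ("R6", "2008-07-08", "Brown",   "P-12", 5600.00),
    ("R7", "2008-08-30", "Chen",    "P-13", 1500.00),   # paid toward a parcel Chen does not own
]
# Constructed property records: parcel -> owner of record.
PROPERTY = {"P-11": "Alvarez", "P-12": "Brown", "P-13": "Doyle"}


def monthly_totals(records):
    """Summarize collections by (year, month), the report the auditor created first."""
    totals = defaultdict(float)
    for _, day, _, _, amount in records:
        d = date.fromisoformat(day)
        totals[(d.year, d.month)] += amount
    return dict(totals)


def month_decline_pct(totals, month, base_year, year):
    """Percentage decline of one calendar month between two years (None if no base)."""
    base = totals.get((base_year, month), 0.0)
    current = totals.get((year, month), 0.0)
    if base == 0.0:
        return None
    return round((base - current) / base * 100.0, 1)


def payer_owner_mismatches(records, property_records):
    """Compare each collection record with the property record for its parcel;
    return the records where the payer is not the owner of record."""
    return [r for r in records if property_records.get(r[3]) != r[2]]


def duplicate_receipts(records):
    """Test for duplicate items: receipt numbers that appear more than once."""
    seen, dups = set(), []
    for r in records:
        if r[0] in seen:
            dups.append(r[0])
        seen.add(r[0])
    return dups


if __name__ == "__main__":
    totals = monthly_totals(RECORDS)
    for month in (1, 7):
        print(f"month {month}: {month_decline_pct(totals, month, 2007, 2008)}% decline 2007->2008")
    print("payer/owner mismatches:", payer_owner_mismatches(RECORDS, PROPERTY))
    print("duplicate receipts:", duplicate_receipts(RECORDS))
```

The mismatch list is an exception report in the sense the text uses: it does not prove a diversion, it only tells the auditor which records to pull and investigate. Note also that the analysis runs over a copy of the records, never the live collection file.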
CAATs are especially valuable for companies with complex processes, distributed operations, high transaction volumes, or a wide variety of applications and systems. The following are some of the more important uses of CAATs:
• Querying data files to retrieve records meeting specified criteria
• Creating, updating, comparing, downloading, and merging files
• Summarizing, sorting, and filtering data
• Accessing data in different formats and converting the data into a common format
• Examining records for quality, completeness, consistency, and correctness
• Stratifying records, selecting and analyzing statistical samples
• Testing for specific risks and identifying how to control for that risk
• Performing calculations, statistical analyses, and other mathematical operations
• Performing analytical tests such as ratio and trend analysis, looking for unexpected or unexplained data patterns that may indicate fraud
• Identifying financial leakage, policy noncompliance, and data processing errors
• Reconciling physical counts to computed amounts, testing clerical accuracy of extensions and balances, testing for duplicate items
• Formatting and printing reports and documents
• Creating electronic work papers

Operational Audits of an AIS
The techniques and procedures used in operational audits are similar to audits of information systems and financial statements. The basic difference is audit scope. An information systems audit is confined to internal controls and a financial audit to systems output, whereas an operational audit encompasses all aspects of systems management. In addition, the objectives of an operational audit include evaluating effectiveness, efficiency, and goal achievement.

The first step in an operational audit is audit planning, during which the scope and objectives of the audit are established, a preliminary system review is performed, and a tentative audit program is prepared. The next step, evidence collection, includes the following activities:
• Reviewing operating policies and documentation
• Confirming procedures with management and operating personnel
• Observing operating functions and activities
• Examining financial and operating plans and reports
• Testing the accuracy of operating information
• Testing controls

At the evidence evaluation stage, the auditor measures the system against one that follows the best systems management principles. One important consideration is that the results of management policies and practices are more significant than the policies and practices themselves. That is, if good results are achieved through policies and practices that are theoretically deficient, then the auditor must carefully consider whether recommended improvements would substantially improve results. Auditors document their findings and conclusions and communicate them to management.

The ideal operational auditor has audit training and experience as well as a few years' experience in a managerial position. Auditors with strong auditing backgrounds but weak management experience often lack the perspective necessary to understand the management process.

Summary and Case Conclusion
Jason is trying to determine why his parallel simulation program generated sales commission figures that were lower than those generated by SPP's program. Believing that this discrepancy meant there was a systematic error, he asked to review a copy of SPP's program.
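The following is an added example of the parallel simulation Jason performed; it is not the chapter's code or SPP's program. The auditor's version keeps the commission policy as a data table and computes each tier marginally, and a constructed stand-in for the production program carries its rates embedded in the code, with the rate above the breakpoint deliberately wrong in the way the case conclusion below describes. Only the $40,000 breakpoint and the 0.075 policy rate above it come from the case; the 5% rate below the breakpoint, the per-salesperson sales figures, and the omission of the product-specific rates the new policy also uses are assumptions for the illustration.

```python
"""Added example: a parallel simulation of the sales commission calculation.
The rate below the $40,000 breakpoint, the per-rep sales figures and the
production routine are constructed for the illustration; only the $40,000
breakpoint and the 0.075 policy rate above it come from the case."""
from decimal import Decimal, ROUND_HALF_UP

# Auditor's copy of the commission policy, kept as data rather than in code.
# (tier ceiling, marginal rate): sales up to 40,000 earn 5% (assumed), and
# the excess above 40,000 earns 7.5% (the rate the policy states).
POLICY_TABLE = [(Decimal("40000"), Decimal("0.05")), (None, Decimal("0.075"))]
CENT = Decimal("0.01")


def commission(sales, table=POLICY_TABLE):
    """Marginal tiered commission: each rate applies only to sales within its tier."""
    sales = Decimal(sales)
    total, lower = Decimal("0"), Decimal("0")
    for ceiling, rate in table:
        if ceiling is None or sales <= ceiling:
            total += (sales - lower) * rate
            break
        total += (ceiling - lower) * rate
        lower = ceiling
    return total.quantize(CENT, rounding=ROUND_HALF_UP)


def production_commission(sales):
    """Constructed stand-in for a program with the rate table embedded in its code.
    The 0.085 above the breakpoint is the defect the case describes."""
    sales = Decimal(sales)
    if sales <= 40000:
        return (sales * Decimal("0.05")).quantize(CENT, rounding=ROUND_HALF_UP)
    return (Decimal("40000") * Decimal("0.05")
            + (sales - 40000) * Decimal("0.085")).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(sales_by_rep, production=production_commission):
    """Recompute every rep's commission independently from the policy table and
    report each discrepancy as (rep, production amount, simulated amount, difference)."""
    diffs = []
    for rep, sales in sorted(sales_by_rep.items()):
        prod, sim = production(sales), commission(sales)
        if prod != sim:
            diffs.append((rep, prod, sim, prod - sim))
    return diffs


# Constructed sales figures for one payroll period.
SALES = {"rep_a": "25000", "rep_b": "40000", "rep_c": "60000", "rep_d": "140000"}

if __name__ == "__main__":
    for rep, prod, sim, diff in parallel_simulation(SALES):
        print(f"{rep}: production {prod} simulation {sim} difference {diff}")
```

Two features of the output match what the case reports: only the reps whose sales exceed the breakpoint show a difference, so roughly half the sales force could differ while the rest agree exactly, and every difference is in the same direction, which is the signature of a systematic error rather than a data problem.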
The program was lengthy, so Jason used a scanning routine to search the code for occurrences of "40000," because that was the point at which the commission rate changes, according to the new policy. He discovered a commission rate of 0.085 for sales in excess of $40,000, whereas the policy called for only 0.075. Some quick calculations confirmed that this error caused the differences between the two programs. Jason's audit manager met with the embarrassed development team, who acknowledged and corrected the coding error.

The audit manager called Jason to congratulate him. He informed Jason that the undetected programming error would have cost over $100,000 per year in excess sales commissions. Jason was grateful for the manager's praise and took the opportunity to point out deficiencies in the development team's programming practices. First, the commission rate table was embedded in the program code; good programming practice requires that it be stored in a separate table to be used by the program when needed. Second, the incident called into question the quality of SPP's program development and testing practices. Jason asked whether a more extensive operational audit of those practices was appropriate. The audit manager agreed it was worth examining and promised to raise the issue at his next meeting with Northwest's director of internal auditing.

CHAPTER 6 • COMPUTER FRAUD AND ABUSE TECHNIQUES 165

...a QuickTime video containing malicious software that replaced the links in the user's page with links to a phishing site. The devastating Conficker worm infected 25% of enterprise Windows PCs.

Many viruses and worms exploit known software vulnerabilities that can be corrected with a software patch. Therefore, a good defense against them is making sure that all software patches are installed as soon as they are available.

Recent viruses and worms have attacked cell phones and personal electronic devices using text messages, Internet page downloads, and Bluetooth wireless technology.
Flaws in Bluetooth applications open the system to attack. Bluesnarfing is stealing (snarfing) contact lists, images, and other data using Bluetooth. A reporter for TimesOnline accompanied Adam Laurie, a security expert, around London scanning for Bluetooth-compatible phones. Before a Bluetooth connection can be made, the person contacted must agree to accept the link. However, Laurie has written software to bypass this control and identified vulnerable handsets at an average rate of one per minute. He downloaded entire phonebooks, calendars, diary contents, and stored pictures. Phones up to 90 meters away were vulnerable.

Bluebugging is taking control of someone else's phone to make or listen to calls, send or read text messages, connect to the Internet, forward the victim's calls, and call numbers that charge fees. These attacks will become more popular as phones are used to pay for items purchased. When a hacker wants something, all he has to do is bluebug a nearby phone and make a purchase. To prevent these attacks, a Bluetooth device can be set to make it hard for other devices to recognize it. Antivirus software for phones is being developed to deal with such problems.

In the future, many other devices, such as home security systems, home appliances, automobiles, and elevators, will be connected to the Internet and will be the target of viruses and worms.

Table 6-1 summarizes, in alphabetical order, the computer fraud and abuse techniques discussed in the chapter.

TABLE 6-1 Computer Fraud and Abuse Techniques

Technique: Description
• Address Resolution Protocol (ARP) spoofing: Sending fake ARP messages to an Ethernet LAN. ARP is a computer networking protocol for determining a network host's hardware address when only its IP or network address is known.
• Adware: Software that collects and forwards data to advertising companies or causes banner ads to pop up as the Internet is surfed.
• Bluebugging: Taking control of a phone to make calls, send text messages, listen to calls, or read text messages.
• Bluesnarfing: Stealing contact lists, images, and other data using Bluetooth.
• Botnet, bot herders: A network of hijacked computers. Bot herders use the hijacked computers, called zombies, in a variety of Internet attacks.
• Buffer overflow attack: Inputting so much data that the input buffer overflows. The overflow contains code that takes control of the computer.
• Caller ID spoofing: Displaying an incorrect number on the recipient's caller ID display to hide the identity of the caller.
• Carding: Verifying credit card validity; buying and selling stolen credit cards.
• Chipping: Planting a chip that records transaction data in a legitimate credit card reader.
• Cross-site scripting (XSS) attack: Exploits Web page security vulnerabilities to bypass browser security mechanisms and create a malicious link that injects unwanted code into a Web site.
• Cyberbullying: Using computer technology to harm another person.
• Cyber-extortion: Requiring a company to pay money to keep an extortionist from harming a computer or a person.
• Data diddling: Changing data before, during, or after it is entered into the system.
• Data leakage: Unauthorized copying of company data.
• Denial-of-service attack: An attack designed to make computer resources unavailable to its users. For example, so many e-mail messages that the Internet service provider's e-mail server is overloaded and shuts down.
• Dictionary attack: Using software to guess company addresses, send employees blank e-mails, and add unreturned messages to spammer e-mail lists.
• DNS spoofing: Sniffing the ID of a Domain Name System (DNS, which converts a Web site name to an IP address) request and replying before the real DNS server.
• Eavesdropping: Listening to private voice or data transmissions.

166 PART I • CONTROL AND AUDIT OF ACCOUNTING INFORMATION SYSTEMS

TABLE 6-1 Continued
• Economic espionage: The theft of information, trade secrets, and intellectual property.
• E-mail threats: Sending a threatening message asking recipients to do something that makes it possible to defraud them.
• E-mail spoofing: Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source.
• Evil twin: A wireless network with the same name as another wireless access point. Users unknowingly connect to the evil twin; hackers monitor the traffic looking for useful information.
• Hacking: Unauthorized access, modification, or use of computer systems, usually by means of a PC and a communications network.
• Hijacking: Gaining control of someone else's computer for illicit activities.
• IP address spoofing: Creating Internet Protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system.
• Identity theft: Assuming someone's identity by illegally obtaining confidential information such as a Social Security number.
• Internet auction fraud: Using an Internet auction site to commit fraud.
• Internet misinformation: Using the Internet to spread false or misleading information.
• Internet terrorism: Using the Internet to disrupt communications and e-commerce.
• Internet pump-and-dump fraud: Using the Internet to pump up the price of a stock and then sell it.
• Key logger: Using spyware to record a user's keystrokes.
• Lebanese looping: Inserting a sleeve into an ATM so that it will not eject the victim's card, pretending to help the victim as a means to discover his or her PIN, and then using the card and PIN to drain the account.
• Logic bombs and time bombs: Software that sits idle until a specified circumstance or time triggers it, destroying programs, data, or both.
• Malware: Software that can be used to do harm.
• Man-in-the-middle (MITM) attack: A hacker placing himself between a client and a host to intercept network traffic; also called session hijacking.
• Masquerading/impersonation: Accessing a system by pretending to be an authorized user. The impersonator enjoys the same privileges as the legitimate user.
• Packet sniffing: Inspecting information packets as they travel the Internet and other networks.
• Password cracking: Penetrating system defenses, stealing passwords, and decrypting them to access system programs, files, and data.
• Pharming: Redirecting traffic to a spoofed Web site to obtain confidential information.
• Phishing: Communications that request recipients to disclose confidential information by responding to an e-mail or visiting a Web site.
• Phreaking: Attacking phone systems to get free phone access; using phone lines to transmit viruses and to access, steal, and destroy data.
• Piggybacking: 1. Clandestine use of someone's Wi-Fi network. 2. Tapping into a communications line and entering a system by latching onto a legitimate user. 3. Bypassing physical security controls by entering a secure door when an authorized person opens it.
• Podslurping: Using a small device with storage capacity (iPod, flash drive) to download unauthorized data from a computer.
• Posing: Creating a seemingly legitimate business, collecting personal data while making a sale, and never delivering the items sold.
• Pretexting: Acting under false pretenses to gain confidential information.
• Rootkit: Software that conceals processes, files, network connections, and system data from the operating system and other programs.
• Round-down technique: Truncating interest calculations at two decimal places and placing the truncated amounts in the perpetrator's account.
• Ransomware: Software that encrypts programs and data until a ransom is paid to remove it.
• Salami technique: Stealing tiny slices of money over time.
• Scareware: Malicious software of no benefit that is sold using scare tactics.

CHAPTER 6 • COMPUTER FRAUD AND ABUSE TECHNIQUES 167

TABLE 6-1 Continued
• Scavenging/dumpster diving: Searching for confidential information by searching documents and records in garbage cans, communal trash bins, and city dumps.
• Sexting: Exchanging sexually explicit text messages and pictures.
• Shoulder surfing: Watching or listening to people enter or disclose confidential data.
• Skimming: Double-swiping a credit card or covertly swiping it in a card reader that records the data for later use.
• SMS spoofing: Using short message service (SMS) to change the name or number a text message appears to come from.
• Social engineering: Techniques that trick a person into disclosing confidential information.
• Software piracy: Unauthorized copying or distribution of copyrighted software.
• Spamming: E-mailing an unsolicited message to many people at the same time.
• Splog: A spam blog that promotes Web sites to increase their Google PageRank (how often a Web page is referenced by other pages).
• Spyware: Software that monitors computing habits and sends that data to someone else, often without the user's permission.
• Spoofing: Making electronic communications look like someone else sent them.
• SQL injection attack: Inserting a malicious SQL query in input in such a way that it is passed to and executed by an application program.
• Steganography: Hiding data from one file inside a host file, such as a large image or sound file.
• Superzapping: Using special software to bypass system controls and perform illegal acts.
• Tabnapping: Secretly changing an already open browser tab using JavaScript.
• Trap door: A back door into a system that bypasses normal system controls.
• Trojan horse: Unauthorized code in an authorized and properly functioning program.
• Typosquatting/URL hijacking: Web sites with names similar to real Web sites; users making typographical errors are sent to a site filled with malware.
• Virus: Executable code that attaches itself to software, replicates itself, and spreads to other systems or files. Triggered by a predefined event, it damages system resources or displays messages.
• Vishing: Voice phishing, in which e-mail recipients are asked to call a phone number that asks them to divulge confidential data.
• War dialing: Dialing phone lines to find idle modems to use to enter a system, capture the attached computer, and gain access to its network(s).
• War driving/rocketing: Looking for unprotected wireless networks using a car or a rocket.
• Web cramming: Developing a free and worthless trial-version Web site and charging the subscriber's phone bill for months even if the subscriber cancels.
• Web-page spoofing: Also called phishing.
• Worm: Similar to a virus; a program rather than a code segment hidden in a host program. Actively transmits itself to other systems. It usually does not live long but is quite destructive while alive.
• Zero-day attack: An attack between the time a software vulnerability is discovered and a patch to fix the problem is released.

Summary and Case Conclusion
It took RPC two days to get its system back up to the point that the audit team could continue their work. RPC had been hit with multiple problems at the same time. Hackers had used packet sniffers and eavesdropping to intercept a public key RPC had sent to Northwest (a public key is not secret, so the damage came from the attacker substituting his own key for it in transit). That led to a man-in-the-middle attack, which allowed the hacker to intercept all communications about the pending merger. It also opened the door to other attacks on both systems.

Law enforcement was called in to investigate the problem, and they were following up on three possibilities. The first was that hackers had used the intercepted information to purchase stock in both companies, leak news of the purchase to others via Internet chat rooms, and, once

CHAPTER 21

4. Avoids potential for disagreement. Both parties possess the same expectations, and pertinent information is captured in writing.

RFPs for exact hardware and software specifications have lower total costs and require less time to prepare and evaluate, but they do not permit the vendor to recommend alternative technology. Requesting a system that meets specific performance objectives and requirements leaves technical issues to the vendor but is harder to evaluate and often results in more costly bids.

The more information a company provides vendors, the better its chances of receiving a system that meets its requirements. Vendors need detailed specifications, including required applications, inputs and outputs, files and databases, frequency and methods of file updating and inquiry, and unique requirements. It is essential to distinguish mandatory requirements from des irable features.

Evaluating Proposals and Selecting a System
Proposals that lack important information, fail to meet minimum requirements, or are ambiguous are eliminated. Proposals passing this preliminary screening are compared with system requirements to determine whether all mandatory requirements are met and how many desirable requirements are met. Top vendors are invited to demonstrate their system using company-supplied data to measure system performance and validate the vendors' claims. Table 21-1 presents hardware, software, and vendor evaluation criteria.

TABLE 21-1 Hardware, Software, and Vendor Evaluation Criteria
hardware costs reasonable, based on capabilities and features? [Ave provessing speed and capabilities adequate for the intended we? ‘Are secondary storage capabilites adequate? ‘Are the input and output speeds and capabilities adequate? fs the system expandable? 1s the hardwate based on old technology that will soon to be out-of-date? [s te hardware available now? not, when? Ts the hardware compatible with existing hardware, software, and peripherals? How do performance evaluations compare with competitors? What are the availablity and cost of support and maintenance? What warranties come with the system? Is financing available (if appliabley? Hardware evaluation Software evaluation Does te software meet all mandatory specifications? How well does the software meet desirable specifications? Will program modifications be required to me: Does the software have adequate contol capabilities? Is the performance (speed, accuracy, reliability) adequate? How many companies use the software? Are they sisted? Is documentation adequate? Is the software compatible with existing software? ‘Was the software demonstration/test drive adequate? Does the software have an adequate warranty? Is the software flexible, easily maintained, and user-tiendly? [s online inquiry of files and records possible? ‘Will the vendor keep the package upto date? Vendor evaluation How long has the vendor been in business? [the vendor financially stble and secure? How experienced i the vendor with the hardware and software? Does the vendor stand behind its products? How good is its warranty? Does the vendor regularly update its products? Does the vendor provide financing? ‘Will the vendor put promises ina contract? ‘Will the vendor supply «ist of customer references? Does the vendor have a reputation for reliability and dependability? Does the vendor provide timely suppor and maintenance? 
‘Does the vendor provide implementation and installation suppor?” Does the vendor have high-quality, responsive, and experienced personnel? Does the vendor provide taining? ee ‘company needs?
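Table 6-1 defines an SQL injection attack as input crafted so that it is passed to and executed by an application program. The following Python example, added here and not taken from the textbook, shows the control that defeats it: the same lookup written first with string concatenation (the defect the definition describes) and then with a bound parameter, run against a small constructed SQLite table, plus an allow-list check as a second layer. The table, rows, and function names are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the textbook).
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "ACTIVE"),
    ("bob", "bob@example.com", "SUSPENDED"),
    ("carol", "carol@example.com", "ACTIVE"),
]

# Input that is valid as a value but also valid as SQL syntax; used only to
# show that the two lookups below treat it differently.
INJECTED_NAME = "x' OR '1'='1"

# Allow-list for a user name: letters, digits and underscore, 1 to 32 chars.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Build an in-memory SQLite database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, status TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Defective form: the input is spliced into the SQL text, so any SQL
    syntax inside it becomes part of the statement the database executes."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the input is sent as a bound parameter, so the database
    compares it as a plain string value and never parses it as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_plausible_name(name):
    """Defense in depth: reject values that cannot be a legitimate user name
    before they reach the database at all."""
    return bool(NAME_RE.match(name))


def demo():
    """Run both lookups with a normal value and with the crafted value and
    return the result sets so the difference can be inspected."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_injected": lookup_vulnerable(conn, INJECTED_NAME),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_injected": lookup_safe(conn, INJECTED_NAME),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the concatenated query, the crafted value turns the WHERE clause into a tautology and every row comes back; with the bound parameter the same value matches nothing, because the database only ever sees it as a string to compare. The allow-list check is not a substitute for parameterization, but it gives an auditor a second control to test for and a clean point at which to log rejected input.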
