Audit Operating

Systems
Lesson Five
What is an
operating
system?
 OPERATING SYSTEM
Threats to
01. Objectives 03. Integrity

Controls and
02. Security 04. Audit Tests
Operating System
is the computer's control program that enables
users and applications to share resources like
processors, memory, databases, and printers.

Compromised OS integrity can lead to the

circumvention of controls in individual accounting
applications. As the number of users and shared
resources increases, the importance of operating
system security as an internal control issue grows,
particularly in larger computer facilities.
 01.
Objective Operating System
Objectives

s
The operating system has three primary tasks:

1. Translating high-level programming

languages (e.g., Java, C++) into
machine-level code using compilers
and interpreters.

2. Allocating computer resources such

as memory, terminals, databases,
and printers to users, workgroups,
and applications.

3. Managing job scheduling and

multiprogramming to balance
resource use among competing
applications.
To ensure consistent and reliable performance, the
OS must meet five fundamental control objectives:

1. Protect itself from users to prevent damage or

control loss.
2. Protect users from each other to safeguard data and
programs.
3. Protect users from themselves to prevent internal
module corruption.
4. Protect itself from internal threats to ensure module
integrity.
5. Protect itself from environmental factors to allow
controlled recovery after failures.
 02. Operating System Security

Security
Operating system security encompasses policies, procedures, and controls
that define who can access the OS, which resources they can use, and their
permissible actions. Key security components include:

The initial defense against

unauthorized access,
Log-on requiring user ID and
Procedure password verification. After
a few failed attempts, the
user is locked out.

Created upon successful

log-in, it contains user
Access details like ID, password,
Token group, and privileges, used
to authorize actions during
the session.
Operating system security encompasses policies, procedures, and controls
that define who can access the OS, which resources they can use, and their
permissible actions. Key security components include:

Attached to each resource,

Access it specifies access
privileges for users. The
Control system grants access by
List matching the user's access
token with this list.

Resource owners can grant

Discretionary access privileges to other
Access users. This must be closely
monitored to prevent
Privileges security breaches.
 03. Threats to Operating
System Integrity

Threats
Threats to operating system integrity can
be accidental or intentional.
include hardware failures causing
system crashes and errors in user

Accidental applications leading to OS failures,

potentially resulting in the
unintended disclosure of confidential
information.

involve unauthorized data access or

privacy violations for financial gain,
and destructive programs with no Intentional
apparent benefit.
Intentional Threats
originate from:
1. Privileged personnel (e.g., system
administrators) abusing their authority.
2. Individuals identifying and exploiting
security flaws.
3. Insertion of computer viruses or destructive
programs by individuals.
 04.
OS Controls and
Operating System Controls
and Audit Tests

Audit Tests
Compromised operating system integrity can
jeopardize controls within accounting applications,
affecting financial reporting. This outlines control
techniques for maintaining OS integrity and the
related audit tests, focusing on:

1. Access Privileges
2. Password Control
3. Virus Control
4. Audit Trail Control
 Controls and Audit Tests
Malicious and
1 Access Privileges 3 Destructive
Programs

2 Password Control 4 System Audit Trail

Access Privileges
Access privileges are granted to individuals and
workgroups, determining which resources they can
access and what actions they can perform. These
privileges are assigned by system administrators or
resource owners. Management must ensure that
privileges are not incompatible with an individual's
duties, as improper assignment can compromise
system security.
Audit Objectives Audit Procedures
The auditor's objective is ● Review organizational policies for
separating incompatible functions to
to verify that access ensure they promote security.
privileges are granted in a ● Assess the appropriateness of access
manner that is consistent rights for selected user groups and
with the need to separate individuals based on their job
descriptions and positions.
incompatible functions and ● Verify that access to data and programs
is in accordance with the is granted based on the need to know.
organization's policy. ● Check personnel records to confirm
privileged employees have undergone
adequate security clearance checks per
company policy.
● Ensure users have formally
acknowledged their responsibility to
maintain data confidentiality.
● Review permitted log-on times to ensure
they are appropriate for the tasks
performed.
Password Control
Passwords are secret codes used to access systems,
applications, data files, or network servers. Despite
offering security, user behavior can undermine their
effectiveness.

Common issues include forgetting passwords,

writing them down, and using simplistic passwords
that are easy to guess.
 PASSWORD CONTROL
Common and involve reusing the same
password. Security depends on
complexity—personal or simplistic
Reusable passwords are weak; random
combinations are stronger but harder to
Passwords remember. Regular changes and
disabling weak passwords enhance
security.

Address reusable password issues by

changing continuously. A smart card
One- generates a new password every 60
seconds, synchronized with network
timePassw authentication software. Users enter a PIN
and the current password, which expires
ords quickly. Another OTP method uses a
challenge/response approach for additional
security.
Audit Objectives Audit Procedures
The auditor's objective ● Verify that all users are required to use
here is to ensure that the passwords and understand their
importance.
organization has an ● Review procedures to ensure regular
adequate and effective password changes.
password policy for ● Check the password file for weak
controlling access to the passwords and use software to identify
operating system. and disallow them.
● Confirm that the password file is
encrypted and the encryption key is
secure.
● Assess password standards, including
length and expiration intervals.
● Review the account lockout policy,
including the number of failed login
attempts allowed and the lockout
duration.
Malicious and
Destructive Programs
Malicious programs, including viruses, worms, logic
bombs, back doors, and Trojan horses, cause
significant corporate losses through data
corruption, degraded performance, hardware
damage, privacy violations, and repair costs. These
programs result in financial losses and impact
personnel time.
 Reducing Threats from
Destructive Programs
Source Policy on
Virus
Software Unauthorized
Scanning
Wisely Software Examine software
Purchase only from
reputable vendors Implement a policy upgrades for viruses
and accept software against using before
in its original, unauthorized or implementation.
factory-sealed illegal software.
package.
 Reducing Threats from
Destructive Programs
Educational Test New Regular
Programs Applications Backups
Raise user Install and test new Routinely backup
awareness about applications on a key files on
viruses and stand-alone mainframes,
malicious programs. computer with servers, and
antiviral software workstations.
before using them
on main systems.
 Reducing Threats from
Destructive Programs
Limit User Log-On Antiviral
Rights Procedures Software
Restrict users to
read and execute Use protocols that Use and maintain
permissions to ensure log-on up-to-date antiviral
prevent procedures are software to detect
unauthorized legitimate, such as and remove viruses,
writing. direct invocation though it may not
methods. catch all modified
(mutated) viruses.
Audit Objectives Audit Procedures
The key to computer virus ● Educate Personnel: Confirm
control is prevention through that operations staff are
strict adherence to educated about viruses and
organizational policies and aware of risky practices that
procedures that guard against could spread malicious
virus infection. The auditor's programs.
objective is to verify that ● Test New Software: Ensure
effective management new software is tested on
policies and procedures are in standalone workstations before
place to prevent the being implemented on main
introduction and spread of systems.
destructive programs, ● Update Antivirus Software:
including viruses, worms, back Verify that current antiviral
doors, logic bombs, and Trojan software is installed on servers
horses. and that upgrades are regularly
applied to workstations.
System Audit Trail
Controls
Audit trails are logs recording activity at the
system, application, and user levels.
Management must balance between capturing
significant events and avoiding irrelevant data
 There are two main types of audit logs:

Records user keystrokes and system

Keystroke responses, used for event
reconstruction or real-time control. It
Monitoring can be seen as intrusive and raises
privacy and legal concerns.

Summarizes key system

activities, including
session times,
user IDs,
executed
Event
programs,
resources.
and accessed Monitoring
 Setting Audit Trail Objectives
Detecting Promoting
Reconstructing
Unauthorized Personal
Events
Access Accountability
Audit trails help identify Detailed audit logs
Analysis of audit
unauthorized access in can influence user
real time or after the trails can reconstruct
the sequence of behavior by making
fact. Real-time
them aware their
monitoring protects events leading to
actions are recorded.
against breaches and system failures or
performance issues,
They also help detect
security violations, and address misuse,
while post-event logs helping assign
can determine access such as unauthorized
responsibility and access to sensitive
attempts and
outcomes. prevent recurrence. information.
Implementing a System
Audit logs provide valuable Audit for
information Trail
assessing
damage and financial loss from application errors,
abuse, or unauthorized access. However, excessive
detail in logs can obscure important information and
make them ineffective. Management should focus on
monitoring high-risk users, applications, or operations
and decide the level of detail to log based on the
potential financial impact. The benefits of audit logs
should be weighed against their implementation
costs.
Audit Objectives Audit Procedures
● Verify Audit Activation: Check that
The auditor's objective is to the audit trail has been activated as
ensure that the established per organizational policy using the
system audit trail is operating system's audit manager
adequate for preventing and function.
detecting abuses, ● Review Logs: Use audit log viewers
reconstructing key events to scan for unusual activity and access
that precede systems archived logs with data extraction
tools to search for specific conditions
failures, and planning
such as unauthorized users, periods of
resource allocation. inactivity, log-on/log-off times, and
failed login attempts.
● Assess Security Violations:
Evaluate a sample of security violation
cases handled by the security group to
determine the effectiveness of their
response and reporting.
RECITATION
 RECITATION
Which of the following best describes an operating
system’s role in resource allocation?

A) It translates user commands into machine code

only.
B) It manages resources but does not handle job
scheduling.
C) It allocates memory, terminals, databases, and
printers among applications and users.
D) It focuses solely on security management.
 RECITATION
Which control objective ensures the operating
system can recover from environmental factors
after a failure?

A) Protect users from each other

B) Protect itself from users
C) Protect itself from environmental factors
D) Protect users from themselves
 RECITATION
In the context of operating system security, what is
an 'Access Control List'?

A) A list of user privileges attached to each

resource
B) A list of logged activities on the system
C) A backup list for disaster recovery
D) A password policy guideline
 RECITATION
What is the primary purpose of 'Keystroke
Monitoring' in audit trails?

A) To log only failed access attempts

B) To monitor CPU and memory usage
C) To record user actions and responses for real-
time or post-event analysis
D) To summarize system activities for general
performance tracking
 RECITATION
Which type of access privilege allows resource
owners to share access permissions with other
users?

A) System-assigned privileges
B) Discretionary access privileges
C) Mandatory access privileges
D) Exclusive access privileges
 RECITATION
How does 'Log-on Procedure' contribute to
operating system security?

A) By verifying encryption standards

B) By enabling system recovery
C) By identifying user identity and limiting
unauthorized access
D) By monitoring system load and resource usage
 RECITATION
Which of the following threats is categorized as
intentional in operating system security?

A) System crashes due to hardware failures

B) OS failures caused by user application errors
C) Unauthorized access for financial gain or
malicious intent
D) Environmental interference leading to system
downtime
 RECITATION
What is an auditor's objective regarding password
control within an operating system?

A) To monitor network performance issues

B) To ensure all system files are encrypted
C) To verify that the organization’s password policy
is both adequate and effective
D) To regularly reset all system passwords
automatically
 RECITATION
Which audit trail technique focuses on recording
the sequence of events that occurred before a
system failure?

A) Intrusion Detection
B) Real-time Monitoring
C) Event Reconstruction
D) System Verification
 RECITATION
To prevent the spread of viruses, which of the
following is NOT recommended as an operating
system control?

A) Limiting user permissions to only read and

execute
B) Conducting regular software upgrades without
testing
C) Using up-to-date antiviral software
D) Restricting installation of unauthorized software
 RECITATION
To prevent the spread of viruses, which of the
following is NOT recommended as an operating
system control?

A) Limiting user permissions to only read and

execute
B) Conducting regular software upgrades without
testing
C) Using up-to-date antiviral software
D) Restricting installation of unauthorized software
 RECITATION
A new employee has been granted access to the
accounting application within the operating system but
has unintentionally been given access to confidential HR
files. Which control weakness does this scenario
illustrate, and what would an auditor likely recommend?

A) Weak password control; recommend stronger

password policies.
B) Inadequate access privilege management;
recommend reviewing user access rights.
C) Insufficient audit trails; recommend implementing
keystroke monitoring.
D) Ineffective virus control; recommend frequent
antivirus updates.
 RECITATION
A system administrator notices that an employee’s
account is frequently locking after multiple failed log-in
attempts. What should the administrator investigate first
to determine if this is a security concern?

A) The integrity of the employee’s password file

B) The access control list for the resources the employee
is attempting to access
C) The audit trail for unusual login activity related to this
account
D) The configuration of antivirus software on the
employee's computer
 RECITATION
During an audit, it is found that several system files were
modified by a user who should not have access to them.
This indicates a breach of which operating system
control objective, and what should be implemented to
prevent it in the future?

A) Protection from environmental factors; add surge

protection.
B) Protection of the OS from internal threats; limit
discretionary access privileges.
C) Protection of users from each other; require stricter
password controls.
D) System performance optimization; increase hardware
capacity.
 RECITATION
An organization experiences a data loss incident due to
an undetected virus that corrupted essential files. Which
control or audit test could have most effectively
minimized this damage?

A) Enforcing strong password policies

B) Implementing event monitoring within audit trails
C) Restricting access privileges to only authorized users
D) Ensuring up-to-date antiviral software and regular
virus scanning
 RECITATION
An auditor is assessing a company’s policy for software
installation. They find that employees can install any
software without prior testing. What risk does this pose,
and what is the best practice to mitigate it?

A) Increased risk of data corruption; conduct virus scans

on installed software.
B) Reduced system performance; limit software to
essential applications.
C) Increased risk of malicious software infections; test
software on standalone systems before deployment.
D) Reduced user accountability; implement keystroke
monitoring.
ESSAY
 QUESTION
Your organization has recently faced a
data breach due to an employee
unknowingly downloading malicious
software. As an IT auditor, what steps
would you recommend to prevent
similar incidents, and why?
 QUESTION
Imagine that during an audit, you
discover that many users have access
privileges beyond what their roles
require. What would you propose as
the best solution for this issue, and
how would it benefit the organization?
 QUESTION
You are auditing a system and notice
that audit trails are disabled for most
high-risk applications. What would be
your approach to address this, and why
do you think audit trails are critical for
these applications?
END
 Resources
● Hall, J. (2017). Information Technology
Auditing (4th ed.) [Book]. Cengage Learning
Asia Pte Ltd.