Lec 9 Cyber Risk and IT Controls+Qs

Chapter 3 discusses cybersecurity risks, their resulting attacks, and the necessary controls to mitigate these risks within IT governance. It highlights various types of cyberattacks, such as phishing and denial of service, and outlines effective controls like data encryption, firewalls, and segregation of duties. Additionally, it emphasizes the role of external auditors in ensuring IT governance and assessing cyber risks in the audit risk model.

Uploaded by abdokhorshed10

Chapter 3

Cybersecurity, Risks and Controls and IT Governance


In this chapter we will cover:
1- What are cybersecurity risks?
2- What are the resulting cyber attacks?
3- What are the controls for cyber risks?
4- What are the controls in the IT environment?
5- What is IT governance, and what is the role of the external auditor regarding governance?
6- The role of cyber risk in the audit risk model.

1- What are cybersecurity risks?

Cybersecurity risk refers to the risk arising from dealing in cyberspace (the internet).
It is an ever-increasing risk that requires ever-increasing controls, because the business
environment has become completely dependent on the internet. As companies turn to digital
technologies for business operations, the risk of a security breach continues to rise. In
fact, leaders in the profession have identified cybersecurity as the number one technology risk.

2- What are the resulting cyber attacks?

Cyberattacks are perpetrated for varied reasons, including but not limited to financial
fraud, information theft or misuse, activist causes, rendering computer systems inoperable, and
disrupting the critical infrastructure and vital services of a government or organization.
Examples of cyber attacks:
❖ Phishing: the attacker sends a large number of fraudulent emails and, through them, gains access to the
system.
❖ Structured Query Language injection (SQL injection): the attacker gains access to protected
information by injecting malicious SQL code into the queries sent to the database server.
❖ Password attack: attackers obtain passwords unethically and use them to gain access to
confidential data. Passwords may also be compromised by IP spoofing and packet sniffers.
✓ Spoofing: identity misrepresentation in cyberspace (e.g., using a false website to obtain
visitors' personal and confidential information).
✓ Sniffing: the use of software to eavesdrop on information sent by a user to the host
computer of a website.

❖ Denial of service attack (DoS): an attack meant to shut down a machine or network, making it
inaccessible to its intended users by overloading the system with information.
✓ A distributed denial-of-service (DDoS) attack comes from multiple sources, for
example the machines of several innocent parties infected by Trojan horses. When
activated, these programs send messages to the target and leave the connection open.
✓ A DoS attack may establish as many network connections as possible to exclude other
users, thus overloading primary memory or corrupting file systems.
❖ Man-in-the-middle (MITM) attack: a type of cyber attack in which the attacker secretly
intercepts and relays messages between two parties who believe they are communicating directly
with each other. The attack is a type of eavesdropping in which the attacker intercepts and then
controls the entire conversation.

3- What are the controls for cyber risks?

Among the most effective controls to address cybersecurity risks and mitigate possible cyber attacks
are:

▪ Use of data encryption: encryption technology converts data into a code. Unauthorized
users may still be able to access the data, but without the encryption key they cannot
decode it.

▪ Firewalls and antivirus software: a firewall is a combination of hardware and software that
separates an internal network from an external network, such as the Internet, and prevents
the passage of specific types of traffic.

▪ Segregation of duties: an internal control designed to prevent error and fraud by ensuring
that at least two individuals are responsible for the separate parts of any task.
a. The segregation of accounting duties can enhance systems security. Segregation of
duties involves separating the functions of authorization, recordkeeping, and asset
custody so as to minimize the opportunities for a person to perpetrate and
conceal errors or fraud in the normal course of his or her duties.
b. Thus, computer operators, programmers, analysts, and librarians should not have
overlapping responsibilities.

Program fraud can occur when there is no proper segregation of duties: a programmer makes
unauthorized changes to program modules for the purpose of committing an illegal act, such as:

a) Salami slicing: a programmer wrote the software that calculates the interest earned on savings
accounts in a bank.

Ex: he had the rounding feature round down where it should have rounded up, and deposited the
penny in his own account. He made thousands of dollars before he was caught.

b) Trap door: the programmer writes code into the program that allows him to work around any or
all controls in the system, which makes it easy to commit fraud. By typing the "magic
word", the programmer is unencumbered by application controls, and maybe by system controls too.

▪ Password optimization: passwords should be difficult to guess. The log-in dialog can be designed to
query the user for common names in his or her life (children, pets, sports teams) so that
these words can be stored and never permitted by the system to be used as that person's
password. The system should force passwords to be changed periodically, e.g., every 90
days. Ideally, passwords are at least eight characters long and contain both uppercase and
lowercase letters and numerals.

▪ Routine backup and offsite rotation: a typical backup routine involves duplicating all data
files and application programs at least once a month. (Application files must be backed up as
well as data, since programs change too.) For this reason, periodic backup and rotation are
essential, and the copies must be stored in an offsite location. The offsite location for storing data must be
temperature- and humidity-controlled and guarded against physical intrusion. It must be
geographically remote enough from the site of the organization's main operations that it
would not be affected by the same natural disaster.

4- What are the controls in the IT environment?

Responsibility: the responsibility for internal control over information and related technology lies
with management and the board of directors.

The framework for information system controls depends on both:

▪ The report of the Committee of Sponsoring Organizations, Internal Control – Integrated
Framework (COSO Framework).
▪ Control Objectives for Information and related Technology (COBIT), authored by the IT
Governance Institute and published by the Information Systems Audit and Control
Foundation (ISACF).
IT controls:
A procedure, policy, or criterion that provides reasonable assurance that the IT used operates
as intended, that data is reliable, and that staff members are performing their roles and responsibilities according to
standards.

IT CONTROLS: "Internal Control" introduces the concept of IT controls, which are commonly
classified as general or application controls:

▪ General controls apply to all systems components, processes, and data for a
given organization or systems environment (for the whole system):

1. Access controls
2. Segregation of duties controls

▪ Application controls pertain to the scope of individual business processes or
application systems and include controls within an application around input,
processing, and output (for part of the system: one transaction cycle):
1. Input controls
2. Processing controls
3. Output controls

Internal controls in an electronic system (summary)

General controls: apply to all systems components, processes, and data for a given
organization or systems environment (for the whole system).
  1. Access control: a security technique that regulates who or what can view or use
     resources in a computing environment. Information security is an integral part of
     IT controls, designed to protect an information system from unauthorized physical
     and logical access.
     A- Physical access controls: limit physical access and environmental damage
        1- Physical existence controls
        2- Environmental controls
     B- Logical access controls: limit logical access
        1- Authorization
        2- Authentication
  2. Segregation of duties: an internal control designed to prevent error and fraud by
     ensuring that at least two individuals are responsible for the separate parts of
     any task, especially in the IT environment.

Application controls: applied to individual business processes or application systems
(one transaction cycle).
  1. Input control: designed to ensure that data input into the system is valid,
     complete, and accurate
     1. Source document control: prenumbered documents; sequence documents
     2. Control totals: batch total; hash total
     3. Programmed edit checks: completeness check; field check; validity check;
        limit check; range check
  2. Processing control: designed to prevent or detect and correct errors that occur
     during processing
     1. Validation: compare new data to existing data
     2. Sequence check: ensure the proper sequence of processed transactions
  3. Output control: designed to ensure that application system outputs are valid,
     complete, and accurate and that security over outputs is properly maintained
     1. Error listing
     2. Distribution controls

First: General controls:
Focus on controls over all systems components (processes, data, environment, ...).

1. Access controls:
A security technique that regulates who or what can view or use resources in a
computing environment, which is divided into:

A- Physical controls:
❖ Physical access control is an electronic system that controls who is able to gain entry into a physical
space, to protect people and assets from theft and other IT risks, such as electronic door
locks, passwords and PIN codes.

❖ Environmental controls refer to the regulation and measurement of specific parameters,
such as temperature control, cleanrooms and light control.

B- Logical controls:
Controls that focus on log-in authentication and authorization.

❖ Authentication (the right to access only):
- The act of ensuring that the person attempting to access the system is in fact who he says he
is; it is the process of verifying who someone is.
- The most widespread means of achieving this is through the use of IDs and passwords.
- The act of ensuring that a user accessing the IT application or another aspect of the IT
environment is not using it for other purposes.

❖ Authorization (the right to access and modify is for a specific person only):
- The act of allowing users to access only the information necessary to perform their duties,
according to granted permissions.
Ex:
An accounts receivable clerk can view customers' credit limits but cannot change them. Only the head
of the accounts receivable department should be able to execute the program that updates the
accounts receivable master balance file. An individual clerk should have no such power.
(Authentication for the clerk; authorization for the head of accounts.)

2. Segregation of duties:

An internal control tool designed to prevent error and fraud by ensuring that at least two
individuals are responsible for the separate parts of any task, especially in the IT environment:
▪ not only should accounting and reporting functions not overlap, but also
▪ computer operators, programmers, analysts, and librarians should not have
overlapping responsibilities.

Second: Application controls:
Controls related to the human activities in the accounting system, which include the following:

1- Input controls, 2- Processing controls, 3- Output controls

1. Input controls: designed to ensure that data input into the system is valid, complete, and accurate.

1/1. Source document controls:

- Prenumbered documents (allow a company to make sure that no documents are missing or
duplicated).
Ex: local purchase orders (LPO), receipt books.
- Document sequence (available for documents that are created either online or through
manual processing).
Ex: the general ledger transaction detail report (GLS7005).

1/2. Control totals:

- Batch total: a count of the records input for processing.
Example: the number of time cards submitted for payroll processing.

- Hash total: a total of an amount included in each record batched for processing; an otherwise
meaningless total that is used to ensure the completeness of data input for processing.
Example: the sum of the employee numbers in the batch of time cards submitted for processing, or
the total of the number of hours worked in the batch of time cards submitted for payroll
processing.

1/3. Programmed edit checks:
• Completeness check: examines the data input to ensure that all critical fields contain values.
Example: do not confirm a sales order unless the number of units, the price and the payment terms are
specified.

• Field check: examines a field to determine whether it contains the appropriate type of data.
Example: customers' phone numbers cannot accept letters; a date field does not contain names;
customers' names don't include numbers.

• Limit check: examines a field to determine whether the amount is ≤ a prescribed upper limit
or ≥ a prescribed lower limit.
Example: set a maximum credit limit for customers of $200,000.

• Range check: examines a field to determine whether the amount falls within a prescribed range.
Example: discount rate allowed from 20-25%.

• Validity check: compares the data in a field with a predetermined set of authorized values to
ensure the field contains valid data.
Example: a date field cannot accept zero values.
• Reasonableness test: compares quantities ordered with past sales history to ensure the
reasonableness of the quantities ordered.

2- Processing controls: designed to prevent or detect and correct errors that occur
during processing (related to transactions).

2/1. Validation:
To ensure validity you must match all documents: identifiers are matched against master
files to determine existence.
- Example: any accounts payable transaction in which the vendor number does not match
a number on the vendor master file is rejected.

2/2. Sequence check:

Computer effort is expended most efficiently when data are processed in a logical order. This check
ensures the batch is sorted in this order before processing begins.
- Example: inability to delete a sales order once confirmed; it can be cancelled but not deleted.

3. Output controls: designed to ensure that system outputs are valid, complete, and
accurate and that security over outputs is properly maintained.

A complete audit trail should be generated by each process: batch number, time of submission,
time of completion, number of records in the batch, total dollars in the batch, number of records
rejected, total dollars rejected, etc.

3.1 Error listings: report all transactions rejected by the system. These should be corrected and
resubmitted by the user.

3.2 Distribution controls: distribution of application system outputs is restricted to authorized

5- Auditor role related to IT governance:

IT governance represents a subdiscipline of organizational governance, which is
composed of leadership, processes, policies, and structures that ensure that
information technology supports the organization's strategies and objectives. IT
governance underpins the organization's regulatory, legal, environmental and
operational requirements so that aspirations and strategic plans can be achieved.

IT governance is the responsibility of management and the board of directors.

Role of the external auditor related to IT governance

During the test of controls, the auditor uses audit procedures to verify the proper structure
of:
1) the IT function,
2) operating systems,
3) the network,
4) database management:

❑ Verify that maintenance programmers are not also the original design programmers.

❑ Observe segregation policies in practice.

❑ Review the operations room access log to determine whether programmers enter the
facility for reasons other than system failures.

❑ Review user rights and privileges.

❑ Review physical controls over computer centers.

❑ Test activation of authorization and authentication controls:
o all users are required to have passwords;
o password instructions for new users;
o passwords changed regularly;
o the password file, to determine that weak passwords are identified and disallowed;
o encryption of the password file, and that the encryption key is properly secured;
o password standards;
o account lockout policies: the auditor should determine how many failed logon attempts
are allowed before the account is locked.

❑ Test audit trail controls (verify the existence of a transaction log; review a sample of
transactions). Review or verify:
1. Audit trails have been activated in accordance with the organization's policy.
2. Archived log files, to search for:
▪ unauthorized or terminated users,
▪ periods of inactivity,
▪ activity by user, workgroup, or department,
▪ access to specific files or applications,
▪ failed log-on attempts.
3. The disposition of security violations, to assess the effectiveness of the security group.

❑ Verify database management controls (access controls, backup controls).

6- Role of cyber risk in the audit risk model:

Cyber risk is part of the assessment of the inherent risk and control risk of the client firm.
The higher the degree of cyber risk, the higher the auditor's assessment of
inherent risk and control risk.
Cyber risk has become an integral factor in the auditor's assessment of the risks related
to his client firm.

Questions
FIRST: An auditor is reviewing his client's database:

- If you know that the client has a cooling and heating system and light control
for the server room.
- If you know that the client has designated user names and passwords for the
electronic door of the server room.
Required:
- Indicate the category of controls he can actually verify using the above
information.
Answer:

IT control: General – access controls – physical access
The reason: only designated IT personnel are allowed into the room.

IT control: General – access controls – environmental controls
The reason: there are a cooling and heating system and light control.

IT control: General – access control – logical – authorization
The reason: because only the Bugs can delete records.

IT control: General – access control – logical – authentication
The reason: all employees can view accounting reports using independent user names and
passwords.

IT control: General – segregation of duties
The reason: users from the billing department differ from those of the accounts receivable
department.

Second:
If you have the following data from sales invoices, for each column state
the suitable control needed:

 #   Sales invoice       No. of units ordered   Price per unit   Last 2 digits of social security /
     serial number (b)   in each invoice (c)    (d)              telephone no. of customers (e)
 1   125                 5                      200              12
 2   126                 10                     100              36
 3   127                 3                      500              98
 4   -                   1                      300              38
 5   -                   2                      100              10
 6   28A 239B            4                      100              01

 # of records = 6     Sum of units = 25     Sum of $ unit value = $1300     Sum of last 2 digits of telephone numbers = 195

Answer:
 # column:   batch total = 6
 Column (b): prenumbered documents, document sequence
 Column (c): hash total = 25
 Column (d): hash total = 1300
 Column (e): hash total = 195

Second:
If you have the following data from the HR module:

 Payroll card   Employee ID   # Regular hours worked   Regular $ rate/hour   # Overtime hours worked   Overtime $ rate/hour
 1              111           216                      0                     0                         60
 2              112 A         220                      100                   3                         110
 3              -             230                      120                   5                         130
 4              114           240                      140                   2                         130
 5              115           250                      150                   4                         160

If you know that the HR policies of XYZ Co. state that:

1) Employee ID should include only numeric values.

2) Regular hours worked should range between 216 and 240 (216 <= regular hours worked <= 240).

3) The $ rate/hour for regular hours or overtime hours should never equal zero.

4) A payroll card sheet will not be confirmed unless the hours worked and the rate per
hour, whether for regular or overtime hours, and the employee ID number are
listed.

5) The overtime rate/hour should be more than the regular rate/hour.

Required:

Given the above HR policies of XYZ Co., determine:
1- the errors found in the above data,
2- the control needed to deter such errors.

Answer:

1. Field check (payroll cards 2 and 3)

2. Range check (payroll card 5)

3. Validity check (payroll card 1)

4. Completeness check (payroll card 3)

5. Limit check (payroll card 4)

Question three: If you have the following data from employees' time cards:

 Worker ID: 0172          Worker ID: 9023          Worker ID: 2652
 Surname: Mohamed         Surname: Ahmed           Surname: Amr
 Week number: 12          Week number: 12          Week number: 12
 Hours worked: 43         Hours worked: 30         Hours worked: 37
 Salary per week: 3800    Salary per week: 3000    Salary per week: 3700

Required:
- Calculate the batch total according to the previous information.
Batch total (# of documents of the same category) = 3
- Calculate the hash total of each item in the previous time cards.
Hash total for worker IDs = 0172 + 9023 + 2652 = 11,847
Hash total for week number = 12 + 12 + 12 = 36
Hash total for hours worked = 43 + 30 + 37 = 110
Hash total for salary/week = 3,800 + 3,000 + 3,700 = 10,500
- If you know that payment per hour should be $100/hour, determine the
appropriate IT control tool needed and any error in the above
information (if found).

Control needed = limit check

Error: the payroll card for worker ID 0172 shows salary per week = 3,800 instead of 4,300.
If the limit check were applied, salary per week should have been 43 x 100 = 4,300
$/week.
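As an added example (not part of the original lecture notes), the control totals and the $100/hour check from question three computed in Python over the three time cards above, plus a dropped-record scenario that shows how a batch header's totals expose an incomplete batch at processing time. The record layout, function names and the hash-total field list are my own assumptions.

```python
from typing import Dict, List, Tuple

# Constructed from the three time cards in question three (week 12).
TIME_CARDS: List[Dict[str, object]] = [
    {"worker_id": "0172", "surname": "Mohamed", "week": 12, "hours": 43, "salary": 3800},
    {"worker_id": "9023", "surname": "Ahmed", "week": 12, "hours": 30, "salary": 3000},
    {"worker_id": "2652", "surname": "Amr", "week": 12, "hours": 37, "salary": 3700},
]
RATE_PER_HOUR = 100  # HR policy from the question: $100 per hour worked

# Fields whose sums are "hash totals" in the lecture's sense: meaningless as amounts,
# but any lost, duplicated or mis-keyed record changes them. (Not a cryptographic hash.)
HASHED_FIELDS = ("worker_id", "week", "hours", "salary")


def batch_total(cards: List[Dict[str, object]]) -> int:
    """Batch (record count) total: the number of documents submitted."""
    return len(cards)


def hash_total(cards: List[Dict[str, object]], field: str) -> int:
    """Sum of one field over the batch. Worker IDs are summed as integers
    (leading zeros dropped), exactly as the lecture's 0172+9023+2652 does."""
    return sum(int(card[field]) for card in cards)


def control_totals(cards: List[Dict[str, object]]) -> Dict[str, int]:
    """All control totals the data-entry clerk records on the batch header."""
    totals = {"batch_total": batch_total(cards)}
    for field in HASHED_FIELDS:
        totals["hash_" + field] = hash_total(cards, field)
    return totals


def reconcile(header: Dict[str, int], received: List[Dict[str, object]]) -> List[str]:
    """Recompute the totals on the records that actually reached processing and
    return the names of every total that disagrees with the batch header.
    A dropped or duplicated card changes the batch total; a mis-keyed field
    changes that field's hash total."""
    recomputed = control_totals(received)
    return [name for name, value in header.items() if recomputed.get(name) != value]


def limit_check_salary(cards: List[Dict[str, object]], rate: int) -> List[Tuple[str, int, int]]:
    """Flag cards whose weekly salary differs from hours worked x hourly rate.
    Returns (worker_id, expected_salary, recorded_salary) for each exception."""
    exceptions = []
    for card in cards:
        expected = int(card["hours"]) * rate
        if int(card["salary"]) != expected:
            exceptions.append((str(card["worker_id"]), expected, int(card["salary"])))
    return exceptions


if __name__ == "__main__":
    header = control_totals(TIME_CARDS)
    print("batch header:", header)
    # Simulate the third card being lost between data entry and processing.
    print("mismatches after a dropped card:", reconcile(header, TIME_CARDS[:2]))
    print("salary exceptions:", limit_check_salary(TIME_CARDS, RATE_PER_HOUR))
```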

Question four:
You have the following data from the database of XYZ Co.:

 #   Sales invoice   Customer ID   No. of units ordered   Price per unit   Total sales   Discount rate
                                   in each invoice
 1   1               123           50                     100              5000          5%
 2   2               543           100                    150              15000         10%
 3   3               -             150                    100              15000         12%
 4   4               345           200                    0                0             13%
 5   5.5             235           400                    150              60000         15%
 6   6               909           475                    100              47500         15%

If you know that:

- Sales invoices should have a serial number (in the form of integer numbers
only).
- No. of units ordered cannot exceed 500 units/order.
- Price per unit cannot accept a zero value.
- The sales invoice will not be processed unless the no. of units, the sale
price per unit and the customer ID are all clearly listed.
- Discount rate should be 10%-15%.
Required:
Given the above sales policies of XYZ Co., determine:
- the appropriate IT control needed in each case according to the programmed
edit checks;
- the errors in the current system.

 SYSTEM TERMS                                       IT CONTROL           ERRORS
 Sales invoices should have a serial number         Field check          Invoice number five
 (integer number)
 No. of units ordered max 500 units                 Limit check          No error found
 Price per unit does not accept zero value          Validity check       Invoice number four
 The sales invoice will not be processed unless     Completeness check   Invoice number three
 the no. of units and sale price per unit are
 clearly listed
 Discount rate should be 10%-15%                    Range check          Invoice number one

Questions on cybersecurity risk management and controls:
First: True or False:
1. Responsibilities for programming, operations, and data control should
always be separated.
2. Cyber risk arises only from developers of subproducts.
3. The man-in-the-middle attack is the only dangerous type of attack that needs
specific mitigating controls.
4. Electric power generators are effective controls to prevent data loss.
5. Electric power generators are effective controls to prevent data loss due to
distributed denial of service attacks.
6. Authorization control is an application control used only to control
transaction input.
7. Error listing is a type of control used to ensure that data input into the system is
valid, complete, and accurate.
8. Hash totals are controls used to count the number of records.
9. Man in the middle is the riskiest type of cyberattack.
10. The external auditor is responsible for applying proper IT governance in the firm.
11. The external auditor is responsible for verifying the accuracy of database
management controls allegedly applied by management.
12. The auditor's responsibility for IT governance is limited to verifying the accuracy of
the accounting system used.
13. Frequent cyber-attacks on an audit client firm have no effect on the auditor's
evaluation of the risk of material misstatement.
14. Denial of service attack is one of the cyber-attacks that can't be mitigated.
15. In designing a proper accounting information system, ensuring the sequence of
processing of data in a sales invoice is an optional procedure.
16. Ensuring the sequence of logical processing of data in a sales invoice is a type of
control called validation control. F. Sequence check.
17. A system that provides a warning message that customers' phone numbers cannot
accept letters is a type of processing control.
18. Error listings are one of the controls designed to mitigate probable misstatements
during data input.
19. The system's saving of log-in trails generated by the accounting information
system is an unimportant output that can be discarded by the system designer.

Second: MCQ questions:

1. When planning a cybersecurity program, an organization should consider:
a- Internal threats            b- External threats
c- Both internal and external threats            d- None of the above

2. An internet firewall is designed to provide protection against:
a- Computer viruses.
b- Unauthorized access from outsiders.
c- Lightning strikes and power surges.
d- Arson.

3. If a dialogue query is designed to query the user for common names in his or
her life (children, pets, sports teams) so that these words can be stored and never
permitted by the system to be used as that person's password, it is a type of .....
a- Password optimization            b- Preventive control
c- a & b            d- None of the above

4. Cybersecurity risk management is crucially beneficial to organizations
depending on
a- Internet of things            b- Online inventory management system
c- All of the above            d- None of the above

5. Which of the following is a type of cyber attack?
a) SQL injections            b) Encoding
c) Encryption            d) All of the above

6. A type of cyber attack where the attacker sends a large number of fraudulent
emails and gains access to the system
a- Phishing            b- Denial of service
c- Advanced encryption            d- None of the above

7. Using a false website to obtain visitors' personal and confidential information is
a common type of attack called
a- Sniffing            b- Spoofing
c- Proofing            d- Single sign-on

8. .......... is the use of software to eavesdrop on information sent by a user to
the host computer of a website.
a- Sniffing            b- Spoofing
c- Proofing            d- Single sign-on
9. A type of internal control applied in organizations in a highly intensive
information technology environment to ensure that the responsibilities of computer
operators differ from those of programmers is
a- Logical control            b- Physical control
c- Segregation of duties            d- Access controls

10. A type of internal control applied in organizations depending on an electronic accounting
system, applied to all systems components, processes, and data, is
a- Logical control            b- Physical control
c- General control            d- Application control

11. An accounts receivable clerk can access the organization's system, record on-account sales
transactions and view customers' credit limits while a sales clerk cannot. This is an example of:
a- Authorization control            b- Authentication control
c- Physical control            d- Environmental control
12. An accounts receivable clerk can view customers' credit limits but cannot change them. Only
the head of the accounts receivable department should be able to execute the program that updates
the accounts receivable master balance file. This is an example of
a- Authorization control            b- Authentication control
c- Physical control            d- Environmental control

13. The number of employees' time cards submitted for payroll processing is a type of
a- Logical control            b- Physical control
c- General control
d- Application control (input control: record count)

14. The total of the number of hours worked in the batch of time cards submitted for payroll
processing.
a- Validation            b- Hash total
c- Batch total            d- Record count

15. The total (the sum of the social security numbers of all employees) in the batch of
time cards submitted for payroll processing.
a- Validation            b- Hash total
c- Batch total            d- Record count

16. Among the controls designed to prevent or detect and correct errors that occur during
processing is
a- Validation            b- Hash total
c- Batch total            d- Record count

17. The following are benefits of using IT-based controls, except
A. Ability to process a large volume of transactions.
B. Over-reliance on computer-generated reports.
C. Ability to replace manual controls with computer-based controls.
D. Reduction in misstatements due to consistent processing of transactions.

18. An entity should plan the physical location of its computer facility. Which of the following
is the primary consideration for selecting a computer site?
A. It should be in the basement or on the ground floor.
B. It should maximize the visibility of the computer.
C. It should minimize the distance that data control personnel must travel to deliver
data and reports and be easily accessible by a majority of company personnel.
D. It should provide security.

19. Comparing quantities ordered with past sales history to ensure the reasonableness of
quantities ordered is a type of
a- Input control            b- Processing control
c- Output control            d- None of the above

20. Ensuring the sequence of logical processing of data in a sales invoice is a type of control called
a- Validation check            b- Sequence check
c- Limit check            d- Range check

21. After several instances of client defaults, the firm's credit policy was set to provide each
customer with a maximum credit of $20,000
a- Field check            b- Limit check
c- Completeness check            d- Range check

22. After several instances of client defaults, the firm's credit policy was set to provide each
customer with a maximum credit of $20,000
a- Input control            b- Processing control
c- Output control            d- None of the above

23. The firm purchased a new printer from the B-Tech store and scanned the bill, but a warning
message appeared: "the transaction cannot be processed", as the store number is different from that
included in the vendor master file.
a- Validation check            b- Sequence check
c- Limit check            d- Range check

24. Among the controls designed to prevent or detect and correct errors that occur during
output is
a- Sequence check            b- Hash total
c- Distribution control            d- Validation check

25. ... is composed of leadership, processes, policies, and structures that ensure that
information technology supports the organization's strategies and objectives.
a- IT governance            b- Internal audit
c- External audit            d- Risk assurance

Third: State the category and type of control needed:

1. The system refuses a sales order unless the number of units, the price and the payment
terms are clearly listed.

2. The system provides a warning message that customers' phone numbers cannot
accept letters.

3. All accountants can view financial reports, but only the head of the accounting
department can edit the firm's chart of accounts.

4. After confirming a sales order, the customer realized that the model he
asked for does not contain the features he needs, so he cancelled the current order
and filed a new one. The billing department could not delete the cancelled sales
order from the system.

6. The firm purchased a new printer from the B-Tech store and scanned the bill, but a
warning message appeared: "the transaction cannot be processed", as the store
number is different from that included in the vendor master file.
