Lec 9 Cyber Risk and IT Controls+Qs
Cybersecurity risk refers to the risk arising from dealing in cyberspace (the internet). It is an ever-increasing risk that requires increasing controls, because the business environment has become completely dependent on the internet. As companies turn to digital technologies for business operations, the risk of a security breach continues to rise; in fact, leaders in the profession have identified cybersecurity as the number one technology risk.
Cyberattacks are perpetrated for varied reasons, including but not limited to financial fraud, information theft or misuse, activist causes, rendering computer systems inoperable, and disrupting the critical infrastructure and vital services of a government or organization.
Examples of cyber attacks:
❖ Phishing: the attacker sends a large number of fraudulent emails and uses the responses to gain access to the system.
❖ SQL injection (Structured Query Language injection): the attacker gains access to protected information by inserting malicious code into the queries sent to the SQL server.
❖ Password attack: attackers obtain passwords illegitimately and use them to reach confidential data. Passwords may also be compromised by IP spoofing and packet sniffers.
✓ Spoofing: identity misrepresentation in cyberspace (e.g., using a false website to obtain visitors' personal and confidential information).
✓ Sniffing: the use of software to eavesdrop on information sent by a user to the host computer of a website.
❖ Denial of service attack (DoS): an attack meant to shut down a machine or network, making it inaccessible to its intended users by overloading the system with information.
Among the most effective controls to address cybersecurity risks and mitigate possible cyber attacks are:
▪ Use of data encryption: encryption technology converts data into a code. Unauthorized users may still be able to access the data, but without the encryption key they cannot decode it.
▪ Segregation of duties: an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
a. The segregation of accounting duties can enhance systems security. Segregation of duties involves separating the functions of authorization, recordkeeping, and asset custody so as to minimize the opportunities for a person to perpetrate and conceal errors or fraud in the normal course of his or her duties.
b. Thus, computer operators, programmers, analysts, and librarians should not have overlapping responsibilities.
Program fraud can occur when duties are not properly segregated: a programmer makes unauthorized changes to program modules for the purpose of committing an illegal act, such as:
a) Salami slicing: a programmer wrote the software that calculates interest earned on savings accounts in a bank.
Ex: he had the rounding feature round down where it should have rounded up, and deposited the spare penny in his own account. He made thousands of dollars before being caught.
b) Trap door: the programmer writes code into the program that allows him to work around any or all controls in the system, making it easy to commit fraud. By typing the "magic word", the programmer is unencumbered by application controls, and maybe by system controls as well.
▪ Routine backup and offsite rotation: a typical backup routine involves duplicating all data files and application programs at least once a month (application files must be backed up as well as data, since programs change too). For this reason, periodic backup and rotation are essential, with the copies stored in an offsite location. The offsite location for storing data must be temperature- and humidity-controlled and guarded against physical intrusion, and it must be geographically remote enough from the site of the organization's main operations that it would not be affected by the same natural disaster.
6- What are the controls in an IT environment?
Responsibility: the responsibility for internal control over information and related technology lies with management and the board of directors.
IT controls: "Internal Control" introduces the concept of IT controls, which are commonly classified as general or application controls:
▪ General controls apply to all systems components, processes, and data for a given organization or systems environment (for the whole system):
1. Access controls
2. Segregation of duties controls
Internal controls in an electronic system
First: General controls:
Focus on controls over all systems components (processes, data, environment, ...).
1. Access controls:
A security technique that regulates who or what can view or use resources in a computing environment. It is divided into:
A- Physical controls:
❖ Physical access control is an electronic system that controls who is able to gain entry into a physical space, to protect people and assets from theft and other IT risks. Examples: electronic door locks, passwords, PIN codes.
B- Logical controls:
Controls that focus on log-in authentication and authorization.
❖ Authorization (the right to access and modify is given to a specific person only):
- The act of allowing users to access only the information necessary to perform their duties, according to the permissions granted to them.
Ex:
An accounts receivable clerk can view customers' credit limits but cannot change them. Only the head of the accounts receivable department should be able to execute the program that updates the accounts receivable master balance file; an individual clerk should have no such power.
(Authentication for the clerk; authorization for the head of accounts.)
2. Segregation of duties:
An internal control tool designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task, especially in an IT environment:
▪ not only should accounting and reporting functions not overlap, but also
▪ computer operators, programmers, analysts, and librarians should not have overlapping responsibilities.
Second: Application controls:
Controls related to the human activities in the accounting system, which include the following:
1. Input controls: designed to ensure that data input into the system is valid, complete, and accurate.
- Pre-numbered documents (allow a company to make sure that no documents are missing or duplicated)
Ex: local purchase orders (LPO), receipt books
- Document sequence (available for documents that are created either online or through manual processing)
Ex: the general ledger transaction detail report (GLS7005)
- Hash total: a total of an amount included in each record batched for processing; an otherwise meaningless total that is used to ensure the completeness of data input for processing.
Example: the sum of the employee numbers in the batch of time cards submitted for processing, or the total of the number of hours worked in the batch of time cards submitted for payroll processing.
1/3. Programmed edit checks:
• Completeness check: examines the data input to ensure that all critical fields contain values.
Example: do not confirm a sales order unless the number of units, the price and the payment terms are all entered.
• Field check: examines a field to determine whether it contains the appropriate type of data.
Example: customers' phone numbers cannot accept alphabetic characters; a date field does not contain names; customers' names do not include numbers.
• Limit check: examines a field to determine whether the amount is ≤ a prescribed upper limit or ≥ a prescribed lower limit.
Example: set a maximum credit limit for customers of $200,000.
• Range check: examines a field to determine whether the amount falls within a prescribed range.
Example: discount rate allowed from 20-25%.
• Validity check: compares the data in a field with a predetermined set of authorized values to ensure the field contains valid data.
Example: a date field cannot accept zero values.
• Reasonableness test: compares quantities ordered with past sales history to ensure the reasonableness of the quantities ordered.
2- Processing controls: designed to prevent, or detect and correct, errors that occur during processing (related to transactions).
2/1. Validation:
To ensure validity, all documents must be matched: identifiers are matched against master files to determine existence.
- Example: any accounts payable transaction in which the vendor number does not match a number on the vendor master file is rejected.
3. Output controls: designed to ensure that system outputs are valid, complete, and accurate and that security over outputs is properly maintained.
A complete audit trail should be generated by each process: batch number, time of submission, time of completion, number of records in the batch, total dollars in the batch, number of records rejected, total dollars rejected, etc.
3.1 Error listings: report all transactions rejected by the system. These should be corrected and resubmitted by the user.
7- Auditor role related to IT governance:
During tests of controls, the auditor uses audit procedures to verify the accurate structure of
1) the IT function,
2) operating systems,
3) the network,
4) proper database management:
❑ Verify that maintenance programmers are not also the original design programmers.
❑ Review the operations room access log to determine whether programmers enter the facility for reasons other than system failures.
❑ Test audit trail controls (verify the existence of the transaction log; review a sample of transactions): review or verify that...
1. Audit trails have been activated in accordance with the organization's policy.
2. Archived log files have been searched for
▪ unauthorized or terminated users
▪ periods of inactivity
▪ activity by user, workgroup, or department
▪ access to specific files or applications
▪ failed log-on attempts
3. The disposition of security violations, to assess the effectiveness of the security group.
This is part of the assessment of the inherent risk and control risk of the client firm. The higher the degree of cyber risk, the higher the auditor's assessment of inherent risk and control risk. Cyber risk has become an integral factor in the auditor's assessment of the risks related to his client firm.
Questions
First: An auditor is reviewing his client's database:
- If you know that the client has a cooling and heating system and light control for the server room;
- If you know that the client has a designated user name and password for the electronic door of the server room.
Required:
- Indicate the category of controls he can actually verify using the above information.
Answer:
Second:
If you have the following data from sales invoices, for each column state the suitable control needed:

#  | Sales invoice serial number (b) | No of units ordered in each invoice (c) | Price per unit (d) | Last 2 digits in social security / telephone no of customers (e)
1  | 125      | 5  | 200 | 12
2  | 126      | 10 | 100 | 36
3  | 127      | 3  | 500 | 98
4  | -        | 1  | 300 | 38
5  | -        | 2  | 100 | 10
6  | 28A 239B | 4  | 100 | 01
# of records = 6 | Sum of units = 25 | Sum of $ unit value = $1300 | Sum of last 2 no of telephone numbers = 195
Second:
If you have the following data from the HR module:
1 111 216 0 0 60
2) Regular rate/hour should range between 216 <= regular hours worked <= 240
3) The $ rate/hour for regular hours or overtime hours should never equal zero
4) The payroll card sheet will not be confirmed unless the hours worked and the rate per hour, whether for regular or overtime hours, and the employee ID number are listed
Required:
Answer:
1 111 216 0 0 60
Question three: If you have the following data from the time cards of employees:
Worker ID: 0172 Worker ID: 9023 Worker ID: 2652
Surname: Mohamed Surname: Ahmed Surname: Amr
Week number: 12 Week number: 12 Week number: 12
Hours worked: 43 Hours worked: 30 Hours worked: 37
Salary per week: 3800 Salary per week: 3000 Salary per week: 3700
Required:
- Calculate the number of batch totals according to the previous information.
Number of batch total (# documents of the same category) = 3
- Calculate the hash total of each item in the previous time cards.
Hash total for worker IDs = 0172+9023+2652 = 11,847
Hash total for week number = 12+12+12 = 36
Hash total for hours worked = 43+30+37 = 110
Hash total for salary/week = 3,800+3,000+3,700 = 10,500
- If you know that payment per hour should be $100/hour, determine the appropriate IT control tool needed and any error in the above information (if found).
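The batch total and hash totals from Question three, as an added Python example (not part of the lecture notes), together with the reconciliation step that gives these otherwise meaningless totals their control value; the field names and the simulated keying error are this example's own constructions.

```python
# Added example: batch (record count) and hash totals for the three time cards
# of Question three, plus the reconciliation that gives the totals their value.
# Constructed from the page's cards; field names are this example's own.
TIME_CARDS = [
    {"worker_id": "0172", "surname": "Mohamed", "week": 12, "hours": 43, "salary": 3800},
    {"worker_id": "9023", "surname": "Ahmed",   "week": 12, "hours": 30, "salary": 3000},
    {"worker_id": "2652", "surname": "Amr",     "week": 12, "hours": 37, "salary": 3700},
]

# Every numeric field is hashed, including worker ID and week number, whose sums
# have no business meaning; that is exactly what makes them hash totals.
HASHED_FIELDS = ("worker_id", "week", "hours", "salary")


def batch_total(cards):
    """Record count: number of documents of the same category in the batch."""
    return len(cards)


def hash_totals(cards):
    """Sum each hashed field. Worker IDs keep their leading zero as strings
    and are converted only for the arithmetic (0172 counts as 172)."""
    return {field: sum(int(card[field]) for card in cards) for field in HASHED_FIELDS}


def control_totals(cards):
    """Totals the preparer writes on the batch header before submission."""
    return {"records": batch_total(cards), **hash_totals(cards)}


def reconcile(header, cards):
    """Recompute the totals after data entry and list every total that no
    longer agrees with the batch header. [] means the batch is complete and
    unaltered; a record count that agrees while a hash total differs points
    to a keying error rather than a lost record."""
    recomputed = control_totals(cards)
    return [name for name, value in header.items() if recomputed[name] != value]


def keyed_with_transposed_id(cards):
    """Simulated data-entry slip: worker 2652 keyed as 2562 (constructed)."""
    keyed = [dict(card) for card in cards]
    keyed[2]["worker_id"] = "2562"
    return keyed


if __name__ == "__main__":
    header = control_totals(TIME_CARDS)
    print("batch header:", header)
    print("transposed ID, mismatched totals:", reconcile(header, keyed_with_transposed_id(TIME_CARDS)))
    print("one card lost, mismatched totals:", reconcile(header, TIME_CARDS[:2]))
```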
Question four:
You have the following data from the database of XYZ-CO:

#  | Sales invoice | Customer ID | No. of units ordered in each invoice | Price per unit | Total sales | Discount rate
1  | 1   | 123 | 50  | 100 | 5000  | 5%
2  | 2   | 543 | 100 | 150 | 15000 | 10%
3  | 3   | -   | 150 | 100 | 15000 | 12%
4  | 4   | 345 | 200 | 0   | 0     | 13%
5  | 5.5 | 235 | 400 | 150 | 60000 | 15%
6  | 6   | 909 | 475 | 100 | 47500 | 15%
System terms | IT control | Errors
Sales invoices should be serial numbers (integer numbers) | Field check | Invoice number five
No. of units ordered max 500 units | Limit check | No error found
Price per unit does not accept zero value | Validity check | Invoice number four
The sales invoice will not be processed unless both no. of units and sale price per unit are clearly listed | Completeness check | Invoice number three
Discount rate should be 10%-15% | Range check | Invoice number one
Questions on cybersecurity risk management and controls:
First: True or False:
1. Responsibilities for programming, operations, and data control should always be separated.
2. Cyber risk arises only from developers of subproducts.
3. Man-in-the-middle attack is the only dangerous type of attack that needs specific mitigating controls.
4. Electric power generators are effective controls to prevent data loss.
5. Electric power generators are effective controls to prevent data loss due to distributed denial of service attacks.
6. Authorization control is an application control used only to control transaction input.
7. Error listing is a type of control used to ensure that data input into the system is valid, complete, and accurate.
8. Hash totals are controls used to count the number of records.
9. Man-in-the-middle is the riskiest type of cyberattack.
10. The external auditor is responsible for applying proper IT governance in the firm.
11. The external auditor is responsible for verifying the accuracy of the database management controls allegedly applied by management.
12. The auditor's responsibility for IT governance is limited to verifying the accuracy of the accounting system used.
13. Frequent cyber-attacks on an audit client firm have no effect on the auditors' evaluation of the risk of material misstatement.
14. Denial of service attack is one of the cyber-attacks that can't be mitigated.
15. On designing a proper accounting information system, ensuring the sequence of processing of data in a sales invoice is an optional procedure.
16. Ensuring the sequence of logical processing of data in a sales invoice is a type of control called validation control. F. Sequence check.
17. A system providing warning messages that customers' phone numbers cannot accept alphabetic characters is a type of processing control.
18. Error listings are one of the controls designed to mitigate probable misstatements during data input.
19. System saving of log-in trails generated by the accounting information system is an unimportant output that can be discarded by the system designer.
Second: MCQ questions:
3. A dialogue query is designed to ask the user for common names in his or her life (children, pets, sports teams) so that these words can be stored and never permitted by the system to be used as that person's password. This is a type of ...
a- Password optimization b- Preventive control
c- a & b d- None of the above
6. A type of cyber attack where the attacker sends a large number of fraudulent emails and gains access to the system:
a- Phishing b- Denial of service
c- Advanced encryption d- None of the above
the host computer of a website.
a- Sniffing b- Spoofing
c- Proofing d- Single sign-on
9. A type of internal control applied in organizations in a highly intensive information technology environment to ensure that the responsibilities of computer operators differ from those of programmers is
a- Logical control b- Physical control
c- Segregation of duties d- Access controls
11. An accounts receivable clerk can access the organization's system, record on-account sales transactions and view customers' credit limits, while a sales clerk cannot. This is an example of:
a- Authorization control b- Authentication control
c- Physical control d- Environmental control
12. An accounts receivable clerk can view customers' credit limits but cannot change them; only the head of the accounts receivable department should be able to execute the program that updates the accounts receivable master balance file. This is an example of
a- Authorization control b- Authentication control
c- Physical control d- Environmental control
13. The number of time cards of employees submitted for payroll processing is a type of
a- Logical control b- Physical control
c- General control
d- Application control (input control: record count)
14. The total of the number of hours worked in the batch of time cards submitted for payroll processing.
a- Validation b- Hash total
c- Batch total d- Record count
15. The total of the sum of social security numbers for all employees who worked in the batch of time cards submitted for payroll processing.
a- Validation b- Hash total
c- Batch total d- Record count
16. Among the controls designed to prevent, or detect and correct, errors that occur during processing is
a- Validation b- Hash total
c- Batch total d- Record count
18. An entity should plan the physical location of its computer facility. Which of the following is the primary consideration for selecting a computer site?
A. It should be in the basement or on the ground floor.
B. It should maximize the visibility of the computer.
C. It should minimize the distance that data control personnel must travel to deliver data and reports and be easily accessible by a majority of company personnel.
D. It should provide security.
19. Comparing quantities ordered with past sales history to ensure the reasonableness of quantities ordered is a type of
a- Input b- Processing
c- Output control d- None of the above
20. Ensuring the sequence of logical processing of data in a sales invoice is a type of control called
a- Validation check b- Sequence check
c- Limit check d- Range check
21. After several instances of client defaults, the firm's credit policy was set to provide each customer with a maximum credit of $20,000.
a- Field check b- Limit check
c- Completeness check d- Range check
22. After several instances of client defaults, the firm's credit policy was set to provide each customer with a maximum credit of $20,000.
a- Input b- Processing
c- Output control d- None of the above
23. The firm purchased a new printer from the B-Tech store and scanned the bill, but a warning message appeared ("the transaction cannot be processed") because the store number is different from that included in the vendor master file.
a- Validation check b- Sequence check
c- Limit check d- Range check
24. Among the controls designed to prevent, or detect and correct, errors that occur during output is
a- Sequence check b- Hash total
c- Distribution control d- Validation check
25. ... is composed of leadership, processes, policies, and structures that ensure that information technology supports the organization's strategies and objectives.
a- IT governance b- Internal audit
c- External audit d- Risk assurance
Third: State the category and type of controls needed:
1. The system refuses a sales order unless the number of units, the price and the payment terms are clearly listed.
3. All accountants can view financial reports, but only the head of the accounting department can edit the firm's chart of accounts.
4. After confirming a sales order, the customer recognized that the model he asked for does not contain the needed features; he cancelled the current order and filed a new one. The billing department could not delete the cancelled sales order from the system.
6. The firm purchased a new printer from the B-Tech store and scanned the bill, but a warning message appeared ("the transaction cannot be processed") because the store number is different from that included in the vendor master file.