
Audit Essentials - Assignment Example

Summary
The paper "Audit Essentials" is a good example of a Finance & Accounting assignment. A manufacturing company that produces chemicals used by the military is concerned with the loss of manufacturing data, the secrets of its chemical processes, and the chemicals themselves to terrorists who may use them to commit crimes. Employees may also be involved in the disappearance of such data from the system…

Extract of sample "Audit Essentials"

Question 1 - Constructing a Matrix

The matrix for accessing, reading and modifying files by the employees is shown below:

Employee   Abbreviation   Action taken
Zenith     Z              Verify stock availability; verify account balances
Yogi       Y              Update customer credit limits
Xintha     X              Update inventory records for sales and purchases
Willy      W              Add new customers; delete customers written off as uncollectible; add inventory items; delete inventory items not required
Valeria    V              Review audit logs of employee actions

The codes used are: 0 = no access, 1 = read-only access, 2 = read and modify records, and 3 = read, modify, create, and delete records.

Tabular presentation

File                           Zenith   Yogi   Xintha   Willy   Valeria
CMF - customer master file     1        2      1        3       0
IMF - inventory master file    1        0      2        3       0
PMF - payroll master file      0        0      0        0       0
SLF - system log file          0        0      0        0       1

In matrix format

Question 2

The manufacturing company that produces chemicals used by the military is concerned with the loss of manufacturing data, the secrets of its chemical processes, and the chemicals themselves to terrorists who may use them to commit crimes. Employees may also be involved in the disappearance of such data from the system. The following table shows which

Method     Any Corporation     Extra methods justified at a Financial Institution

1. Build on the right spot: acceptable
2. Have redundant utilities: acceptable
3. Pay attention to walls: acceptable
4. Avoid windows: acceptable
5. Use landscaping for protection: acceptable
6. Keep a 100-foot buffer zone around the site: acceptable
7. Use retractable crash barriers at vehicle entry points: acceptable
8. Plan for bomb detection: acceptable
9. Limit entry points: acceptable
10. Make fire doors exit only: acceptable
11. Use plenty of cameras: acceptable
12. Protect the building's machinery: acceptable
13. Plan for secure air handling: acceptable
14. Ensure nothing can hide in the walls and ceilings: acceptable
15. Use two-factor authentication: acceptable
16. Harden the core with security layers: acceptable
17. Watch the exits too: acceptable
18. Prohibit food in the computer rooms: acceptable
19. Install visitor restrooms: acceptable

Question 3

Which preventive, detective, and/or corrective controls would best mitigate the following threats?

a). A company’s programming staff
Preventive - a company should have rules, codes and ethics relating to programming practices within the company. The staff should be informed of the need to check the inputs to program code to ensure that there is no vulnerability. Proper compiling and testing should be carried out before the code is released for use.
Detective and corrective controls - in this case the program will be run and tested to remove all errors, to ensure that such a buffer overflow vulnerability does not exist. The company should carry out routine in-house testing to ensure such errors do not occur in future.

b). logged into the payroll system by guessing
Preventive - the company should recommend that all authorized persons use passwords that have a mixture of letters, numbers and signs, such as 45uyt/4+8*p. The password should have more than eight characters and should be changed regularly.
Detective and corrective control - the system should be structured so that it detects more than three unsuccessful login attempts and blocks them. Employees who have engaged in such activity should be dismissed.

c). mobile phone and laptop were stolen at airport.
Preventive - the bank should have policies prohibiting employees from storing sensitive customer bio-data on their laptops and mobiles. If such information must be stored, then it must be encrypted.
Detective and corrective control - the mobiles and laptops that contain such details should have remotely controlled software that can help recover the laptop and cell phone.

d). A criminal remotely accessed a sensitive database.
Preventive - the system should be structured to detect logins from different locations at the same time and disable such logins.
Detective and corrective control - the systems should be programmed to detect such logins and alert the security department to communicate with the relevant officer.

e). email purporting to be from her personal banking relationship manager.
Preventive - customers should be informed about phishing scams, where criminals send an email with a link capable of infecting the machine with a program that sends personal information to them.
Detective and corrective control - the customer should install anti-spyware that detects and cleans all software viruses that are harmful to the customer.

f). off-the-shelf e-commerce software
Preventive - before paying for the software, the company should insist on proper testing as well as proper specifications.
Detective and corrective control - they should ensure that the program is regularly checked and that a warranty is given for the software.

g). Attackers broke into the company’s information system
Preventive - employees should be prohibited by company policy from installing private wireless access points.
Detective and corrective control - regular checks should be carried out to detect unauthorized wireless access points, and any employee involved in installing them should be disciplined.

h). a USB drive in the parking lot
Preventive - a policy should be formulated on the types of devices that may be inserted into PCs and laptops belonging to the company. Employees should be taught about the possibility of USB drives containing viruses and spyware.
Detective and corrective control - all laptops should have anti-spyware installed to detect and clean them.

i). internal network by installing a wireless access point
Preventive - the company should ensure all wiring ports are locked or made inaccessible to outsiders.
Detective and corrective control - proper identification should be required from any person trying to access the system.

j). 30 minutes to determine who to contact to initiate response actions
Preventive - ensure proper documentation of the duties and responsibilities of those working within the company. Members of the security department should be available at all times to deal with such challenges.
Detective and corrective control - there should be a response plan within the company.

k). an employee installed a modem on his office workstation
Preventive - there should be regular checks to detect any unauthorized modems that have been installed.
Detective and corrective control - the employee who installed it should be sanctioned.

Question 4 - Advantages and disadvantages of opt-in versus opt-out

To begin with, the customer will view opt-out as a disadvantage because the customer will not know which company is collecting information, as the information is collected by a program. The information may include personal data which may be used by identity thieves. At this point the customer will have the option of stopping the program from collecting information. The company that is collecting information views opt-out as a benefit, as it can collect as much information as it can until the customer stops it. This is a disadvantage to the customer. However, the consumer is comfortable with opt-in because he or she is able to control the information that is released to the companies. The companies cannot collect information from the customer without express permission.

Question 5:

The company should take the necessary steps to protect customer and employee data by ensuring that the information it collects is not accessed by unauthorized individuals. It is the duty of the customer and the employee to ensure personal information is not released to individuals who may misuse it. Customers often reveal personal information, which includes full names, contacts, hobbies, and preferences. The information is used by organizations to create a profile of the users.
The organizations build up users’ profiles through evaluation so that they can improve service provision (Chiu, 2000). Kizza (2010) observed that ethical and security issues for the customer arise when individuals and organizations unethically use private customer information in ways that are perceived to be harmful or to have potentially adverse impacts on society. Without proper security, intruders can invade the privacy of users who allow them to access their confidential information for immediate economic gratification. Some customers go to the extent of exchanging their private information in order to access services or other information, which should not be the case. Bélanger and Crossler (2011) noted that there are four aspects of information privacy, which include collection, unauthorized access and secondary use, and errors. Another classification includes information gathering, processing, distribution, and intrusion. There have been cases of theft of users’ identities on the internet. Users’ important personal information and credit card numbers are also susceptible to theft. Important personal information such as name, age, and email address is shared among different users. The idea of sharing private information on the internet seems harmless at first glance. However, such violations of users’ privacy have profound effects that may manifest later. The databases may be misused without the knowledge of the users. The unsuspecting users may never know how their private information is used. Such violations by a third party may have a profound effect on their lives. Empirical evidence shows that users’ information is used for commercial purposes, and hence this represents potential misuse of information by third parties (Chiu, 2000).

Question 6

The biometric authentication technique, RFID on employees’ clothing, allows one to view images in bags and clothing, which causes fear among employees about their private lives.
They will think the company is collecting information that interferes with their privacy, or that the information collected will be used to discriminate against them. Employees’ movements can be tracked using RFID tags, which may be put in a person’s clothes when on the company’s premises. This will ensure that management is able to track which section employees are in at any given time. The system is useful for managing employee productivity and for protection from fraud and theft of the company’s resources. Moreover, the system promotes improved product and service quality and reduces operational costs. Companies are also able to minimize employee litigation and protect their intellectual property. The remote monitoring depends on the global positioning system (GPS), RFID and other telecommunication technologies in order to monitor employees’ movements incessantly and in real time. The system can also monitor employees’ motion outside the workplace. Employees’ cell phones, company vehicles, and smartcards are usually monitored. This is not the same privacy concern as for cell phones and social networking sites, because cell phones are used for communication and use GPS capabilities that can be used to collect information on the whereabouts of a person. This tracking causes concern among employees, as their private lives may be interfered with. Social networking sites also raise privacy concerns, as some information on social networking sites like Facebook may be used by identity thieves. Such personal information is divulged and left by unsuspecting users when browsing and signing up for various websites. Users often reveal personal information, which includes full names, contacts, hobbies, and preferences. The information is used by organizations to create a profile of the users. Communication using social networks can also be used by the company if private communication is accessed by the boss, as was the case of a woman, Lindsay, who posted ‘I hate my Job’ and was sacked on Facebook.
Question 7: The data classification

The information may be classified as “Restricted”, “Sensitive” or “Public” depending on who should have access to the asset. This scheme was selected because it is the standard practice for classification of documents or databases in most companies; besides this, the classification is simple and will help people in the organization understand the level of importance attached to each database.

Table 2: Classification Scheme

Asset Classification   Description
Restricted             Information classified as confidential should be accessible only to the senior management and the heads of departments that own the information.
Sensitive              Information classified as sensitive should be accessible only to the senior management and the members of departments that own the information.
Public                 Accessible to all in the organization and to the public if needed

The data will be classified into three classes which are: Restricted, public and private data. The proposed classification of the data is as follows:

Restricted     Sensitive     Public

Patent-related data
Research data
Product development data
Data related to manufacturing process
Competitive bidding data
Manufacturing cost
Cash flow projection
Budget
Payroll
Tax data
Business process system flow chart
REA diagrams
Cost of capital
Stock exchange filings
Financial statement
Earning announcement
Market share information about the organization
Product specification

Question 8 - Potential privacy problems

Potential privacy problems that could arise from the case mentioned are listed below.

Data entry

Potential privacy problem:
- access to electronic files by unauthorized employees
- access to paper returns by unauthorized persons
- hackers intercepting electronic information

Corrective action / control:
- restrict entry into the computer room and the store room used for storing information on tax returns. Entry to rooms should be by individuals with badges that can be scanned by RFID or biometric scanners.
- users should have to log in to the system using passwords before being allowed to access any information
- information should be sent encrypted to make access by hackers difficult

Processing

Potential privacy problem:
- manipulation of input data by an entry clerk or operator to influence output for personal gain
- use of wrong attributes in screening

Corrective action / control:
- persons who design the programs should not be allowed to work as operators
- information should be encrypted by a program that is not under the influence of the operator
- carry out daily audits of operators’ work
- train operators on system usage
- access to the system should be restricted to individuals with a password and RFID

Inquiry services

Potential privacy problem:
- access by hackers to taxpayer information on the web
- disposal of old files without shredding, disclosing taxpayer information to the wrong individuals
- releasing taxpayer information in telephone conversations and on social networking sites

Corrective action / control:
- employees should be trained in proper file disposal methods, such as shredding of papers
- all online inquiries should be made by people with recognized identification, such as PIN numbers, passwords and social security numbers
- encrypt traffic flow and tax returns
- limit the information that is released in telephone inquiries

Question 9 - Calculate examples of these batch totals:

A hash total

Employee number   Pay rate   Hours worked   Gross pay   Deductions   Net pay
34567             10.00      40             400.00      105.00       505.00
2178g             11.00      40             440.00      395.00       45.00
12355             10.55      38             400.90      125.00       275.90
24456             95.00      90             8550.00     145.00       8405.00
A hash total      126.55

A financial total

Employee number   Pay rate   Hours worked   Gross pay   Deductions   Net pay
34567             10.00      40             400.00      105.00       505.00
2178g             11.00      40             440.00      395.00       45.00
12355             10.55      38             400.90      125.00       275.90
24456             95.00      90             8550.00     145.00       8405.00
Financial total              208            9790.90     770          9,230.90

A record count

We have only 4 records, which are presented in the 4 rows.

a. Assume the following rules govern normal data:

Field check - the second record will be detected because it contains a "g" among its characters.
Limit check - the pay rate in row 4, column 2 will be noted as exceeding the limit for pay rates, while column 3 of row 4, showing 90 hours, will be detected as exceeding the limit.
Reasonableness test - pay of $440 with deductions of $395 in row 2.
Cross-footing balance test - the sum of 9230.90 in the last column is not the result of the sum of gross pay (9790.90) minus the sum of deductions (770).

Question 10 - Controls to mitigate threats

a). The accounts receivable file was destroyed because it was accidentally used to update accounts payable.
Control: the incoming files should be marked clearly using different headers for accounts payable and accounts receivable. The operator should check these labels before processing any transaction.

b). error in a payroll transaction record.
Control: there should be a limit on hours worked, and entries should be checked against it. The hours worked should be audited before payroll preparation.

c). was mistakenly typed as the letter `o`
Control: the program should be designed to have a column that accepts only numeric values. If the program accepts both strings and numbers, then a field check should be done for all characters. Once an error is discovered, it is corrected and the record is processed again.

d). mistakenly entered 50 laser printers instead of 50 laser printer toner cartridges.
Control: all quantities ordered should be checked for reasonableness based on previous records and limits. There should be closed-loop verification for the stocks ordered and received.

e). power brownout caused a mission critical database server to crash,
Control: an uninterruptible power system should be installed to reduce the chance of data loss in case of a power blackout. There should also be an alternative source of power to provide energy during blackouts.

f). A fire destroyed the data center
Control: there should be backup files in a safe place away from the computer room. There should be fireproof storage for hardware. There should also be real-time mirroring so that one system works when the other is down, and there should be recovery procedures in the event of a disaster.

g). negative quantity.
Control: the program should be designed to reject negative signs where inventory is stored. A sign test on stock quantities should be carried out for stock systems that accept negative signs.

h). the customer’s address
Control: a completeness test will reveal the omission.

i). the clerk wrong account number
Control: there should be a review or examination of records and documents to verify customer account numbers.

j). A visitor entered 400 characters
Control: the program should be programmed not to accept more than five digits. It should have the ability to do a size check.

k). Two travelling sales representatives
Control: there should be concurrent access notification to salespersons, and the stock update should be done before a customer is promised any stock.

l). special discount coupons
Control: a limit date should be set beyond which the computer will not accept coupons.

m). The clerk mistakenly typed in a nonexistent account number
Control: validity checks should always be done on credit sales, as well as digit verification of customer numbers.

n). wrong account number
Control: there should be customer number verification before crediting a customer's account.

o). A batch of 73 time sheets
Control: batch totals, hash totals and a record count should be prepared for verification, checking the arithmetical accuracy of accounting records or performing independent calculations.

p). Sunspot activity
Control: before data is stored it should be decoded and checked for any errors during transmission by carrying out parity checks.

References

Bélanger, F., & Crossler, R. E. (2011). Privacy in the Digital Age: A Review of Information Privacy Research in Information Systems. MIS Quarterly, 35(4), 1017-1041.
Chiu, A. S. (2000, April 7). The Ethics of Internet Privacy. Research Thesis, pp. 1-7.
Kizza, J. M. (2010). Ethical and social issues in the information age. London: SpringerLink.
Quigley, M. (2008). Encyclopedia of information ethics and security. Hershey: Information Science Reference.
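
The batch totals and edit checks from Questions 9 and 10, run over the Question 9 payroll table, as an added Python example that is not part of the original assignment. The numeric limits and the function names are assumptions, since the page states no concrete rules; the example also goes one step beyond the text by cross-footing each record, which locates the row that makes the batch fail to balance.

```python
from decimal import Decimal

# Rows copied from the page's Question 9 table, as strings off an input screen.
FIELDS = ("emp_no", "pay_rate", "hours", "gross", "deductions", "net")
BATCH = [
    ("34567", "10.00", "40", "400.00", "105.00", "505.00"),
    ("2178g", "11.00", "40", "440.00", "395.00", "45.00"),
    ("12355", "10.55", "38", "400.90", "125.00", "275.90"),
    ("24456", "95.00", "90", "8550.00", "145.00", "8405.00"),
]

# Assumed limits (the page states no concrete rules); illustrative only.
MAX_PAY_RATE = Decimal("50.00")
MAX_HOURS = Decimal("60")
MAX_DEDUCTION_SHARE = Decimal("0.40")  # deductions as a share of gross pay


def parse(row):
    """Turn one row into a dict; the numeric columns become Decimal."""
    rec = dict(zip(FIELDS, row))
    for name in FIELDS[1:]:
        rec[name] = Decimal(rec[name])
    return rec


def batch_totals(rows):
    """Record count, hash total and financial totals for one batch."""
    recs = [parse(r) for r in rows]
    return {
        "record_count": len(recs),
        # The page's hash total (126.55) is the sum of the pay-rate column.
        "hash_total": sum(r["pay_rate"] for r in recs),
        "hours": sum(r["hours"] for r in recs),
        "gross": sum(r["gross"] for r in recs),
        "deductions": sum(r["deductions"] for r in recs),
        "net": sum(r["net"] for r in recs),
    }


def batch_cross_foots(totals):
    """Cross-footing balance test: gross - deductions must equal net."""
    return totals["gross"] - totals["deductions"] == totals["net"]


def edit_checks(row):
    """Return the names of the edit checks that one record fails."""
    failed = []
    if not (row[0].isascii() and row[0].isdigit()):
        failed.append("field")  # employee number must be all digits
    rec = parse(row)
    if rec["pay_rate"] > MAX_PAY_RATE or rec["hours"] > MAX_HOURS:
        failed.append("limit")
    if rec["deductions"] > rec["gross"] * MAX_DEDUCTION_SHARE:
        failed.append("reasonableness")
    if rec["gross"] - rec["deductions"] != rec["net"]:
        failed.append("cross-footing")
    return failed


def exceptions(rows):
    """Exception report: employee number -> failed checks, clean rows omitted."""
    report = {row[0]: edit_checks(row) for row in rows}
    return {emp: failed for emp, failed in report.items() if failed}


if __name__ == "__main__":
    totals = batch_totals(BATCH)
    print(totals)
    print("batch cross-foots:", batch_cross_foots(totals))
    for emp, failed in exceptions(BATCH).items():
        print(emp, "->", ", ".join(failed))
```
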