
AUDITING OPERATING SYSTEMS AND NETWORKS


Operating system

• The computer's control program
• Allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.
Operating System Objectives

• First, translates high-level languages into the machine-level language that the computer can execute (through the compilers, interpreters, and loaders it hosts)
• Second, allocates computer resources to users, workgroups, and applications
• Third, manages the tasks of job scheduling and multiprogramming. Jobs are submitted to the system in three ways:
1. Directly by the system operator
2. From various batch-job queues
3. Through telecommunications links from remote workstations
Five Fundamental Control Objectives

To perform these tasks consistently and reliably, the OS must achieve five fundamental control objectives:
1. The OS must protect itself from users (a user application must not be able to corrupt or seize control of the OS)
2. The OS must protect users from each other (one user must not be able to access or destroy another user's data or programs)
3. The OS must protect users from themselves (a user's own program modules must not be able to destroy each other)
4. The OS must be protected from itself (its own modules must not be able to destroy each other)
5. The OS must be protected from its environment (power failures and other disasters must not leave it in an inconsistent state)

Operating System Security

• Involves the policies, procedures, and controls that determine who can access the OS, which resources they can use, and what actions they can take.
Components:
Log-on procedure - the first line of defense against unauthorized access; the user ID and password are checked before a session is granted
Access Token - created at log-on; contains key information about the user (user ID, group memberships, and privileges) and is attached to every request the user makes
Access Control List - attached to each resource; lists the users and groups allowed to use it and the actions they may perform
Discretionary Access Privileges - allow the owner of a resource to grant access privileges to other users
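The four components just listed, as an added example rather than code from the slides: a small reference monitor in Python in which the log-on procedure issues an access token, each resource carries an ACL, and only the owner (or an administrator) may grant access discretionarily. The user names, passwords, groups and the resource are constructed for illustration.

```python
"""Log-on, access token, ACL and discretionary grant on a toy OS model.
Added example; users, passwords and resources are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

_SALT = b"constructed-salt"          # one salt for brevity; real systems use one per user


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen password file cannot be brute-forced cheaply
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed password file: user -> (salt, hash, groups)
USERS = {
    "alice": (_SALT, _hash_pw("alice-pw", _SALT), {"finance"}),
    "bob":   (_SALT, _hash_pw("bob-pw", _SALT), {"ops"}),
    "root":  (_SALT, _hash_pw("root-pw", _SALT), {"admin"}),
}


@dataclass(frozen=True)
class Token:
    """Access token: attached to every request the user makes after log-on."""
    user: str
    groups: frozenset
    privileged: bool


def logon(user: str, password: str):
    """Log-on procedure. Returns a Token, or None for any failure.
    Unknown users and wrong passwords take the same code path and the same
    time, so the response does not leak which accounts exist."""
    salt, digest, groups = USERS.get(user, (_SALT, b"\x00" * 32, set()))
    if not hmac.compare_digest(_hash_pw(password, salt), digest):
        return None
    return Token(user, frozenset(groups), "admin" in groups)


@dataclass
class Resource:
    owner: str
    acl: dict = field(default_factory=dict)   # principal (user or group) -> set of actions


def allowed(tok: Token, res: Resource, action: str) -> bool:
    """ACL check: the owner and the administrator always pass; anyone else
    needs an entry for their user name or for one of their groups."""
    if tok.privileged or tok.user == res.owner:
        return True
    return any(action in res.acl.get(p, set()) for p in {tok.user, *tok.groups})


def grant(tok: Token, res: Resource, principal: str, action: str) -> bool:
    """Discretionary access privilege: only the owner (or the administrator)
    may extend a resource's ACL. Returns False when the caller may not."""
    if not (tok.privileged or tok.user == res.owner):
        return False
    res.acl.setdefault(principal, set()).add(action)
    return True


if __name__ == "__main__":
    ledger = Resource(owner="alice")
    alice, bob = logon("alice", "alice-pw"), logon("bob", "bob-pw")
    print(allowed(bob, ledger, "read"))            # False: no ACL entry yet
    print(grant(alice, ledger, "ops", "read"))     # True: owner grants the "ops" group
    print(allowed(bob, ledger, "read"))            # True through group membership
    print(grant(bob, ledger, "bob", "write"))      # False: bob does not own the ledger
```

The privileged flag on the token is why control objective 1 matters so much: an administrator bypasses every ACL, so the OS must protect the administrator account itself rather than relying on the ACLs.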
Threats to Operating System Integrity

• Arise either accidentally (hardware failures, program errors) or intentionally (illegal access to data, violation of user privacy)
Intentional Threats
1. Privileged personnel who abuse their authority
2. Individuals, both internal and external to the organization, who browse the system to identify and exploit security flaws
3. Individuals who intentionally (or accidentally) insert computer viruses or other forms of destructive programs into the OS
Auditor's Objectives:
• Verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy.
• Ensure that the organization has an adequate and effective password policy for controlling access to the OS.
• Verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs.
• Ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede system failures, and planning resource allocation.
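The fourth objective in working form, as an added example that is not part of the slides: detection logic run over constructed syslog-style log lines to flag a password-guessing burst that ends in a successful log-on (threat 2 above) and a privileged command run by someone outside the administrator group (threat 1). The thresholds (five failures within 60 seconds) and the administrator list are assumptions.

```python
"""Audit-trail review: surface abuses from authentication and sudo log lines.
Added example; the log lines, host name and rules are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T02:14:05 srv1 sshd: Failed password for bob from 203.0.113.7 port 5012
2024-03-01T02:14:09 srv1 sshd: Failed password for bob from 203.0.113.7 port 5013
2024-03-01T02:14:13 srv1 sshd: Failed password for bob from 203.0.113.7 port 5014
2024-03-01T02:14:17 srv1 sshd: Failed password for bob from 203.0.113.7 port 5015
2024-03-01T02:14:21 srv1 sshd: Failed password for bob from 203.0.113.7 port 5016
2024-03-01T02:14:40 srv1 sshd: Accepted password for bob from 203.0.113.7 port 5017
2024-03-01T08:00:02 srv1 sshd: Failed password for alice from 10.0.0.12 port 40110
2024-03-01T08:00:20 srv1 sshd: Accepted password for alice from 10.0.0.12 port 40111
2024-03-01T08:30:00 srv1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-03-01T09:05:00 srv1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd mallory
"""

ADMINS = {"alice"}    # constructed list of users authorised to run privileged commands

LINE = re.compile(r"^(\S+) \S+ (sshd|sudo): (.*)$")
FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")
SUDO = re.compile(r"^(\S+) : .*COMMAND=(\S+)")


def analyse(lines, threshold=5, window=timedelta(seconds=60), admins=ADMINS):
    """Return (kind, subject, detail, timestamp) findings in log order."""
    findings = []
    fails = defaultdict(deque)          # (user, source) -> recent failure times

    def prune(q, now):
        while q and now - q[0] > window:
            q.popleft()

    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, prog, msg = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if prog == "sshd":
            f, a = FAILED.search(msg), ACCEPTED.search(msg)
            if f:
                q = fails[f.groups()]
                q.append(ts)
                prune(q, ts)
                if len(q) == threshold:      # fire once, when the burst reaches the threshold
                    findings.append(("brute_force", f.group(1), f.group(2), ts))
            elif a:
                q = fails[a.groups()]
                prune(q, ts)
                if len(q) >= threshold:      # success right after a burst: likely compromised
                    findings.append(("brute_force_success", a.group(1), a.group(2), ts))
        elif prog == "sudo":
            s = SUDO.match(msg)
            if s and s.group(1) not in admins:
                findings.append(("unauthorized_privilege_use", s.group(1), s.group(2), ts))
    return findings


if __name__ == "__main__":
    for kind, who, detail, when in analyse(SAMPLE_LOG.splitlines()):
        print(f"{when.isoformat()} {kind}: {who} ({detail})")
```

The review is only as good as the trail: if failed log-ons or sudo invocations are not logged, or the log can be edited by the users it records, neither rule has anything to work with, which is what the auditor's "adequate audit trail" objective is really testing.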
INTRANET

• Consists of small LANs and large WANs that may contain thousands of individual nodes.
• Used to connect employees within a single building, between buildings on the same physical campus, and between geographically dispersed locations.
• Applications include email routing, transaction processing between business units, and linking to the outside Internet.
Internet Risks

• IP Spoofing - forging the source address of packets so that they appear to come from a trusted host
• Denial of Service Attack - flooding a host or link with traffic (for example a SYN flood of half-open connection requests) so that legitimate users cannot be served
• Equipment Failure - loss of the links, routers, or servers on which the connection depends
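The first two risks turned into checks, as an added example that is not from the slides: ingress/egress filtering in the style of BCP 38 to catch spoofed source addresses, and a count of half-open connections per destination to catch a SYN flood. The address ranges, interface names, flow records and threshold are constructed.

```python
"""Spoofed-source and SYN-flood detection over constructed flow records.
Added example; networks, interfaces, flows and threshold are assumptions."""
import ipaddress
from collections import Counter, namedtuple

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

Flow = namedtuple("Flow", "iface src dst flags")   # iface: 'ext' (Internet side) or 'int' (LAN side)

FLOWS = [
    Flow("ext", "198.51.100.4", "10.0.0.5", "S"),     # normal inbound SYN ...
    Flow("ext", "198.51.100.4", "10.0.0.5", "A"),     # ... completed by an ACK
    Flow("ext", "10.0.0.9", "10.0.0.5", "S"),         # internal source arriving from outside: spoofed
    Flow("int", "203.0.113.1", "198.51.100.4", "S"),  # external source leaving the LAN: an inside host spoofing
    Flow("int", "10.0.0.9", "198.51.100.4", "S"),     # normal outbound SYN
] + [Flow("ext", f"203.0.113.{n}", "10.0.0.5", "S") for n in range(10, 30)]  # 20 bare SYNs, never acknowledged


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def spoofed(flows):
    """BCP 38 style filtering: an internal source address must not arrive on the
    external interface, and only internal sources may leave on the internal one."""
    return [f for f in flows
            if (f.iface == "ext" and is_internal(f.src))
            or (f.iface == "int" and not is_internal(f.src))]


def syn_flood_targets(flows, threshold=10):
    """Destinations with at least `threshold` SYNs that the same source never
    followed with an ACK, i.e. half-open connections piling up."""
    completed = {(f.src, f.dst) for f in flows if f.flags == "A"}
    half_open = Counter(f.dst for f in flows
                        if f.flags == "S" and (f.src, f.dst) not in completed)
    return {dst: n for dst, n in half_open.items() if n >= threshold}


if __name__ == "__main__":
    for f in spoofed(FLOWS):
        print("spoofed:", f)
    print("SYN flood targets:", syn_flood_targets(FLOWS))
```

Spoofed SYNs are also what make a SYN flood hard to block by source address, which is why the two checks belong together: filtering at the network edge removes the forged sources that the flood relies on.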
AUDITING ELECTRONIC DATA INTERCHANGE (EDI)
Electronic Data Interchange (EDI)

General definition:
The intercompany exchange of computer-processible business information in standard format.
Important features of EDI
1. EDI is an interorganizational endeavor
2. The information systems of the trading partners automatically process the transaction
3. Transaction information is transmitted in a standardized format
Value-added network (VAN) - a private network provider (sometimes called a turnkey communications line) that is hired by a company to facilitate electronic data interchange (EDI) or provide other network services.
EDI Standards

US standard - American National Standards Institute (ANSI) X12 format
Internationally used standard - EDI for Administration, Commerce, and Transport (EDIFACT) format
Besides the business document itself, each transmitted interchange carries:
➢ the electronic address of the receiver
➢ communications protocols, and
➢ control information

Functional Group
● a collection of transaction sets (electronic documents) for a particular business application, such as a group of sales invoices or purchase orders

Transaction Set
● a single electronic document (for example one invoice), composed of data segments and data elements

Data Segment
● an information category on the document, such as part number, unit price, or vendor name

Data Elements
● the specific items of data within a segment
Example of ANSI X12 Format (figure not reproduced in this extract)
Benefits of EDI

1. Reduced data keying.
2. Error reduction.
3. Reduction of paper.
4. Automated procedures.
5. Inventory reduction.
Financial EDI

Electronic Funds Transfer (EFT)
● the electronic transfer of money from one bank account to another, either within a single financial institution or across multiple institutions, via computer-based systems, without the direct intervention of bank staff.
● requires intermediary banks between trading partners
A problem arises with the remittance advice information that would normally accompany a check: the EFT carries the payment but not the detail explaining it, and there may be disputed amounts because of price disagreements, damaged goods, or incomplete deliveries.

Value-added banks (VABs)
● can accept electronic disbursements and remittance advices from their clients in any format
● convert EDI transactions to ANSI X12 format (for example the 820 Payment Order/Remittance Advice transaction set) for electronic processing
● in the case of non-EDI transactions, the VAB writes traditional checks to the creditor
● allow clients to employ a single cash disbursement system that can accommodate both EDI and non-EDI customers
EDI Controls
Transaction Authorization and Validation
● establish that the transaction being processed is to (or from) a valid trading
partner and is authorized

1. Some VANs have the capability of validating passwords and user ID codes
for the vendor by matching these against a valid customer file. The VAN
rejects any unauthorized trading partner transactions before they reach the
vendor’s system.
2. Before being converted, the translation software can validate the trading
partner’s ID and password against a validation file in the firm’s database.
3. Before processing, the trading partner’s application software references the
valid customer and vendor files to validate the transaction.
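An added example that is not part of the slides, covering both the X12 hierarchy described earlier (interchange envelope, functional group, transaction set, segment, element) and the authorization and validation control just described: it parses a constructed X12 810 invoice interchange, checks the envelope control numbers and counts (ISA/IEA, GS/GE, ST/SE), and rejects the interchange when the sender is not in the valid trading partner file or sends a transaction set it is not authorized for. The partner IDs, the partner file and the interchange contents are constructed.

```python
"""X12 interchange structure check plus trading partner authorization.
Added example; partner file, IDs and the sample interchange are constructed."""

# Constructed valid trading partner file: partner ID -> transaction sets it may send
VALID_PARTNERS = {"ACMECORP": {"810", "850"}}
OUR_ID = "WIDGETSINC"

# Constructed 810 (invoice) interchange: segment terminator '~', element separator '*'
SAMPLE_X12 = (
    "ISA*00*          *00*          *ZZ*ACMECORP       *ZZ*WIDGETSINC     "
    "*240301*1200*U*00401*000000123*0*P*>~"
    "GS*IN*ACMECORP*WIDGETSINC*20240301*1200*45*X*004010~"
    "ST*810*0001~"
    "BIG*20240301*INV1001~"
    "IT1*1*10*EA*4.25**BP*PN-100~"
    "TDS*4250~"
    "SE*5*0001~"
    "GE*1*45~"
    "IEA*1*000000123~"
)


def parse_x12(raw, seg_term="~", elem_sep="*"):
    """Split the interchange into segments, each a list of elements (index 0 is the segment ID)."""
    return [s.split(elem_sep) for s in (p.strip() for p in raw.split(seg_term)) if s]


def _num(text):
    return int(text) if text.isdigit() else -1


def validate_interchange(raw, partners=VALID_PARTNERS, our_id=OUR_ID):
    """Return a list of control failures; an empty list means the interchange is
    structurally sound and comes from an authorized partner."""
    errors = []
    segs = parse_x12(raw)
    if not segs or segs[0][0] != "ISA" or len(segs[0]) != 17:
        return ["missing or malformed ISA header"]
    isa = segs[0]
    sender, receiver = isa[6].strip(), isa[8].strip()
    if sender not in partners:                      # authorization is checked before anything else
        errors.append(f"unauthorized trading partner {sender}")
    if receiver != our_id:
        errors.append(f"interchange addressed to {receiver}, not {our_id}")
    iea = segs[-1]
    if iea[0] != "IEA" or len(iea) < 3:
        return errors + ["missing or malformed IEA trailer"]
    if isa[13] != iea[2]:
        errors.append(f"ISA/IEA control number mismatch {isa[13]}/{iea[2]}")

    groups, i = 0, 1
    while i < len(segs) - 1:                        # one GS ... GE functional group per iteration
        gs = segs[i]
        if gs[0] != "GS" or len(gs) < 7:
            return errors + [f"expected GS, found {gs[0]}"]
        groups, sets, i = groups + 1, 0, i + 1
        while i < len(segs) - 1 and segs[i][0] == "ST":
            st, start = segs[i], i
            if len(st) < 3:
                return errors + ["malformed ST header"]
            j = i
            while j < len(segs) - 1 and segs[j][0] != "SE":
                j += 1
            se = segs[j]
            if se[0] != "SE" or len(se) < 3:
                return errors + [f"transaction set {st[2]} has no SE"]
            sets += 1
            if se[2] != st[2]:
                errors.append(f"ST/SE control number mismatch {st[2]}/{se[2]}")
            if _num(se[1]) != j - start + 1:        # SE01 counts ST through SE inclusive
                errors.append(f"SE01 says {se[1]} segments, set {st[2]} has {j - start + 1}")
            if sender in partners and st[1] not in partners[sender]:
                errors.append(f"{sender} is not authorized to send transaction set {st[1]}")
            i = j + 1
        ge = segs[i] if i < len(segs) - 1 else None
        if ge is None or ge[0] != "GE" or len(ge) < 3:
            return errors + [f"group {gs[6]} has no GE"]
        if ge[2] != gs[6]:
            errors.append(f"GS/GE control number mismatch {gs[6]}/{ge[2]}")
        if _num(ge[1]) != sets:
            errors.append(f"GE01 says {ge[1]} transaction sets, group {gs[6]} has {sets}")
        i += 1
    if _num(iea[1]) != groups:
        errors.append(f"IEA01 says {iea[1]} groups, interchange has {groups}")
    return errors


if __name__ == "__main__":
    print(validate_interchange(SAMPLE_X12))                                          # []
    print(validate_interchange(SAMPLE_X12.replace("ACMECORP       ", "EVILCORP       ")))
    print(validate_interchange(SAMPLE_X12.replace("SE*5*", "SE*4*")))
```

The control numbers and counts are what make the EDI audit trail reconcilable: a transaction set that disappears between the VAN and the application shows up as a GE01 or SE01 mismatch, which is the kind of discrepancy the later "trace a sample of transactions" test is looking for.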
Access Control

EDI trading partners must permit a degree of access to private data files that would be forbidden in a traditional environment. The trading partner agreement will determine the degree of access control in place.

● To guard against unauthorized access, each company must establish valid vendor and customer files.
● User authority tables can also be established, which specify the degree of access a trading partner is allowed.
EDI Audit Trail

● maintain a control log, which records the transaction's flow through each phase of the EDI system.
Audit Objectives Relating to EDI

1. all EDI transactions are authorized, validated, and in compliance with the trading partner agreement;
2. no unauthorized organizations gain access to database records;
3. authorized trading partners have access only to approved data;
4. adequate controls are in place to ensure a complete audit trail of all EDI transactions.
Audit Procedures Relating to EDI

Perform the following tests of controls:
1. Tests of Authorization and Validation Controls.
2. Tests of Access Controls.
3. Tests of Audit Trail Controls.
Tests of Authorization and Validation Controls

1. review agreements with the VAN facility to validate transactions and ensure that information regarding valid trading partners is complete and correct, and
2. examine the organization's valid trading partner file for accuracy and completeness.
Tests of Access Controls
Verify control adequacy in the following ways:

1. The auditor should determine that access to the valid vendor or customer file
is limited to authorized employees only. The auditor should verify that
passwords and authority tables control access to this file and that the data
are encrypted.
2. The trading agreement will determine the degree of access a trading
partner should have to the firm’s database records (such as inventory levels
and price lists). The auditor should reconcile the terms of the trading
agreement against the trading partner’s access privileges stated in the
database authority table.
3. The auditor should simulate access by a sample of trading partners and
attempt to violate access privileges.
Tests of Audit Trail Controls

● verify that the EDI system produces a transaction log that tracks transactions through all stages of processing
● select a sample of transactions and trace them through the process
Internet Technologies
Appendix Section A
Packet Switching

The Internet employs communications technologies based on packet switching: messages are broken into packets, each carrying the destination address, that are routed independently and reassembled at the receiving end.
Virtual Private Networks (VPN)

● a private network carried within a public network: traffic between the sites is encrypted and tunnelled, so the public network carries it but cannot read or alter it

Extranets
● a password-controlled network for private users rather than the general public
● used to provide access between trading partners' internal databases

World Wide Web (WWW)
● an Internet facility that links user sites locally and around the world
● the fundamental format for the Web is a text document called a Web page
Internet Addresses

1. E-mail addresses (ex. sweetemogurl@yahoo.com); standard format: USERNAME@DOMAINNAME
2. Web site URL addresses (ex. www.facebook.com)
3. Internet protocol (IP) addresses of individual computers attached to a network (ex. 192.168.254.254)
Protocols
● the rules and standards governing the design of hardware and software that permit users of networks, which different vendors have manufactured, to communicate and share data

What Functions Do Protocols Perform?
● they facilitate the physical connection between the network devices
● protocols synchronize the transfer of data between physical devices
● protocols provide a basis for error checking and measuring network performance
● protocols promote compatibility among network devices
● protocols promote network designs that are flexible, expandable, and cost effective
Layered Protocols

The International Organization for Standardization (ISO) has developed a layered reference model for network protocols called the Open Systems Interconnection (OSI) model.

OSI Model - provides standards by which the products of different manufacturers can interface with one another in a seamless interconnection at the user level

Purpose: create a modular environment that reduces complexity and permits changes to one layer without adversely affecting another
Internet Protocols
Transmission Control Protocol/Internet Protocol (TCP/IP)
● the basic protocol suite that permits communication between Internet sites
● controls how individual packets of data are formatted, transmitted, and received
● TCP is known as a reliable protocol because it acknowledges and retransmits packets until all of them are delivered in order; IP itself is best-effort, and neither provides confidentiality or authentication on its own

File Transfer Protocol (FTP)
● used to transfer text files, programs, spreadsheets, and databases across the Internet
● useful for downloading entire files from the Internet
● sends user names, passwords, and file contents in the clear; SFTP or FTPS should be used where confidentiality matters
Mail Protocols
Simple Mail Transfer Protocol (SMTP)
● the most popular protocol for transmitting e-mail messages (not to be confused with SNMP, the Simple Network Management Protocol used to monitor network devices)

Security Protocols
Secure Sockets Layer (SSL)
● a transport-level encryption scheme that sits beneath HTTP to secure Web transmissions (HTTPS); every SSL version is now deprecated and has been replaced by Transport Layer Security (TLS)

Private Communications Technology (PCT)
● a Microsoft security protocol, contemporary with SSL, that provided secure transactions over the Web by encrypting and decrypting messages for transmission; obsolete today
Secure Electronic Transaction (SET)
● an encryption scheme developed by a consortium of card networks and technology firms to secure credit card transactions; it was never widely deployed

Privacy Enhanced Mail (PEM)
● a standard for secure e-mail on the Internet
● supports encryption, digital signatures, and digital certificates as well as both private and public key methods
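As an added example (not from the slides), the difference between a weak and a hardened TLS client configuration using Python's standard ssl module, plus the check an auditor can run against any such context. The cipher string is an assumption; the point is that SSL-era settings (no certificate verification, no hostname check, old protocol versions) remain a common finding in application code.

```python
"""Weak versus hardened TLS client contexts, and an audit of either.
Added example using the standard library; the cipher string is an assumption."""
import ssl


def weak_client_context():
    """What 'it just works' code does: no certificate verification, no hostname
    check, and any protocol version the library still offers. Anyone on the
    network path can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context():
    """Verified certificates, hostname check, TLS 1.2 or newer, and only
    forward-secret AEAD cipher suites for TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def audit_context(ctx):
    """Findings an auditor would raise against a client SSLContext."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("SSL/early TLS versions are accepted")
    return findings


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The hardened context is what `create_default_context()` already gives on current Python versions; the weak one has to be built deliberately, which is exactly the pattern (often introduced to silence a certificate error) that a code review should look for.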

Network News Transfer Protocol

Network news transfer protocol (NNTP)
● used to connect to Usenet groups on the Internet
● Usenet newsreader software supports the NNTP protocol
HTTP and HTTP-NG

● HTTP is the protocol by which Web browsers request pages from Web servers.

Hypertext transport protocol–next generation (HTTP-NG)
● a W3C proposal for an enhanced version of HTTP that would keep the simplicity of HTTP while adding features such as security and authentication; the effort was discontinued, and later revisions of the protocol took the form of HTTP/2 and HTTP/3, with security provided by running HTTP over TLS (HTTPS)

HTML
Hypertext markup language (HTML)
● the document format used to produce Web pages
● defines the page layout, fonts, and graphic elements as well as hypertext links to other documents on the Web
● used to lay out information for display in an appealing manner
