

  • Number of slides: 17

Output Controls
• Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.
• Exposures of this sort can cause serious disruptions to operations and may result in financial losses to a firm.
• For example, if the checks produced by a firm’s cash disbursements system are lost, misdirected, or destroyed, trade accounts and other bills may go unpaid.

Controlling Batch Systems Output
• See Figure 6-12 for an illustration.
• Each stage in this process is a point of potential exposure where the output could be reviewed, stolen, copied, or misdirected.

Output Spooling
• Output from different applications is directed to disk rather than directly to the printer to avoid a bottleneck; later, when printer resources become available, the output files are printed.
• Exposure: a computer criminal may use this opportunity to perform any of the unauthorized acts listed on page 232.
• Auditors should be aware of these exposures and ensure that proper access control is in place to protect output files.

Print Program Controls
• Aims to deal with two types of exposures:
  – production of unauthorized copies of output (this can be controlled if output documents are pre-numbered; otherwise, supervision is needed)
  – employee browsing of sensitive data (can use multipart paper with the top copy colored black to prevent the print from being read)

Bursting
• When output reports are removed from the printer, they go to the bursting stage to have their pages separated and collated.
• The primary control is supervision.

Waste
• Computer output waste represents a potential exposure.
• Passing sensitive output through a paper shredder is one possible solution.

Controlling Real-Time Systems Output
• Real-time systems direct their output to the user’s computer screen, terminal, or printer.
• The primary threat to real-time output is the interception, disruption, destruction, or corruption of the output message as it passes along the communication link.

Controlling Real-Time Systems Output
• Two types of exposures:
  – exposures from equipment failure
    • Solutions: parity/ECC (e.g., Hamming code)
  – exposures from subversive acts, whereby a computer criminal intercepts the output message transmitted between the sender and the receiver
    • Solution: encryption/decryption
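As an added example (not part of the original slides), the Hamming code named above, implemented as a Hamming(7,4) encoder/decoder: it shows why ECC, unlike plain parity, lets the receiver not only detect but also correct a single bit corrupted on the link. The bit layout assumed is the standard p1 p2 d1 p3 d2 d3 d4.

```python
# Added example, not from the slides: Hamming(7,4) encode/decode showing how
# ECC lets the receiver both detect and correct a single bit flipped on the
# link, where plain parity could only detect it. Bit layout is the standard
# p1 p2 d1 p3 d2 d3 d4 (positions 1..7, position 1 leftmost).

def hamming74_encode(nibble):
    """Encode 4 data bits into a 7-bit codeword with three check bits."""
    d1, d2, d3, d4 = (nibble >> 3) & 1, (nibble >> 2) & 1, (nibble >> 1) & 1, nibble & 1
    p1 = d1 ^ d2 ^ d4          # covers positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4          # covers positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4          # covers positions 4, 5, 6, 7
    bits = [p1, p2, d1, p3, d2, d3, d4]
    return int("".join(str(b) for b in bits), 2)

def hamming74_decode(codeword):
    """Return (nibble, syndrome). A non-zero syndrome is the 1-based position
    of the single bit that was flipped; that bit is corrected before decoding."""
    bits = [(codeword >> (6 - i)) & 1 for i in range(7)]
    p1, p2, d1, p3, d2, d3, d4 = bits
    s1 = p1 ^ d1 ^ d2 ^ d4     # recompute each check over the positions it covers
    s2 = p2 ^ d1 ^ d3 ^ d4
    s3 = p3 ^ d2 ^ d3 ^ d4
    syndrome = s1 | (s2 << 1) | (s3 << 2)   # equals the error position, 0 if clean
    if syndrome:
        bits[syndrome - 1] ^= 1
    _, _, d1, _, d2, d3, d4 = bits
    return (d1 << 3) | (d2 << 2) | (d3 << 1) | d4, syndrome

def flip_bit(codeword, position):
    """Simulate link noise: flip the bit at the given 1-based position."""
    return codeword ^ (1 << (7 - position))

def transmit_with_noise(nibble, position):
    """Encode, corrupt one bit in transit, decode; returns (recovered_nibble, syndrome)."""
    return hamming74_decode(flip_bit(hamming74_encode(nibble), position))
```

Two flipped bits exceed what Hamming(7,4) can correct, which is why a link with burst errors needs a stronger code or retransmission on top of this.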

Testing Computer Application Controls
• Designed to provide information about the accuracy and completeness of an application’s processes.
• Two general approaches:
  – black box approach: does not rely on detailed knowledge of the application’s internal logic
  – white box approach: relies on in-depth understanding of the internal logic of the application being tested

Black Box Approach
• Seeks to understand the functional characteristics of the application by analyzing flowcharts and interviewing knowledgeable personnel in the client’s organization.
• Auditors test the application by reconciling production input transactions processed by the application with the output results.
• Output results are analyzed to verify the application’s compliance with its functional requirements.

White Box Approach
• These techniques use a small number of specially created test transactions to verify specific aspects of the application’s logic and controls.
• Some common types of tests of controls:
  – authenticity tests: verify that an individual, a programmed procedure, or a message attempting to access a system is authentic
  – accuracy tests: ensure that the system processes only data values that conform to specified tolerances, e.g., range tests, field tests, and limit tests

White Box Approach (cont)
• Some common types of tests of controls:
  – completeness tests: identify missing data within a single record and entire records missing from a batch, e.g., field tests, record sequence tests, hash totals, and control totals
  – redundancy test: determine that an application processes each record only once
  – access test: ensure that the application prevents authorized users from unauthorized access to data
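As an added example (not part of the original slides), the batch-level completeness and redundancy tests from this slide run over a constructed batch of disbursement records. The header figures and the records are invented for the illustration; the batch was built so that the record count and control total still agree, which shows why a hash total and a record sequence test are needed alongside them.

```python
# Added example, not from the slides: completeness and redundancy tests over a
# constructed batch of disbursement records. The header carries the figures the
# submitting department computed; the tests recompute each one. The record
# count and control total still agree here because the duplicated record and
# the missing record carry the same amount; the hash total and the sequence
# test are what expose the problem.

BATCH_HEADER = {"record_count": 4, "control_total": 1250.00, "hash_total": 4047}

# Constructed input: record 3 is missing and record 2 was submitted twice.
BATCH_RECORDS = [
    {"seq": 1, "account": 1011, "amount": 400.00},
    {"seq": 2, "account": 1012, "amount": 350.00},
    {"seq": 2, "account": 1012, "amount": 350.00},
    {"seq": 4, "account": 1011, "amount": 150.00},
]

def sequence_test(records):
    """Completeness: report gaps in the record sequence numbers."""
    present = {r["seq"] for r in records}
    if not present:
        return []
    return [f"missing sequence number {n}"
            for n in range(min(present), max(present) + 1) if n not in present]

def redundancy_test(records):
    """Redundancy: report any record that appears more than once."""
    seen, findings = set(), []
    for r in records:
        if r["seq"] in seen:
            findings.append(f"duplicate record {r['seq']}")
        seen.add(r["seq"])
    return findings

def control_figure_tests(header, records):
    """Completeness: recompute record count, control total and hash total
    (the hash total sums account numbers and is meaningful only as a control)."""
    recomputed = {
        "record_count": len(records),
        "control_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["account"] for r in records),
    }
    return [f"{name} mismatch: header {header[name]} vs recomputed {value}"
            for name, value in recomputed.items() if header[name] != value]

def run_batch_checks(header, records):
    """Run all batch-level tests and return the combined exception list."""
    return (sequence_test(records) + redundancy_test(records)
            + control_figure_tests(header, records))
```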

White Box Approach (cont)
• Some common types of tests of controls:
  – audit trail test: ensure that the application creates an adequate audit trail (this includes evidence that the application records all transactions in a transaction log)
  – rounding error tests: verify the correctness of rounding procedures (salami fraud takes its name from the analogy of slicing a large salami into many thin pieces; each victim absorbs one of the small pieces and is unaware of being defrauded)
• See "Software testing" from Wikipedia in the relevant links.
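As an added example (not part of the original slides), a rounding error test for an interest run: every posting is recomputed with the approved rounding procedure and compared with what was posted. The balances, rate and posting file are constructed; the posting file was built so that its grand total reconciles with the expected total, which is exactly the situation a control-total check alone would pass and a per-account recomputation catches.

```python
# Added example, not from the slides: a rounding error test that recomputes
# each interest posting with the approved procedure (round half-up to the cent)
# and flags every deviation, plus any posting to an account that is not part
# of the run. The constructed posting file reconciles in total but not per line.
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def expected_interest(balances, rate):
    """The approved procedure: exact interest rounded half-up to the cent."""
    return {acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal in balances.items()}

def rounding_error_test(balances, rate, postings):
    """Recompute every posting and return the list of exceptions.
    A run whose grand total reconciles can still fail this test."""
    expected = expected_interest(balances, rate)
    findings = []
    for acct, exp in expected.items():
        posted = postings.get(acct, Decimal("0"))
        if posted != exp:
            findings.append(f"{acct}: posted {posted}, expected {exp}")
    for acct, amt in postings.items():
        if acct not in balances:
            findings.append(f"{acct}: {amt} posted to account outside the interest run")
    return findings

def totals_reconcile(balances, rate, postings):
    """Control-total check only: true for the constructed run even though it is wrong."""
    return sum(postings.values()) == sum(expected_interest(balances, rate).values())

# Constructed data: three balances, a 1.25% rate, and a posting file from a
# run that truncated one account's interest and parked the lost cent elsewhere.
BALANCES = {"A-100": Decimal("1234.56"), "B-200": Decimal("987.65"),
            "C-300": Decimal("555.55")}
RATE = Decimal("0.0125")
POSTINGS = {"A-100": Decimal("15.43"), "B-200": Decimal("12.34"),
            "C-300": Decimal("6.94"), "X-999": Decimal("0.01")}
```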

Test Data Method
• Used to establish application integrity by processing specially prepared sets of input data through the production applications that are under review.
• The results of each test are compared to predetermined expectations to obtain an objective evaluation of application logic.
• See Figures 6-16 and 6-17.

Creating Test Data
• When creating test data, auditors must prepare a complete set of both valid and invalid transactions.
• If test data are incomplete, auditors might fail to examine critical branches of application logic and error-checking routines.
• Test transactions should test every possible input error, logical process, and irregularity.
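As an added example (not part of the original slides), the test data method from the previous two slides applied to a small input-validation routine that implements the field, range and limit tests named under accuracy tests above. The validation routine, its error codes, the credit limit and the test deck are all constructed for the illustration; the deck deliberately omits one invalid case so the coverage check reports the error branch the auditor has not yet examined.

```python
# Added example, not from the slides: the test data method. A deck of valid and
# invalid transactions with predetermined expected results is run through a
# constructed validation routine, and a coverage check reports any error branch
# the deck never exercises (the "incomplete test data" case the slide warns of).
import re

CREDIT_LIMIT = 5000.00          # constructed limit for the limit test
ERROR_CODES = {"E01": "field test: customer id is not 6 digits",
               "E02": "field test: amount is not numeric",
               "E03": "range test: quantity outside 1-999",
               "E04": "limit test: amount exceeds credit limit",
               "E05": "sign test: amount is negative"}

def validate(txn):
    """Return the list of error codes raised for one sales transaction."""
    errors = []
    if not re.fullmatch(r"\d{6}", str(txn.get("customer", ""))):
        errors.append("E01")
    try:
        amount = float(txn.get("amount", ""))
    except (TypeError, ValueError):
        errors.append("E02")
        amount = None
    if not 1 <= int(txn.get("quantity", 0)) <= 999:
        errors.append("E03")
    if amount is not None and amount > CREDIT_LIMIT:
        errors.append("E04")
    if amount is not None and amount < 0:
        errors.append("E05")
    return errors

# Constructed test deck: each entry pairs a transaction with its expected result.
TEST_DECK = [
    ({"customer": "123456", "amount": "250.00", "quantity": 3}, []),
    ({"customer": "12345", "amount": "250.00", "quantity": 3}, ["E01"]),
    ({"customer": "123456", "amount": "25O.00", "quantity": 3}, ["E02"]),
    ({"customer": "123456", "amount": "250.00", "quantity": 0}, ["E03"]),
    ({"customer": "123456", "amount": "6000.00", "quantity": 1}, ["E04"]),
]

def run_test_deck(deck):
    """Run each test transaction; report where the actual result differs
    from the predetermined expectation."""
    mismatches = []
    for txn, expected in deck:
        actual = validate(txn)
        if actual != expected:
            mismatches.append((txn, expected, actual))
    return mismatches

def untested_branches(deck):
    """Error codes that no transaction in the deck triggers."""
    exercised = {code for txn, _ in deck for code in validate(txn)}
    return sorted(set(ERROR_CODES) - exercised)
```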

Tracing
• Walk through the application’s logic.
• See page 241 for an example.

Integrated Test Facility (ITF)
• An automated technique that enables the auditor to test an application’s logic and controls during normal operation.
• ITF is one or more audit modules designed into the application during system development.
• ITF audit modules are designed to discriminate between ITF transactions and routine production data.
• See Figure 6-19 on page 243.