Business Environment & Concepts
Terminology
Access Controls
An access control system is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. An access control system, within the field of physical security, is generally seen as the second layer in the security of a physical structure.
Access control is, in reality, an everyday phenomenon. A lock on a car door is essentially a form of access control. A PIN on an ATM system at a bank is another means of access control. A bouncer standing in front of a night club is perhaps a more primitive mode of access control (given the evident lack of information technology involved). The possession of access control is of prime importance when persons seek to secure important, confidential, or sensitive information and equipment.
Item control or electronic key management is an area within (and possibly integrated with) an access control system which concerns the managing of possession and location of small assets or physical (mechanical) keys.
Physical access
Physical access by a person may be allowed depending on payment, authorization, etc. Also there may be one-way traffic of people. These can be enforced by personnel such as a border guard, a doorman, a ticket checker, etc., or with a device such as a turnstile. There may be fences to avoid circumventing this access control. An alternative to access control in the strict sense (physically controlling access itself) is a system of checking authorized presence, for example a ticket controller in transportation. A variant is exit control, e.g. of a shop (checkout) or a country.
In physical security, the term access control refers to the practice of restricting entrance to a property, a building, or a room to authorized persons. Physical access control can be achieved by a human (a guard, bouncer, or receptionist), through mechanical means such as locks and keys, or through technological means such as access control systems like the Access control vestibule. Within these environments, physical key management may also be employed as a means of further managing and monitoring access to mechanically keyed areas or access to certain small assets.
Physical access control is a matter of who, where, and when. An access control system determines who is allowed to enter or exit, where they are allowed to exit or enter, and when they are allowed to enter or exit. Historically this was partially accomplished through keys and locks. When a door is locked only someone with a key can enter through the door depending on how the lock is configured. Mechanical locks and keys do not allow restriction of the key holder to specific times or dates. Mechanical locks and keys do not provide records of the key used on any specific door and the keys can be easily copied or transferred to an unauthorized person. When a mechanical key is lost or the key holder is no longer authorized to use the protected area, the locks must be re-keyed.
Electronic access control uses computers to solve the limitations of mechanical locks and keys. A wide range of credentials can be used to replace mechanical keys. The electronic access control system grants access based on the credential presented. When access is granted, the door is unlocked for a predetermined time and the transaction is recorded. When access is refused, the door remains locked and the attempted access is recorded. The system will also monitor the door and alarm if the door is forced open or held open too long after being unlocked.
Access control system operation
When a credential is presented to a reader, the reader sends the credential’s information, usually a number, to a control panel, a highly reliable processor. The control panel compares the credential's number to an access control list, grants or denies the presented request, and sends a transaction log to a database. When access is denied based on the access control list, the door remains locked. If there is a match between the credential and the access control list, the control panel operates a relay that in turn unlocks the door. The control panel also ignores a door open signal to prevent an alarm. Often the reader provides feedback, such as a flashing red LED for an access denied and a flashing green LED for an access granted.
The above description illustrates a single-factor transaction. Credentials can be passed around, thus subverting the access control list. For example, Alice has access rights to the server room but Bob does not. Alice either gives Bob her credential or Bob takes it; he now has access to the server room. To prevent this, two-factor authentication can be used. In a two-factor transaction, the presented credential and a second factor are needed for access to be granted. The second factor can be a PIN, a second credential, operator intervention, or a biometric input. Often the factors are characterized as:
- something you have, such as an access badge or passcard,
- something you know, e.g. a PIN or password,
- something you are, typically a biometric input.
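The panel decision described above (who, where, when, plus an optional second factor, with every transaction logged) can be sketched as follows. This is an added example, not code from the original page or from any real panel: the card numbers, door names, time windows and PIN are constructed, and the PBKDF2 PIN digest is an assumption about how a panel might store the second factor.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time

def pin_digest(pin, salt):
    # Keep a salted, stretched digest of the PIN on the panel, never the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass(frozen=True)
class Rule:
    door: str          # where
    days: frozenset    # when: weekdays, Monday = 0
    start: time
    end: time
    two_factor: bool   # door needs a PIN as well as the card

@dataclass
class Panel:
    acl: dict          # who: credential number -> list of Rule
    pins: dict         # credential number -> (salt, digest)
    log: list = field(default_factory=list)

    def request(self, card, door, when, pin=None):
        granted, reason = self._decide(card, door, when, pin)
        # Granted or refused, the transaction is recorded.
        verdict = "GRANT" if granted else "DENY"
        self.log.append((when.isoformat(), card, door, verdict, reason))
        return granted

    def _decide(self, card, door, when, pin):
        rules = [r for r in self.acl.get(card, []) if r.door == door]
        if not rules:
            return False, "credential not on access list for this door"
        now = when.time()
        rule = next((r for r in rules
                     if when.weekday() in r.days and r.start <= now <= r.end), None)
        if rule is None:
            return False, "outside permitted time"
        if rule.two_factor:
            enrolled = self.pins.get(card)  # no enrolled PIN means deny
            if enrolled is None or pin is None:
                return False, "second factor missing"
            salt, digest = enrolled
            if not hmac.compare_digest(pin_digest(pin, salt), digest):
                return False, "second factor wrong"
        return True, "ok"

def build_panel():
    # Constructed sample data: card 1001 is Alice's, card 1002 is Bob's.
    weekdays = frozenset(range(5))
    salt = b"constructed-salt"  # a real panel would use a random salt per card
    return Panel(
        acl={1001: [Rule("server-room", weekdays, time(7), time(19), True)],
             1002: [Rule("lobby", weekdays, time(7), time(19), False)]},
        pins={1001: (salt, pin_digest("4821", salt))},
    )

if __name__ == "__main__":
    panel = build_panel()
    tuesday = datetime(2024, 3, 5, 10, 0)
    panel.request(1001, "server-room", tuesday, pin="4821")   # Alice, card + PIN
    panel.request(1001, "server-room", tuesday)               # Bob holding Alice's card
    panel.request(1002, "server-room", tuesday)               # Bob's own card
    panel.request(1001, "server-room", datetime(2024, 3, 9, 10, 0), pin="4821")
    for entry in panel.log:
        print(entry)
```

With a single factor the second request would be granted, because the panel sees only Alice's card number; the denied attempt still lands in the log for review.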
Credential
A credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being, that enables an individual access to a given physical facility or computer-based information system. Typically, credentials can be something you know (such as a number or PIN), something you have (such as an access badge), something you are (such as a biometric feature) or some combination of these items. The typical credential is an access card, key fob, or other key. There are many card technologies including magnetic stripe, bar code, Wiegand, 125 kHz proximity, 26 bit card-swipe, contact smart cards, and contactless smart cards. Also available are key-fobs which are more compact than ID cards and attach to a key ring. Typical biometric technologies include fingerprint, facial recognition, iris recognition, retinal scan, voice, and hand geometry.
Credentials for an access control system are typically held within a database, which stores access credentials for all staff members of a given firm or organisation. Assigning access control credentials can be derived from the basic tenet of access control, i.e. who has access to a given area, why the person should have access to the given area, and where given persons should have access to. As an example, in a given firm, senior management figures may need general access to all areas of an organisation. ICT staff may need primary access to computer software, hardware and general computer-based information systems. Janitors and maintenance staff may need chief access to service areas, cleaning closets, electrical and heating apparatus, etc.
Access control system components
An access control point can be a door, turnstile, parking gate, elevator, or other physical barrier where granting access can be electrically controlled. Typically the access point is a door. An electronic access control door can contain several elements. At its most basic there is a stand-alone electric lock. The lock is unlocked by an operator with a switch. To automate this, operator intervention is replaced by a reader. The reader could be a keypad where a code is entered, it could be a card reader, or it could be a biometric reader. Readers do not usually make an access decision but send a card number to an access control panel that verifies the number against an access list. To monitor the door position a magnetic door switch is used. In concept the door switch is not unlike those on refrigerators or car doors. Generally only entry is controlled and exit is uncontrolled. In cases where exit is also controlled a second reader is used on the opposite side of the door. In cases where exit is not controlled (free exit), a device called a request-to-exit (REX) is used. Request-to-exit devices can be a pushbutton or a motion detector. When the button is pushed or the motion detector detects motion at the door, the door alarm is temporarily ignored while the door is opened. Exiting a door without having to electrically unlock the door is called mechanical free egress. This is an important safety feature. In cases where the lock must be electrically unlocked on exit, the request-to-exit device also unlocks the door.
Accounting Information System (AIS)
An accounting information system (AIS) is the system of records a business keeps to maintain its accounting system. This includes the purchase, sales, and other financial processes of the business. The purpose of an AIS is to accumulate data and provide decision makers (investors, creditors, and managers) with information.
While this was previously a paper-based process, most businesses now use accounting software. In an electronic financial accounting system, the steps in the accounting cycle are dependent upon the system itself. For example, some systems allow direct journal posting to the various ledgers and others do not.
Accounting Information Systems (AISs) combine the study and practice of accounting with the design, implementation, and monitoring of information systems. Such systems use modern information technology resources together with traditional accounting controls and methods to provide users the financial information necessary to manage their organizations.
AIS Technology
Input: The input devices commonly associated with AIS include: standard personal computers or workstations running applications; scanning devices for standardized data entry; electronic communication devices for electronic data interchange (EDI) and e-commerce. In addition, many financial systems come "Web-enabled" to allow devices to connect to the World Wide Web.
Process: Basic processing is achieved through computer systems ranging from individual personal computers to large-scale enterprise servers. However, conceptually, the underlying processing model is still the "double-entry" accounting system initially introduced in the fifteenth century.
Output: Output devices used include computer displays, impact and nonimpact printers, and electronic communication devices for EDI and e-commerce. The output content may encompass almost any type of financial reports from budgets and tax reports to multinational financial statements.
Application Controls
Application controls apply to the processing of individual accounting applications and help ensure the completeness and accuracy of transaction processing, authorization, and validity. Types of application controls include:
- Data Capture Controls – ensure that all transactions are recorded in the application system, transactions are recorded only once, and rejected transactions are identified, controlled, corrected, and reentered into the system.
- Data Validation Controls – ensure that all transactions are properly valued.
- Processing Controls – ensure the proper processing of transactions.
- Output Controls – ensure that computer output is not distributed or displayed to unauthorized users.
- Error Controls – ensure that errors are corrected and resubmitted to the application system at the correct point in processing.
Application controls may be compromised by the following application risks:
- Weak security
- Unauthorized access to data and unauthorized remote access
- Inaccurate information and erroneous or falsified data input
- Misuse by authorized end users
- Incomplete processing and/or duplicate transactions
- Untimely processing
- Communication system failure
- Inadequate training and support
Tests of Controls
Tests of controls are audit procedures performed to evaluate the effectiveness of either the design or the operation of an internal control. Tests of controls directed toward the design of the control focus on evaluating whether the control is suitably designed to prevent material weaknesses. Tests of controls directed toward the operation of the control focus on assessing how the control was applied, the consistency with which it was applied, and who applied it. In addition to inquiring with appropriate personnel and observing the application of the control, an IT auditor's main focus when testing the controls is to re-perform the application of the control itself.
Application Firewall
A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria.
Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques:
- Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. However, it is susceptible to IP spoofing.
- Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
- Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
- Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
Application Software
Application software is computer software designed to help the user perform a particular task. Such programs are also called software applications, applications or apps. Typical examples are word processors, spreadsheets, media players and database applications.
Application software should be contrasted with system software (infrastructure) or middleware (computer services/ processes integrators), which is involved in integrating a computer's various capabilities, but typically does not directly apply them in the performance of tasks that benefit the user. A simple, if imperfect analogy in the world of hardware would be the relationship of an electric light bulb (an application) to an electric power generation plant (a system). The power plant merely generates electricity, not itself of any real use until harnessed to an application like the electric light that performs a service that benefits the user.
In computer science, an application is a computer program designed to help people perform a certain type of work. An application thus differs from an operating system (which runs a computer), a utility (which performs maintenance or general-purpose chores), and a programming language (with which computer programs are created). Depending on the work for which it was designed, an application can manipulate text, numbers, graphics, or a combination of these elements. Some application packages offer considerable computing power by focusing on a single task, such as word processing; others, called integrated software, offer somewhat less power but include several applications. [1]
User-written software tailors systems to meet the user's specific needs. User-written software include spreadsheet templates, word processor macros, scientific simulations, graphics and animation scripts. Even email filters are a kind of user software. Users create this software themselves and often overlook how important it is.
The delineation between system software such as operating systems and application software is not exact, however, and is occasionally the object of controversy. For example, one of the key questions in the United States v. Microsoft antitrust trial was whether Microsoft's Internet Explorer web browser was part of its Windows operating system or a separable piece of application software. As another example, the GNU/Linux naming controversy is, in part, due to disagreement about the relationship between the Linux kernel and the operating systems built over this kernel. In some types of embedded systems, the application software and the operating system software may be indistinguishable to the user, as in the case of software used to control a VCR, DVD player or microwave oven.
Audit Software
Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATS), also known as Computer Assisted Audit Tools and Techniques (CAATTs), is a growing field within the Financial audit profession. CAATTs is the practice of using computers to automate or simplify the audit process. In the broadest sense of the term, CAATTs can refer to any use of a computer during the audit. This would include utilizing basic software packages such as SAS, Excel, Access, Crystal Reports, Cognos, Business Objects, and also word processors. In practice, however, CAATTs has become synonymous with incorporating Data analytics into the audit process. This is one of the emerging fields within the audit profession.
Traditional Audit Example
Traditionally auditors have been criticized because they reach conclusions based upon limited samples. It is not uncommon for an auditor to sample 30-50 transactions and declare a problem or conclude that "controls appear to be effective." Management upon hearing the verdict of the auditors may question the validity of the audit conclusions. Management realizes that they conduct thousands or perhaps millions of transactions a year and the auditor only sampled a handful. The auditor will then state that they conducted the sample based upon Generally Accepted Audit Standards (GAAS) and that their sample was statistically valid. The auditor is then forced to defend their methodology.
Another common criticism of the audit profession occurs after a problem emerges. Whenever a problem emerges within a department, management might ask, "Where were the auditors?" If the audit department had reviewed the area recently it becomes a sticky situation as the Audit Manager attempts to explain that the reason the problem wasn't identified was that the problem was outside of the scope of the audit. The Audit Manager might also try to explain that the sample was "a statistically valid sample with a 95% confidence level." The Audit Committee doesn't care that the audit was conducted according to GAAS; they only care that a problem went unnoted by the audit department.
CAATTs Alternative
CAATTs addresses these problems. CAATTs, as it is commonly used, is the practice of analyzing large volumes of data looking for anomalies. A well designed CAATTs audit will not be a sample, but rather a complete review of all transactions. Using CAATTs the auditor will extract every transaction the business unit performed during the period reviewed. The auditor will then test that data to determine if there are any problems in the data. For example, using CAATTs the auditor can find invalid Social Security Numbers (SSN) by comparing the SSN to the issuing criteria of the Social Security Administration. The CAATTs auditor could also easily look for duplicate vendors or transactions. When such a duplicate is identified, they can approach management with the knowledge that they tested 100% of the transactions and that they identified 100% of the exceptions.
Traditional Audit vs CAATTs on Specific Risks
Another advantage of CAATTs is that it allows auditors to test for specific risks. For example, an insurance company may want to ensure that it doesn't pay any claims after a policy is terminated. Using traditional audit techniques this risk would be very difficult to test. The auditor would "randomly select" a "statistically valid" sample of claims (usually 30-50). They would then check to see if any of those claims were processed after a policy was terminated. Since the insurance company might process millions of claims, it is extremely unlikely that any of those 30-50 "randomly selected" claims occurred after the policy was terminated. Even if one or two of those claims were for a date of service after the policy termination date, what does that tell the auditor?
Using CAATTs the auditor can select every claim that had a date of service after the policy termination date. The auditor then can determine if any claims were inappropriately paid. If they were, the auditor can then figure out why the controls to prevent this failed. In a real life audit, the CAATTs auditor noted that a number of claims had been paid after policies were terminated. Using CAATTs the auditor was able to identify every claim that was paid and the exact dollar amount incorrectly paid by the insurance company. Furthermore, the auditor was able to identify the reason why these claims were paid. The reason why they were paid was because the participant paid their premium. The insurance company, having received a payment, paid the claims. Then after paying the claim the participant's check bounced. When the check bounced, the participant's policy was retroactively terminated, but the claim was still paid costing the company hundreds of thousands of dollars per year.
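The full-population test described above, together with the duplicate check mentioned under "CAATTs Alternative", can be written as a short script. This is an added example, not part of the original page: the two CSV extracts, their column names and all values are constructed, and treating a service date equal to the termination date as still covered is an assumption.

```python
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed extracts standing in for the policy master file and the claims file.
POLICIES = """policy_id,terminated_on
P-100,2023-06-30
P-200,
P-300,2023-03-15
"""
CLAIMS = """claim_id,policy_id,service_date,paid_amount
C-1,P-100,2023-05-02,120.00
C-2,P-100,2023-07-10,450.50
C-3,P-200,2023-08-01,80.00
C-4,P-300,2023-03-15,60.00
C-5,P-300,2023-04-01,300.00
C-6,P-300,2023-04-01,300.00
C-7,P-999,2023-04-01,10.00
"""

def read(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_claims(policies_csv, claims_csv):
    # Empty terminated_on means the policy is still in force.
    terminated = {p["policy_id"]: date.fromisoformat(p["terminated_on"])
                  if p["terminated_on"] else None
                  for p in read(policies_csv)}
    claims = read(claims_csv)
    exceptions, unmatched, groups = [], [], defaultdict(list)
    for c in claims:
        amount = Decimal(c["paid_amount"])  # Decimal avoids float rounding on money
        service = date.fromisoformat(c["service_date"])
        # Same policy, service date and amount is a candidate duplicate payment.
        groups[(c["policy_id"], service, amount)].append(c["claim_id"])
        if c["policy_id"] not in terminated:
            # Report claims with no policy record instead of silently dropping them.
            unmatched.append(c["claim_id"])
            continue
        end = terminated[c["policy_id"]]
        if end is not None and service > end:
            exceptions.append((c["claim_id"], amount))
    return {
        "tested": len(claims),
        "exceptions": exceptions,
        "total_paid_after_termination": sum((a for _, a in exceptions), Decimal("0")),
        "duplicates": [ids for ids in groups.values() if len(ids) > 1],
        "unmatched": unmatched,
    }

if __name__ == "__main__":
    for key, value in review_claims(POLICIES, CLAIMS).items():
        print(key, value)
```

The `tested` count and the `unmatched` list belong in the working papers alongside the exceptions: they show that every extracted record was evaluated and which records could not be evaluated at all.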
Which looks better in an audit report:
"Audit reviewed 50 transactions and noted one transaction that was processed incorrectly"
or
"Audit utilized CAATTS and tested every transaction over the past year. We noted XXX exceptions wherein the company paid YYY dollars on terminated policies."
However, the CAATTs-driven review is limited only to the data saved on files in accordance with a systematic pattern. Much data is never documented this way. In addition, saved data often contains deficiencies, is poorly classified, is not easy to get, and it might be hard to become convinced about its integrity. So, for the present, CAATTs is a complement to an auditor's tools and techniques. In certain audits CAATTs can't be used at all. But there are also audits which simply can't be made with due care and efficiently without CAATTs.