Problems on IT Controls Part II,Security and Access.
Problems
1. OPERATING SYSTEM AND NETWORK CONTROL
Describe a well-controlled system in terms of access controls for a major insurance company that equips each salesperson (life, property, and investments) with a lap- top. Each salesperson must transmit sales data daily to corporate headquarters. Further, the salespeople use their laptops to connect to the company’s e-mail system.
2. OPERATION SYSTEM CONTROLS
In 2002, Mr. Rollerball started Mighty Mouse, Inc., a small, 75-employee firm that produces and sells wire- less keyboards and other devices to vendors through its manufacturing plant in Little Rock, Arkansas. In its first 2 years of business, MM saw a substantial growth in sales and at current capacity was unable to keep up with demand. To compete, MM enlarged its manufacturing facilities. The new facility increased to 250 employees. During this period of expansion, MM has paid little attention to internal control procedures.
Security
Recently, systems problems and hardware failures have caused the operating system to crash. Mr. Rollerball was extremely concerned to discover that confidential company information had been printed out on the print- ers as a result of these crashes. Also, important digital documents were erased from storage media.
Malicious programs such as viruses, worms, and Trojan horses have plagued the company and caused significant data corruption. MM has devoted significant funds and time trying to fix the damage caused to its operating system.
Out of necessity to get the job done, as well as for philosophical reasons, system administrators and programmers have provided users relatively free access to the operating system. Restricting access was found to inhibit business and impede recovery from systems failures. From the outset, an open approach was regarded as an efficient and effective way to ensure that everyone obtained the information they needed to per- form their jobs.
Required
a. What internal control problems do you find?
b. How can MM improve internal controls?
3. INTERNAL CONTROL AND FRAUD
Charles Hart, an accounts payable clerk, is an hourly employee. He never works a minute past 5 PM unless the overtime has been approved. Charles has recently found himself faced with some severe financial difficulties. He has been accessing the system from his home during the evening and setting up an embezzlement scheme. As his boss, what control technique(s) discussed in this chapter could you use to help detect this type of fraud?
4. INTERNAL CONTROL AND FRAUD
Stephanie Baskill, an unemployed accounting clerk, lives one block from Cleaver Manufacturing Company. While walking her dog last year, she noticed some ERP manuals in the dumpsters. Curious, she took the manuals home with her. She found that the documentation in the manual was dated 2 months previous, so she thought that the in- formation must be fairly current. Over the next month, Stephanie continued to collect all types of manuals from the dumpster during her dog-walking excursions. Cleaver Manufacturing Company was apparently updating all of its documentation manuals and placing them online. Eventually, Stephanie found manuals about critical in- ventory reorder formulas, the billing system, the sales order system, the payables system, and the operating sys- tem. Stephanie went to the local library and read as much as she could about this particular operating system.
To gain access to the organization, she took a low- profile position as a cleaning woman, giving her access to all areas in the building. While working, Stephanie snooped through offices, watched people who were working late type in their passwords, and guessed pass- words. She ultimately printed out lists of user IDs and passwords using a Trojan horse virus, thus obtaining all the necessary passwords to set herself up as a supplier, customer, systems operator, and systems librarian.
As a customer, she ordered enough goods to trigger the automatic inventory procurement system to purchase more raw materials. Then, as a supplier, Stephanie would deliver the goods at the specified price. She then adjusted the transaction logs once the bills were paid to cover her tracks. Stephanie was able to embezzle, on average, $125,000 a month. About 16 months after she began working at Cleaver, the controller saw her at a very ex- pensive French restaurant one evening, driving a Jaguar. He told the internal auditors to keep a close watch on her, and they were able to catch her in the act.
Required
a. What weaknesses in the organization’s control struc- ture must have existed to permit this type of embez- zlement?
b. What specific control techniques and procedures could have helped prevent or detect this fraud?
5. INPUT CONTROLS AND NETWORKING
A global manufacturing company has over 100 subsidiaries worldwide reporting to it each month. The reporting units prepare the basic financial statements and other key financial data on prescribed forms, which are reporting period by 3 days. He is, however, concerned about security and data integrity during the transmis- sion. He has scheduled a meeting with key personnel from the systems department to discuss these concerns.
Required
The company could experience data security and integ- rity problems when transmitting data between the reporting units and corporate headquarters.
a. Identify and explain the data security and integrity problems that could occur.
b. For each problem identified, describe a control procedure that could be employed to minimize or eliminate the problem. Use the following format to present your answer.
e-mailed or faxed to the corporate headquarters. The financial data are then entered into the corporate database from which consolidated statements are prepared for internal planning and decision making.
Problem Identification and Explanation
Control Procedure and Explanation
Current reporting policy requires that the subsidiaries provide the previous month’s reports by the tenth work- ing day of each new month. Accounting department staff log and enter the reports into the database. Approximately 15 percent of the reporting units are delinquent in submit- ting their reports, and 3 to 4 days are required to enter all the data into the database. After the data are loaded into the system, data verification programs are run to check footings, cross-statement consistency, and dollar range limits. Any errors in the data are traced and corrected, and reporting units are notified of all errors via e-mail.
The company has decided to upgrade its computer communications network with a new system that will support more timely receipt of data at corporate head- quarters. The systems department at corporate head- quarters is responsible for the overall design and implementation of the new system. It will use current computer communications technology and install LANs, PCs, and servers at all reporting units.
The new system will allow clerks at the remote sites to send financial data to the corporate office via the Inter- net. The required form templates will be downloaded to the remote sites along with the data verification pro- grams. The clerks will enter data into the forms to create a temporary file, which data verification programs will check for errors. All corrections can thus be made before transmitting the data to headquarters. The data would be either transmitted to corporate headquarters immediately or the corporate headquarters computer would retrieve it from disk storage at the remote site as needed. Data used at corporate headquarters would therefore be free from errors and ready for consolidation.
The company’s controller is pleased with the pros- pects of the new system, which should shorten the
6. PREVENTIVE CONTROLS
Listed here are five scenarios. For each scenario, dis- cuss the possible damages that can occur. Suggest a preventive control.
a. An intruder taps into a telecommunications device and retrieves the identifying codes and personal identification numbers for ATM cardholders. (The user subsequently codes this information onto
a magnetic coding device and places this strip on a piece of cardboard.)
b. Because of occasional noise on a transmission line, electronic messages received are extremely garbled.
c. Because of occasional noise on a transmission line, data being transferred is lost or garbled.
d. An intruder is temporarily delaying important strate- gic messages over the telecommunications lines.
e. An intruder is altering electronic messages before the user receives them.
7. OPERATING SYSTEM EXPOSURES AND CONTROLS
Listed here are five scenarios. For each scenario, dis- cuss the potential consequences and give a prevention technique.
a. The systems operator opened a bag of burned micro- wave popcorn directly under a smoke detector in the computing room where two mainframes, three high- speed printers, and approximately 40 tapes are housed. The extremely sensitive smoke detector triggered the sprinkler system. Three minutes passed before the sprinklers could be turned off.
b. A system programmer intentionally placed an error into a program that causes the operating system to fail and dump certain confidential information to disks and printers.
c. Jane’s employer told her she would be laid off in 3 weeks. After 2 weeks, Jane realized that finding another secretarial job was going to be very tough. She became bitter. Her son told her about a virus that had infected his school’s computers and that one of his disks had been infected. Jane took the infected disk to work and copied it onto the network server, which is connected to the company’s mainframe. One month later, the company realized that some data and application programs had been destroyed.
d. Robert discovered a new sensitivity analysis public- domain program on the Internet. He downloaded the software to his microcomputer at home, then took the application to work and placed it onto his net- worked personal computer. The program had a virus on it that eventually spread to the company’s mainframe.
e. Murray, a trusted employee and a systems engineer, had access to both the computer access control list and user passwords. The firm’s competitor recently hired him for twice his salary. After leaving, Murray continued to browse through his old employer’s data, such as price lists, customer lists, bids on jobs, and so on. He passed this information on to his new employer.
8. DATABASE AUTHORIZATION TABLE
The following information is stored in two relational database files:
9. SECURITY AND CONTROL ASSESSMENT
Brew Bottle Company (BBC) is in the process of planning a more advanced computer-based information sys- tem. Slavish & Moore, LLP, BBC’s consulting firm, have recently been provided with an overview of their proposed plan:
The Brew Bottle Company Information System (BBCIS) will be created with the help of its employees so that the system will function effectively. This helps ensure that the end product will perform the tasks that the user wants. System construction will begin with proto- typing, computer-aided software engineering (CASE) technology, and Gantt charts. From here, systems professionals and a systems administrator who will work full- time for BBC will create data models of the business process, define conceptual user views, design database tables, and specify system controls. Each user in each department will submit a written description of his or her needs and business problems to the systems professionals. Systems professionals will then perform analysis of feasibility and system design. Each aspect of the sys- tem will be properly documented for control reasons; this will help if problems arise in the future stages of development and is essential to long-term system success.
The new systems administrator will determine access privileges, maintain the access control list, and maintain the database authorization table. Anyone requesting access will fill out a petition, which the systems administrator must approve and sign. The administrator will have sole access to the transaction log, which will be used to record all changes made to a file or database. This infor- mation will help detect unauthorized access, reconstruct events if needed, and promote personal accountability. The systems administrator will also be responsible for updating virus protection weekly so that viruses planted intentionally or accidentally will not damage the system. One of the most important tasks of the systems administrator will be to copy databases and system documentation for critical applications to tape or disk on a daily basis. These disks and tapes will be stored in a secure location away from the company property.
Employees requiring computer access will be given
a user name and password that will be entered when logging on to their computer terminal. A dialog box will appear when the system is turned on and this information will be entered. Correct entry of information will give the user access; if information is entered
incorrectly, the user will not be granted access. Further- more, if a computer terminal is left idle for more than 5 minutes, a password will be needed to regain access. For security reasons, users will be required to change their passwords once every year.
Hardware will be purchased from Bell Computer
Company with the advice of in-house systems developers. With the exception of basic applications, user departments will purchase computer software, which will be added to the system.
BBCIS will run off of a computing center located in the company’s administration building adjacent to the factory. Access to the computing center will require for- mal authorization. When entering the room, there will be two security guards. Authorized employees will need to swipe their ID cards to pass though security. Times will be recorded when employees swipe their cards for entrance and exit. The actual room that houses the computer systems will have an advanced air-conditioning and air filtration system to eliminate dust and pollens. There will also be a sprinkler system to minimize dam- ages in case of a fire.
Required
Based on BBC’s plans for the implementation of a new computer system, describe the potential risks and needed controls. Classify these according to the relevant areas of the COSO framework.
Comments
Post a Comment