Summary of IT Controls Part II, Security and Access.
Summary
This chapter continues the discussion of IT general controls and audit tests begun in Chapter 15. It examines the risks and controls over operating systems, database management systems, networks, and EDI systems. The principal threats to the operating system are (1) unauthorized access, (2) intentional or unintentional insertion of viruses, and (3) loss of data due to system malfunctions.
Unauthorized access to the database can be effectively controlled through the use of well-designed user views, authorization rules, user-defined procedures, and data encryption. Backup and recovery techniques can be used to safeguard data against system malfunctions. Networks and communication links are susceptible to exposures from both criminal subversion and equipment failure. Subversive threats can be minimized through a variety of security and access control measures, including firewalls, IPS, DPI, data encryption, and call-back devices. Equipment failure usually takes the form of line errors caused by noise in communications lines. These can be effectively reduced through echo checks and parity checks.
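As an added illustration of the two line-error controls named above (example code, not from the chapter), the following Python frames each character with an even-parity bit, runs a receiver-side parity check, and performs an echo check. It goes one step beyond the summary by also computing a horizontal (block) parity across the frames, which catches a two-bit error in one character that a single parity bit misses. The message and the bit flips are constructed for the demonstration.

```python
# Added example (not from the chapter): parity check and echo check as
# controls against line noise. Each 7-bit ASCII character is framed with an
# even-parity bit in bit 7; the receiver recomputes parity per frame.

def add_parity_bit(code: int) -> int:
    """Frame a 7-bit character code with an even-parity bit in bit 7."""
    code &= 0x7F
    ones = bin(code).count("1")
    return code | ((ones & 1) << 7)

def has_even_parity(frame: int) -> bool:
    """True when the 8-bit frame carries an even number of 1 bits."""
    return bin(frame & 0xFF).count("1") % 2 == 0

def encode(text: str) -> list:
    """Sender: build the list of 8-bit frames for a message."""
    return [add_parity_bit(ord(c)) for c in text]

def horizontal_parity(frames: list) -> int:
    """Block check byte: even parity of each bit column across all frames."""
    bcc = 0
    for f in frames:
        bcc ^= f
    return bcc

def flip_bits(frames: list, hits: list) -> list:
    """Constructed line noise: hits is a list of (frame_index, bit) to flip."""
    out = list(frames)
    for idx, bit in hits:
        out[idx] ^= 1 << bit
    return out

def parity_check(frames: list) -> list:
    """Receiver: indices of frames whose per-character (vertical) parity fails."""
    return [i for i, f in enumerate(frames) if not has_even_parity(f)]

def block_check_ok(frames: list, sent_bcc: int) -> bool:
    """Receiver: does the recomputed horizontal parity match the one sent?"""
    return horizontal_parity(frames) == sent_bcc

def echo_check(sent: list, echoed: list) -> list:
    """Sender: indices where the receiver's echo differs from what was sent."""
    return [i for i, (s, e) in enumerate(zip(sent, echoed)) if s != e]
```

A single flipped bit is caught by the per-character parity; two flipped bits in the same character slip past it but are caught by the block check or by the echo check.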
The discussion then turned to EDI, where firms are faced with a variety of exposures that arise in connection with an environment void of human intermediaries to authorize or review transactions. Controls in an EDI environment are achieved primarily through programmed procedures to authorize transactions, limit access to data files, and ensure that transactions the system processes are valid.