Evaluation of Network Operating System Security Controls

Article excerpt

ABSTRACT: Systems and financial statement auditors are often responsible for evaluating compliance with system security controls as part of their annual audit procedures. This assignment provides a practical learning experience that relates your course material to actual tasks practitioners perform. You are provided with simulated data from a realistic company example and are asked practitioner-relevant questions covering a variety of issues related to network operating system access. Monitoring and limiting network operating system access and mitigating the related risk is crucial since any application (including accounting applications) can be accessed, and potentially compromised, through the network operating system.

Data Availability: Student feedback data are available upon request from the first author. Data files to complete the assignment are available on the Issues in Accounting Education Teaching Notes website.

INTRODUCTION

With the advent of computer-based accounting and business information systems, the need for evaluating controls surrounding the information systems infrastructure has become critical. Because financial statement auditors tender opinions based on information and testing performed against data extracted from client accounting systems (in the form of reports and system-generated financial statements), controls underlying these systems must be evaluated. Without adequate system controls, auditors cannot rely on the integrity of the information generated by the system, nor can they perform an effective audit. Effective system control evaluation requires audit professionals who comprehend information systems. Statement of Auditing Standards (SAS) No. 94 (Auditing Standards Board 2001) stipulates that practitioners must gain an understanding of the client's internal control structure as part of the audit-planning phase. SAS No. 94 emphasizes the necessity to understand how an entity's use of information technology affects audit-relevant risks.

Because the term "risk" has multiple definitions, it is important that we clarify our use of the term for this assignment. We define risk as the possibility of loss or damage. The internal controls over an entity's information systems are a vital component of the internal control structure, particularly for those systems that store and process financial transactions. Auditors utilize their assessment of the client's internal control structure to assess their level of controls reliance. Controls reliance is the amount of "faith," or reliance, that the auditor is willing to place on the internal control structure to prevent, correct, or detect material misstatements in the financial statements. As such, assessing the strength of the client's controls over the information systems influences the auditor's assessment of the internal control structure as a whole. For example, if an auditor's preliminary testing of controls indicates a strong control environment, then the auditor may be able to reduce the amount of substantive testing.

One type of information system control auditors need to consider is logical security over systems, programs, and data. SAS No. 94 specifically mentions the risk associated with a lack of control at a single entry point to a system, which compromises the integrity of the entire database, and potentially results in improper changes to or destruction of data. The network operating system (NOS) is typically the first layer of security in controlling user access from a logical security perspective, especially in a distributed system. The NOS controls user identification, authentication, authorization, and many security and permissions settings for all users and resources on the network. In user identification, the user tells the NOS who he or she is. The NOS authenticates the user by mapping user-supplied credentials, such as user IDs and passwords, to a centralized user store of networked systems. …