
DISASTER RECOVERY AND OTHER THREATS

D. Disaster Recovery and Other Threats and Risk Management

A wide area network (WAN) is a network that is more geographically dispersed than a LAN. It uses bridges to connect same-type LANs, and gateways to connect different types of LANs, LANs to WANs, or PCs to mainframes.

The topology (physical arrangement) may be a star (one server computer in the middle, with an individual link from it to each workstation), a hierarchy (connected like an organization chart), a ring (a circle of equal workstations, also called peer-to-peer), or a bus (a single cable, like a bus going down the street, picking up workstation messages and dropping them off).

Instead of purchasing and maintaining its own transmission media for, say, electronic data interchange with a trading partner, a company may use a VAN (value-added network). This is a public network that adds value to the data communications process by handling the interfacing with multiple types of hardware and software used by different companies, each with its own “mailbox” on the VAN.

Many CPA firms use VPNs (virtual private networks) to allow their associates to use the Internet in a secure, encrypted manner to communicate while working outside the office. The remote worker uses the LAN as if he were in the same office (except for slower response time).

A client-server system distributes processing between a server (a central file storage site which may search for and distribute an individual record requested by a user) and the clients (workstations which may read or update the record). It can work with different topologies. The server stores shared databases and system software, while individual applications (e.g., spreadsheets) and data may reside on the client workstation.

Client-server systems are replacing mainframe systems, because they use cheaper hardware & software, and they are flexible & expandable. Instead of centralizing all data, applications, and expertise, client-server systems distribute them. Empowering users, they also require more skill from users in technology, output design, & controls.

CASE (Computer-aided software engineering) tools are now widely employed to use computer software to build computer software, increasing the productivity of systems professionals. For example, they can take a data flow diagram and lead the developer to create a system based on it.

- System implementation – conversion to the new system

- Maintenance – This is ongoing throughout the life of the system, and there should be modification controls to prevent a programmer (or anyone else) from making unauthorized changes to a program. All proposed changes should be approved, thoroughly tested and documented. Auditors should gain an understanding of the change process, and review a complete set of final documentation materials for recent program changes.

The auditor should verify that program changes were identified, listed, approved, tested, and documented.

The changes should be implemented by someone independent of the user and programming functions. The auditor can review all programs’ access control tables/lists.

The internal audit function should be involved to ensure adequate system controls.

All systems must be completely documented. Documentation may be classified as:

- Administrative – how to administer the IT department

- Systems – includes flowcharts and program listings

- Operating – how to input transactions and correct errors

Thorough testing of the programs must occur before implementation. Actual test results are compared with predetermined expectations.

User acceptance testing of the entire system must occur.

In maintenance, all program revisions must have documented need, proper authorization, and thorough testing.

Source program library management system

- This system safeguards source programs, for access by development programmers and by maintenance programmers.

- It enforces password control.

- It has as an objective the separation of the source program test libraries from the application load module library.

- It maintains sequential program version numbers.

- It automatically produces audit trails & management reports.

- It has specially controlled access to maintenance commands (e.g., over passwords or version numbers).

HARDWARE CONTROLS

- Restricted physical access (locked doors, guards, limited entry, magnetic cards, biometric ID [e.g., fingerprint, retina, iris], back-ups stored off-site) as well as logical access (passwords). Certainly, these physical access controls are general controls that benefit all applications, and they should not be overlooked.

- Diagnostic routines, in which the computer checks its connections to peripheral devices and internal memory, perhaps upon starting up.

- Echo checks, in which receiving hardware sends the same message back for comparison.

- Tape file protection rings & write-protect tabs on disks, to physically prevent writing.

- Parity checks (an extra 9th bit – odd or even parity – added to a byte to make the total number of “on” bits odd or even, whichever is the standard in that installation, so that the 9th bit may be checked upon the next reading).

- Preventive maintenance, to replace older components before they fail.

- Fault tolerance, such as …

  - Redundant arrays of independent disks (RAID), among which data are stored and updated simultaneously on several disks

  - Uninterruptible power supplies providing back-up power in an emergency

  - Multiprocessing, so that a back-up processor is available in case of a failure

PROTECTION OF PROGRAMS AND DATABASES

- User views (subschema) to restrict users to a subset of the entire database

- Database (or file, or device) authorization table (listing, for each file & each user, separate authority to read, insert, modify, delete)

- Data encrypted when stored

- Software & hardware monitors to detect & report usage of data, programs, and devices (by whom, from where, when, how long, for what)

- Back-ups performed regularly (grandparent-parent-child for sequential batch processing, under which three generations of master files are kept), with back-ups stored securely, off-site. This is helpful in case of disaster or error. Other forms of storage controls include the use of a data librarian.

DISASTER RECOVERY PLAN

Essentially, the plan is based on management’s cost-benefit analysis of potential disasters. Its objectives are to minimize the extent of loss, quickly (if temporarily) establish means of processing information, and resume normal operations quickly. Business interruption insurance is necessary, but not sufficient. Steps in developing the plan include:

- Identify “mission-critical” applications and establish the priority for business continuity.

- Ensure availability of data, programs, & documentation:

  - Database and program copies stored off-site

  - Data recovery procedures, e.g., to bring the most recent database copy to current status by re-processing transactions that have occurred since the back-up

- There should be specific assignments and access to phone numbers of team members, and the order in which they should be called. The major players will have specific responsibilities for arranging for new facilities, operating the computer, installing software, establishing communication capability, recovering vital records, and arranging for supplies.

- Alternative processing:

  - Hot site (completely equipped)

  - Cold site (space available, but not fully equipped)

- Manual operations if no power

- Test the plan (as with a fire drill), and regularly assess the need for revision.

All of these are basically general controls. In addition, application controls (sometimes also called transaction controls or accounting controls) must be incorporated into each application’s input, processing, & output. Following are some examples of application controls.

INPUT CONTROLS:

- Edit checks, or validation controls, intended to detect errors in transaction data before the data are processed. These might be designed to check at varying levels of detail.

  - Character – the most detailed, a single character

  - Field – such as a customer number. Examples of field checks are listed below.

  - Record – such as the customer record, containing all of the fields about the customer (e.g., customer number, name, address, etc.). The program might look for unusual interrelationships among the fields in the record. For example, in a relationship check, if an employee is not a salesperson (employee position field), there should be no sales bonus in the pay fields.

  - Array, or file – Is this the correct file? The program could look at the internal label (often the first record on the file) to confirm the file name, version, or date.

Examples of field checks:

- Validity – Is this a valid member of a set, such as a valid customer number?

- Field type – Is this properly numeric, or alphabetic, or a proper date?

- Limit – Is this less than the upper limit, or greater than the lower limit allowed?

- Completeness or missing-data – Is this field incorrectly left blank?

- Echo – When the user types in an account number, the system echoes back on the screen the corresponding account name so that the user can confirm.

- Sequence – The program could look for records incorrectly out of sequence, or for missing numbers in a sequence.

- Sign – A given field, for example, might get an error warning if it becomes negative.

- Self-checking digit – Here an additional, redundant, digit is added to, for example a customer number. For example, a fifth digit might be a number that is computable from the previous four digits when the computer performs an internal algorithm (predefined calculation). Then, if the proper fifth digit is not in agreement with the calculation, the computer signals an error in the input of that field.

- If using paper input documents, they should be prenumbered and well-designed.

- Any errors found should be corrected before posting.
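Several of the field checks above (completeness, field type, self-checking digit, validity, sign, limit, date) together with the record-level relationship check, applied to constructed transaction records before posting, as an added example that is not part of the study notes. The weighted mod-10 check-digit scheme, the customer master set and the credit limit are assumptions, since the notes do not specify an algorithm or values.

```python
# Added example (not from the study notes): field- and record-level edit checks
# run on constructed transaction records before they are posted.
# The check-digit scheme (weights 5,4,3,2 over the first four digits, mod 10)
# is an assumption; the notes only say the fifth digit is computable from them.
from datetime import date

VALID_CUSTOMERS = {"10013", "10021"}   # constructed master file for the validity check
CREDIT_LIMIT = 5000.00                  # constructed upper limit for the limit check
WEIGHTS = (5, 4, 3, 2)

def check_digit(body: str) -> str:
    """Weighted mod-10 check digit (assumed scheme) for a 4-digit body."""
    total = sum(int(d) * w for d, w in zip(body, WEIGHTS))
    return str((10 - total % 10) % 10)

def edit_checks(rec: dict) -> list:
    """Return the edit-check failures for one record (empty list = record is clean)."""
    errors = []
    cust = rec.get("customer", "")
    if cust == "":                                      # completeness / missing-data check
        errors.append("customer: missing")
    elif not cust.isdigit() or len(cust) != 5:          # field-type check
        errors.append("customer: not a 5-digit number")
    elif check_digit(cust[:4]) != cust[4]:              # self-checking digit
        errors.append("customer: check digit mismatch")
    elif cust not in VALID_CUSTOMERS:                   # validity check against the master set
        errors.append("customer: not on master file")
    amt = rec.get("amount")
    if not isinstance(amt, (int, float)):               # field-type check (numeric)
        errors.append("amount: not numeric")
    else:
        if amt < 0:                                     # sign check
            errors.append("amount: negative")
        if amt > CREDIT_LIMIT:                          # limit check
            errors.append("amount: over credit limit")
    try:
        date.fromisoformat(rec.get("date", ""))        # field-type check (proper date)
    except ValueError:
        errors.append("date: invalid")
    # Record-level relationship check: only a salesperson may carry a sales bonus.
    if rec.get("position") != "salesperson" and rec.get("bonus", 0) != 0:
        errors.append("bonus: non-salesperson has sales bonus")
    return errors

if __name__ == "__main__":
    # Constructed records: one clean, one with a keying error in the customer number.
    print(edit_checks({"customer": "10013", "amount": 1200.0, "date": "2024-03-01",
                       "position": "salesperson", "bonus": 50}))   # []
    print(edit_checks({"customer": "10014", "amount": 1200.0, "date": "2024-03-01",
                       "position": "clerk", "bonus": 0}))          # ['customer: check digit mismatch']
```

Each failing check is reported rather than stopping at the first, so the whole record can be corrected before posting.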

- Batch control totals (record count, financial / amount totals, hash totals) should be verified. These can then be compared to control totals on output.

  - Record count: The number of records (transactions) in a batch

  - Financial / amount total: A meaningful total of a batch (total dollars, or total hours worked)

  - Hash total: A meaningless total in itself (such as the total of the social security numbers of employees in a batch). Still, like the other batch totals, it can be useful to detect transactions that were lost, or wrongly included, or incorrectly keyed.
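The three batch control totals described above, taken on a constructed payroll batch at input and re-computed on what reached output, plus the sequence check from the field-check list, as an added example that is not part of the study notes. The timecard records and their nine-digit "ssn" strings are constructed values.

```python
# Added example (not from the study notes): batch control totals taken at input and
# re-computed at output, plus a sequence check on prenumbered document numbers.
# The timecard batch and its nine-digit "ssn" strings are constructed values.

# Constructed input batch of payroll timecards, each prenumbered with doc_no.
INPUT_BATCH = [
    {"doc_no": 101, "ssn": "123456789", "hours": 40.0},
    {"doc_no": 102, "ssn": "987654321", "hours": 35.5},
    {"doc_no": 103, "ssn": "111223333", "hours": 42.0},
]

def batch_totals(records):
    """Record count, financial/amount total (hours worked), and a hash total of the SSN field."""
    return {
        "record_count": len(records),
        "amount_total": round(sum(r["hours"] for r in records), 2),
        # Hash total: meaningless as a number, but it changes if an SSN is
        # dropped, wrongly added, or mis-keyed (e.g., two digits transposed).
        "hash_total": sum(int(r["ssn"]) for r in records),
    }

def compare_totals(input_records, output_records):
    """Names of the control totals that disagree between input and output."""
    expected, actual = batch_totals(input_records), batch_totals(output_records)
    return [name for name in expected if expected[name] != actual[name]]

def sequence_check(records):
    """Document numbers that are out of sequence, and gaps in the numbering."""
    nums = [r["doc_no"] for r in records]
    out_of_order = [n for prev, n in zip(nums, nums[1:]) if n <= prev]
    present = set(nums)
    missing = [n for n in range(min(nums), max(nums) + 1) if n not in present]
    return out_of_order, missing

if __name__ == "__main__":
    # Same three records, but the second SSN was keyed with two digits transposed.
    miskeyed = [dict(r) for r in INPUT_BATCH]
    miskeyed[1]["ssn"] = "987654312"
    print(compare_totals(INPUT_BATCH, miskeyed))           # ['hash_total']
    print(compare_totals(INPUT_BATCH, INPUT_BATCH[:2]))    # lost record: all three totals differ
    print(sequence_check([{"doc_no": n} for n in (101, 103, 102, 105)]))  # ([102], [104])
```

A transposed SSN leaves the record count and hours total unchanged, so only the hash total exposes it; a lost record moves all three totals.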

PROCESSING CONTROLS:

- Equality of debits & credits should be checked after posting (trial balances).

- Posting references should be used to provide an audit trail.

- Standardized adjusting entries should be used.

- Subsidiary ledgers should be reconciled to the general ledger.

OUTPUT CONTROLS:

- Reports should be reviewed by managers, accountants, and internal auditors. They should not be accessible by anyone not authorized to see them. And paper reports should be shredded before disposal.