Bournemouth Manufacturing Plc: Audit and Internal Control - Case Study Example

Summary
The "Bournemouth Manufacturing Plc: Audit and Internal Control" paper argues that when Bournemouth Manufacturing Plc adopts the computer system that has been proposed, it will put itself at risk of having its computer systems being accessed by unauthorized elements…

Extract of sample "Bournemouth Manufacturing Plc: Audit and Internal Control"

Introduction

With the expansion of its operations and the opening of more branches, Bournemouth Manufacturing Plc is planning to install a new computerized system to merge all its activities. All accounting data is going to be input into the computer from workstations. Data from remote factories and branches is going to be transmitted to the server through the British Telecom telephone system. By connecting to the internet, an individual opens himself to attacks on his computer and to unauthorized access to it by people on the internet or by others within the company. A computer system is at risk of being accessed illegally, and the data held within it is put at risk. Given the sensitive nature of accounting data, the finance director has asked for an audit report detailing the security status of the system.

Data will be input into the computers from workstations, and there is a risk of unauthorized access to this data at this point. Data from satellite stations will be transmitted through the internet, and there is the risk of this data being accessed by unauthorized individuals, either remotely or otherwise. The finance director has specifically asked for a description of the general controls that can be exercised to avert unauthorized access to the computer system from remote workstations. These may be the remote workstations of the company's staff or the remote workstation of a computer hacker. The director also asked for procedures that can be applied to avert unauthorized access to the computer through the service provider. Controls to be employed in the purchases and payroll systems over retrieval of information, input of transaction data and updating of standing data files have also been requested.

Controls to Prevent Unauthorized Access from Remote Workstations

It has been noted that a large number of unauthorized accesses to a company's computer system come from within, rather than from without (Wilkinson: 2009). What this means is that there are some members of staff who are errant enough to access the computers of their employer without the relevant authorization. The reasons why they do this are varied. Some are interested in sabotaging the activities of the company, while others are just curious about the contents of the computer. Several procedures have been developed to ensure that this does not happen.

Use of Password and User ID Control

The password is the most common form of control used to ensure that there is no unauthorized access to a computer and the computer system (Nikoltos: 2008). In this case, every user of the computer or system is given an identity, or ID. The ID might be his name or another such identification. He accesses the system by using that ID, since it is the name by which the system knows him. A password is then given to each of these IDs. The user is supposed to provide the computer with his identity and the accompanying password in order to be allowed access to the system. Every password is specific to a particular ID. A wrong combination of the two will not allow the user to gain access to the system (Nikoltos: 2008).

When there is more than one user with identical names and information, a special ID called the User Specific ID is used (Marie: 2007). Windows will utilize a Security ID, or SID, for each of those accounts (Marie: 2007). The best thing about this ID is that it is a unique key. When a user is creating an account, the security identity is generated, giving all his details (Wilkinson: 2009).

Passwords and user IDs have some strengths that make them effective in dealing with remote unauthorized access. For starters, the computer system is set such that no access is permitted unless the correct combination of ID and password is provided (Wilkinson: 2009). This makes it possible for the computer system to alert the administrator when an unauthorized access has been attempted. It is also very hard for a password to be replicated. The user can create a very complicated password that is unique to him only and not to anybody else. The combination of characters makes it impossible for it to be copied. Another strength is that the password is known only to the user and the administrator (Smith: 2009). No third party is aware of the combination of characters that make up the password.

But there are also some limitations associated with passwords and user IDs. With the sophistication of remote access, a simple password becomes inefficient (Smith: 2009). When the users of the computer are using a modem, there is a possibility that they will remain anonymous. This anonymity means that the person who was trying to access the system illegally will not be known. The people who access computers without authorization are also very patient. They will try to time their access to nights or to when the office is vacated. Under these circumstances, they have the opportunity to try various combinations of characters and may succeed in coming up with the correct password (Marie: 2007).

Encryption

Encryption is another method employed to control access to the computer and the computer system by an unauthorized individual. When a remote access is made to the computer, the person behind the access can read or access very sensitive data that was not meant for him (Wilkinson: 2009). In remote unauthorized access, the targeted computer is controlled remotely by the hacker. It is a fact that the actual data that is being transmitted is retained between the target computer and the authorized receiver of the data (Wilkinson: 2009). The hacker is able to see the images displayed on the monitor, together with the keystrokes that the user is making and the movement of the mouse.

When the data is encrypted, the hacker will not be able to make sense of the images that he receives from the computer. For example, the hacker might access an image of the accounting sheet that the user was sending via the internet. If the data in that sheet were encrypted, the hacker would not be able to decipher it unless he had the codes (Smith: 2009). The hacker may also get access to the keystrokes that the user was making. The data that was being transmitted will be saved if the keystrokes happened to be those of the encryption, rather than of the document itself.

The major limitation of encryption is that there are chances of compromising the data (Smith: 2009). This happens when the keys for decrypting the data are not handled effectively and end up in the wrong hands. It is also burdensome to distribute the decryption keys, because they are difficult to transmit due to their nature. Encryption is also not effective in preventing the actual illegal access to the computer through a remote connection. It does not, then, provide security against remote access. The hacker has already accessed the computer system. The only thing that he cannot do is read the files.

Audits

These are system security audits that are carried out occasionally (Nikoltos: 2008). The aim of these audits is to determine whether all the security procedures are being followed when it comes to accessing the computer system. The audit also determines the vulnerability of the system to remote access. The security audit may find that the computer system has been accessed remotely. To control this access in the future, the audit team reconfigures the computers such that the passwords, or other such things that the remote accessing subject was using, are disabled (Wilkinson: 2009). The weakness of this procedure is that it is carried out periodically, not continuously. As such, the computer system is at risk, and is being accessed remotely, until the security audit is carried out and the access is sensed. A lot of damage could have been done already.

Prevention of Access through British Telecom's Telephone Line

Unauthorized access to the computer system can also be achieved through the communication lines of the service provider. There are some measures that have been exercised before that aim at curbing this access or mitigating its damage. The first is the use of the Windows 2000 Encrypting File System (EFS). This program allows the person using the system to encrypt certain data on the computer (Marie: 2008). This means that any person who accesses the data, either through remote access or physically, cannot read anything. Public key and symmetric encryption algorithms are the ones utilized to carry this operation out. The effectiveness of this process is that it discourages those people who are tempted to steal the data. There is nobody who wants to access files from a computer through the internet only to end up with data that he cannot use.

There is also the automatic call-back system as a form of control over unauthorized access (Nikoltos: 2008). This is used when the computer system is being accessed externally. The user supplies the computer system with a pre-authorized telephone number. This is the number from which they are supposed to call the system if they need to access it externally (Nikoltos: 2008). After calling the system, the user is supposed to identify himself. The system then verifies the number from which it was called and the authenticity of the user. This is before it has allowed him access. It then calls the user back using another of those authorized numbers. It is only then that the user can access the system (Nikoltos: 2008).

Controls in Purchases and Payroll Systems

Every form of information is vital to the operation of the company and should be controlled in terms of access. However, the purchases and payroll information is vital to the operation of the finance department. There should be a control in the new computer system to ensure that information pertaining to the purchases and payroll activities of the company is safeguarded.

Retrieval of Information

There should be measures to ensure that retrieval of information pertaining to these two fields is controlled. One of the controls will be the requirement to provide a password accompanied by a user ID. This way, it will be ensured that only users who have been authorized by the finance department can access and retrieve this information (Nikoltos: 2008). Every individual who wishes to retrieve information will have to be registered with the system. It is the work of the system administrator to ensure that every individual who is authorized to access the information is registered with the system and has a corresponding ID. When there is more than one person with the same name and data, the Specific User ID will be utilized.

Input of Transaction Data

It would be imprudent to allow every individual to input transaction data in the systems of these two departments. It is not only the output of the computer system that is controlled, but also the input (Smith: 2009). The only way that this can be done is by use of the data encryption method. This means that the user of the system will be given the characters that he will use in encrypting the data that he wishes to send. This encryption code is known only to a few people. Without encrypting the data, the user will not be able to input it. What this means is that the user must first convert the data into its encrypted form before he can input it or send it.

Updating of Standing Data Files

When updating or editing data files that are to be found within the system, the user will be required to use the Windows Encrypting File System. It is important to note that most of the files will already have been encrypted when they were being input. The files have already been encrypted so that they cannot be accessed by unauthorized elements. The user of the system will be required to provide it with a private key component. This is the one used to decrypt the file encryption key that was randomly generated for the file when it was encrypted (Wilkinson: 2009). The user is the only person who has the private key, so he is the only one who can log in to the system and update the standing data files.

Conclusion

When Bournemouth Manufacturing Plc adopts the computer system that has been proposed, it will put itself at risk of having its computer systems being accessed by unauthorized elements. The only way that this access can be averted is by adopting a control mechanism that will safeguard the security of the company's data. These mechanisms involve registering accounts with passwords for the users of the system. Only a person who has an appropriate identity and a valid password will be allowed access to the computer system. Others that will be adopted include the encryption of the data and security audits.

References

Marie, B. L. 2008. Controlling Physical and Remote Control to Your Computer. 2nd ed. London: McGraw-Hill, 23-25.
Nikoltos, I. K. 2008. Averting Computer Crimes in Banking. Computer Crime Research Centre, 23(6), 9-10.
Smith, H. D. 2009. How to Prevent Unauthorized Computer Access. New York: Willy & Sons, 78-84.
Wilkinson, F. S. 2009. Computer Security in a Risk Society. 4th ed. Cambridge: Cambridge University Press, 57-59.
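
The automatic call-back control described under "Prevention of Access through British Telecom's Telephone Line", sketched in Python as an added example that is not part of the original paper. The user ID, telephone numbers and the names Enrollment, enroll, CallbackGate and handle_call are constructed for illustration; the password hashing scheme and the fallback to the calling number when only one number is registered are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Enrollment:
    """What the administrator registers for one user (hypothetical record)."""
    salt: bytes
    password_hash: bytes
    authorized_numbers: tuple  # telephone numbers registered in advance


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is this example's choice; the paper does not name a scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(password: str, numbers) -> Enrollment:
    salt = os.urandom(16)
    return Enrollment(salt, _hash(password, salt), tuple(numbers))


class CallbackGate:
    def __init__(self, directory):
        self.directory = directory  # user ID -> Enrollment
        self.alerts = []            # rejected calls, kept for the administrator

    def _reject(self, caller_number, user_id, reason):
        self.alerts.append((caller_number, user_id, reason))
        return None

    def handle_call(self, caller_number, user_id, password):
        """Return the number the system dials back, or None if rejected."""
        record = self.directory.get(user_id)
        if record is None:
            return self._reject(caller_number, user_id, "unknown user ID")
        # Step 1: the incoming call must come from a registered number.
        if caller_number not in record.authorized_numbers:
            return self._reject(caller_number, user_id, "unregistered number")
        # Step 2: the caller must prove identity (constant-time comparison).
        if not hmac.compare_digest(_hash(password, record.salt),
                                   record.password_hash):
            return self._reject(caller_number, user_id, "wrong password")
        # Step 3: hang up and dial back a *stored* number, never one supplied
        # during the call. Prefer a different registered number; reusing the
        # calling number when only one is registered is an assumption.
        others = [n for n in record.authorized_numbers if n != caller_number]
        return others[0] if others else caller_number


if __name__ == "__main__":
    # Constructed sample data (numbers from the UK range reserved for drama).
    gate = CallbackGate({"jsmith": enroll("correct horse battery",
                                          ["01632960001", "01632960002"])})
    print(gate.handle_call("01632960001", "jsmith", "correct horse battery"))
    print(gate.handle_call("01632960999", "jsmith", "correct horse battery"))
    print(gate.handle_call("01632960001", "jsmith", "guess"))
    print(gate.alerts)
```

Access is granted only on the returned call, so a caller who knows the password but is not at a registered line never reaches the system, and every rejected call is recorded for the administrator.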