BUSINESS PROCESS APPLICATIONS AND CONTROLS Part 1
Integrated application environment: controls are embedded in and designed into the business application, so the application itself supports the process.
Business process control assurance involves evaluating controls at the process and activity levels.
These controls may be a combination of management, programmed and manual controls.
The following controls are evaluated:
general controls that affect the processes,
business process owner-specific controls, such as establishing proper security and segregation of duties (SoD) and periodic review and approval of access,
and application controls within the business process.
Application systems may reside in the various environments that follow.
E-Commerce
buying and selling of goods online
Types of e-commerce architectures
Single-tier architecture
client-based application running on a single computer.
Two-tier architecture
composed of the client and server.
Three-tier architecture
presentation tier
displays information that users can access directly
e.g., a web page or an operating system's (OS's) graphical user interface.
application tier
controls an application’s functionality by performing detailed processing
data tier
the data access layer that encapsulates the persistence mechanisms and exposes the data.
usually comprised of the database servers, file shares, etc.
E-components
component-based systems that use a middleware infrastructure based around an application server.
E-components often seen in a B-to-C system include marketing, sales and customer service components.
Application servers
provide services (such as data management, security and transaction management) either directly or through connection to another service or middleware product.
Risks involved in e-commerce
Availability
system failure
Authentication and nonrepudiation
The parties to an electronic transaction should be in a known and trusted business relationship, which requires that they prove their respective identities before executing the transaction.
Integrity
data, both in transit and in storage, could be susceptible to unauthorized alteration or deletion
Hacking of the e-business system
Power shift to customers
The Internet gives consumers unparalleled access to market information and generally makes it easier to shift between suppliers.
Confidentiality
Internet: whatever is placed on it is routed over wide-ranging and essentially uncontrolled paths (e.g., placing credit card details online carries the risk of theft of the credit card information).
Connecting to the Internet via a browser requires running software developed by unknown parties.
Outsourced services: outsourcing and hosting services in the cloud increase the risk on the buyer's side.
E-commerce requirements
• Building a business case (IT as an enabler) around the four C's: customers, costs, competitors and capabilities
• Developing a clear business purpose
• Using technology to first improve costs
Other requirements
Top-level commitment, required because of the breadth of change involved (i.e., business processes, company culture, technology and customer boundaries)
Business process reconfiguration
Links to legacy systems: organizations must create online interfaces and make sure those interfaces communicate with existing databases and systems for customer service and order processing.
IS Auditor's Role in the E-commerce Business Process
The IS auditor should review the following:
Interconnection agreements, prepared prior to engaging in an e-commerce agreement. These can be as simple as accepting terms of use, or as detailed as terms and conditions that must be in place before the e-commerce interconnections are established.
Security mechanisms and procedures that, taken together, constitute a security architecture for e-commerce (e.g., Internet firewalls, public key infrastructure [PKI], encryption, certificates, PCI DSS compliance and password management)
Firewall mechanisms that are in place to mediate between the public network (the Internet) and an organization's private network
A process whereby participants in an e-commerce transaction can be identified uniquely and positively (e.g., a process using some combination of public and private key encryption and certified key pairs)
Procedures in place to control changes to an e-commerce presence
E-commerce application logs, which are monitored by responsible personnel. This includes OS logs, console messages, network management messages, firewall logs and alerts, router management messages, intrusion detection alarms, application and server statistics, and system integrity checks.
Methods and procedures to recognize security breaches when they occur (network- and host-based intrusion detection systems [IDSs])
Features in e-commerce applications to reconstruct the activity performed by the application
Protections in place to ensure that data collected about individuals are not disclosed without the individuals' consent nor used for purposes other than those for which they were collected
Means to ensure confidentiality of data communicated between customers and vendors (safeguarding resources, such as through encrypted Secure Sockets Layer [SSL])
Mechanisms to protect the e-commerce presence and supporting private networks from computer viruses and to prevent them from propagating viruses to customers and vendors
Features within the e-commerce architecture to keep all components from failing and to allow them to repair themselves, if they should fail
Plans and procedures to continue e-commerce activities in the event of an extended outage of resources required for normal processing
Commonly understood practices and procedures to define management's intentions for the security of e-commerce
Shared responsibilities within an organization for e-commerce security
Communications from vendors to customers about the level of security in an e-commerce architecture
Regular programs of audit and assessment of the security of e-commerce environments and applications to provide assurance that controls are present and effective
An IS auditor must understand and be able to evaluate the business processes of the organization they are auditing.
This includes testing and evaluating the design and implementation of the operation of controls, and monitoring and testing evidence to ensure that the internal controls within the business processes operate effectively.
Business Process
A business process owner is the individual responsible for identifying process requirements, approving process design and managing process performance, and should be at an appropriately high level in the organization to have the authority to commit resources to process-specific RISK MANAGEMENT ACTIVITIES.
A business process is an interrelated set of cross-functional activities or events that result in the delivery of a specific product or service to a customer.
It is controlled by policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business process will achieve its objectives.