A Member State requiring statutory audit may impose more stringent requirements, unless otherwise provided for by this Directive. It should therefore no longer be possible for Member States to insist that a majority of the voting rights in an audit firm must be held by locally approved auditors or that a majority of the members of the administrative or management body of an audit firm must be locally approved. Such knowledge should be tested before a statutory auditor from another Member State can be approved. They should therefore be subject to professional ethics, covering at least their public-interest function, their integrity and objectivity and their professional competence and due care.
Chairman, Subcommittee on National Security, International Affairs and Criminal Justice
Committee on Government Reform and Oversight
House of Representatives

In view of the increasing threat of unauthorized intrusions into Department of Defense computer systems, you asked us to report on the extent to which Defense computer systems are being attacked, the actual and potential damage to its information and systems, and the challenges Defense is facing in securing sensitive information.
This report identifies opportunities and makes recommendations to the Secretary of Defense to improve Defense's efforts to counter attacks on its computer systems. Copies will also be made available to others upon request.
If you have any questions about this report, please call me at Other major contributors to this report are listed in appendix I.

Given the threats the attacks pose to military operations and national security, GAO was asked to report on the extent to which Defense systems are being attacked, the potential for further damage to information and systems, and the challenges Defense faces in securing sensitive information.
The exact number of attacks cannot be readily determined because only a small portion are actually detected and reported. At a minimum, these attacks are a multimillion dollar nuisance to Defense.
At worst, they are a serious threat to national security. Attackers have seized control of entire Defense systems, many of which support critical functions, such as weapons systems research and development, logistics, and finance.
Attackers have also stolen, modified, and destroyed data and software. In a well-publicized attack on Rome Laboratory, the Air Force's premier command and control research facility, two hackers took control of laboratory support systems, established links to foreign Internet sites, and stole tactical and artificial intelligence research data.
The potential for catastrophic damage is great. Organized foreign nationals or terrorists could use "information warfare" techniques to disrupt military operations by harming command and control systems, the public switch network, and other systems or networks Defense relies on.
Defense is taking action to address this growing problem, but faces significant challenges in controlling unauthorized access to its computer systems.
Currently, Defense is attempting to react to successful attacks as it learns of them, but it has no uniform policy for assessing risks, protecting its systems, responding to incidents, or assessing damage.
Training of users and system and network administrators is inconsistent and constrained by limited resources. However, the success of these measures depends on whether Defense implements them in tandem with better policy and personnel solutions.
Hackers were at one time persons who explored the inner workings of computer systems to expand their capabilities, as opposed to those who simply used computer systems. Today the term generally refers to unauthorized individuals who attempt to penetrate information systems; browse, steal, or modify data; deny access or service to others; or cause damage or harm in some other way.
See chapter 3 for a discussion of firewalls.

Defense also critically depends on information technology--it uses computers to help design weapons, identify and track enemy targets, pay soldiers, mobilize reservists, and manage supplies.
Indeed, its very warfighting capability is dependent on computer-based telecommunications networks and information systems. Defense's computer systems are particularly susceptible to attack through connections on the Internet, which Defense uses to enhance communication and information sharing.
In turning to the Internet, Defense has increased its own exposure to attacks. More and more computer users--currently over 40 million worldwide--are connecting to the Internet.
This increases the risks of unauthorized access to information and disruption of service by outsiders. Defense systems connected to outside networks contain information that, while unclassified, is nevertheless sensitive and warrants protection because of the role it plays in Defense missions.
However, the exact number is not known because, according to DISA, only about 1 in attacks is actually detected and reported. In addition, in testing its systems, DISA attacks and successfully penetrates Defense systems 65 percent of the time.
According to Defense officials, attackers have obtained and corrupted sensitive information--they have stolen, modified, and destroyed both data and software. They have installed unwanted files and "back doors" which circumvent normal system protection and allow attackers unauthorized access in the future.
They have shut down and crashed entire systems and networks, denying service to users who depend on automated systems to help meet critical missions. Numerous Defense functions have been adversely affected, including weapons and supercomputer research, logistics, finance, procurement, personnel management, military health, and payroll.
In addition to the security breaches and service disruptions they cause, these attacks are expensive. Although Defense has not estimated the total cost of repairing damage caused by the thousands of attacks experienced each year, it believes they are costing tens or possibly even hundreds of millions of dollars.
Internet connections make it possible for enemies armed with less equipment and weapons to gain a competitive edge at a small price. As a result, this will become an increasingly attractive way for terrorist or adversaries to wage attacks against Defense.
For example, major disruptions to military operations and readiness could threaten national security if attackers successfully corrupted sensitive information and systems or denied service from vital communications backbones or power systems.
The National Security Agency has acknowledged that potential adversaries are developing a body of knowledge about Defense's and other U. According to Defense officials, these methods, which include sophisticated computer viruses and automated attack routines, allow adversaries to launch untraceable attacks from anywhere in the world.
In some extreme scenarios, studies show that terrorists or other adversaries could seize control of Defense information systems and seriously degrade the nation's ability to deploy and sustain military forces. Official estimates show that more than countries already have or are developing such computer attack capabilities.
Defense is taking actions to strengthen information systems security and counter computer attacks, but increased resources and management commitment are needed.

The DNS Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems.
The requirements are derived from the NIST SP rev 4, NIST SP rev 2 and related documents.

Auditing Standard No. 5: the auditor should follow the same communication responsibilities that are described in paragraphs through of AU sec access to programs, and computer operations are effective and continue to be tested, and if the auditor verifies that the automated application control has not changed since the.
Identifying events that may prevent reliance on auditing through the computer will also be presented to Kudler for review (Apollo Group, ).

Types of Audits
The types of information technology audits are attestation, findings and.
This paper is about the types of audits, the most appropriate audit for each process, conducting the audits, and the events that may prevent reliance on auditing through the computer.
Types of Audits
There are four types of audits: attestation, findings and recommendations, SAS 70 audit, and SAS audit.

Audit Chapter 12 Questions
Which of the following is not an enhancement to internal control that will occur as a consequence of increased reliance on IT?
a. Computer controls replace manual controls.

Which of the following is not one of the three categories of testing strategies when auditing through the computer?

Finally, this paper identifies events that might prevent reliance on auditing through the computer.

Types of Audits
Team B recommends Kudler use the following types of audits described by Hunton, Bryant, & Bagranoff (): SAS 70, SAS 94, Attestation, and Findings and Recommendations.