Page 249 - CA Final PARAM Digital Book.
P. 249
- Assessing bot performance: response times, scalability.
- Analyzing logs and audit trails for unusual activities.
- Examining data handling processes for encryption, storage, and data protection.
- Conducting penetration testing or vulnerability assessments.
3. Identify & Assess Risk:
- Identify and assess potential risks associated with the ticket booking bot, such as unauthorized access,
system failures, or inaccurate booking info.
4. Sampling Methodology:
- Decide on the appropriate sampling methodology for bot evaluation. This may involve selecting
representative booking transactions or data for analysis.
5. Execution of Audit:
- Conduct the audit based on defined procedures, adhering to best practices and standards.
- Document findings, noting any issues or areas of improvement.
6. Audit Reporting:
- Compile the audit findings into a comprehensive report.
- Provide recommendations for addressing identified weaknesses, risks, or non-compliance issues.
- Present the report to relevant stakeholders.
7. Post-Audit Activities:
- Track the implementation of recommended actions.
- Ensure appropriate measures are taken to address any identified weaknesses.
- Periodically review and monitor the bot for performance, security, and compliance.
QNO Case Study on Phishing Attack New Course – (SM23)
DAA.980 TITANIUM CNO – Unique
The CEO of a hotel realized their business had become the victim of wire fraud when the accounts payable
executive began to receive insufficient fund notifications for regularly recurring bills. A review of the
accounting records exposed a serious problem. Upon investigating it was noted that the CEO had clicked
on a link in an email that he thought was from the trusted source. However, it wasn’t and when he clicked
the link and entered his credentials, the cyber criminals captured the CEO’s login information, giving them
full access to intimate business and personal details.
Answer Type of Attack: Social engineering, phishing attack.
A phishing attack is a form of social engineering by which cyber criminals attempt to trick individuals by
creating and sending fake emails that appear to be from an authentic source, such as a business or colleague.
The email might ask you to confirm personal account information such as a password or prompt you to open
a malicious attachment that infects your computer with malware.
Result: The hotel’s cash reserves were depleted. The fraudulent transfers amounted to more than ₹ 1 million.
The hotel also contacted a cybersecurity firm to help them mitigate the risk of a repeat attack.
Impact: The business lost ₹ 1 million, and the funds were not recovered. Further there was loss of business
reputation too.
Lessons Learned:
− Train the staff about the dangers of clicking on unsolicited email links and attachments, and the need
to stay alert for warning signs of fraudulent emails. Engage in regular email security training.
− Implement stringent wire transfer protocols and include a secondary form of validation (Multi Factor
Authentication)
− Have a cyber incident response plan ready to implement.
www.auditguru.in PARAM 12.8 | P a g e
