AUDIT TECHNIQUES FOR PROTECTING AGAINST CYBER ATTACKS: A BILATERAL APPROACH OF CASE STUDIES AND INTERVIEW

Dr. Cevdet Kızıl, Associate Professor of Accounting, Istanbul Medeniyet University - [email protected]

Emine Doğan, Undergraduate student, Yalova University - [email protected]

Abstract

Parallel to the developments in communication and information technology, especially the growth and development of the internet, companies have started to experience both advantages and disadvantages. Risk-based audit and IT audit with COBIT are discussed widely. Besides, integrated audit, corporate governance and the COSO framework are popular topics. Big data in auditing, cloud technologies, the Internet of Things (IOT), data fraud and theft, classification of data risks, encryption of data, data analytics and log records can be added to the list of contemporary issues related to auditing. The relationship between auditing and ethics is another dimension of the issue. Thus, today’s auditing environment is very different from that of former years. Besides several benefits and opportunities, communication and information technology improvements have some drawbacks. As an example, cyber attacks have begun to harm organizations. Some measures and auditing techniques are being implemented to protect firms against cyber attacks, but they continue to be a threat. This study stresses the importance of the subject, provides information on terminology, presents a literature review, and analyzes the types of cyber attacks, the software used by companies and the prevention of these cyber attacks. Techniques to protect against cyber attacks are also emphasized. This research also takes advantage of case analysis and an interview with a retired IT professional as a bilateral approach for data and methodology.

Keywords: Auditing, Cyber Attacks, Technology, Security, Information Technologies

The authors provide special thanks to Kemal Tombak, a retired IT manager, for contributing to the interview section of this study.

I. Introduction

In the 21st century, technology has become a very important concept in every field. It is advancing very rapidly, converting yesterday’s rules and principles into today’s reality. However, the fast development of technology is also dangerous for the security of organizations. As technology usage increases, companies are more exposed to cyber attacks from many unknown sources. Auditing companies in particular should be careful in their auditing operations (Mallik, 2004). Auditing has deep roots going back to the history of commercial and financial events. Auditing is a systematic process that collects evidence and evaluates that evidence according to previously determined criteria. There are several principles of auditing, which can be listed as completeness, occurrence, truthfulness, regularity and disclosure (Erdoğan, 2002). Audit techniques are mainly realized in two ways and audit evidence is comprised of the following data:

• Financial statements such as the balance sheet and income statement, as well as all kinds of financial books, account plans and working papers.
• Physical evidence, observations, confirmation, re-computation, examination of documents, inquiry technique, substantive procedures and verbal evidence (Kütük, 2008).

The main objective of a business is to make profits. Enterprises are classified as commercial, production and service enterprises. Accounting is a discipline that records, classifies, summarizes and reports financial transactions of businesses. Accounting is categorized as general accounting (financial accounting), cost accounting and managerial accounting as a system (Kaygusuz, Aslan and Kepçe, 2012). Internal control, internal auditing and independent auditing (external auditing) are significant components for organizational structure. Internal control is a procedure that provides risk management efficiency, protection of assets or tracing of organization’s financial and operational activities. Purpose of internal control is to execute operations in a regular, ethical and economic manner efficiently and effectively. Also, internal control helps to follow laws and regulations. It also protects resources of organizations against loss, misuse and damage. Internal auditing is an independent determination service for measuring and assessing the effectiveness of the internal control system. External auditing (independent auditing) contributes to impeccable financial administration, helps for the achievement of national and international targets, supports the public administration, improves the performance of the administration, increases transparency, ensures accountability, enables use of public funds, guarantees reliability and fights against corruption (Akyel, 2010).

Information and communication technology are very popular among individuals today. Information technology is the use of any computer, storage, networking, and other physical devices to create, store, secure and exchange all forms of electronic data. Its development is really fast. However, as a result of abuse, a new term has arisen: cyber crime. Cyber crime is the act of entering a system in an unauthorized way that is against the law. Thus, cyber crime is related to damaging the system, deleting data, adding data, violation of privacy, preventing access and getting involved in unauthorized actions to enter the system (Yıldız, 2014). Cyber attacks cause cyber crimes, which occur in the ways mentioned below:

• Unauthorized access and control of computer systems and services (to access personal computers or corporate computers).
• Computer sabotage, which happens in two ways (1. Deletion, destruction and replacement of information on the computer by using computer technology. 2. Deletion, destruction and replacement of information on the computer by doing it directly and physically).
• Fraud through computer (creation of a similar credit card with utility programs, transfer of money to a person's account through changes made with programs where financial information is kept, convincing people via email).
• Forgery through computer (printing forged checks, forged documents and false tickets, preparing a website on behalf of somebody else, sending a message for publicity).
• Unauthorized use of legally protected software (copying, augmenting, sale, distribution, and use of software via illegal methods).
• Illegal publications (web sites, electronic mail, newsgroups, forums, and all kinds of communication tools forbidden by government).

There are several types of cyber attacks: web defacements and semantic attacks, domain name server (DNS) attacks, distributed denial of service (DDOS) attacks, malicious code, exploitation of routing vulnerabilities, and compound attacks (Vatis, 2002). Security refers to the rules, procedures and technical precautions that are applied to information systems to hinder unauthorized access, data alteration, theft or physical damage. Internal control, in turn, covers the methods, rules and organizational procedures that protect the assets of an organization and the accuracy and reliability of its records. Security challenges and weaknesses show up due to technical, organizational and environmental factors that are based on inadequate management decisions. Without strong protection, valuable data can be lost, destroyed, or transferred to the wrong and dangerous individuals, who may then disclose very critical data such as significant trade secrets or personal information (Laudon, 2014).

Fixed internet addresses create a fixed target for hackers. Vulnerability has also expanded with the widespread use of e-mail, instant messaging (IM), and peer-to-peer file-sharing programs. E-mail may contain attachments that serve as a jumping-off point for malicious software or unauthorized entry to internal corporate systems and intranets. Employees may use e-mail messages to convey valuable trade secrets, financial data, or private customer information to unauthorized recipients. Attackers can easily retrieve critical data using packet monitoring programs, which work through Wi-Fi networks. These programs are used without authorization to find the address needed to access a network resource (Laudon, 2014).

Table 1: Examples of Malicious Code

Source: Laudon (2014:297)

Today, auditing operations are conducted with the help of information technologies more than in former years. Parallel to this, an increasing amount of investment is made in information technologies (IT). The use of information technologies creates a risk management problem, and at that point internal control and internal auditing are critical. Auditing of information technologies definitely benefits from the sufficiency and efficiency of internal controls (Hatipoğlu, 2014).

II. Literature Review

Kızıl, Çelik, Akman and Şener’s research conducted in 2016 titled Creative Accounting Methods and Manipulation of Financial Data: A Sample Application on Accounting Professionals (Yaratıcı Muhasebe Yöntemleri ve Finansal Bilgilerin Manipülasyonu: Profesyonel Muhasebe Meslek Mensupları Üzerinde Örnek Bir Uygulama) indicated that creative accounting practices and the manipulation of financial information had a significant position today, since they affected several business stakeholders seriously. In this study, concepts such as manipulation, fraud, accounting manipulation and creative accounting practices were mentioned first. Then, the research concentrated on the types as well as the methods of creative accounting practices and manipulation of financial information. This was followed by an investigation of the literature on creative accounting practices and manipulation of financial information. As a part of the research, interview questions on creative accounting practices and manipulation of financial information were directed to a certified public accountant (CPA) and an internal auditor as a model. The study reflected some important results. It was determined that the reasons for accounting manipulation vary, such as inefficiency of the internal control system, inadequacy of the independent audit team, interests of managers, weak management structure, expectations of accounting professionals, career and monetary concerns of accounting professionals, low professional knowledge and experience, willingness of firms to reflect positive financial statements and financial resource allocation concerns of firms (Kızıl, Çelik, Akman and Şener, 2016).

In Kavcı’s study dated 2016 and titled Internal Audit Application Example for Detection of Cyber Crimes (Siber Suçların Tespitinde İç Denetim Uygulama Örneği), developments in information and communication technology were mentioned. It was also emphasized that information and communication technology led to cyber crimes, new firm threats and new victims. To fight against these cyber crimes, legal regulations were developed and security standards were introduced. Companies had to prioritize investments to reduce their cybercrime risk by structuring their internal control systems. Also, throughout auditing operations, the department of information systems and the internal audit team had to work together. After a detailed audit, within the scope of the information obtained, they had to compose and present a report on audit and cyber crimes. Companies also had to prepare and create scenarios against possible threats. They always had to develop control mechanisms as well. Therefore, it was necessary to set up an effective team for internal audit (Kavcı, 2016).

Another study run by Özbilgin in 2016 titled Information Technologies Auditing and International Standards (Bilgi Teknolojileri Denetimi ve Uluslararası Standartlar) discussed the developments in communication and information technology, especially the growth and improvement of the internet. The author argued that this issue had a significant impact on the public and private sectors. The developments concerned with communication and information technology allowed for faster and more efficient processing. However, there were some drawbacks as well as benefits of this rapid change in technology and communication. Audit practices had undergone many changes parallel to technological developments. Thus, organizations definitely had to consider information technology auditing (Özbilgin, 2016).

Aytekin emphasized and discussed in his study and presentation titled Cyber Security in Auditing Committee (Denetim Komitesinde Siber Güvenlik) that the KPMG Auditing Committee Institute had published a report in 2016 titled Auditing Committee Trends. This report had mentioned that auditing committees should show interest in financial risks. According to the report, there was still an important role for audit committees even when companies have a strong cyber security system. Also, auditing committees had to ensure the reliability of financial reports (Aytekin, 2016).

According to Kessel and Allan’s study in 2015 titled Creating trust in the digital world: EY’s Global Information Security Survey 2015, the digital world was bringing a great number of benefits as well as damages. The digital world was a very powerful resource for communicating with the world. Unfortunately, many risks were observed in the digital environment. Audit firms had to scrutinize their work in terms of cyber security (Kessel and Allan, 2015).

Another study conducted by Karslıoğlu in 2014 and titled Cyber Surveillance: The Transformation of the Internet into a Tool of Social Governance (Siber Gözetim: Toplamsal Denetim Aracı Olarak İnternetin Dönüşümü) also discussed the interrelationship between cyber issues and auditing. According to Karslıoğlu, technology had become much more significant in recent years. However, cyber attacks and threats had also increased parallel to the usage of technology. Also, control and monitoring of the internet as well as of cyber attacks had become more critical (Karslıoğlu, 2014).

According to Kırlar’s study in 2014 named Global Cyber Security Executive Information Report (Global Siber Güvenlik Yönetici Bilgilendirme Raporu), more and more corporations were opening their doors to the digital world. However, parallel to the new digital world, security needs were also arising. As an example, important information assets of firms resulting from entering the digital world were facing new threats. Security requirements had to be dynamic as well as armed with digital innovations. This paper also indicated that security violations were inevitable. Every company could be exposed to cyber attacks. Still, the issue of cyber attacks was a controllable problem (Kırlar, 2014).

In Taşkın’s study dated 2010 and titled Computer Based Auditing Techniques to Determine and Prevent Corruption (Yolsuzluğun Tespit ve Önlenmesinde Bilgisayar Destekli Denetim Teknikleri), two kinds of crimes committed in the electronic (computer) environment were mentioned. For the first one, the computer was indicated as the target and for the second one, the computer was indicated as a tool. When the computer was a target, attacks were directed to the local area network or to the computer, causing the computer to crash. When the computer was used as a tool, the aim was to obtain confidential data. Evidence in the digital environment could be destroyed easily. Thus, technology was named as the enemy of audit in this study. Computer Assisted Audit Tools and Techniques (CAATTs) were used to prevent abuse. This was identified as control of data on computer tools and techniques within the scope of the audit (Taşkın, 2010).

Ünver and Canbay’s study dated 2010 and titled Cyber Security in National and International Dimensions (Ulusal ve Uluslararası Boyutlarıyla Siber Güvenlik) discussed that the first aim of individuals, societies and governments was to ensure security. E-government and e-commerce applications had made commercial and public processes connected and dependent on electronic affairs. Connections and dependence had also increased parallel to the usage of technology. Thus, significant precautions had to be implemented mainly in the auditing field to guarantee security. Accordingly, these precautions had to be global (Ünver and Canbay, 2009).

Vatis’s study dated 2002 and titled Cyber Attacks: Protecting America’s Security against Digital Threats discussed cyber attackers’ aim at banking and financial institutions. It was mentioned that the weak and missing points in banks’ systems were making cyber attacks easier and more frequent. Insider threats were occurring frequently as well. Stealing system data was easy if an individual worked within the company. Politically-motivated hackers would seek to attack high-value points, including networks, servers, or routers whose disturbance and damage could have financial, political or tactical results (Vatis, 2002).

III. Data and Methodology

The Data and Methodology section of this study first includes cases concerning cyber attacks and relevant audit techniques. Second, it includes an interview with a retired Information Technologies (IT) manager. Thus, the research benefits from two different techniques in terms of data and methodology.

a) Case Studies on Cyber Attacks and Relevant Audit Techniques

The Banking Regulation and Supervision Agency (BRSA) is an institution that also carries out studies on banking cyber attacks in Turkey. It issued a warning and shared a report about the Society for Worldwide Interbank Financial Telecommunication (SWIFT) issue. SWIFT attacks become active after entering the system, and the viruses are involved with Microsoft Office programs. Through these viruses, changes are made in accounts and addresses. Such cyber attacks have been observed at several banks in Turkey. BRSA warns the banks to be careful about these cyber attacks. First of all, taking precautions is very important. In the Akbank case, hackers attempted a cyber attack and tried to pass security measures. But the security wall of Akbank was very strong, so the attempt failed (Nebil, 2016).

At the Uludağ Economic Summit, a statement was made about the cyber attack on Ziraat Bank. The summit emphasized that banks must take the necessary measures against cyber attacks. The Banking Regulation and Supervision Agency (BRSA) also conducts inspections of banks, so that they will be prepared for cyber attacks (Hürriyet Ekonomi, 2016).

There was a cyber attack on Akbank as well. Because of this cyber attack, Akbank had to make an explanation and present a report to Istanbul Stock Exchange (ISE – Borsa Istanbul). This cyber attack had caused damages, but was limited before becoming a major problem and crisis. Akbank made an announcement to the public that all of its losses were within the scope of its insurance company. The bank was exposed to a financial risk in a total sum of 4 million USD. However, Akbank took precautions against all kinds of cyber attacks. With powerful software, this kind of cyber attack attempt has currently been made ineffective (Habertürk, 2016).

In February 2016, Bangladesh Central Bank experienced a cyber attack. The $100 million theft is one of the largest cyber bank robberies in history. Banks need to improve their defense systems to protect their businesses and clients. At the present time, technological innovation is quite advanced, so banks need to use current and new software systems. Old systems and software have become a major security risk for commercial banks, insurance companies and their consumers (Siber Bülten, 2016).

Nowadays, the events related to the July 15 coup attempt in Turkey are also said to increase cyber attack risks for Turkish banks. There is an increase in notices related to this coup attempt.
Due to these notifications, the Banking Regulation and Supervision Agency (BRSA) conducted a meeting with 10 banks in Turkey and took important decisions. As a result, Turkish banks have strengthened their security systems and measures to become more prepared against cyber attacks (Gazete Vatan, 2016).

b) Interview with a retired Information Technologies (IT) Manager

1- In general, what kind of cyber attacks did you experience and what are your opinions about the damage of these attacks to your organization?

We experienced some of the most popular cyber attacks up to this date. However, some organizations are informed about these attacks while some others are not. As an example, we experienced the Brute Force, Distributed Denial of Service (DDOS) and ransomware attacks. Since we had made a great deal of investment beforehand against such cyber attacks, we were not seriously damaged. On the other hand, this should not mean that we were not harmed a bit. There were damages for sure. But, we always continued our Advanced Persistent Threats (APT) audits and checks on risky points. Finally, social engineering cyber attacks were also observed and experienced by our organization.

2- What kind of measures and security precautions did you take in your organization against cyber attacks?

My organization always evaluated security measures and precautions as a two step process during my service in the firm. These were categorized as traditional and modern security measures. Our traditional measures included common methods such as IPS and IDS antivirus as precautions used in different platforms. In terms of modern measures, we benefited from anti-malware, sandbox solutions and DLP solutions. While I was working as an IT manager, we used to work together with my teammates and manage all these measures. We especially gave importance to the harmonization and adaptation of all measures we used. Another important point here is the human factor. In my opinion, human capital is the most critical component of modern cyber security measures. Thus, I used to focus on the education of personnel for cyber attacks during my service years. Our organization’s employees were subject to continual and periodical training. According to my observations, these training programs also increased the awareness of personnel on cyber security risks and cyber attacks. Finally, our organization always used security software and programs of different firms in order to decrease cyber attack risks. For example, our antivirus and firewall software were products of different companies. We always believed that this also lowered the risks and threats.

3- What are the popular and contemporary cyber attack types today? Which security measures are taken against these cyber attack types?
Two of the most popular and contemporary cyber attacks of recent years are definitely ransomware and Advanced Persistent Threats (APT). Although a complete technical solution doesn’t exist for ransomware attacks, technical measures are possible and personnel awareness training programs can be integrated to get the best results. Also, I believe that sandbox solutions and instant traffic analysis solutions are effective for Advanced Persistent Threats (APT). All of such solutions and ideal defense mechanisms should be used at an optimum level considering the budget of organizations.

4- What are your opinions about the future of cyber attacks and related security measures?

Cyber attacks are evolving and developing every passing day. Defense and security systems are improving as well. However, if we consider the fact that a measure can’t be taken before a new threat and attack is developed, we can say that threats and attacks are always one step ahead. Besides, cyber security experts agree that Internet of Things (IOT) security will cause serious problems in the future. Internet of Things (IOT) becomes a part of our daily lives rapidly. Plus, manufacturers are more focused on the commercial returns and operations of products subject to IOT. Thus, we can assume that security risks associated with IOTs will continue to be a threat for a long time.

IV. Results and Conclusion

Analyzing case studies and conducting an interview on cyber attacks indicate that information technology has developed seriously in recent years. Even though several precautions exist, cyber attackers are able to pass firewall systems. This threat causes material and non-material damages in addition to leading firms to lose their reputation. Thus, cyber attack risks and threats increase parallel to developments in information technology.

With the increase in cyber attacks, the audits of institutions have increased and audit techniques have improved. This is because attacks are carried out over the internet and the controls also have to be executed via computers. There are cyber threats created by particular software. On the other side, precautions are possible against them. There is also counter software used to detect these threats. Many organizations benefit from one or more of such software. The software used in the audit field is generally ACL, Idea 5, Applaud, Prospector, Sage Sterling, CA Panaudit Plus, and CAP.

Almost every institution encounters cyber attacks. They use some techniques to prevent such critical threats. Some of these techniques and methods can be listed as firewall, IPS and IDS antivirus. It is very easy to create a strong security system for the firm. But the security measures should be integrated with each other as well. Having a strong security system is very important. It has many advantages for the company, such as a positive image in the eyes of customers, partners, and competitors.

A variety of auditing techniques are used to protect against cyber attacks. However, the first step at this point is significant. The reason is that the type and kind of cyber attack must be clearly detected. Possible cyber attacks are malware, phishing, cross-site request forgery (CSRF), sniffing, denial of service (DOS) and worms. After detecting the type and kind of cyber attack, the next step is to decide which software should be used against that particular cyber attack. To detect cyber attacks, software is the most preferred technique. If the current auditing software of an organization is not sufficient, extra and special auditing software should be used.

Software and programs used by companies against cyber attacks are numerous. As an example, ACL is a computer-aided auditing program. This program is preferred to detect cyber attacks and solve the related problems. It also includes many features. Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) are the most common software used against cyber attacks and they are very expensive. They detect and block malicious links, which cause serious harm to large and medium-sized institutions. IDS and IPS are often integrated with each other. Therefore, they are also known as IDPS. IDPS is a powerful cleaning tool used against malware and viruses, so it is preferred by many companies.

Another security measure is the firewall. It stops those who want to harm or infiltrate the network. A firewall increases the security of the local network and restricts data traffic. The clear path of data traffic can be determined and sometimes data are directed to flow through a different IP address. It is a highly effective software type. Vulnerability analysis reveals the vulnerabilities that damage the flow of processes. That method makes it possible to detect and eliminate vulnerabilities before the attacker does. A vulnerability scan provides and lists alerts about all possible security threats. It is a widely used method. Data Loss Prevention (DLP) is utilized to prevent data that is important to the organization from being passed on to other people. Threats are reported as well.

As a result, this study first made an introduction and provided information on terminology. Then, a literature review was presented on the subject. This was followed by the data and methodology section, which adopted a bilateral approach. The data and methodology section covered case studies and an interview with a retired information technologies (IT) manager. Several important findings were gathered as a result of the case analysis and the interview method. Future studies can definitely take advantage of new and recent case analysis besides additional interviews with professionals.

References

Akyel, R. (2010). Yönetimde İç Kontrol, İç Denetim ve Dış Denetim Fonksiyonlarının Birbirleri ile İlişkileri ve Türk Kamu Yönetiminde Uygulanmaların Değerlendirilmesi. Ç.Ü. Sosyal Bilimler Enstitüsü Dergisi. Cilt: 19, Sayı: 3, 1-22.

Aytekin, H. (2016). KPMG Türkiye Denetim Komitesi Enstitüsü. Denetim Komitesinde Siber Güvenlik. Türkiye: KPMG.

Erdoğan, M. (2002). Muhasebe, Denetim ve Bağımsız Denetimin Gerekliliği. Doğuş Üniversitesi Dergisi, 51-63.

Gazete Vatan (2016). Bankalara Siber Saldırı İhbarları Arttı. http://www.gazetevatan.com/bankalara-siber-saldiri-ihbarlari-artti-974717-gundem/

Habertürk (2016). Akbank'tan Siber saldırı açıklaması. Habertürk, http://www.haberturk.com/ekonomi/is-yasam/haber/1337008-akbanktan-siber-saldiriaciklamasi

Hatipoğlu, İ. (2014). Kamu Bilgi Teknolojileri. Ankara: İç Denetim Koordinasyon Kurulu.

Hürriyet Ekonomi (2016). Ziraat Bankası’ndan siber saldırı açıklaması. Hürriyet Ekonomi, http://www.hurriyet.com.tr/ziraat-bankasindan-siber-saldiri-aciklamasi-40076848.

Karslıoğlu, F. (2014). Siber Gözetim: Toplamsal Denetim Aracı Olarak İnternetin Dönüşümü (Cyber Surveillance: The Transformation of the Internet Into a Tool of Social Governance). İstanbul Bilgi Üniversitesi Yüksek Lisans Tezi.

Kavcı, R. (2016). Siber Suçların Tespitinde İç Denetim Uygulama Örneği. T.C. İstanbul Ticaret Üniversitesi, Dış Ticaret Enstitüsü, Tartışma Metinleri, İstanbul.

Kaygusuz, S., Aslan, Ü., & Kepçe, N. (2012). Genel Muhasebe-I. Eskişehir: Web-Ofset.

Kessel, P. V., Allan, K. (2015). Creating trust in the digital world: EY’s Global Information Security Survey 2015. http://www.ey.com/Publication/vwLUAssets/ey-global-informationsecurity-survey-2015/$FILE/ey-global-information-security-survey-2015.pdf

Kırlar, C. (2014). Global Siber Güvenlik Yönetici Bilgilendirme Raporu (Global Cyber Security Executive Information Report). Deloitte. İstanbul.

Kızıl, C., Çelik, İ. E., Akman, V., Şener, S. (2016). Yaratıcı Muhasebe Yöntemleri ve Finansal Bilgilerin Manipülasyonu: Profesyonel Muhasebe Meslek Mensupları Üzerinde Örnek Bir Uygulama (Creative Accounting Methods and Manipulation of Financial Data: A Sample Application on Accounting Professional), Beykent Üniversitesi Sosyal Bilimler Dergisi (Beykent University Journal of Social Sciences), Volume: 9, Number: 1, 118, http://dergipark.ulakbim.gov.tr/bujss/article/download/5000145590/5000161141.

Kütük, İ. (2008). Kamu ve Bağımsız Muhasebe Denetiminde Kanıt Toplam Teknikleri. Trakya Üniversitesi Sosyal Bilimler Enstitüsü Yüksek Lisans Tezi. Edirne.

Laudon, K. C. (2014). Management Information Systems-Managing the Digital Firm. Pearson.

Mallik, A. (2004). Technology and Security in the 21st Century: A Demand-Side Perspective. Oxford University Press.

Nebil, F. S. (2016). Swift saldırısı 3 Türk bankasında yaşanmış, BDDK bankaları uyardı. T24. http://t24.com.tr/yazarlar/fusun-sarp-nebil/swift-saldirisi-3-turk-bankasinda-yasanmisbddk-bankalari-uyardi,16136

Siber Bülten (2016). Bangladeş Merkez Bankasına Siber Soygun Vurgunu. https://siberbulten.com/strateji-guvenlik/banglades-merkez-bankasina-siber-soygunvurgunu/

Özbilgin, İ. G. (2016). Bilgi Teknolojileri Denetimi ve Uluslararası Standartlar. Sayıştay Dergisi, 124-127.

Taşkın, K. (2010). Yolsuzluğun Tespit ve Önlenmesinde Bilgisayar Destekli Denetim Teknikleri. 3. Ulusal Kurumsal Yönetim, Yolsuzluk, Etik ve Sosyal Sorumluluk Konferansı, (s. 34). Nevşehir.

Ünver, M. and Canbay, C. (2010). Ulusal ve Uluslararası Boyutlarıyla Siber Güvenlik. Elektrik Mühendisliği Dergisi, 438, 94-103.

Vatis, M. (2002). Cyber Attacks: Protecting America’s Security Against Digital Threats, ESDP Discussion Paper ESDP 2002-04, John F. Kennedy School of Government, Harvard University.

Yıldız, M. (2014). Siber Suçlar ve Kurum Güvenliği. T.C. Ulaştırma Denizcilik ve Haberleşme Bakanlığı Uzmanlık Tezi, Kasım 2014, http://www.udhb.gov.tr/images/hizlierisim/efcecbe1f21e9fe.pdf