Question:

Bull and Bear Ltd. is a new, aggressive, Boston-based, medium-sized brokerage firm. It specializes in offering high-quality, personalized service to clients who have a relatively high level of wealth. It is managed by a few individuals who are young, highly motivated, highly educated, and dynamic.

You are an information systems auditor in a firm of public accountants that has just taken over the audit of Bull and Bear from another firm. During an interview with the managing director of Bull and Bear, she emphasizes the extensive use that the company makes of information technology to support its operations. She states that systems within the company have been designed to allow individual professionals to offer a full range of services to each client. Clients do not have to be passed to different individuals to obtain the advice they need on various aspects of their portfolio of investments. The managing director also points out that the previous auditors had not been reappointed because they had failed to come to grips with how Bull and Bear uses information technology to support its operations.

When you ask about the reliability of controls over Bull and Bear's information systems, the managing director boasts that the Board has total commitment to control over the company's operations. In particular, she points out that the operating system used on Bull and Bear's main computer has been certified at level C1 by the National Computer Security Center. She remarks, however, that other controls have been implemented in the operating system in addition to those required for a C1 rating.

The requirements that an operating system must meet for it to be given a C1 rating (discretionary security protection) are as follows:

a. A discretionary access control policy must be supported.

b. Identification and authentication must be implemented on the basis of individual persons or groups of persons. In other words, identification and authentication can occur at the level of groups rather than individuals. Authentication data must be protected from unauthorized access.

c. Security-relevant events do not have to be recorded in a protected audit trail.

d. Objects that are reused (e.g., memory) might not be cleared prior to their assignment to another user. Thus, browsing or scavenging can occur.

e. The operating system must be developed using principles of modularity, layering, data abstraction, and information hiding. It must be tested by qualified persons.

f. The kernel of the operating system must be protected from other processes to ensure its integrity is maintained.

g. The design of the operating system must be documented, especially its security features. Test documentation also must be available.

h. There are no requirements to be met in terms of covert channel analysis, design verification, separation of duties relating to system operators and security administrators, configuration management, correct operation of security features after a system failure, and prevention of unauthorized modifications when the system is distributed to the customer by the vendor.

Required: Outline how the C1 rating for the operating system is likely to affect the conduct of the audit. In particular, what are the likely implications for the design of tests of controls and substantive tests?
