Question:

Centnet Pty. Ltd. is a public electronic funds transfer network that operates switches in the capital cities of all states in Australia (see case 12-1). Because much of the data transmitted throughout the network is sensitive, the data must be encrypted to preserve its privacy and to prevent and detect any unauthorized alterations to the data.

To implement encryption facilities throughout the network, Centnet uses secure encryption devices. These devices are placed at each end of a communication line. They store the encryption key, and they perform encryption and decryption functions. Before a new customer can use the network, Centnet must install a black box at the customer's site. Thus, when the customer transmits data to a Centnet switch, it is encrypted by the black box before transmission. Similarly, when the customer receives data from a Centnet switch, it is decrypted before it is processed on the customer's computer.

Each customer in the network chooses his or her own encryption key. During the initial installation of a customer on the network, the customer is asked to randomly generate a 16-digit key. The customer is advised strongly to generate the key as two separate 8-digit parts. Each part should be known only by one customer employee; that is, no customer employee should be privy to the full key. When the key has been generated, each part should be securely stored at different locations by the customer.

To install the key in the black boxes, the two customer employees who know the separate parts of the key must attend a Centnet office. The key is installed using a secure terminal to which a black box is first attached. Behind closed doors, one customer employee enters the first part of the key into the secure terminal. After the entry is completed, the second customer employee enters the second part of the key in the same manner. Thus, Centnet employees do not know the keys entered by customers, nor does any customer employee know the full key.

After key entry has been completed, the contents of the black box are copied securely into two other black boxes. Thus, three black boxes ultimately hold the encryption key. One is then installed at the Centnet switch, the second is installed at the customer site, and the third is kept for backup purposes.

Required: You have just been hired as the external auditor of Centnet. As a basis for undertaking your first audit, write a brief report outlining (a) the exposures you will consider in your evaluation of the key management system and (b) the tests you will undertake to evaluate the reliability of controls within the key management system.
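The following is an added example, not part of the original case text. It models the split-knowledge scheme described above (a 16-digit key entered as two 8-digit parts) and measures how much of the key remains unknown to one custodian acting alone. For comparison it includes a digit-wise additive split, which is an assumption introduced here and is not something the case says Centnet uses; all function names are hypothetical.

```python
import math
import secrets

KEY_DIGITS = 16   # key length stated in the case
PART_DIGITS = 8   # length of each custodian's part, as stated in the case

def random_digits(n):
    """Return n decimal digits from the OS CSPRNG (leading zeros allowed)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n))

def split_concatenated(key):
    """Scheme in the case: custodian A holds the first half, B the second."""
    return key[:PART_DIGITS], key[PART_DIGITS:]

def combine_concatenated(part_a, part_b):
    return part_a + part_b

def split_additive(key):
    """Comparison scheme (assumption, not in the case): two full-length
    components whose digit-wise sum mod 10 equals the key. One component
    alone is uniformly random and independent of the key."""
    comp_a = random_digits(len(key))
    comp_b = "".join(str((int(k) - int(a)) % 10) for k, a in zip(key, comp_a))
    return comp_a, comp_b

def combine_additive(comp_a, comp_b):
    return "".join(str((int(a) + int(b)) % 10) for a, b in zip(comp_a, comp_b))

def keyspace_bits(unknown_digits):
    """Size of the search space, in bits, for that many unknown digits."""
    return unknown_digits * math.log2(10)

def residual_digits(scheme):
    """Key digits still unknown to one custodian who holds only their share."""
    if scheme == "concatenated":
        return KEY_DIGITS - PART_DIGITS   # the other half only
    if scheme == "additive":
        return KEY_DIGITS                 # a single component reveals nothing
    raise ValueError(f"unknown scheme: {scheme}")

if __name__ == "__main__":
    key = random_digits(KEY_DIGITS)  # constructed sample key, not a real one
    assert combine_concatenated(*split_concatenated(key)) == key
    assert combine_additive(*split_additive(key)) == key
    print(f"no share held: {keyspace_bits(KEY_DIGITS):.1f} bits")
    for scheme in ("concatenated", "additive"):
        bits = keyspace_bits(residual_digits(scheme))
        print(f"{scheme}: one custodian still faces {bits:.1f} bits")
```

For the evaluation the case asks for, the relevant figures are the total key space of a 16-digit decimal key and the much smaller space left to a custodian who already holds one 8-digit part.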
