Auditor's Guide To Information Systems Auditing
User Manual:
Open the PDF directly: View PDF .
Page Count: 511
Download | |
Open PDF In Browser | View PDF |
ch00_FM_4768 1/8/07 2:42 PM Page iii Auditor’s Guide to Information Systems Auditing RICHARD E. CASCARINO John Wiley & Sons, Inc. ch00_FM_4768 1/8/07 2:42 PM Page ii ch00_FM_4768 1/8/07 2:42 PM Page i Auditor’s Guide to Information Systems Auditing ch00_FM_4768 1/8/07 2:42 PM Page ii ch00_FM_4768 1/8/07 2:42 PM Page iii Auditor’s Guide to Information Systems Auditing RICHARD E. CASCARINO John Wiley & Sons, Inc. ch00_FM_4768 1/8/07 2:42 PM Page iv This book is printed on acid-free paper. Copyright © 2007 John Wiley & Sons, Inc. All rights reserved. Wiley Bicentennial Logo: Richard J. Pacifico. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley .com/go/permissions. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at http://www.wiley.com. Library of Congress Cataloging-in-Publication Data Cascarino, Richard. Auditor’s guide to information systems auditing / Richard E. Cascarino. p. cm. Includes index. ISBN: 978-0-470-00989-5 (cloth : alk. paper) 1. Electronic data processing—Auditing. I. Title. QA76.9.A93C37 2007 658’.0558—dc22 2006033470 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1 ch00_FM_4768 1/8/07 2:42 PM Page v Dedication wish to take this opportunity to dedicate this book to my wife Max who has, over the last 33 years, put up with my bad temper when the computer would not do what I programmed it to do; my ego when it did eventually work; my despair when the system crashed again and again, and my complacency when the problems were solved. I would also like to thank those who molded my career over the years, particularly Jim Leary for showing me what an IS manager could be and Scotch Duncan Anderson for showing me what an Internal Auditor should be. I v ch00_FM_4768 1/8/07 2:42 PM Page vi ch00_FM_4768 1/8/07 2:42 PM Page vii Contents PREFACE ABOUT THE CD PART I IS Audit Process CHAPTER 1 Technology and Audit Technology and Audit Batch and On-Line Systems CHAPTER 2 IS Audit Function Knowledge Information Systems Auditing What Is Management? Management Process Understanding the Organization’s Business Establishing the Needs Identifying Key Activities Establish Performance Objectives Decide The Control Strategies Implement and Monitor the Controls Executive Management’s Responsibility and Corporate Governance Audit Role Conceptual Foundation Professionalism within the IS Auditing Function Relationship of Internal IS Audit to the External Auditor Relationship of IS Audit to Other Company Audit Activities Audit Charter Charter Content Outsourcing the IS Audit Activity Regulation, Control, and Standards xix xxxiii 1 3 4 9 24 24 25 25 26 26 26 27 27 27 28 28 29 29 30 30 30 31 31 32 vii ch00_FM_4768 1/8/07 2:42 PM Page viii viii Contents CHAPTER 3 IS Risk and Fundamental Auditing Concepts Computer Risks and Exposures Effect of Risk Audit and Risk Audit Evidence Reliability of Audit Evidence Audit Evidence Procedures Responsibilities for Fraud Detection and Prevention CHAPTER 4 Standards and Guidelines for IS Auditing IIA Standards Code of Ethics Advisory Aids Standards for the Professional Performance of Internal Auditing ISACA Standards ISACA Code of Ethics COSO: Internal Control Standards BS 7799 and ISO 17799: IT Security NIST BSI Baselines CHAPTER 5 Internal Controls Concepts Knowledge Internal Controls Cost/Benefit Considerations Internal Control Objectives Types Of Internal Controls Systems of Internal Control Elements of Internal Control Manual and Automated Systems Control Procedures Application Controls Control Objectives and Risks General Control Objectives Data and Transactions Objectives Program Control Objectives Corporate IT Governance CHAPTER 6 Risk Management of the IS Function Nature of Risk Auditing in General 33 33 35 37 39 39 40 41 43 43 44 46 46 47 47 49 49 51 53 54 57 57 59 59 61 62 63 64 65 65 66 67 67 68 69 75 75 76 ch00_FM_4768 1/8/07 2:42 PM Page ix Contents Elements of Risk Analysis Defining the Audit Universe Computer System Threats Risk Management CHAPTER 7 Audit Planning Process Benefits of an Audit Plan Structure of the Plan Types of Audit CHAPTER 8 Audit Management Planning Audit Mission IS Audit Mission Organization of the Function Staffing IS Audit as a Support Function Planning Business Information Systems Integrated IS Auditor vs Integrated IS Audit Auditees as Part of the Audit Team Application Audit Tools Advanced Systems Specialist Auditor IS Audit Quality Assurance CHAPTER 9 Audit Evidence Process Audit Evidence Audit Evidence Procedures Criteria for Success Statistical Sampling Why Sample? Judgmental (or Non-Statistical) Sampling Statistical Approach Sampling Risk Assessing Sampling Risk Planning a Sampling Application Calculating Sample Size Quantitative Methods Project Scheduling Techniques Simulations Computer Assisted Audit Solutions ix 78 79 81 83 88 88 93 96 98 98 99 99 100 101 103 103 104 104 106 107 107 107 108 109 109 109 110 112 112 113 114 114 116 116 119 122 125 127 128 ch00_FM_4768 1/8/07 2:42 PM Page x x Contents Generalized Audit Software Application and Industry-Related Audit Software Customized Audit Software Information Retrieval Software Utilities On-Line Inquiry Conventional Programming Languages Microcomputer-Based Software Test Transaction Techniques CHAPTER 10 Audit Reporting Follow-up Audit Reporting Interim Reporting Closing Conferences Written Reports Clear Writing Techniques Preparing To Write Basic Audit Report Executive Summary Detailed Findings Polishing the Report Distributing the Report Follow-Up Reporting Types of Follow-Up Action PART II Information Systems/Information Technology Governance CHAPTER 11 Management IS Infrastructures Project-Based Functions Quality Control Operations and Production Technical Services Performance Measurement and Reporting Measurement Implementation CHAPTER 12 Strategic Planning Strategic Management Process Strategic Drivers New Audit Revolution 129 130 130 131 131 131 131 132 132 134 134 135 135 135 136 138 139 140 140 142 142 143 144 145 147 147 148 154 155 156 156 158 164 164 165 166 ch00_FM_4768 1/8/07 2:42 PM Page xi Contents Leveraging IS Business Process Re-Engineering Motivation IS as an Enabler of Re-Engineering Dangers of Change System Models Information Resource Management Strategic Planning for IS Decision Support Systems Steering Committees Strategic Focus Auditing Strategic Planning Design the Audit Procedures CHAPTER 13 Management Issues Privacy Copyrights, Trademarks, and Patents Ethical Issues Corporate Codes of Conduct IT Governance Sarbanes-Oxley Act Housekeeping CHAPTER 14 Support Tools and Frameworks General Frameworks COSO: Internal Control Standards Other Standards CHAPTER 15 Governance Techniques Change Control Problem Management Auditing Change Control Operational Reviews Performance Measurement ISO 9000 Reviews xi 166 167 168 168 169 170 171 173 174 174 175 176 177 179 180 181 182 184 186 186 188 188 192 193 196 196 198 199 199 200 201 PART III Systems and Infrastructure Lifecycle Management 205 CHAPTER 16 Information Systems Planning 207 ch00_FM_4768 1/8/07 2:42 PM Page xii xii Contents Stakeholders Operations Systems Development Technical Support Other System Users Segregation of Duties Personnel Practices Object-Oriented Systems Analysis Enterprise Resource Planning CHAPTER 17 Information Management and Usage What Are Advanced Systems? Service Delivery and Management CHAPTER 18 Development, Acquisition, and Maintenance of Information Systems Programming Computers Program Conversions System Failures Systems Development Exposures Systems Development Controls Systems Development Life Cycle Control: Control Objectives Micro-Based Systems CHAPTER 19 Impact of Information Technology on the Business Processes and Solutions Impact Continuous Monitoring Business Process Outsourcing E-Business CHAPTER 20 Software Development Developing a System Change Control Why Do Systems Fail? Auditor’s Role in Software Development 207 208 209 210 212 212 214 215 216 218 218 221 227 227 229 229 232 233 233 235 236 236 237 238 239 241 241 245 247 249 CHAPTER 21 Audit and Control of Purchased Packages 251 Information Systems Vendors Request For Information Requirements Definition Request For Proposal 252 253 254 255 ch00_FM_4768 1/8/07 2:42 PM Page xiii Contents Installation Systems Maintenance Systems Maintenance Review Outsourcing CHAPTER 22 Audit Role in Feasibility Studies and Conversions Feasibility Success Factors Conversion Success Factors CHAPTER 23 Audit and Development of Application Controls What Are Systems? Classifying Systems Controlling Systems Control Stages System Models Information Resource Management Control Objectives of Business Systems General Control Objectives CAATS and their Role in Business Systems Auditing Common Problems Audit Procedures CAAT Use in Non-Computerized Areas Designing an Appropriate Audit Program PART IV Information Technology Service Delivery and Support CHAPTER 24 Technical Infrastructure Auditing the Technical Infrastructure Computer Operations Controls Operations Exposures Operations Controls Personnel Controls Supervisory Controls Operations Audits CHAPTER 25 Service Center Management Continuity Management and Disaster Recovery Managing Service Center Change xiii 256 257 257 258 259 259 263 264 264 265 266 266 266 267 268 269 271 274 274 275 275 277 279 282 284 285 286 286 286 287 289 289 293 ch00_FM_4768 1/8/07 2:42 PM Page xiv xiv Contents PART V Protection of Information Assets CHAPTER 26 Information Assets Security Management What Is Information Systems Security? Control Techniques Workstation Security Physical Security Logical Security User Authentication Communications Security Encryption How Encryption Works Encryption Weaknesses Potential Encryption Data Integrity Double Public Key Encryption Steganography Information Security Policy CHAPTER 27 Logical Information Technology Security Computer Operating Systems Tailoring the Operating System Auditing the Operating System Security Criteria Security Systems: Resource Access Control Facility Auditing RACF Access Control Facility 2 Top Secret User Authentication Bypass Mechanisms CHAPTER 28 Applied Information Technology Security Communications and Network Security Network Protection Hardening the Operating Environment Client Server and Other Environments Firewalls and Other Protection Resources Intrusion Detection Systems 295 297 297 300 301 301 301 302 302 302 303 304 305 305 306 307 308 310 310 311 312 313 314 314 315 316 317 318 319 321 321 323 324 325 326 329 ch00_FM_4768 1/8/07 2:42 PM Page xv Contents xv CHAPTER 29 Physical and Environmental Security 330 Control Mechanisms Implementing the Controls 332 336 PART VI Business Continuity and Disaster Recovery 337 CHAPTER 30 Protection of the Information Technology Architecture and Assets: Disaster Recovery Planning 339 Risk Reassessment Disaster—Before and After Consequences of Disruption Where to Start Testing the Plan Auditing the Plan CHAPTER 31 Insurance Self-Insurance PART VII Advanced IS Auditing CHAPTER 32 Auditing E-commerce Systems E-Commerce and Electronic Data Interchange: What Is It? Opportunities and Threats Risk Factors Threat List Security Technology “Layer” Concept Authentication Encryption Trading Partner Agreements Risks and Controls within EDI and E-Commerce Nonrepudiation E-Commerce and Auditability Compliance Auditing E-Commerce Audit Approach 341 341 343 344 345 346 349 353 355 357 357 358 362 363 363 363 364 364 366 366 367 368 369 370 ch00_FM_4768 1/8/07 2:42 PM Page xvi xvi Contents Audit Tools and Techniques Auditing Security Control Structures Computer Assisted Audit Techniques CHAPTER 33 Auditing UNIX/Linux History Security and Control in a UNIX/Linux System Architecture UNIX Security Services Daemons Auditing UNIX Scrutiny of Logs Audit Tools in the Public Domain UNIX passwd File Auditing UNIX Passwords CHAPTER 34 Auditing Windows History NT and Its Derivatives Auditing Windows 23 Password Protection File Sharing Security Checklist CHAPTER 35 Foiling the System Hackers CHAPTER 36 Investigating Information Technology Fraud Pre-Incident Preparation Detection of Incidents Initial Response Forensic Backups Investigation Network Monitoring Identity Theft 371 372 372 374 374 377 377 378 379 380 380 381 381 382 383 385 385 386 388 389 390 391 393 397 399 401 401 403 404 404 405 ch00_FM_4768 1/8/07 2:42 PM Page xvii xvii Contents APPENDICES APPENDIX A Ethics and Standards for the IS Auditor ISACA Code of Professional Ethics Relationship of Standards to Guidelines and Procedures 407 407 408 APPENDIX B Audit Program for Application Systems Auditing 410 APPENDIX C Logical Access Control Audit Program 432 APPENDIX D Audit Program for Auditing UNIX/Linux Environments 446 APPENDIX E 454 Index Audit Program for Auditing Windows XP/2000 Environments 463 ch00_FM_4768 1/8/07 2:42 PM Page xviii ch00_FM_4768 1/8/07 2:42 PM Page xix Preface n today’s business environment, computers are continuing the revolution started in the 1950s. Size and capacity of the equipment grows on an exponential curve, with the reduction in cost and size ensuring that organizations take advantage of this to develop more effective and responsive systems, which allow them to seek to gain competitive advantage by interfacing more closely with their customers. Net technologies such as electronic data interchange (EDI), electronic funds transfers (EFTs), and E-commerce have fundamentally changed the nature of business itself and, as a result, organizations have become more computer dependent. The radical changes to business are matched only by their impact on society. It has become impossible for today’s enterprises of any size and in any market sector to exist without computers to assist with their fundamental business operations. Even the old adage that “we can always go back to manual operations” is today a fallacy. The nature of today’s business environment obviates that option. Even the smallest businesses have found that the advent of personal computers (PCs) with increased capabilities and processing speed, while at the same time reduced pricing and sophisticated PC software, has revolutionized the concept of what a small business is. In order for organizations to take full advantage of the new facilities that computers can offer, it is important that their systems can be controlled and are dependable. They require that their auditors confirm that this is the case. The modern auditor therefore requires significantly more knowledge of computers and computer auditing than did auditors of earlier years. I xix ch00_FM_4768 1/8/07 2:42 PM Page xx xx Preface CONTROLS IN MODERN COMPUTER SYSTEMS The introduction of the computer has brought fundamental changes to the ways organizations process data. Computer systems: ■ ■ ■ ■ ■ ■ Are frequently much more complex than manual systems, the larger systems at least requiring a number of highly skilled computer technicians to develop and maintain them. Process large volumes of data at high speed, and can transmit data effectively instantaneously over extreme distances, commonly between continents. Hold data in electronic form, which, without the appropriate tools and techniques, is often more complex for the auditor to access than paper records. In addition, modern systems have reduced the volumes of printed outputs by the incorporation of on-line access and on-line inquiry facilities. Indeed, many modern EDI-type systems have no paper audit trail whatsoever. Process data with much less manual intervention than manual systems. In fact large parts of sophisticated systems now process data with no manual intervention at all. In the past, the main justification for computerization was frequently to reduce the number of staff required to operate the business. With modern decision support and integrated systems, this is becoming a reality not at the clerical level, but at the decision-making and control level. This can have the effect that the fundamental business controls previously relied upon by the auditor, such as segregation of duties or management authorization, may no longer be carried out as previously and must be audited in a different manner. In computer systems, the user profile of the member of staff as defined within the system’s access rights will generally control the division of duties while managerial authorities are, in many cases, built into systems themselves. Process consistently in accordance with their programs providing the computer has been programmed correctly and change control is effective. In large minicomputer and mainframe systems, there is a significant concentration of risk in locating the organization’s information resource in one format although not necessarily in one place. Organizations then become totally reliant on their computer sys- ch00_FM_4768 1/8/07 Preface ■ 2:42 PM Page xxi xxi tem and must be able to recover from failure or the destruction of their computer system swiftly and with minimal business disruption. Are often subject to different legal constraints and burdens of proof than manual systems. These changes brought about by computerization can greatly increase the opportunity for auditors to deliver a quality service by concentrating the risk and allowing the auditors to correspondingly concentrate their efforts. For example, harnessing the power of the computer to analyze large volumes of data in the way the auditor requires is commonly now the only practical way of analyzing corporate data, and this was not only impractical but also impossible while data was spread around the organization in a myriad of forms. In addition, the use of computer systems with built-in programmed procedures permit the auditor to adopt a systems approach to auditing in that the controls within the computer system process in a more consistent manner than a manual system. In manual systems the quality of the control procedure can change on a day-by-day basis, depending on the quality of the staff and their consistency of working. This can result in the auditor having to undertake a substantial amount of checking of transactions, to confirm transactions have processed correctly. Controls within computer systems are commonly classified in two main subdivisions: 1. General controls. The controls governing the environment in which the computer system is developed, maintained, and operated, and within which the application controls operate. These controls include the systems development standards operated by the organization, the controls that apply to the operation of the computer installation, and those governing the functioning of systems software. They have a pervasive effect on all application systems. 2. Application controls. The controls, both manual and computerized, within the business application to ensure that data is processed completely, accurately, and in a timely manner. Application controls are typically specific to the business application and include: ch00_FM_4768 1/8/07 2:42 PM Page xxii xxii Preface ■ Input controls such as data validation and batching Run-to-run controls to check file totals at key stages in processing, and controls over output ■ Ultimately, the auditor’s job is to determine if the application systems function as intended, the integrity, accuracy, and completeness of the data is well controlled, and report any significant discrepancies. The integrity of the data relies on the adequacy of the application controls. However, application controls are totally dependent on the integrity of the general controls over the environment within which the application is developed and run. In the past, the auditor has often assumed a considerable degree of reliance on controls around the computer, that is, in the application controls. This is sometimes referred to as auditing “around” the computer, because the auditor concentrates on the input and output from the computer, rather than what happens in the computer. This has never been truly justified but has become, over recent years, a lethal assumption. With the spread of on-line and real-time working, and of the increasing capacity of fixed disks, all of the organization’s data is commonly permanently loaded on the computer system and accessible from a variety of places, with only systems software controls preventing access to the data. This system is increasing in technical complexity and the ability to utilize any implemented weaknesses is also growing. It is critical that the auditor is assured of the integrity of the computer operational environment within which the applications systems function. This means that the auditor must become knowledgeable in the facilities provided in key systems software in the organization being audited. This book is designed for those who need to gain a practical working knowledge of the risks and control opportunities within an IT environment, and the auditing of that environment. Readers who will find the text particularly useful include professionals and students within the fields of: ■ ■ ■ IT security IT audit Internal audit ch00_FM_4768 1/8/07 2:42 PM Page xxiii Preface ■ ■ ■ xxiii External audit Management information systems General business management Overall, this book contains the information required by anyone who is, or expects to be, accountable to management for the successful implementation and control of information systems. It is intended that the text within this book forms the foundation for learning experience, as well as being your reference manual and student text. The emphasis is therefore on both the principles and techniques as well as the practical implementation through the use of realistic case studies. OVERALL FRAMEWORK Within the book the terms Information Technology (IT) and Information Systems (IS) are both used because both are in common use to mean virtually identical functions. The book is split into eight sections, namely: Part I —IS Audit Process This part covers the introduction to the technology and auditing involved with the modern computer systems. It seeks to establish common frames of reference for all IT students by establishing a baseline of technological understanding as well as an understanding of risks, control objectives, and standards, all concepts essential to the audit function. Internal control concepts and the planning and management of the audit process in order to obtain the appropriate evidence of the achievement of the control objectives is explained as is the audit reporting process. Chapter 1 covers the basics of technology and audit. The chapter is intended to give readers an understanding of the technology in use in business as well as knowledge of the jargon and its meaning. It covers the components of control within an IT environment and explains who the main players are and what their role is within this environment. ch00_FM_4768 1/8/07 xxiv 2:42 PM Page xxiv Preface Chapter 2 looks at the laws and regulations governing IS Audit and the nature and role of the audit charter. It reviews the varying nature of audit and the demand for audits as well as the need for control and audit of computer-based IS. The types of audit and auditor and range of services to be provided is reviewed together with the standards and codes of ethics of both the Institute of Internal Auditors (IIA) and the standards specified by the Information Systems Audit and Control Association (ISACA). Chapter 3 explores the concepts of materiality within the IS Audit function and contracts materiality as it is commonly applied to financial statement audit such as those performed by independent external auditors. In this context, the quality and types of evidence required to meet the definitions of sufficiency, reliability, and relevancy is examined. The risks involved in examining evidence to arrive at an audit conclusion is reviewed as are the need to maintain the independence and objectivity of the auditor and the auditor’s responsibility for fraud detection in both an IT and non-IT setting. Chapter 4 explores in detail the ISACA Code of Professional Ethics and the current ISACA IS Auditing Standards and Guidelines Standards as well as the IIA Code of Ethics, Standards for the Professional Practice of Internal Auditing and Practice Advisories. In addition, standards and guidelines other than the ISACA and IIA models are explored. Chapter 5 introduces the concepts of corporate governance with particular attention to the implications within an IT environment and the impact on IS Auditors. Criteria of Control (COCO), Committee of Sponsoring Organizations of the Treadway Commission (COSO), King, Sarbanes-Oxley Act of 2002, and other recent legislative impacts are examined together with the structuring of controls to achieve conformity to these structures. Control classifications are examined in detail together with both general and application controls. Particular attention is paid to COBIT (Control Objectives for Information and Related Technology) from both a structural and relevance perspective. Chapter 6 introduces the concept of computer risks and exposures and includes the development of an understanding of the major types of risks faced by the IT function including the sources of such risk as well as the causes. It also emphasizes management’s role in adopting a risk position, which itself necessitates a knowledge of the ch00_FM_4768 1/8/07 Preface 2:42 PM Page xxv xxv acceptable management responses to computer risks. One of the most fundamental influencing factors in IT auditing is the issue of corporate risk. This chapter examines risk and its nature within the corporate environment and looks at the internal audit need for the appropriate risk analysis to enable risk-based auditing as an integrated approach. This includes the effect of computer risks, the common risk factors, and the elements required to complete a computer risk analysis Chapter 7 examines the Audit Planning Process at both a strategic and tactical level. The use of risk-based auditing and risk assessment methods and standards are covered. The preliminary evaluation of internal controls via the appropriate information gathering and control evaluation techniques as a fundamental component of the audit plan and the design of the audit plan to achieve a variety of audit scopes is detailed. Chapter 8 looks at audit management and its resource allocation and prioritization in the planning and execution of assignments. The management of IS Audit quality through techniques such as peer reviews and best practice identification is explored. The human aspects of management in the forms of career development and career path planning, performance assessment, counselling, and feedback as well as professional development through certifications, professional involvement, and training (both internal and external) are reviewed. Chapter 9 exposes the fundamental audit evidence process and the gathering of evidence that may be deemed to be sufficient, reliable, relevant, and useful. Evidence gathering techniques such as observation, inquiry, interviewing, and testing are examined and the techniques of compliance versus substantive testing are contrasted. The complex area of statistical and nonstatistical sampling techniques and the design and selection of samples and evaluation of sample results is examined. The essential techniques of computer assisted audit techniques (CAATs) are covered and a case study using the software provided is detailed. Chapter 10 covers audit reporting and follow-up. The form and content of an audit report are detailed and its purpose, structure, content, and style as dictated by the desired effect on its intended recipient for a variety of types of opinion are considered as well as the follow-up to determine management’s actions to implement recommendations. ch00_FM_4768 1/8/07 2:42 PM Page xxvi xxvi Preface Part II—Information Systems/Information Technology Governance This part details the processes involved in planning and managing the IS function and the management issues faced in a modern IS department. The techniques used by management and the support tools and frameworks are examined with respect to the need for control within the processes. Chapter 11 covers IT project management, risk management including economic, social, cultural, and technology risk management as well as software quality control management, the management of IT infrastructure, alternative IT architectures and configuration, and the management of IT delivery (operations) and support (maintenance). Performance measurement and reporting and the IT balanced scorecard are also covered as are the use of outsourcing, the implementation of IT quality assurance, and the sociotechnical and cultural approach to management. Chapter 12 examines IS/IT strategic planning and looks at competitive strategies and business intelligence and their link to corporate strategy. These, in turn, influence the development of strategic information systems frameworks and applications. Strategic planning also includes the management of IT human resources, employee policies, agreements, contracts, segregation of duties within IT, and the implementation of effective IS/IT training and education. Chapter 13 looks at the broader IS/IT management issues including the legal issues relating to the introduction of IT to the enterprise, intellectual property issues in cyberspace: trademarks, copyrights, patents as well as ethical issues, rights to privacy, and the implementation of effective IT governance. Chapter 14 introduces the need for support tools and frameworks such as COBIT: Management Guidelines, a framework for IT/IS managers and COBIT: Audit’s Use in Support of the Business Support Cycle. International standards and good practices such as ISOI7799, ITIL, privacy standards, COSO, COCO, Cadbury, King, and Sarbanes-Oxley also play a vital role in ensuring the appropriate governance. Chapter 15 covers the need for, and use of, techniques such as change control reviews, operational reviews, and ISO 9000 reviews. ch00_FM_4768 1/8/07 2:42 PM Page xxvii Preface xxvii Part III—Systems and Infrastructure Lifecycle Management IT is essential to an organization only in so far as it can effectively assist in the achievement of the business objectives. This means that the business application systems need to be appropriate to the business needs and meet the objectives of the users in an effective and efficient manner. Part VI explores the manner in which application systems are planned, acquired externally or developed internally and ultimately implemented and maintained. In all cases such systems have an objective of being auditable in addition to the other unique business objectives. This part also examines the variety of roles that the auditor could be called on to undertake and the circumstances and controls appropriate to each. Chapter 16 covers the IS planning and managing components and includes developing an understanding of stakeholders and their requirements together with IS planning methods such as system investigation, process integration/reengineering opportunities, risk evaluation, cost-benefit analysis, risk assessment, object-oriented systems analysis, and design. Enterprise Resource Planning (ERP) software to facilitate enterprise applications integration is reviewed. Chapter 17 covers the areas of information management and usage monitoring. Measurement criteria such as evaluating service level performance against service level agreements, quality of service, availability, response time, security and controls, processing integrity, and privacy are examined. The analysis, evaluation, and design information together with data and application architecture are evaluated as tools for the auditor. Chapter 18 investigates the development, acquisition, and maintenance of information systems through Information Systems project management involving the planning, organization, human resource deployment, project control, monitoring, and execution of the project plan. The traditional methods for the system development life cycle (SDLC) (analysis, evaluation, and design of an entity’s SDLC phases and tasks) are examined as are alternative approaches for system development such as the use of software packages, prototyping, business process reengineering, or computer aided software engineering (CASE). In addition system maintenance and change control pro- ch00_FM_4768 1/8/07 2:42 PM Page xxviii xxviii Preface cedures for system changes together with tools to assess risk and control issues and to aid the analysis and evaluation of project characteristics and risks are discussed. Chapter 19 examines the impact of IT on the business processes and solutions, Business process outsourcing (BPO) and applications of e-business issues and trends. Chapter 20 looks at the software development design process itself and covers the separation of specification and implementation in programming, requirements specification methodologies, and technical process design. In addition database creation and manipulation, principles of good screen and report design, and program language alignment are covered. Chapter 21 looks at the audit and control of purchased packages to introduce readers to those elements critical to the decision taken to make or buy software. This includes a knowledge of the systems development process and an understanding of the user’s role in training required so that the outsource decision on the factors surrounding it may be made to best effect. Chapter 22 looks at the auditor’s role in feasibility studies and conversions. These are perhaps the most critical areas of systems implementation and audit involvement should be compulsory. Chapter 23 looks at the audit and development of applicationlevel controls including input/origination controls, processing control procedures, output controls, application system documentation, and the appropriate use of audit trails. Part IV—Information Technology Service Delivery and Support This part examines the technical infrastructure in a variety of environments and the influence the infrastructure has on the management and control procedures required to attain the business objectives. The nature and methodologies of service center management are exposed for discussion. Chapter 24 examines the complex area of the IS/IT technical infrastructure (planning, implementation and operational practices). IT architecture/standards over hardware including mainframe, mini- ch00_FM_4768 1/8/07 2:42 PM Page xxix Preface xxix computers, client-servers, routers, switches, communications, and PCs as well as software including operating systems, utility software, and database systems are revealed. Network components including communications equipment and services rendered to provide networks, network-related hardware, network-related software, and the use of service providers are covered as are security/testing and validation, performance monitoring, and evaluation tools and IT control monitoring and evaluation tools, such as access control systems monitoring and intrusion detection systems monitoring tools. In addition, the role of managing information resources and information infrastructure through enterprise management software and the implementation of service center management and operations standards/ guidelines within COBIT, ITIL, and ISO 17799 together with the issues and considerations of service center versus proprietary technical infrastructures are explored. Chapter 25 introduces the areas of service center management and the maintenance of Information Systems and technical infrastructures. These involve the use of appropriate tools designed to control the introduction of new and changed products into the service center environment and include such aspects as security management, resource/configuration management, and problem and incident management. In addition, the administration of release and versions of automated systems as well as the achievement of service level management through capacity planning and management of the distribution of automated systems and contingency/backup and recovery management are examined. The key management principles involved in management of operations of the infrastructure (central and distributed), network management, and risk management are outlined as is both the need for customer liaison as well as the management of suppliers. Part V—Protection of Information Assets This part examines the essential area of IT security in all of its manifestations. The administration of security focusing on information as an asset is commonly problematic and may frequently be observed as a patchwork of physical and logical security techniques with little ch00_FM_4768 1/8/07 2:42 PM Page xxx xxx Preface thought to the application and implementation of an integrated approach designed to lead to the achievement of specific control objectives. Chapter 26 looks at the area of Information Assets Security Management. This covers information technology and security basics and the fundamental concepts of IS security. The need for securing IS resources and maintaining an adequate policy framework on IS assets security, the management of IS security, and security training standards are examined as are the major compliance and assurance issues in IS security. Chapter 27 covers the critical area of the components of logical IT security. Logical access control issues and exposures are explored together with access control software. The auditing of logical access to ensure the adequate control of logical security risks using the appropriate logical security features, tools, and procedures is detailed. Chapter 28 looks at the application of IT security including communications and network security. The principles of network security, client-server, Internet and web-based services, and firewall security systems are all detailed together with connectivity protection resources such as cryptography, digital signatures, digital certificates, and key management policies. IT security also encompasses the use of intrusion detection systems and the proper implementation of mainframe security facilities. Security is also a critical element in the development of application systems and involves both the systems development and maintenance processes and the database design. Chapter 29 examines the concepts of physical IT security including physical access exposures and controls. Part VI—Business Continuity and Disaster Recovery In many organizations, the ongoing continuity and availability of an information processing capability is critical to the corporate survival of the entity. This part explores the need for and techniques utilized in the protection of the Information Technology Architecture and Assets through both Disaster Recovery Planning and the transfer of risk by utilizing the appropriate Insurance profile. The auditor’s role in examining corporate continuity plans is examined in detail. ch00_FM_4768 1/8/07 2:42 PM Page xxxi Preface xxxi Chapter 30 introduces the activities required to ensure the protection of the IT architecture and assets. These include backup provisions involving business impact analysis and business continuity planning leading to IT disaster recovery planning, obtaining management support and commitment to the process, plan preparation and documentation, obtaining management approval, and distribution of the plan. In addition, the testing, maintenance, and revision of the plan together with audit’s role in all of these activities are investigated. Chapter 31 looks at insurance and the variety of insurance coverage that can be obtained. Issues such as the valuation of assets, including equipment, people, information processes, and technology are examined. Part VII—Advanced IS Auditing The final part explores the technical auditor’s function and role in auditing specialized areas such as the audit and control of e-commerce systems, auditing operating systems at both micro and mainframe levels, securing systems against outside penetration, and investigating security breaches. Chapter 32 examines the tasks required to establish and optimize the IT audit functions including defining the scope of IP auditing, setting the objectives, staffing, and training. Measuring of the effectiveness of the IT audit and the role of the specialist are critical in producing an effective IT audit function. Chapter 33 introduces readers to the concepts of the paperless society inherent in e-commerce, B2B, B2C, and EDI in general. These concepts change the internal control structure required in such an environment as well as changing the sources of what audit and legal evidence is available. The auditor will be required to implement the correct program to bring the contoured auction line with this changing business environment. Chapter 34 takes the reader through the advanced concepts of auditing within a Linux environment including the major threat categories and control opportunities as well as the use of the appropriate audit tools. Chapter 35 covers in detail the theory and practice of auditing within a Windows 95/98/ME or Windows NT/2000/XP environment. ch00_FM_4768 1/8/07 xxxii 2:42 PM Page xxxii Preface This again includes the major control opportunities, controls to be sought, and audit tools to be used. Chapter 36 addresses the major risk of computer hackers including definitions of how hackers gain entrance and the design of the appropriate security hierarchy in order to effectively manage this critical risk. Chapter 37 examines the problem of computer fraud and countermeasures to prevent, detect, and alleviate the problems. This includes the effect on the risk of fraud on the business control objectives, the techniques applicable for determining higher risk as well as the impact of computer fraud on an organization. The ability to distinguish between types of computer fraud, and the nature and effect as well as identification of likely fraud indicators enables the structuring of an appropriate antifraud security environment. The auditor must be capable of distinguishing between fraud and forensic auditing and applying the appropriate techniques. This involves an understanding of the rules that influence the acceptability of computer evidence as legally acceptable and binding evidence. ch00_FM_4768 1/8/07 2:42 PM Page xxxiii About The CD s part of your purchase of this book, you have been given an education version of IDEA—Data Analysis Software. This software can improve your audit performance and extend your capabilities with IDEA’s powerful functionality. With IDEA, you can lower your cost of analysis, add more quality to your work and meet the new professional requirements regarding fraud and internal control. IDEA can read, display, analyze, manipulate, sample or extract from data files from almost any source—from SAP to QuickBooks— including reports printed to a file. IDEA adds depth and productivity to audits and helps users meet the requirements of SAS 99 and Sarbanes-Oxley 404. Examples of how IDEA can be used to meet audit objectives include: accuracy—checking totals and calculations; analytical review—comparisons, profiling, stratifying; validity—duplicates, exceptions, statistical samples; cut-off-date and number sequence analysis; valuation—A/R and inventory provisions analysis. Included on the CD is a combination of extensive HTML-based Help, Informative User Guide with tutorial, “IDEAssistants”—wizards for key functions, Windows-standard features like right-click and drag and drop, plus a carefully designed user interface make learning and using a breeze. IDEA is a registered trademark of CaseWare IDEA Inc. A xxxiii ch00_FM_4768 1/8/07 2:42 PM Page xxxiv ch01_4768 1/8/07 2:45 PM Page 1 PART I IS Audit Process 1 ch01_4768 1/8/07 2:45 PM Page 2 ch01_4768 1/8/07 2:45 PM Page 3 CHAPTER 1 Technology and Audit his chapter covers the basics of technology and audit. The chapter is intended to provide an understanding of the technology currently in use in business as well as knowledge of the jargon and its meaning. It also covers the components of control within an IT environment and explains who the main players are and what their roles are within this environment. After reading this chapter you should be able to: T ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Understand the technology currently in use in business Understand the jargon and its meaning Define the components of control in an IT environment Briefly explain who the players are and what their roles are Define the fundamental differences between batch and on-line systems Explain the principal business risks within each processing type Describe the components that make up the on-line system and the effect these have on control objectives Explain the controls within each type of computer system Contrast the basics of batch and on-line security Demonstrate an ability to: ● Identify the differing types of database structures ● Identify the principal components of each type of Database Management System (DBMS) ● Identify the primary threats to each of these components ● Relate DBMS components to the operating system environment in which they operate ● Identify potential control opportunities and select among control alternatives ● Identify the principal DBMS products in market 3 ch01_4768 1/8/07 2:45 PM Page 4 4 IS AUDIT PROCESS ● Recognize vulnerabilities in multiple DBMS environments and make appropriate recommendations TECHNOLOGY AND AUDIT Some Computing Jargon Before we can start to discuss the audit and control of computer systems, we must have a common understanding of the jargon used. Hardware consists of those components that can physically be touched and manipulated. Principles among those components are: Hardware ■ ■ ■ CPU. The Central Processing Unit is the heart of the computer. This is the logic unit that handles the arithmetic processing of all calculations. Peripherals. Peripheral devices are those devices that attach to the CPU to handle, typically, inputs and outputs. These include: ● Terminals ● Printers ● Disk and tape devices Memory. Memory takes the form in modern computers of silicon chips capable of storing information. In commercial computers, this information takes the form of 1 and 0 in the notation known as binary. Memory comes in various forms including: ● RAM. Random Access Memory whose contents can be changed but which is vulnerable to loss of power where the contents of memory may also be lost. This type of memory is also known as dynamic or volatile memory. ● ROM. Read-Only Memory is a form of memory whereby instructions are “burned-in” and not lost in the event of a power loss. These programs cannot be changed. This is also known as non-volatile memory. ● PROM. Programmable Read-Only Memory is similar to ROM but can have the contents changed. ● EPROM. Erasable Programmable Read-Only Memory is similar to PROM but the instructions can be erased by ultra-violet light. There is another version of memory known as ch01_4768 1/8/07 2:45 PM Technology and Audit ■ ■ ■ ■ ■ Page 5 5 nonvolatile RAM. This is memory that has been attached to a battery so that, in the event of a power loss, the contents will not be lost. Mainframe. Mainframe computers are the large (physically as well as in power) computers used by companies to carry out large volume processing and concentrated computing. Mini. Minicomputers are physically smaller than mainframes, although the power of many minicomputers exceeds that of recent mainframes. Micro. Microcomputers are physically small computers with limited processing power and storage. Having said that, the power and capacity of today’s micro is equivalent to that of a mainframe only five years ago. LANs. Local Areas Networks are collections of computers linked together within a comparatively small area. WANs. Wide Area Networks are collections of computers spread over a large geographical area. Storage Data is stored in a variety of forms for both permanent and temporary retention: ■ ■ ■ ■ ■ ■ ■ Bits. Binary Digits, individual ones and zeros Bytes. Collections of Bits making up individual characters Disks. Large-capacity storage devices containing anything from 10 Mb to 150 Gb of data Diskettes. Small-capacity removable disks containing from 360 k to 100 Mb of data Optical Disks. Laser-encoded disks containing between 650 Mb and 9 GB of data Tapes. Reel-to-Reel or cassette Memory. As above Communications In order to maximize the potential of the effective use of the information on computers it is essential that isolated computers be able to communicate and share data, programs, and hardware devices. ■ Terminals. Remote devices allowing the input and output to and from the computer of data and programs. ch01_4768 1/8/07 6 2:45 PM Page 6 IS AUDIT PROCESS ■ ■ ■ ■ ■ Modem. MOdulator/DEModulator, which translates digital computer signals into analog signals for telephone wires and retranslates them at the other end. Multiplexer. Combining signals from a variety of devices to maximize utilization of expensive communication lines. Cable. Metallic cable, usually copper, which can carry the signal between computers. These may come in the form of “twisted pair,” where two or more cables are strung together within a plastic sleeve, or in the form of coaxial, where a cable runs within a metallic braiding in the same manner as a television aerial cable. Fiber Optics. These consist of fine strands of fiberglass or plastic filaments that carry light signals without the need for electrical insulation. They have extremely high capacity and transfer rates but are expensive. Microwave. This form of communication involves sending highpower signals from a transmitter to a receiver. They work on a direct line-of-sight basis but require no cabling. Input Inputs to computer systems have developed rapidly over the years. The IS Auditor will still occasionally encounter some of the earlier types: ■ ■ ■ ■ ■ Cards. Rarely seen nowadays, punch cards were among the first input and output media and consisted of cardboard sheets, some 8 inches by 4 inches with 80 columns, where rectangular holes could be punched in combinations to represent numeric, alphabetic, and special characters. Paper Tape. Another early input/output medium, paper tape was a low-cost alternative to punch cards and consisted of a 1-inch wide paper tape with circular holes punched to form the same range of characters. Keyboards. The most common input device today (although that is changing). Most keyboards are still based on the original typist’s QWERTY keyboard design. Mouse. An electromechanical pointing device used for inputting instructions in real time. Scanners. Optical devices that can scan pictures into a digitized computer-readable form. These devices may be used in combination with OCR (Optical Character Recognition) software to ch01_4768 1/8/07 2:45 PM Technology and Audit ■ ■ Page 7 7 allow the computer to interpret the pictures of data into actual characters. Bar Codes. Optically recognizable printing that can be interpreted by low-cost scanners. Common in retail operations. Voice. Perhaps the future of computer input whereby the computer user, programmer, or auditor simply dictates into a microphone and the computer responds appropriately. As with inputs, outputs are changing rapidly. In the earliest of computing times, output came in three basic forms. The most common of these was paper; however, quantities of cards and paper tape were output for subsequent reprocessing. Nowadays most outputs are via screens or directly onto magnetic media. Output ■ ■ ■ ■ ■ ■ Paper. Still a popular output medium, paper may be in continuous stationery form, cut sheet form, or preprinted business stock such as invoices or negotiable instruments such as checks. Computer. Output directly to another computer is a growing trend with the coming of age of electronic data interchange (EDI). Screen. Output to screen is the current norm for the majority of outputs with graphics, tables, and charts, and three-dimensional forms possible. Microfilm/fiche. For permanent, readable recording of outputs with a small storage space required, microfilm is a popular output medium. Each frame contains one page of printed output. An alternative is the creation of microfiche measuring approximately 6 inches by 4 inches and containing some 200 pages of printout. Magnetic Media. Output to disks, diskettes, and tapes is commonly used to store large volumes of information. Voice. Another new output medium is voice, where a permanent record is not required. Within the computer systems, control is exercised at a variety of points within the overall architecture. At each stage, opportunities exist to vary the manner in which the computer systems perform to meet the needs of the users. Control ■ Operating System. The Operating System is the set of programs that control the basic operations of the computer. All other soft- ch01_4768 1/8/07 8 2:45 PM Page 8 IS AUDIT PROCESS ■ ■ ■ ■ ■ ware runs under the direction of the Operating System and rely on its services for all of the work they undertake. Applications. These systems perform the business functions required of the computer. They run under the direct control of the Operating System but may contain many powerful control elements themselves. Parameters. These are user-defined variations adjusting the manner in which programs normally operate. Run Instructions. These are instructions to operators of computers instructing them on the jobs to be run and responses to machine questions to be entered. JCL. Job Control Language is a means of automating the job-running process by giving the computer the instructions in a form of batch programming language. Human Element. Ultimately control is exercised by the people who use, operate, program, and manage computers. As pointed out in the Criteria of Control (CoCo) report referenced in Chapter 15, control is exercised by people and, as such, the auditor must understand the roles and responsibilities of the individuals involved in the development and processing of computer systems. People ■ ■ ■ ■ ■ ■ ■ Operators. Run the computers on a day-to-day basis. Programmers. Write the application programs that run on the computer. Systems Designers. Design the overall structure of the application systems and specify the programs required. Systems Analysts. Analyze the business structures, applications, and procedures to determine what, if any, contribution IS can make. They will also design the outline business specifications of new systems. Systems Programmers. Are responsible for the well-being of the Operating Systems and programmers, the related systems software components. Database Analysts. Are responsible for maintaining the Database Management System (DBMS), which is the systems software controlling access to and format of the data. Network Analysts. Are responsible for ensuring availability; performance standards and security are achieved on networks. ch01_4768 1/8/07 2:45 PM Page 9 Technology and Audit ■ Data ■ 9 Management. Plan, organize, and direct to ensure corporate objectives are achieved. Data consists of: Fields held in ● Records held in ■ Files held on ● Disks BATCH AND ON-LINE SYSTEMS Batch versus On-line In the early days of commercial computing, and up to the late 1960s, most processing took place on a batch basis only. This meant that all inputs were collected centrally and input together in “batches” of documents. This would typically take place using a centralized data preparation function to convert the data from written form into holes punched into either cards or continuous paper tape. The process was highly error prone and the input medium was fragile. In later batch systems the data was entered via a terminal onto a file, which would later be processed in batch mode. In this type of system, the primary control objectives were the accuracy and completeness of capture. Many highly effective controls were designed and implemented to ensure completeness of data capture of batches of data, complete capture of all batches, and accurate capturing of batches of input data. These controls included the manual preparation of batch header documents for later comparison to computer-generated information, and double keystroke verification, whereby an operator entered the data into a batch of cards or directly onto a file containing a batch of input transactions. This data was then re-input by an independent data capture clerk and system-compared to ensure accuracy and completeness. With the advent of on-line systems such controls fell away because they were deemed to be no longer appropriate. In many cases within an on-line environment very few alternative controls were implemented and frequently the auditor would find that large ch01_4768 1/8/07 2:45 PM Page 10 10 IS AUDIT PROCESS assumptions were made as to the adequacy of the controls surrounding the accuracy and completeness of data input. In today’s systems, capture and processing will normally take place using on-line, real-time data capture with a small batch component. Input is typically via a terminal with instantaneous update. Overnight report production in batch mode is common. The terminals may be local or remote and the remote terminals may be either dial-up or dedicated. The terminals themselves may be of differing types but the principal control objectives remain: ■ ■ ■ ■ Availability Security Confidentiality Accuracy In on-line systems there is an additional component to the system that comes complete with its own concerns and that is the Communications component. This may take the forms of microwave links, satellite hook-ups, or the more basic cables, which themselves may be either dedicated or dial-up. Computers communicate in a digital form where a signal is either on or off, whereas normal telephone cables operate in an analog mode where the signal is moderated either by changing the height of the curve (amplitude modulation or AM) or by changing the frequency of the signal (frequency modulation or FM). Communications may operate in a Simplex mode where traffic is one way only. This means effectively that a circuit must make a complete circle to get there and get a reply back. This form of circuit is inexpensive but vulnerable. Half-duplex communications allows two-way traffic, but only one way at a time. This is the type of signal used in CB radio. Duplex communications involves simultaneous two-way communication. Computer systems typically use half-duplex communications. Other communication concepts that will be of interest to the auditor are: ■ ■ Synchronous communications. High-speed transmission and reception of long groups of characters Asynchronous communications. Slow, irregular transmissions, one character at a time with start and stop bits ch01_4768 1/8/07 2:45 PM Page 11 Technology and Audit ■ ■ 11 Encryption. Scrambling of data into unreadable forms such that it can be unscrambled Protocol. A set of rules for message transmission in the network Networks themselves may be of varying types including Private Networks; Public Switched Networks (PSNs), such as the telephone systems; Value Added Networks (VANs), such as Beltel, where the service provider adds on additional services to simply providing point-to-point connection; and Local Area Networks (LANs), where the connections are both private and nearby. Where there is a significant physical distance involved the network may be referred to as a Wide Area Network (WAN). In recent years, the Internet has become of increasing concern as well as use to the Internal Auditor. The Internet is a collection of computers worldwide connected together loosely and provides both a source of information as well as a source of external risk. Networks may be configured as point-to-point with separate direct links. An alternative configuration could be a multidrop configuration with multiple terminals sharing a single line. Ring Networks have no central computer; each machine is classed as a “node” on the network, and Star Networks have a single, central computer coordinating all communications. Where an on-line system exists, there may be capabilities for: ■ ■ ■ On-line inquiry, which allows a remote user to retrieve data directly. In this case the primary concern should be Confidentiality of information. On-line data entry permits remote entry of data and allows concurrent processing of data. In this case the primary concerns would be Transaction Authenticity as well as Accuracy and Completeness. On-line update is similar to on-line data entry but with immediate effect of transactions. The primary concerns here would be Concurrency Control (prevention of two users updating the same record at the same time) and Availability. The basic on-line concerns are: ■ ■ Availability Security ch01_4768 1/8/07 2:45 PM Page 12 12 ■ ■ IS AUDIT PROCESS Unauthorized access Accidental or intentional changes Security-threatened areas would include the operating system and particularly its management features, intercomputer communication including dial-up access and gateways, as well as poor network performance. In any networked operation, availability is a major concern. This includes availability of the hardware components, the software, the data, the networking capability, and the human resources. Typical controls in this area to protect against unavailability are the ensuring of: ■ ■ ■ ■ ■ ■ An adequate physical environment Adequate backups Multiple redundancies in equipment to ensure no reliance on a single piece Peer-to-peer networking to permit mutual back-up Adequate disaster recovery planning Training of the appropriate sort Security itself is a factor of the hardware, the software, and the human element. Hardware is liable to theft, sabotage, and penetration. On the software side, the operating system software may itself be stolen, corrupted, or bypassed, while applications software may suffer a similar fate and may additionally be substituted by an alternative application. Data is one of the organization’s most valuable assets and may be liable to theft, corruption, substitution, or manipulation. Such security threats may come from normal users of the systems, deliberately or accidentally, specialist insiders such as the IT staff, legitimate outsiders such as computer engineers, or even customers and suppliers who have been granted access to the site, or outside hackers who attempt to penetrate the organization’s security for fun or profit. Database Management Systems A Database Management System is a software or hardware structure controlling the nature of, and access to the information required by a ch01_4768 1/8/07 2:45 PM Page 13 Technology and Audit 13 user application system. Given the manner in which the systems developed over the years, it helps to have a clear understanding of what each component is. Definition of Terms Access Methods: Software logic procedures used to retrieve, insert, modify, and delete data on a storage device. Data Dictionary/Data Directory Systems (DD/DS): The software that manages a repository of information about data and the database environment. Data Independence and Data Sharing: Data independence is a technique allowing diverse users with different logical views to access the same data in different ways. This is achieved by divorcing the definition of the nature and location of the data from the programs using it. The definitions, views, access rules, locations, logical views, and other information describing the actual data are located in one file of Metadata, or data about the data. This enables new users with new logical views to be accommodated as well as changing logical views and changing physical representation. Data Structure: The interrelationships of data. Database: A collection of data logically organized to meet the information requirements of a universe of users. Database Administration: A human function involved in the coordination and control of data-related activities. Database Management System (DBMS): A hardware/software system that manages data by providing organization, access, and control functions. Storage Structures: Methods and techniques used to physically represent data structures on storage devices. User System Interfaces: Components of the database environment that request, manipulate, and transform data into information for an end user. Conceptual Level of Database Design Individual Database Management Systems vary widely in data structuring capabilities. Selection among these will depend on both the Entry Access Methods (Randomizing, ch01_4768 1/8/07 2:45 PM Page 14 14 IS AUDIT PROCESS Indexing) and the Navigational Access Methods (Read the First, Read the Next, Embedded Links, Inverted Index). Data Structures are used to model a business (function) in terms of information and follow the general business structure, namely: Principals of Data Structures ■ ■ ■ ■ Sequential Hierarchical Network Relational Model Data Structures then become the basis for Database Type selection: ■ ■ ■ ■ Sequential Hierarchical Network Relational Model All of these database types have generic components although each component is different for each branded product: ■ ■ ■ ■ Data Definition Language (DDL) Storage Structure Definition Language (SSDL) Data Manipulation Language (DML) DBMS Nucleus and Utilities Over the years the form in which we have looked at data has evolved from the original sequential approach to today’s relational approach. The auditor may still find examples of all such database approaches in the course of auditing. Database Structuring Approaches Sequential Approach ■ Fundamental Assumption There is a Direct Relationship between data: ch01_4768 1/8/07 2:45 PM Page 15 15 Technology and Audit Employee Number Employee Name Hierarchical Approach ■ Fundamental Assumption There is some Hierarchical Relationship between data Employee Number Employee Name Employee Pay Employee Deductions Pay Details January Pay Details February Deductions January Deductions February Terminology ■ ■ ■ ■ Root Segment Parent Segment Child Segment Twins Network Approach ■ Fundamental Assumption There is some General Relationship between data: ch01_4768 1/8/07 2:45 PM Page 16 16 IS AUDIT PROCESS Employee Number Employee Name Employee Pay Employee Deductions Pay Details January Pay Details February Deductions January Deductions February Terminology ■ ■ Records Pointers Note ■ ■ Any structure may be defined Records may contain multiple fields Relational Model ■ Fundamental Assumption There is some Mathematical Relationship between data: Emp No Dept No Name 12 25 15 43 F Bloggs J Smith Employee Table Dept No Dept Name 43 47 Internal Audit IT ch01_4768 1/8/07 2:45 PM Page 17 17 Technology and Audit Department Table Data Manipulation SELECT UPDATE INSERT DELETE FROM WHERE AND OR — All Retrieval — Change — Create new Tuple — Delete Tuple — Specifies Table — Conditions — Conjunction of Conditions — Disjunction of Conditions Example SELECT — EMPLOYEE = NAME FROM EMPLOYEE-DB WHERE —DEPT = “B03” AND POSITION = “MANAGER” The result is always a table: Packages and Vendors DB2 DATACOM —IBM —ADR Inverted List Record Make Color Model 1 2 3 4 BMW Ford Ford BMW Red Blue Red Blue 528I Laser Laser 328i Can be indexed by Make, Color, Model Make Records BMW Ford 1,4 2,3 ch01_4768 1/8/07 2:45 PM Page 18 18 IS AUDIT PROCESS Color Records Red Blue 1,3 2,4 Model Records 328I 528I Laser 4 1 2,3 Terminology ■ Indexes and Pointers Data Dictionary/Directory Systems The Data Dictionary tells “what” is in a database/file. It deals with the description of the logical view (that is, the partial view of the data that a user has and includes such items as the data Name, Description, Synonym, etc.). The Data Directory tells “where and how to access” data. It deals with the description of the physical aspects of data such as Location, Address, and Physical Representation. Entities of the DD/DS are defined by Attributes, which describe data’s: ■ ■ ■ ■ ■ ■ Identification Source Classification Usage Qualification Relationship A DD/DS can be a useful tool independent of the need for a DBMS in the areas of documentation support, coordination of shared data usage, and control over modification of programs and files. The DD/DS has become popular with the advent of DBMS packages with the greater recognition of opportunities to share data, leading to a greater need to control data usage, the future introduction of computer privacy legislation, as well as the complexity of relationships involved. ch01_4768 1/8/07 2:45 PM Page 19 Technology and Audit 19 Who Looks After the Database System? Database Administrator Functions of the DBA include coordinating the information content of the database. This does not mean that the actual data itself is the DBA’s concern, but rather that the DBA is responsible for deciding the storage structure and access strategy. The DBA will liaise with computer users and, following their business requirements, will define authorization checks and validation procedures as well as a strategy for back-up and recovery. The DBA is also responsible for monitoring performance and responding to changes in requirements. In order to achieve all these objectives DBAs have at their disposal tools specifically designed to facilitate these tasks. These tools include utility programs to permit the loading of raw data onto the database, reorganization routines to keep the database access efficient as well as effective, and statistical analysis to determine when maintenance is required. In addition journaling (e.g., logs) can keep records of who did what and when on the database. Although these logs are optional, they can be of major assistance to the DBA in database recovery in the event of problems. The Data Dictionary itself, in addition to database analyzers, will also assist in recovery. The objective of database recovery is to reinstate databases to a known state while minimizing lost work. This means that it must permit recovery on a transaction basis and provide fast recovery in order to minimize manual work while ensuring the safety of recovery data. At the same time, it is inevitable in such a process that some data will eventually go missing and recovery must provide a mechanism to inform users of “lost” transactions. Recovery must cater for various types of failures including hardware as well as software disasters. Recovery procedures come in various forms to cater for the various forms of failure and include: Database Recovery ■ Checkpoints. The DBMS will either determine or force a point in time where all transactions have been effected, committed to disk, and all memory buffers have been flushed. At this point a record is made that the database is “quiet” or has been “quiessed” and that any recovery only needs to go back this far. It is used to define a “stable” state of the database for recovery. ch01_4768 1/8/07 2:45 PM Page 20 20 IS AUDIT PROCESS ■ Roll Back. The log is processed backward and completed transactions are rolled out to the last checkpoint. Roll Forward. Log is processed forward to reinstate the system. Update Back-up copy. (e.g., Media Failure) Compensating Transactions. (e.g., Journal Entries) Salvation Routine. ■ ■ ■ ■ For effective log recovery, before the database is updated a log of the before image is made to enable undoing the change if necessary (e.g., failure before update). After the database is updated a log of the after image is made to redo change if necessary (e.g., media failure). These logs contain audit trail information—for manual follow-up (e.g., Program Id, Transaction Id). With the advent of DBMSs, these have been a migration of controls from individual application to the general database environment. This migration of controls improves control opportunities overall and permits the centralized administration of the control environment. In order to review relevant database designs, the auditor would: Auditing Databases ■ ■ ■ ■ ■ ■ ■ List all the record types Read and analyze their descriptions and names Identify the key of each record and verify requirement for uniqueness Study the relationships (and sets) Identify all the relationships, which are: ● One:Many ● Many:Many Evaluate the strength of each relationship Verify consistency of the design with business information needs Documentation of the Database Environment The Data Dictionary/Directory system can be used to accept, record, and generate a variety of documentation, including: ■ ■ ■ Requirements and specifications Data documentation Metadata generation ch01_4768 1/8/07 2:45 PM Page 21 Technology and Audit 21 It can automate the documentation process and enable cross-referencing of programs to individual data elements as well as report generation. It can also assist in enforcing change control. The Data Dictionary can be effective in active or passive mode. In active mode, all database access must be made via the DD/DS. In passive mode the DD/DS is there as a record, but has very little effective control. The obvious advantages of an Active DD/DS include improved accuracy, timeliness, completeness, and control over updates. The auditor would also review the Administration and Coordination Functions by examining the review and monitoring activities of the DBA, which would include reviews of database designs, reviews of system design, reviews of program design, and coding, monitoring the general quality of data, and monitoring overall database performance. Organizational issues such as the roles that require segregation would also be examined. These would typically include: Administration and Coordination Functions ■ ■ ■ ■ ■ ■ Database Administration Systems Development Programming Operations End Users Internal Audit This can only be effectively done by assigning responsibility for data ownership. This can mitigate the control concern of uncoordinated sharing of data update responsibility by assigning definitional responsibility. Such coordinating of shared usage ensures the uniform application of appropriate level of controls. In the operation of a database-structured business system the auditor must ensure the existence and effectiveness of controls for ensuring against unauthorized access, controls over ensuring accuracy and completeness, Recovery and Restart tools and techniques, and controls over access to data. The impact of a database environment on privacy and security is complicated by the need for the assessing of requirements among mulOperational Controls for the Database Environment ch01_4768 1/8/07 22 2:45 PM Page 22 IS AUDIT PROCESS tiple users. Sharing of data may cause control concerns; however, it is possible to describe security specifications using the Declarative Data Definition Language (DDL), thus centrally ensuring clearer specifications and making the environment easier to audit. This is brought about by the migration of the implementation of controls from the application to the environment. Impact of Database on Completeness and Accuracy Issues Database technology can have a marked effect on the quality of information provided. This is a concentration of risk due to sharing of data and an increased cost of error correction due to the system’s complexity. In addition, there can be a deteriorating effect on user reliance and confidence due to database erosion and cascading errors. Mitigating the concerns involving completeness and accuracy means that not only the risks but also the controls must migrate. These may be generalized in the environment and implemented in the DBMS, DD/DS, and so on. The benefits from the auditor’s viewpoint include the potential for: ■ ■ ■ ■ ■ Consistency of data Enhance quality of audit by increased accessibility More accurate systems development process Data resource management will accrue benefits through formalized discipline Migration of controls Disadvantages from the auditor’s viewpoint include: ■ ■ ■ ■ ■ New Technology/Pioneer syndrome (technology lust) Implementation cost control Access to DBMS managed data Data Integrity trade-offs Change in scope/timing of audit The role of the auditor in such a changed environment is to consult with the database user on requirements, check the edit and validation rules, determine whether there is partial acceptance or rejection on error, and who has the responsibility for correctness and to consult with DBA on the implementation plan. ch01_4768 1/8/07 2:45 PM Page 23 Technology and Audit 23 Qualities that assist the auditor in these tasks include the capability for edit and validation element by element, the error response, the procedures for edit and validation maintenance, and the procedures for adding new data elements. Common DBMS edit and validation controls include: ■ ■ ■ ■ Uniqueness checking for Key and Nonkey Structural/Relational checking Picture string and simple format checking Edit and validation performed according to declaratively specified criteria Metadata generation can provide the desired control environment. Usually the user is responsible for providing initial database content and should spot-check loaded database for correctness. The auditor will determine whether there has been sufficient checking using statistical methods when appropriate. Controlling Initial Database Content ch02_4768 1/8/07 2:47 PM Page 24 CHAPTER 2 IS Audit Function Knowledge his chapter looks at the laws and regulations governing Information Systems (IS) audit and the nature and role of the audit charter. It reviews the varying nature of audits and the demand for audits as well as the need for control and audit of computer-based IS. The types of audit and auditor and range of services to be provided is reviewed together with the standards and codes of ethics of both the Institute of Internal Auditors (IIA) and the standards specified by the Information Systems Audit and Control Association (ISACA). T INFORMATION SYSTEMS AUDITING Effective management of information and related Information Technology (IT) has become of critical importance to the survival and long-term success of any organization. This has arisen because of the increasing dependence on information and the associated systems that deliver this information, together with the costs and size of future use of IT. As a result, management has a heightened expectation of delivery from IT functions and demands improved quality with a decreased delivery time and improved service levels at reduced costs. In addition, the increasing potential from threats such as information warfare or cyber terrorism has added a new awareness. At the same time, the potential for technology to revolutionize organizations and their business practices create new business opportunities and offer the potential to massively reduce costs. IS Audit has traditionally been based upon the paradigms that control = management control, that management control starts with governance, that top management can control everything, and that control is imposed. 24 ch02_4768 1/8/07 2:47 PM Page 25 IS Audit Function Knowledge 25 Today’s business environment suggests that a more appropriate re-engineered paradigm might be that continuous improvement focuses control with owners of the process. The role of IS Audit must change to reflect this new reality. That IS Audit is ultimately responsible to the organization will not change; however, the owners of the process are becoming the custodians of internal control and not necessarily traditional management structures. IS Auditors frequently become experts at describing the best design and implementation of all types of controls. IS Auditors are not, however, expected to equal—let alone exceed—the technical and operational expertise pertaining to the various activities of the organization. Nevertheless, they may help the responsible individuals achieve more effective results by appraising the existing controls and providing a basis for helping to improve those controls. WHAT IS MANAGEMENT? Management has been described as the optimization of utilization of corporate resources through the planning, organizing, leading, and controlling of the members of any organization. It is a process of continuous improvement whereby the business itself is constantly adapting to its environment and management must change in like order. MANAGEMENT PROCESS The management process begins with an understanding of the organization’s business. Until this is achieved, any attempt to determine organizational need will be at best misleading and at worst disastrous. Once the overall objectives and environment of the business have been established, establishing the needs becomes a comparatively easy task. The organization’s needs may be determined by identifying and examining the key activities whose effective performance can make or break the organization. These key activities must themselves be monitored and therefore ambitious performance objectives must be established early in the planning process. For every performance objective there will be a range of threats which, if fulfilled, will either reduce the effectiveness or totally negate the objective. These must be ch02_4768 1/8/07 2:47 PM Page 26 26 IS AUDIT PROCESS assessed in a formal risk assessment to determine the appropriate corporate coping strategy. The coping or control strategies must be determined by management and the appropriate controls themselves selected. The actual controls must be implemented and monitored and there should exist controls to ensure this happens. Controls, once implemented, must be effective in performance and periodically management must evaluate and review performance with this in mind. UNDERSTANDING THE ORGANIZATION’S BUSINESS This is a combination of a theoretical approach utilizing literature searches on the organization and its functions on the business press, if possible, combined with a reading of annual reports in order to obtain the whole picture. This theory will be combined with a more practical approach involving interviewing staff in order to both evaluate their understanding of the business as well as to confirm the auditor’s understanding. Site visits to observe the operation of specific business functions will also assist. Further information and confirmation may be derived by comparing the current understandings to those in effect during previous reviews. ESTABLISHING THE NEEDS Once the overall objectives and environment of the business have been established, the overall needs must be determined. A study of the organizational mission statement permits the general performance objectives to be derived. Management should have established strategic plans and objectives in order to ensure these are achieved. By interviewing executive management, employees, and perhaps even customers and suppliers, the business needs for the successful accomplishment of the objectives may be determined. IDENTIFYING KEY ACTIVITIES The major products and services provided to meet the business objectives need to be identified. Once again this will involve determining ch02_4768 1/8/07 2:47 PM Page 27 IS Audit Function Knowledge 27 the level of management’s understanding of customer needs and sizes, the competition and their probable response patterns, as well as their understanding of which are their own key performance areas (KPAs). The KPAs are those activities that will make or break those activities. ESTABLISH PERFORMANCE OBJECTIVES For each KPA, Performance Objectives must be established. This involves seeking core activity targets that are both achievable and stretching. Key Performance Indicators (KPIs) will be required to measure performance appropriately. The risks and threats that could lead to non/under-achievement must be assessed including both external and internal threats. DECIDE THE CONTROL STRATEGIES Once the full risk analysis is complete, management is in a position to decide what activities must be ensured, which risks must be managed, and which transferred. This, in turn, will dictate which risks can be cost-effectively prevented, which must be detected, and how a materialized risk can be corrected. Business risks must be prioritized and trade-offs will be required because control measures are commonly contradictory, so that efficiency may trade-off against effectiveness. IMPLEMENT AND MONITOR THE CONTROLS For controls to be effective, they must be monitored and wishing them into existence will not accomplish the fact. Controls result from the planned and thoughtful intervention of management to achieve a specific end. Monitoring may take several forms including self-assessment, the use of regular audits, and the introduction of continuous improvement programs. Controls must be frequently reviewed for ongoing relevance as well as for their effectiveness and must be modified and adapted where required. ch02_4768 1/8/07 2:47 PM Page 28 28 IS AUDIT PROCESS EXECUTIVE MANAGEMENT’S RESPONSIBILITY AND CORPORATE GOVERNANCE Corporate Governance may be defined as the relationship among various participants in determining the direction and performance of companies and includes: ■ ■ ■ ■ Shareholders Management Board of Directors Employees Under this definition, the objectives of a corporation may be further defined as including the attainment of human satisfaction in a social structure. Efficiency and effectiveness, flexibility, and continuity then form a significant part of fulfilling a corporation’s objectives. Management then becomes the link between the providers of capital (owners and shareholders) and users of capital (operational or functional management). The review and approve financial and operating objectives are normally carried out by executive management. They will also offer advice to general management, recommend board candidates, and review of the adequacy of internal controls. AUDIT ROLE Auditing may take the form of IS, internal, external, and public sector auditing. Internal auditing examines the adequacy and effectiveness of the management system of internal control. The role of the external auditor is primarily one of ensuring the fairness of representation of the financial accounts of the entity audited. Within the public sector, much auditing is aimed at ensuring the effectiveness and efficiency of management processes in order to ensure service delivery. IS Auditing may be used in any of the other areas. The auditing process is also designed to determine where to audit as well as what to audit, and may use any and all of: ■ ■ Control Strategy Assessment Control Adequacy and Effectiveness ch02_4768 1/8/07 2:47 PM Page 29 IS Audit Function Knowledge ■ ■ ■ 29 Performance Quality Assessment Unit Performance Reporting Following Up Overall the standards of audit performance must be up to a professional level. For IS Audit, this typically means to a level laid down in the ISACA standards. CONCEPTUAL FOUNDATION The Conceptual Foundation is provided by implementing a structured Risk Analysis. This involves the assessment of the risk of expressing an incorrect audit opinion that comprises both the risk of audit misstatement as well as the risk of failure to discover. In addition, this includes the evaluation of business risk that comprises risks to both the auditee as well as to third parties. PROFESSIONALISM WITHIN THE IS AUDITING FUNCTION IS Auditing responsibilities include the development and implementation of a risk-based IS Audit strategy and objectives in compliance with generally accepted audit standards (GAAS) in order to provide a statement of assurance that the organization’s information technology and business processes are controlled, monitored, and assessed adequately, and are aligned with the organization’s business objectives. This would also facilitate the monitoring of the implementation of risk management and control practices within the organization. In addition, IS Auditing involves the planning of specific audit to ensure that the IS Audit strategy and objectives are achieved and that information is obtained that is sufficient, reliable, relevant, and useful in order to achieve the audit objectives. This will typically involve the analysis of information gathered in order to identify reportable conditions and reach appropriate conclusions. IS management will be required to review the work performed in order to provide a reasonable assurance that objectives have been achieved. A critical function within IS Auditing is the communication of audit results to key managers and stakeholders. ch02_4768 1/8/07 2:47 PM Page 30 30 IS AUDIT PROCESS The professionalism of IS Auditing is demonstrated by adherence to both the ISACA Code of Professional Ethics and the ISACA IS Auditing Standards. (See Chapter 4.) RELATIONSHIP OF INTERNAL IS AUDIT TO THE EXTERNAL AUDITOR The external auditor is primarily responsible to the organization and all of its stakeholders. While the external auditor has a statutory responsibility to report on financial matters, IS Auditing forms a key role in achieving that statutory responsibility. As such, while IS Auditing is an integral part of an internal audit function, that must also be seen as an integrated function within the execution of the work of the independent external auditor. RELATIONSHIP OF IS AUDIT TO OTHER COMPANY AUDIT ACTIVITIES An understanding of the relationship between IS Auditing and other company audit activities are required in order to fully understand the nature of IS Auditing. The IS Auditor may be seen as an integral part of the IS Audit function, playing an external consultant’s role or playing an internal role but independent of the IS Audit function. Overall, the roles and responsibilities of the audit function typically are found within the audit charter. AUDIT CHARTER Charters tend to be common in approach although individual charters are tailored to meet the unique needs for the organization for which they are designed. Because of its role, to define the relationship and responsibilities that should exist between the Chief Executive, the head of IS Audit, and the line managers, it is normally seen to be highly desirable that the Chief Executive takes a close interest in the drafting of the charter. In practice, many audit functions draw up their own charter and seek ratification from the Chief Executive and ch02_4768 1/8/07 2:47 PM Page 31 IS Audit Function Knowledge 31 audit committee. In most organizations, it is commonly perceived to be the defining terms of reference for the head of the audit function and provides top management with a measurement of the level of assurance regarding the reliability and quality of internal control within the organization. It also acts as a point of reference when the audit function’s structure, plans, or reports are being reviewed. To the operational managers of an organization, the charter indicates the level of authority to act delegated to the audit function in reviewing each of their systems of internal control over the computer and manual systems. They may expect to see constraints within the body of the document, which preserves their own rights as decision makers. CHARTER CONTENT The form, content, and wording of the charter will normally be selected by the audit function itself. These will typically be influenced by IS Audit standards and should encourage best professional practice as defined by the appropriate professional bodies. The IS Audit charter may be an independent publication or, in the case of a formerly constituted IS Audit function, be part of the IS Audit charter. The document is normally signed-off by both the Chief Executive and the Chairman of the Audit Committee. The document itself would typically consist of: ■ ■ ■ A formal definition of IS Audit within the organization and its key objectives. The authority under which the head of IS Audit acts, including the line of reporting as well as rights of access to people, properties, assets, and records. Terms of reference describing, at a detailed level, the role and working objectives of the head of IS Audit. OUTSOURCING THE IS AUDIT ACTIVITY Many organizations have decided to outsource the IS Audit function. In some cases, this decision has been made because of a lack of exper- ch02_4768 1/8/07 2:47 PM Page 32 32 IS AUDIT PROCESS tise within the internal audit function. In other cases it is not costeffective for the organization to maintain internally the skills and disciplines required to keep the IS Audit function up to date and effective. In all cases where the function has been outsourced, management requires assurance that the control of the function is being maintained at a professional level. The method of achieving this is the same as if the function were internal, in compliance with international accepted standards for professional practice. Ensuring compliance with such standards is part of the role of the audit committee and is normally achieved by commissioning of a quality assurance review to be carried out on the IS Audit function. REGULATION, CONTROL, AND STANDARDS Increasingly, accreditation and audit of IT services must be provided by internal or third parties to ensure that adequate security and control exists. Several evaluation methods exist that can be used to determine adequacy including ITSEC, TCSEC, and IS0 9000 evaluations using standards such as COBIT (Control Objectives for Information and Related Technology), ISO 17799, ITIL (IT Infrastructure Library), COSO Internal Control—Integrated Framework and COSO Enterprise Risk Management—Integrated Framework, and so forth. ch03_4768 1/8/07 2:49 PM Page 33 CHAPTER 3 IS Risk and Fundamental Auditing Concepts his chapter explores the concepts of materiality within the Information Systems (IS) Audit function and contracts materiality as it is commonly applied to financial statement audits such as those performed by independent external auditors. In this context, the quality and types of evidence required to meet the definitions of sufficiency, reliability, and relevancy are examined. The risks involved in examining evidence to arrive at an audit conclusion are reviewed as are the need to maintain the independence and objectivity of the auditor and the auditor’s responsibility for fraud detection in both an Information Technology (IT) and non-IT setting. T COMPUTER RISKS AND EXPOSURES “Control” comprises all the elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organization’s objectives. Control is “effective” to the extent that it provides reasonable assurance that the organization will achieve its objectives reliably. Leadership involves making choices in the face of uncertainty. “Risk” is the possibility that one or more individuals or organizations will experience adverse consequences from those choices. Risk is the mirror image of opportunity.1 All entities encounter risk regardless of their size, structure, nature, or industry. In common with this, all business decisions involve elements of risk including such elements as financing, product lines or sources, and methods of supply. 33 ch03_4768 1/8/07 2:49 PM 34 Page 34 IS AUDIT PROCESS All businesses, products, and processes involve some degree of risk. Risk management involves assessing a product, process, or business by: ■ ■ ■ ■ ■ ■ Identifying processes Identifying the types of risks associated with each process Identifying the controls associated with each process Evaluating the adequacy of the system of control in mitigating risk Determining the key controls associated with each process Determining the effectiveness of the key controls Three types of risk are normally considered when using a riskbased audit approach. They are inherent risk, control risk, and audit risk. Inherent Risk Inherent risk is the likelihood of a significant loss occurring before taking into account any risk-reducing factors. In evaluating inherent risk, the auditor must consider what are the types of and nature of risks as well as what factors indicate a risk exists. To achieve this the auditor must be familiar with the environment in which the entity operates. Control Risk Control risk measures the likelihood that the control processes established to limit or manage inherent risk are ineffective. In order to ensure that internal audit evaluates the controls properly, the auditor must understand how to measure which controls are effective. This will involve identifying those controls that provide the greatest degree of assurance to minimize risks within the business. Control effectiveness is strongly impacted by the quality of work and control supervision. Controls in business operations provide the major line of defense against inherent risk. In general, the auditor may assume that stronger controls reduce the amount of risk; however, at some point the cost ch03_4768 1/8/07 2:49 PM Page 35 IS Risk and Fundamental Auditing Concepts 35 of control may become prohibitive (in terms of both monetary and staff resources as well as customer satisfaction). Audit Risk Audit risk is the risk that audit coverage will not address significant business exposures. Pro-forma audit programs may be developed in order to reduce audit risk. These provide guidance as to which key controls should exist to address the risk, and the recommended compliance and/or substantive test steps to be performed. These programs should be used with care and modified to reflect the current business risk profile. EFFECT OF RISK In general, business risks may affect a company’s ability to successfully compete, to maintain financial strength, a positive public image, and ultimately, its ability to survive. Risks will impact the overall quality of an organization’s products, people, or services. Risks cannot be eliminated—only managed. Auditors have traditionally been tasked with gaining and confirming an understanding of the system of internal control as fundamental to evaluating the adequacy and effectiveness of management’s internal controls. Internal control has been presumed to be a response to business risk. In order to evaluate the effectiveness of risk control measures, the auditor must have a comprehensive understanding of the underlying business risks. Within a heavily computerized organization, such an understanding requires, initially, a thorough understanding of the business process in order to identify critical processes where less than optimum performance could have severe consequences. In addition, an understanding of the risks inherent within a computerized environment is essential in order to assess the appropriateness and mitigating effects of the control environment. Such understandings of both the business process and the IT environment imply a collaborative approach because the internal auditor is rarely as knowledgeable about the process as the manager who rou- ch03_4768 1/8/07 36 2:49 PM Page 36 IS AUDIT PROCESS tinely controls it or the IT staff implementing the IT control environment. By the same token, the management and IT teams who are involved in a business or IT process on a day-to-day basis will normally lack the independent perspective an internal auditor can bring to risk evaluation. One of the major cornerstones of IS governance is the management of risks. This is increasingly being seen as a strategic issue to be addressed at board level in order to ensure the ongoing viability of the organization because failure within IS can have a catastrophic effect on the organization. For many business executives, understanding the risks relating to the use of IS remains a challenge. In some cases, this results from a basic lack of understanding of the uses and potential abuses of such information systems. Many executives derive their understanding of IS risk from the popular media, who tend to focus on risk areas of high visibility and human interest and neglect the underlying flaws in control strategies that allowed those risks to materialize. Elimination of risk is neither possible nor desirable because it is by careful management of risks that organizations achieve their objectives. The risk of not using IT in an appropriate way is as great or possibly greater than the risk of the existing technology failing or being penetrated. Because of the increasingly complex business environment coupled with the growth in the use of advanced technological solutions, the management of information risks has become one of the most challenging areas within which management must operate. Conducting business, particularly at an international level, requires the demonstration of high levels of good governance. As a result of this requirement for good governance, organizations place a growing emphasis on enterprise risk management (ERM). Enterprise risks come in a variety of forms including operational, financial, and systemic risk. Within these, technology risk and the risk of failures with an information security are critical. COSO has defined the ERM Framework as encompassing: ■ ■ ■ “Strategic. High level goals, aligned with and supporting its mission Operations. Effective and efficient use of its resources Reporting. Reliability of reporting ch03_4768 1/8/07 2:49 PM Page 37 IS Risk and Fundamental Auditing Concepts ■ 37 Compliance. Compliance with applicable laws and regulations”2 As can be seen, IS plays an important role in all of these areas. As such, IS risks could be defined as: ■ ■ ■ ■ Strategic. The risk that IS either developed in-house or purchased are not aligned with the organization’s goals and do not support the achievement of its mission. Operations. The risk that the information systems in use by the organization impose unacceptable overheads on the organization or result in sub-optimal service levels. At the same time, the dependency of organizations on the information systems means that unavailability of those systems within appropriate timescales can also prove a major operational risk. Reporting. The risk that IS cannot be relied on to produce information in an accurate, complete, and timely manner. Compliance. The risk that IS, in themselves, lead to breaches of laws and regulations with a result of losses to the organization, either financial or in reputation. AUDIT AND RISK The Institute of Internal Auditors (IIA) Practice Advisory 2100-6: Control and Audit Implications of E-commerce Activities highlights the challenges facing internal auditors in organizations that increasingly use IT in business operations and provides guidance as to the role and responsibilities of internal audit. Continuous changes in technology offer the internal auditing profession both great opportunity and risk. Before attempting to provide assurance on the systems and processes, an internal auditor should understand the changes in business and information systems, the related risks, and the alignment of strategies with the enterprise’s design and market requirements. The internal auditor should review management’s strategic planning and risk assessment processes and its decisions.3 It is the responsibility of operational management to identify, assess, and manage risk. It is IS Audit’s responsibility to assist man- ch03_4768 1/8/07 38 2:49 PM Page 38 IS AUDIT PROCESS agement in this process by facilitating the identification and assessment of risk and by assisting management monitor how well risks are actually being managed by the business. Many organizations do not have the resources available to identify, analyze, and control all business risks from an IS perspective. Implementing a formal risk assessment process assists by providing a consistent method for selecting high-impact risks on which to focus audit resources. During the risk assessment, IS Auditors develop an understanding of the operation’s business in order to facilitate the identification and assessment of significant risks to and from the information systems. This assessment is then used to allocate audit resources to areas within the organization that provide executive management and the Audit Committee with the most efficient and effective level of audit coverage. Auditors must always keep in mind that individual managers have differing attitudes toward risk. Some managers or even organizations see the acceptance of risk as fundamental to the making of profits, whereas others are highly risk-averse and consider reducing risk a fundamental component of the business. This is referred to as risk tolerance. Unless the auditor understands this concept, it is likely that management and auditors will talk at cross purposes on risk and that audit recommendations may be deemed impractical or unacceptable. Based upon the individual risk positions adopted, companies will have many different risk mitigation interventions, such as insurance coverage, financial instruments, compliance, and internal audit functions. Management must understand that internal audit does not replace management’s responsibility to control its own risk to acceptable levels. Risks themselves are commonly categorized based on the organization’s response, thus: ■ ■ Controllable risks. Risks that exist within the processes of an organization and that are wholly in the hands of the organization to mitigate. Uncontrollable risks. Risks that can arise externally to the organization and that cannot be directly controlled or influenced but that nevertheless call for a risk position to be taken by the organization. ch03_4768 1/8/07 2:49 PM Page 39 IS Risk and Fundamental Auditing Concepts ■ 39 Influenceable risks. Risks that arise externally to the organization but that can be influenced by the organization. AUDIT EVIDENCE IS Auditors are frequently expected to express an opinion on the adequacy and effectiveness of internal controls in mitigating risk. For this the auditor must gather audit evidence. Evidence may be defined as information intended to prove or support a belief. Individually, items of evidence may be flawed by a personal bias or by a potential error of measurement and each piece may be less competent than desirable so the auditor will look in total at the “body of evidence,” which should provide a factual basis for audit opinions. RELIABILITY OF AUDIT EVIDENCE Audit evidence may be classified as: ■ ■ ■ ■ Sufficient. Factual, adequate and convincing such that a prudent person would reach the same conclusions as the auditor Competent. Reliable and the best attainable through the use of appropriate audit techniques Relevant. Supports audit findings and recommendations and is consistent with the objectives for the audit Useful. Helps the organization meet its goals Evidence, for the IS Auditor, is frequently thought of as being obtained by direct interrogation of computer data files. Although this is a common technique, evidence may also be obtained by observing conditions, interviewing people, and examining records. Such evidence is typically classified as: ■ Physical evidence. Generally obtained by observation of people, property, or events, and may be in the form of photographs, maps, and so on. Where the evidence is from observation, it should be supported by documented examples or, if not possible, by corroborating observation. ch03_4768 1/8/07 2:49 PM Page 40 40 IS AUDIT PROCESS ■ Testimonial evidence. May take the form of letters, statements in response to inquiries, or interviews, and are not conclusive in themselves because they are only another person’s opinion. They should be supported by documentation where possible. Documentary evidence. The most common form of audit evidence and includes letters, agreements, contracts, directives, memoranda, and other business documents. Such documented evidence may also be derived from computerized records using the appropriate audit tools and techniques. The source of the document will affect its reliability and the trust we place on it. The quality of internal control procedures will also be taken into account. Analytical evidence. Commonly derived from computations, comparisons to standards, past operations, and similar operations. Once again, in this area, computerized tools will normally prove a highly effective aid to the auditor. Regulations and common reasoning will also produce such evidence. ■ ■ It is worth noting that a common concept within the gathering of evidence, namely “materiality,” may differ among the varying types of audit. For financial auditing, materiality is generally taken to be a sum of money and is used to determine levels of significance in assessing audit evidence. From an internal audit perspective, materiality relates rather to weaknesses or failures within the internal control structures of the organization. Any evidence, however small, indicating a failure within a major control relied upon by management would be deemed significant evidence. AUDIT EVIDENCE PROCEDURES The auditor relies heavily on gathering evidence. This is done in a variety of ways and follows the Audit Program. The Audit Program is a set of detailed steps that the auditor will follow in order to gain the appropriate evidence and, for the IS Auditor, may well include the use of computerized techniques, although this is not always the case. The actual program used will vary from audit to audit depending on what the auditor wishes to find out and must always include a degree of flexibility to allow for changes based on the evidence ch03_4768 1/8/07 2:49 PM Page 41 IS Risk and Fundamental Auditing Concepts 41 already acquired. For example, the auditor may wish to examine data files in order to determine that the printouts relied upon by management match the live data files. In such a case, the use of computerassisted tools and techniques would be appropriate. In a different scenario, an auditor wishing to examine the authorization of transactions may use such tools to do extractions of records in order to do a follow-up on the documentary evidence of original documents seeking authorize signatures. In gathering evidence, auditors must ensure that they maintain an independent and objective attitude both in fact and in appearance. Such independence is normally taken to be in jeopardy when an auditor is charged with auditing an area where there has been line responsibility within the previous year. Many auditors interpret this as indicating that they cannot be too detailed in making recommendations because this would preclude their conducting subsequent audits due to a perceived lack of independence and objectivity. This may indeed be the case, and both management and auditors must understand that, where detailed assistance is given in designing audit implementing control structures, the auditor is functioning primarily as an internal control consultant. Subsequent auditing of these structures should be done independently of the consultant. RESPONSIBILITIES FOR FRAUD DETECTION AND PREVENTION It must be clearly understood that the primary responsibility for the prevention and detection of all frauds, including IS frauds, is the responsibility of operational management. Nevertheless, the auditor has a role to play in assisting management in establishing a control environment in which fraud is unlikely to occur, but where it does occur, it will be quickly detected. This contrasts to the approach of the forensic auditor whose primary obligation is the resolution of fraud with sufficient proof to prove or disprove allegations of fraud. Forensic auditors must presume that all cases eventually will end up in litigation and the quality of evidence gathered must take this into account. Forensic IS Auditing is covered in more detail in Chapter 37. ch03_4768 1/8/07 2:49 PM 42 Page 42 IS AUDIT PROCESS ENDNOTES 1. W. Bradshaw and A. Willis, Learning about Risk: Choices, Connections and Competencies. Toronto: Canadian Institute for Chartered Accountants, 1998. 2. Committee of Sponsoring Organizations, Enterprise Risk Management, September, 2004, executive summary. 3. Institute of Internal Auditors: Advisory 2100-6: Control and Audit Implications of E-commerce Activities: Altemonte Springs, FL 2001. ch04_4768 1/8/07 2:50 PM Page 43 CHAPTER 4 Standards and Guidelines for IS Auditing his chapter explores in detail the Information Systems Audit and Control Association (ISACA) Code of Professional Ethics and the current ISACA IS Auditing Standards and Guidelines Standards as well as the Institute of Internal Auditors (IIA) Code of Ethics, Standards for the Professional Practice of Internal Auditing and Practice Advisories. In addition, standards and guidelines other than the ISACA and IIA models are explored. T IIA STANDARDS In 1978 the IIA introduced the Standards for the Professional Practice of Internal Auditing to be used around the world in order to provide international consistency and as a measurement tool for audit quality assurance. These consisted of 5 general and 25 specific standards together with numerous Statements on Auditing Standards. Standards were considered mandatory while non-mandatory Guidelines were also included. The IIA standards were intended to establish a yardstick for consistent measurement of Internal Auditing operations. This allowed the unification of internal auditing worldwide by improving internal audit practice, proclaiming the role, scope, performance, and objectives of internal auditing, promoting the recognition of internal auditing as a profession, and promoting responsibility within the internal auditing profession. As part of its ongoing research into the evolving role of internal auditing, an extensive research project known as the Competency Framework for Internal Auditing (CFIA) was undertaken by the IIA. 43 ch04_4768 1/8/07 2:50 PM 44 Page 44 IS AUDIT PROCESS It was intended to update the Common Body of Knowledge (CBOK) expected from a professional Internal Auditor. The CFIA included not only the competencies needed by auditors, but also how these competencies would be assessed. Based upon this research, the IIA brought together an international group of audit professionals, the Guidance Task Force (GTF), to formulate a guidance framework for the future. This resulted in the Professional Practices Framework, which comprises mandatory, advisory, and practical guidance in the forms of the Standards, Practice Advisories, and Development and Practice Aids, respectively. In January 2002, the IIA adopted revised standards. Included within these revisions is the new definition of internal auditing. Since 2002, internal auditing has been defined as: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.1 CODE OF ETHICS In general, Internal Auditors are expected to apply and uphold the following principles: Integrity The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment. Objectivity Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments. ch04_4768 1/8/07 2:50 PM Page 45 Standards and Guidelines for IS Auditing Confidentiality Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.2 Their rules of conduct cover: 1. Integrity Internal auditors: 1.1. Shall perform their work with honesty, diligence, and responsibility. 1.2. Shall observe the law and make disclosures expected by the law and the profession. 1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization. 1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization. 2. Objectivity Internal auditors: 2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization. 2.2 Shall not accept anything that may impair or be presumed to impair their professional judgment. 2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. 3. Confidentiality Internal auditors: 3.1 Shall be prudent in the use and protection of information acquired in the course of their duties. 3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization. 4. Competency Internal auditors: 45 ch04_4768 1/8/07 2:50 PM 46 Page 46 IS AUDIT PROCESS 4.1 Shall engage only in those services for which they have the necessary knowledge, skills, and experience. 4.2 Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing. 4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.3 Compliance with both the Code of Ethics and the Standards are mandatory. All mandatory statements are first promulgated for discussion by the entire profession through the issuance of exposure drafts. Compliance with these statements is considered essential to the delivery of professional services by both the individual auditor and the internal audit function. ADVISORY The Guidelines were replaced with Practice Advisories representing the best approaches to implementation of the Standards. Essentially, the Practice Advisories are designed to assist the auditor by interpreting the Standards in a variety of internal auditing environments. Practice Advisories will continue to be issued from time to time, both as general aids as well as to meet specialized needs within a given industry, geographic location, or audit specialty. AIDS The IIA has also developed or endorsed Development and Practice Aids. These include educational products, research studies, seminars, conferences, and other aids related to the professional practice of internal auditing. These are not intended to be either compulsory as are the Standards, nor advisory as are the Practice Advisories. They are intended solely to assist in the development of Internal Audit staff by introducing them to techniques and processes developed by a variety of experts in their fields. ch04_4768 1/8/07 2:50 PM Page 47 Standards and Guidelines for IS Auditing 47 STANDARDS FOR THE PROFESSIONAL PERFORMANCE OF INTERNAL AUDITING The Standards themselves have been regrouped and redefined into Attribute, Performance, and Implementation Standards: ■ ■ ■ Attribute Standards. These address the attributes of organizations and individuals performing internal audit services and apply to all internal audit services. Performance Standards. These describe the nature of internal audit services provided and provide quality criteria against which the performance of these services can be measured. Implementation Standards. These prescribe Standards applicable to specific types of engagements in a variety of industries as well as specialist areas of service delivery. Full details of the Standards for the Professional Practice of Internal Auditing can be found at www.theiia.org. ISACA STANDARDS The framework for the IS Auditing Standards provides multiple levels of guidance: ■ Standards define mandatory requirements for IS Auditing and reporting. They inform: ● IS Auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS Auditors ● Management and other interested parties of the profession’s expectations concerning the work of practitioners ● Holders of the Certified Information Systems Auditor™ (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action. ch04_4768 1/8/07 2:50 PM Page 48 48 IS AUDIT PROCESS ■ Guidelines provide guidance in applying IS Auditing Standards. The IS Auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application, and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards. Procedures provide examples of procedures an IS Auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS Auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards. ■ Control Objectives for Information and related Technology (COBIT®) resources should be used as a source of best practice guidance. Each of the following is organized by IT management process, as defined in the COBIT Framework. COBIT is intended for use by business and IT management as well as IS Auditors, therefore its usage enables the understanding of business objectives and communication of best practices and recommendations, to be made around a commonly understood and well-respected standard reference. COBIT includes: ■ ■ ■ ■ Control objectives. High-level and detailed generic statements of minimum good control Control practices. Practical rationales and how-to-implement guidance for the control objectives Audit guidelines. Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance, and substantiate the risk of controls not being met Management guidelines. Guidance on how to assess and improve IT process performance, using maturity models, metrics, and critical success factors Full details of the IS Standards, Guidelines and Procedures for Auditing and Control Professionals can be found at www.isaca.org. ch04_4768 1/8/07 2:50 PM Page 49 Standards and Guidelines for IS Auditing 49 ISACA CODE OF ETHICS ISACA also has its own code of ethics, which requires that members, CISMs, and CISAs shall: ■ ■ ■ ■ ■ ■ ■ Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties. Maintain competency in their respective fields and agree to undertake only those activities that they can reasonably expect to complete with professional competence. Inform appropriate parties of the results of work performed; revealing all significant facts known to them. Support the professional education of stakeholders in enhancing their understanding of information systems security and control. Failure to comply with this Code of Professional Ethics can result in an investigation into a member’s or certification holder’s conduct and, ultimately, in disciplinary measures. Full details of the Code of Professional Ethics can be found at www.isaca.org. COSO: INTERNAL CONTROL STANDARDS In 1992, the American Institute of Certified Public Accountants, the Institute of Internal Auditors, the American Accounting Association, the Institute of Management Accountants, and the Financial Executives Institute issued a jointly prepared study entitled Internal ch04_4768 1/8/07 50 2:50 PM Page 50 IS AUDIT PROCESS Control—An Integrated Framework. This document identifies the fundamental objectives of any business or government entity. These included economy and efficiency of operations, safeguarding of assets, achievement of desired outcomes, reliability of financial and management reports, and compliance with laws and regulations. Internal control was defined by the Committee of Sponsoring Organizations (COSO) as a broadly defined process, effected by people, designed to provide reasonable assurance regarding the achievement of the three objectives that all businesses strive for, namely: 1. Economy and efficiency of operations, including achievement of performance goals and safeguarding of assets against loss; 2. Reliable financial and operational data and reports; and 3. Compliance with laws and regulations. In order to achieve these objectives, COSO defined five components that would assist management in achieving these objectives. These consisted of: ■ ■ ■ Sound Control Environment. A sound control requires the correct level of attention and direction from senior management. The control environment is implemented by employing managers and employees who possess integrity, ethical values, and competence. It is a function of management’s philosophy and operating style. For this to be effective, proper assignment of authority and responsibility coupled with the proper organization of available resources is required. The training and development of people to the required standard is essential in ensuring the competence of people in exercising control. Sound Risk Assessment Process. A sound risk assessment process requires the implementation of an awareness of the risks and obstacles to successful achievement of business objectives and the development of an ability to deal with them. As such management must establish a set of objectives that integrate all the organization’s resources so that the organization operates in unison. The risk assessment itself involves the identification, analysis, and management of the risks and obstacles to successful achievement of the three primary business objectives. Sound Operational Control Activities. Sound operational control activities involve the establishment and execution of sound poli- ch04_4768 1/8/07 2:50 PM Page 51 Standards and Guidelines for IS Auditing ■ ■ 51 cies and procedures. These help ensure effective implementation of actions identified by management as being required to address risks and obstacles to achievement of business objectives. These would include such concepts as authorization, reviews of operating performance, security of assets, and segregation of duties. Sound Information and Communications Systems. Information systems facilitate the running and control of a business by producing reports containing financial-, operational-, and compliancerelated information. They deal with both internally generated data as well as with the external activities, conditions, and events necessary to make informed business decision making and external reporting. For this to happen, appropriate information must be identified, captured, and communicated in a manner and time frame that enables people to carry out their responsibilities Effective communication must flow down, up, and across the organization. (This includes a clear message from top management to all personnel that control responsibilities must be taken seriously.) This means that all personnel must understand their own role in the internal control system, as well as how their individual activities relate to the work of others. Personnel also require a means of communicating significant information upward as well as with external parties. Effective Monitoring. To ensure the effectivity of the control process, the entire control system must be monitored to assess the quality of the system’s performance over time. Deficiencies must be reported, with serious matters reported directly to top management. In addition, there should be separate, independent evaluations of the internal control system. The scope and frequency of these independent evaluations depend primarily on the assessment of risks and obstacles, and the effectiveness of ongoing monitoring procedures. BS 7799 AND ISO 17799: IT SECURITY Both British Standard 7799 and International Standards Organization 19977 were developed to assist companies by ensuring that, ch04_4768 1/8/07 2:50 PM Page 52 52 IS AUDIT PROCESS when electronic commerce is entered into, some degree of assurance regarding the security and control is implemented at either end within the trading partners’ own systems. The standards break down IS security into ten main areas, namely: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Security Policy Security Organization Asset Classification and Control Personnel Security Physical and Environmental Security Computer and Network Management Systems Access Control System Development and Maintenance Business Continuity Planning Compliance Within each of these areas, key controls are identified to be considered mandatory and additional controls considered optional dependent on the level of risk sustainable by the organization. The detailed standard explains what is required to provide a secure organization but at minimum, the standards require the existence of: ■ ■ ■ ■ ■ ■ ■ ■ ■ Written information system security policy Allocation of responsibility for information security Users trained appropriately on information security risks and controls A feedback mechanism for the reporting of security-related issues Fully tested and effective business continuity plans Controls to ensure compliance with the appropriate data protection legislation Controls to ensure safeguarding of records in line with corporate statutory requirements Controls to prevent and detect malicious software such as viruses and spyware Review procedures ch04_4768 1/8/07 2:50 PM Page 53 Standards and Guidelines for IS Auditing 53 NIST With the passage of the Federal Information Security Management Act (FISMA) of 2002,4 there is a statutory provision to ensure that agencies comply with mandatory Federal Information Processing Standards (FIPS). The National Institute of Standards and Technology (NIST) is the federal technology agency that works with technology measurements and standards. The Computer Security Resource Centre (CSRC), a division of the NIST, has assisted by producing both a handbook on IT security as well as multiple security standards. The NIST Handbook covers very similar ground to BS 7799 and ISO 17799, but goes into considerably more detail on subjects such as: ■ ■ ■ Elements of computer security Roles and responsibilities Common threats Management Controls ■ ■ ■ ■ ■ Computer security policy Computer security program management Computer security risk management Security and planning in the computer system life cycle Assurance Operational Controls ■ ■ ■ ■ ■ ■ Personnel/user issues Preparing for contingencies and disasters Computer security incident handling Awareness, training, and education Security considerations in computer support and operations Physical and environmental security Technical Controls ■ ■ Identification and authentication Logical access control ch04_4768 1/8/07 2:50 PM Page 54 54 ■ ■ IS AUDIT PROCESS Audit trails Cryptography The NIST Handbook also includes sections on the practical implementation of assessing and mitigating risks within the computer system. Another recent standard, Minimum Security Requirements for Federal Information and Information Systems, specifies minimum security requirements for federal information and information systems in 17 security-related areas. Federal agencies are required to meet the minimum security requirements as defined therein. All such standards are available from NIST at www.csrc.nist.gov. BSI BASELINES The British Standards Institution (BSI) Baseline Controls for Information Security can be obtained from www.bsi.bund.de. They describe a minimum set of controls to provide medium-level protection for information systems and cover: IT Security Management ■ ■ IT security process Responsibilities and authorization in the IT security process IT Baseline Protection for Generic Components ■ ■ ■ Organization ● Personnel ● Contingency Planning ● Data Protection Infrastructure ● Buildings ● Cabling ● Rooms Office ● Server Room ch04_4768 1/8/07 2:50 PM Page 55 Standards and Guidelines for IS Auditing 55 Storage Media Archives Technical Infrastructure Room ● Protective cabinets Home working place ● Non-Networked Systems ● DOS PC (single user) ● UNIX System ● Laptop ● DOS PC (multiuser) ● Non-networked Windows NT computer ● PC with Windows 95 ● Local Area Networks (LANs) Server-Based Network ● Networked UNIX Systems ● Peer-to-Peer Network ● Windows networks ● Novell Netware ● Heterogeneous networks Data Transfer Systems ● Data Carrier Exchange ● Modem ● Firewall ● E-mail Telecommunications ● Telecommunication systems ● Fax Machine ● Telephone Answering Machine ● LAN integration of an IT system Other IT Components ● Standard Software ● Databases ● Telecommuting ● ● ■ ■ ■ ■ ■ It should not be thought that the standards are definitive. From time to time new standards are created and old ones updated and it is part of the job requirement of the IS Auditor to keep abreast of the latest developments in internationally recognized standards. ch04_4768 1/8/07 2:50 PM 56 Page 56 IS AUDIT PROCESS ENDNOTES 1. © 2005 Information Systems Audit and Control Association. All rights reserved. Reprinted by permission. 2. © 2005 Information Systems Audit and Control Association. All rights reserved. Reprinted by permission 3. © 2005 Information Systems Audit and Control Association. All rights reserved. Reprinted by permission. 4. Federal Information Security Management Act (FISMA): www.csrc.nist.gov/policies/FISMS-final.pdf: 2002. ch05_4768 1/8/07 2:51 PM Page 57 CHAPTER 5 Internal Controls Concepts Knowledge his chapter introduces the concepts of Corporate Governance with particular attention to the implications within an Information Technology (IT) environment and the impact on Information Systems (IS) auditors. Criteria of Control (COCO), Committee of Sponsoring Organizations (COSO), King, Sarbanes-Oxley Act of 2002, and other recent legislative impacts are examined together with the structuring of controls to achieve conformity to these structures. Control classifications are examined in detail together with both general and application controls. Particular attention is paid to Control Objectives for Information and Related Technology (COBIT) from both a structural and relevance perspective. T INTERNAL CONTROLS Confusion commonly arises as to what exactly a control is. A control may be defined as any action taken by management to enhance the likelihood that established objectives and goals will be achieved. It results from management’s planning, organizing, and directing, and the many variants (e.g., management control, internal control, etc.) can be incorporated within the generic term. Management controls are intended to ensure that an organization is working toward its stated objectives: ■ Corporate objectives and goals are the statement of corporate intent (market penetration will increase by 10% in the coming year). 57 ch05_4768 1/8/07 2:51 PM Page 58 58 IS AUDIT PROCESS ■ Management objectives define how the corporate objectives will be met (market penetration will be increased leveraging the information within the data warehouse in order to determine customers’ current and future wants and needs). Internal control ensures that programs to ensure management objectives are properly planned and executed (periodic checks will be made of the integrity of the data contained within the data warehouse and marketing will be trained in full use of data mining tools in order to satisfy their information needs). ■ Control responsibility is clearly management’s job and encompasses planning, organizing, and directing. Planning in this case is taken to mean the establishing of objectives and goals as well as choosing the preferred methods of utilizing resources. Organizing involves the gathering of the required resources and arranging them in such a way that the objectives may be attained. The directing process of management includes the authorizing, instructing, and monitoring performance as well as periodically comparing actual to planned performance. Within the IS environment, this involves ensuring that systems function as intended, data integrity is maintained, confidentiality is maintained, systems are available as and when required, data accuracy and completeness are maintained, and access is granted only on an authorized basis. Management decisions may be classified as Strategic, Tactical, or Operational and all decisions at whatever level are impacted by the IS designed to provide the basis upon which the decisions are made. IS Audit must then ensure that the system of internal control will be effective and functions as intended. The level of control needed will be affected by overall objectives. Corporate objectives and goals are the statement of corporate intent and are generally very broad, while Management objectives define how the corporate objectives will be met and they are normally much more detailed. Internal control is designed to ensure that programs to ensure management objectives are properly planned and executed. Again, at an even more detailed level, Operating objectives are the drivers dictating the normal day-to-day activities and may, in ch05_4768 1/8/07 2:51 PM Page 59 Internal Controls Concepts Knowledge 59 themselves, conflict so that we find a conflict between, for example, the need for confidentiality and the need for data availability; similarly there are conflicts between efficiency of data processing versus the effectiveness. The prioritization of operating objectives directs the development of controls and will affect the final, overall system of controls. Assume the organization operates in a high-security environment. Control objectives may be such that the permanent loss of information would be preferable to leakage of information. In a lower-security environment availability may be the key concern and loss of confidentiality may be a comparatively minor matter. It is the evaluation of this risk profile that dictates the nature and direction of the internal control structures and therefore the IS Audit work. COST/BENEFIT CONSIDERATIONS Objectives must take into consideration the cost of attempting to achieve them. “As quickly as possible” implies zero controls other than for speed while “No errors” implies strong internal controls covering all aspects of quality. Controls must therefore be practical, useful, achievable, and compatible with both operating and control goals and there is always a trade-off between cost and benefit. Because all controls cost resources in terms of money, personnel, computing power, and time, controls always imply a trade-off between cost and benefit. (Is it worth spending $200 to prevent a possible loss of $100?) INTERNAL CONTROL OBJECTIVES Overall, Internal Control Objectives, at a detailed level, can be seen to encompass: ■ Reliability and Integrity of Information. If management cannot trust the reliability and integrity of the information held and processed within the IS, then all information must be deemed suspect and, in some cases, this may be more detrimental to the organization than a loss of information systems. ch05_4768 1/8/07 2:51 PM Page 60 60 IS AUDIT PROCESS ■ Compliance with Policies, Plans, Procedures, Laws, and Regulations. Laws and regulations are imposed externally and must be complied with. Inadequate information systems may lead to the organization inadvertently breaching the laws of the country with result of losses in terms of fines, penalties, and possibly imprisonment for corporate officers. The organization’s internal policies, plans, and procedures are designed to ensure planned, systematic, and orderly operation. From time to time the manager may be required to evaluate the adequacy of such policies, plans, and procedures since the nature of the business may have changed, risks may have to be reassessed and control objectives re-prioritized. Safeguarding of Assets. Loss of assets is typically one of the most visible risks an organization can face and typically these lead to the implementation of the most visible controls, such as locks on doors, safes, security guards, and so forth. In an IS-dependent organization asset controls may also include non-tangibles such as dual custody, segregation of duties, and computer authentication techniques. Few organizations would be in a position to declare the information held as a corporate asset on the balance sheet. Nevertheless, the corporate information warehouse may be the largest asset the organization can claim if leveraged appropriately. In addition, for many organizations the financial records held within the computer systems are indeed actual assets in that, for example, the total value of inventory is commonly taken to be whatever the computer system says the inventory value is. Similarly, debtors and creditors valuations are largely based upon the information contained within the appropriate computer systems. Effectiveness and Efficiency of Operations. Effectiveness involves the achievement of established objectives and should be the ultimate focus of all operations and controls. Many information systems, at the time of the original design, were focused upon achieving the corporate objectives. Over time these objectives may have changed and the information systems may become counterproductive to achieving those objectives. Computer systems therefore required constant monitoring as to their alignment with corporate strategic directions and intent. ■ ■ ch05_4768 1/8/07 2:51 PM Page 61 Internal Controls Concepts Knowledge 61 Efficiency is classed as a measurement of the optimization of utilization of “scarce resources” and includes reduction of waste as well as the reduction of under-utilization of resources. In many organizations information systems have become the proverbial “sledgehammer to crack a nut” and, taking only in the case of office automation, have served to reduce efficiencies instead of improving them. With those control objectives in mind, management can structure the system of internal controls to improve the probability of achieving all of those objectives. TYPES OF INTERNAL CONTROLS Internal controls can be classified into various types and it is the combination of these controls that go to make up the overall system of internal controls designed to achieve the general control objectives. Such controls can be classified into: ■ ■ ■ Preventative controls, which occur before the fact but can never be 100% effective and therefore cannot be wholly relied upon. These could include controls such as restrictions on users, requirements for passwords, and separate authorization of transactions. Detective controls, which detect irregularities after occurrence and may be cheaper than checking every transaction with a preventative control. Such controls could include effective use of audit trails and the use of exception reports. Corrective controls ensure the correction of problems identified by detective controls and normally require human intervention within the IS. Controls in this area may include such processes as Disaster Recovery Plans and transaction reversal capabilities. Corrective controls are themselves highly error-prone because they occur in unusual circumstances and typically require a human decision to be made, and an action decided upon and implemented. At each stage in the process a subsequent error will have a multiplier effect and may compound the original mistake. ch05_4768 1/8/07 2:51 PM Page 62 62 IS AUDIT PROCESS ■ Directive controls are designed to produce positive results and encourage acceptable behavior. They do not themselves prevent undesirable behavior and are normally used where there is human discretion in a situation. Thus, informing all users of personal computers that it is their responsibility to ensure adequate backups are taken and stored appropriately does not, of itself, enforce compliance. Nevertheless, such a directive control can be monitored and action taken where the control is breached. Compensating controls can be seen to exist where a weakness in one control may be compensated by a control elsewhere. They are used to limit risk exposure and may trap the unwary evaluator. This is particularly true where the auditors are faced with complex integrated systems and the control structures involve a mixture of system-driven and human controls scattered over a variety of operational areas. ■ In general, then, management and the auditor must always bear in mind that under-control is cheap to implement but may cost you the organization, while over-control is expensive and ultimately paralyzing. SYSTEMS OF INTERNAL CONTROL It is the overall combination of the individual elements of control that go to make up the Systems of Internal Control. These are, in turn, influenced by the Control Environment. This may be defined as the overall infrastructure within which the other control elements will function and establishes the conditions under which the rest of the Internal Controls will operate. Primary elements within this include the Organizational Structure. This defines individual managers’ responsibilities, sets limits of authority, and allows the ensuring of appropriate segregation of duties. If the organizational structure is inappropriate, with excess powers granted to individuals or if poor segregation of duties exists, the effectiveness of the individual controls may be weakened irreparably. It is impossible to enforce, for example, division of duties within the computer system by using detailed access rights if one individual has been granted access rights across incompatible duties as part of the normal operating procedures. The Control Framework includes the policies and procedures ch05_4768 1/8/07 2:51 PM Page 63 Internal Controls Concepts Knowledge 63 that describe the scope of a function, its activities, interrelationships with other departments, as well as the external influences of laws and regulations, customs, union agreements, and its competitive environment. The structures enforcing controls may be complex or simple. Large organizations tend to have highly structured control frameworks, while smaller organizations frequently use personal contact between employees. ELEMENTS OF INTERNAL CONTROL Given the overall control objectives noted in the preceding section, control structures must be designed in order to ensure: ■ ■ ■ Segregation of duties. Controls to ensure that those who physically handle assets are not those who record asset movements. Nor are they the same people who reconcile those records nor even those who authorize such transactions. Within a modern computer system this is normally achieved by a combination of user identification, user authentication, and user authorization. Competence and integrity of people. Underpinning the control system are the people who enforce it. In order for controls to be effective, those who exercise control must be capable of doing so and honest enough to consistently do so. This means that simply having users follow procedures is inadequate in a modern Information Systems environment, and a high degree of risk and control awareness is required in order to ensure that the controls function as intended. Appropriate levels of authority. A common mistake in control structures is the granting of too much authority within control boundaries. Authorities should only be granted on a need-tohave basis. If there is no need for a particular individual to have specific authorities, they should not be granted. Obviously this requires effort on the part of those individuals who assign authorities in identifying which levels of authority are in fact needed and which are simply desired. It is, unfortunately, still true in many sites that access control is limited to user authentication and subsequent to such authentication the user will then have unrestricted access into all functional areas within the IS. ch05_4768 1/8/07 2:51 PM Page 64 64 IS AUDIT PROCESS ■ Accountability. For all decisions, transactions, and actions taken, there must be controls that will allow the determination of who did what with an acceptable degree of confidence. This normally involves the use of control logs and audit trails. Simply maintaining such logs and records can be counterproductive because they can lull the organization into a false sense of security. For such records to be an effective control they must be scrutinized regularly and appropriate action taken to remedy any discrepancies noted. Adequate resources. Controls that are attempted with inadequate resources will typically fail whenever they come under stress. Adequate resources include manpower, finance, equipment, materials, and methodologies. Management frequently underestimates cost of resources to implement controls and IS Auditors will commonly recommend controls giving no thought to the cost of such control and management’s lack of resources to implement. Supervision and review. Adequate supervision of the appropriate type is fundamental to the implementation of sound internal control. It is unfortunately still true that in many cases people do not do what is expected, but only what is inspected. ■ ■ MANUAL AND AUTOMATED SYSTEMS Within our information systems there are two primary software components that add to or subtract from control. These components are: ■ ■ Systems Software. Systems software includes computer programs and routines controlling computer hardware, processing, and non-user functions. This category includes the Operating Systems, telecommunications software, and data management software. Applications Software. Applications software includes computer programs written to support business functions such as the General Ledger, Payroll, Stock Systems, Order Processing, and other such line-of-business functions. In addition, many organizations are becoming more and more dependent upon application systems created within the user’s own environment. ch05_4768 1/8/07 2:51 PM Page 65 Internal Controls Concepts Knowledge ■ 65 End-User Systems. End-user systems are special types of application systems that are generated outside the IS organization to meet specific user needs. These include micro-based packages as well as user-developed systems. In many cases these systems were designed to achieve specific operational goals and may or may not have been designed with appropriate controls implemented. CONTROL PROCEDURES In order to ensure that control over the corporate computer investment is adequate, a range of controls is required, including: ■ ■ ■ ■ ■ ■ General IS Controls. Covering the environment within which the computer systems are utilized Computer Operations. Covering the day-to-day operations of the machine Physical Security. Covering the security of the physical hardware, software, buildings, and staff Logical Security. Covering the manner in which data and software are protected from access via the systems themselves Program change control. To ensure that systems that are correct and functional continue to be so Systems development. To ensure that the systems in use by the organization are effective, efficient, and economical APPLICATION CONTROLS Application systems have their own sets of built-in controls that are primarily business systems–oriented. Generally they include such control objectives as Accuracy, Completeness, and Authorization. In addition, the auditor may find Compensating Controls, where weak controls in one area may be compensated for by other controls. As previously stated, controls are usually classified into the general categories of preventative, detective, and corrective. It can be useful to the auditor in determining the degree of reliance to be placed on control structures to categorize controls in other ways. Controls may ch05_4768 1/8/07 2:51 PM Page 66 66 IS AUDIT PROCESS be classified as discretionary or non-discretionary, where discretionary controls are those that are subject to human discretion. These would include such controls as supervisory review of signatures. Nondiscretionary controls are provided by the system and cannot be overridden. They include controls such as the use of PIN numbers. Other classification types could be voluntary or mandated. Voluntary controls are chosen by the organization to support its business, while mandatory controls are those that are required by laws and regulations. Controls may be manual or automated, where manual controls are implemented by manual intervention and automated controls are implemented by the computer system itself. Controls may be application or general IS, with application controls having to do with the business function and general IS controls being about the running of the IS function. A control may be a preventative, discretionary, voluntary, manual, general control if it: ■ ■ ■ ■ ■ Prevents errors Could be changed or omitted Is not required by law Is performed by a human Addresses the environment in which other controls operate CONTROL OBJECTIVES AND RISKS All computer environments face a variety of risks, which include such dangers as: ■ ■ ■ ■ ■ ■ Fraud Business interruption Errors Customer dissatisfaction Poor public image Ineffective and inefficient use of resources These are controlled via a variety of Control Objectives that address specific threat areas. ch05_4768 1/8/07 2:51 PM Page 67 Internal Controls Concepts Knowledge 67 GENERAL CONTROL OBJECTIVES These objectives, general in nature, cover the overall aspects of the integrity of information, computer security, and compliance with policies, plans, rules, laws, and regulations. DATA AND TRANSACTIONS OBJECTIVES The processing of transactions and the handling of data are also subject to control procedures at each stage of processing. At the input stage typical examples of control objectives might be that: ■ ■ ■ All transactions are initially and completely recorded All transactions are completely and accurately entered into the system All transactions are entered only once Input methods could include a mixture of on-line input, batch input, input from interfacing systems, and electronic data interchange. Controls at this stage would typically include: ■ ■ ■ ■ ■ ■ ■ Use of pre-numbered documents Reconciliation of control totals Data validation in all its forms Activity logging Document scanning Access authorization Document cancellation At the processing stage typical examples of control objectives might be that: ■ ■ ■ ■ ■ Approved transactions are accepted by the system and processed All rejected transactions are reported, corrected, and re-input All accepted transactions are processed only once All transactions are accurately processed All transactions are completely processed ch05_4768 1/8/07 2:51 PM Page 68 68 IS AUDIT PROCESS Processing types may include batch processing, interactive update (real time), as well as on-line batch processing where the data is captured on-line but the processing takes place in a batch environment. Controls at this stage would typically include: ■ ■ ■ ■ ■ ■ ■ ■ ■ Control totals Programmed balancing Segregation of duties Restricted access File labels Exception reports Error logs Reasonableness tests Concurrent update control At the output stage typical examples of control objectives might be that: ■ ■ Assurance that the results of Input and Processing are output Output is available only to authorized personnel Outputs could include hard-copy printouts, file output for onward processing, or on-line inquiry replies. Controls at this stage would typically include: ■ ■ Complete audit trail Output distribution logs PROGRAM CONTROL OBJECTIVES The development and running of computer programs are subject to their own control objectives and procedures. Control objectives would include ensuring: ■ ■ ■ ■ Integrity of programs and processing Prevention of unwanted changes Ensuring adequate design and development control Ensuring adequate testing ch05_4768 1/8/07 2:51 PM Page 69 Internal Controls Concepts Knowledge ■ ■ 69 Controlled program transfer Ongoing maintainability of systems Typical controls around the development of programs would include: ■ ■ ■ ■ ■ ■ ■ ■ Use of a formal Systems Development Life Cycle (SDLC) User involvement Adequate documentation Formalized testing plan Planned conversion Use of post-implementation reviews Establishment of a quality assurance (QA) function Involvement of Internal Auditors If these control objectives are adequately addressed and the appropriate controls are effected, then the risks within the computer systems should be effectively minimized. CORPORATE IT GOVERNANCE The importance of good governance has become a watchword internationally and has been driven by the requirements of the global economy for transparency and accountability in organizational stewardship. Corporate governance involves the mechanisms by which a business enterprise is directed and controlled. It concerns the mechanisms through which corporate management is held accountable for corporate conduct and performance and provides the framework within which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance ensures that the board and management pursue objectives that are in the best interests of the organization and its stakeholders and facilitates effective monitoring. The corporate governance framework rests on the legal, regulatory, and institutional environment and includes factors such as business ethics and corporate awareness of the environmental and societal interests of the communities within which the organization operates ch05_4768 1/8/07 70 2:51 PM Page 70 IS AUDIT PROCESS because these can also have an impact on the reputation and the longterm sustainability of an organization. Following the lead taken by the Treadway Commission report into Fraudulent Financial Reporting in the United States in 1987, a number of commissions were established in various countries to investigate corporate governance practices and make recommendations inter alia regarding: changes to legislation; recommending corporate codes of “ethical” conduct; and criteria for evaluating and reporting on corporate governance practices worldwide. These include the Cadbury Report on Corporate Governance (United Kingdom, 1992), the Hampel Report (United Kingdom, 1998), the King Report (South Africa, 1994), the Blue Ribbon Report (United States, 1998), the King II Report (South Africa, 2002), and the recent Smith Report (United Kingdom, 2003)1 Audit Committees Combined Code Guidance dealing with the role and responsibilities of “effective” Audit Committees, and the Higgs Report (2003)2 providing a Review of the role and effectiveness of non-executive directors. In Europe there has similarly been much activity to strengthen corporate governance and company law standards. These include the Cromme Code in Germany and the Bouton Report “Promoting better corporate governance in listed companies” in France in September 2002. The Cadbury Committee was commissioned to report specifically on the financial aspects of corporate governance in response to some spectacular company collapses in the United Kingdom such as BCCI Plc, Polypeck Plc, and Barings Bank. In many cases these reports called for a strengthening of the board’s conformance and compliance role. The reports advocated the strengthening of the role of independent non-executive directors, the creation of compliance committees using these non-executive, independent directors in audit committees, remuneration committees to oversee directors’ remuneration, and nomination committees concerned with the nomination of new directors to the board. In addition they called for greater transparency of board matters and the separation of the roles of the chairman of the board from the chief executive officer of the business. The various reports all contain recommendations for enhancing corporate governance practices, some of which have subsequently ch05_4768 1/8/07 2:51 PM Page 71 Internal Controls Concepts Knowledge 71 been incorporated into changes in corporate legislation and the listing requirements of stock exchanges. The far-reaching Sarbanes-Oxley Act3 in the United States provides stringent legal requirements to enforce sound corporate governance requirements on all U.S. Securities and Exchange Commission (SEC) registrants as well as their subsidiaries and associated entities, wherever established and operating in the world. Sarbanes-Oxley provides for new corporate governance rules, regulations, and standards for specified public companies including the United States Securities and Exchange Commission (SEC) registrants. The SEC has made the use of a recognized internal control framework mandatory and, in its final rules regarding the SarbanesOxley Act, made specific reference to the recommendations of COSO. COSO and Information Technology COSO specifically addresses IT control requirements in certain components of the COSO framework (e.g., control activities). While there are many sections within the Sarbanes-Oxley Act, sections 302 and 404 probably have the most impact on information systems. Section 302: . . . Requires a company’s management, with the participation of the principal executive and financial officers (the certifying officers), to make the following quarterly and annual certifications with respect to the company’s internal control over financial reporting: • A statement that the certifying officers are responsible for establishing and maintaining internal control over financial reporting • A statement that the certifying officers have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles • A statement that the report discloses any changes in the company’s internal control over financial reporting that occurred ch05_4768 1/8/07 2:51 PM Page 72 72 IS AUDIT PROCESS during the most recent fiscal quarter (the company’s fourth fiscal quarter in the case of an annual report) that have materially affected, or are reasonably likely to materially affect, the company’s internal control over financial reporting Section 404 goes on to state that : Management’s report on internal control over financial reporting is required to include the following: • A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company • A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting • An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective • A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting Management should provide, both in its report on internal control over financial reporting and in its representation letter to the auditor, a written conclusion about the effectiveness of the company’s internal control over financial reporting. The conclusion about the effectiveness of a company’s internal control over financial reporting can take many forms; however, management is required to state a direct conclusion about whether the company’s internal control over financial reporting is effective. Management is precluded from concluding that the company’s internal control over financial reporting is effective if there are one or more material weaknesses. In addition, management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year.4 As can be seen, these sections that address internal control over financial reporting requires the management of public companies specified by the Act to assess the effectiveness of the organization’s internal control over financial reporting and annually report the ch05_4768 1/8/07 2:51 PM Page 73 Internal Controls Concepts Knowledge 73 result of that assessment. For listed companies, this means assessing the effectiveness of the organization’s internal controls over their information systems because these form the base source for the financial information contained within the financial reports. While Sarbanes-Oxley requires management to state that it has implemented a control framework that is compatible with COSO, there is no guidance on what framework it should use. The IT Governance Institute (ITGI) addressed in IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control for Financial Reporting and Disclosure.5 Within this document, ITGI points out that: Organizations need representation from IT on their Sarbanes-Oxley teams to ensure that IT general controls and application controls exist and support the objectives of the compliance effort. Some of the key areas of responsibility for IT include: • Understanding the organization’s internal control program and its financial reporting process • Mapping the IT systems that support internal control and the financial reporting process to the financial statements • Identifying risks related to these IT systems • Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness • Documenting and testing IT controls • Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting processes • Monitoring IT controls for effective operation over time • Participation by IT in the Sarbanes-Oxley project management office It then becomes critical to demonstrate how the IT controls implemented support the COSO framework. An organization should have IT control competency in all COSO components. As noted in Chapter 4, COSO identifies five essential components of effective internal control being: 1. Control environment 2. Risk assessment 3. Control activities ch05_4768 1/8/07 2:51 PM Page 74 74 IS AUDIT PROCESS 4. Information and communication 5. Monitoring COSO itself does not give sufficient detail for implementation of an appropriate control framework within IT. As such, IT management will be required to implement a more detailed control framework as defined within Chapter 4 such as COBIT, which aligns with the intentions of the Sarbanes-Oxley Act and facilitates the designed control structure in compliance with section 404. Always bear in mind that COBIT was designed to provide control over operational and compliance objectives. Financial reporting is only one of those objectives. ENDNOTES 1. Audit Committees Combined Code Guidance, a report and proposed guidance by a Financial Reporting Council appointed group chaired by Sir Robert Smith, London, January 2003. 2. Review of the Role and Effectiveness of Non-executive Directors, report and recommendations to the Secretary of State for Trade and Industry, Derek Higgs, London, January 2003. 3. The Sarbanes-Oxley Act (2002), 107th Congress of the United States, Washington, January 2002. 4. Ibid. 5. IT Governance Institute, IT Control Objectives for SarbanesOxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control for Financial Reporting and Disclosure, www.itgi.org, 2004. ch06_4768 1/8/07 2:53 PM Page 75 CHAPTER 6 Risk Management of the IS Function his chapter introduces the concept of computer risks and exposures and includes the development of an understanding of the major types of risks faced by the information system (IS) function, including the sources of such risk as well as the causes. It also emphasizes management’s role in adopting a risk position, which itself necessitates a knowledge of the acceptable management responses to computer risks. One of the most fundamental influencing factors in IS Auditing is the issue of corporate risk. This chapter examines risk and its nature and the corporate environment and looks at the internal audit need for the appropriate risk analysis to enable risk-based auditing as an integrated approach. This structured approach includes the effect of computer risks, the common risk factors, and the elements required to complete a computer risk analysis. T Leadership involves making choices in the face of uncertainty. “Risk” is the possibility that one or more individuals or organizations will experience adverse consequences from those choices. Risk is the mirror image of opportunity.1 NATURE OF RISK Ultimately, all entities encounter risk regardless of their size, corporate structure, nature of business, or type of industry. All business decisions involve elements of risk whether it is a decision regarding the financing of the business, addition or deletion of product lines, or the sources and methods of supply to the organization. All these must be assessed at an entity level by the executive management of an organization and related to the business activity desired. 75 ch06_4768 1/8/07 2:53 PM Page 76 76 IS AUDIT PROCESS These risks can affect the ability to successfully compete, the ability to maintain financial strength and the corporation’s positive public image, and ultimately the organization’s ability to survive. The overall quality of products, services, and people will all be affected. Risks cannot be eliminated, only managed, but this requires an entitywide risk identification. The overall risk will largely depend on entity objectives, and the identification must be seen as an iterative process carried out on an ongoing basis. Risk identification may be done as part of the planning process either on a “zero base” or as incremental to the last review. Risks may arise from internal or external factors and the factors themselves may be interrelated. The Institute of Risk Management (United Kingdom) recommends in its risk management standard the following responsibilities for boards: The Board has responsibility for determining the strategic direction of the organization and for creating the environment and the structures for risk management to operate effectively. This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organization’s way of operating and is capable of acting as a ‘sponsor’ for risk management. The Board should, as a minimum, consider, in evaluating its system of internal control: • The nature and extent of downside risks acceptable for the company to bear within its particular business • The likelihood of such risks becoming a reality • How unacceptable risks should be managed • The company’s ability to minimise the probability and impact on the business • The costs and benefits of the risk and control activity undertaken • The effectiveness of the risk management process • The risk implications of board decisions2 AUDITING IN GENERAL Auditing in general involves an annual risk assessment and planning exercise to determine the overall audit coverage required. This is fol- ch06_4768 1/8/07 2:53 PM Page 77 Risk Management of the IS Function 77 lowed by individual audit planning. The preliminary review is used to obtain and record an understanding so that an audit area may be broadly evaluated. From this evaluation, the extent of compliance testing or substantive testing required may be determined. After the testing is completed and the results evaluated, audit reporting must take place. This is typically addressed to the first level of management able and empowered to take effective action. After the report is agreed and issued, a follow-up is required to ensure any agreed action has taken place. The auditor needs to identify the appropriate control objectives, then to identify what is needed to accomplish control, to identify where responsibility lies, and whether a management, system, or physical control is appropriate. Identifying control objectives is done via the risk profile. The control objectives will have unique weightings for your site although the fundamental objectives of availability, completeness, accuracy, confidentiality, and integrity will not change. All controls implemented will involve cost/benefit trade-offs. Problems that will commonly be encountered as a result of computer risks include: ■ ■ ■ ■ ■ ■ ■ ■ ■ Erroneous record keeping Unacceptable accounting Business interruption Erroneous management decisions Fraud and embezzlement Loss or destruction of assets Competitive disadvantage Excessive costs Paralysis of the business Typical causes of computer risks in companies include no risk evaluation having been done. This commonly results in an incorrect view of computer controls. No allocation of responsibilities and a lack of management involvement lead to inadequate segregation of duties. Poor supervision and poor personnel procedures can lead to problems with inadequate access control. Open systems and a lack of user awareness coupled with the common problem of human errors combine to leave an unacceptable risk position. ch06_4768 1/8/07 2:53 PM Page 78 78 IS AUDIT PROCESS Auditors normally consider three types of risks when utilizing the risk-based audit approach. Inherent risk is the likelihood of a significant loss occurring before taking into account your risk reducing factors. In order to evaluate inherent risk the auditor must be familiar with the environment within which the risk could occur in order that the nature of risk, indicators suggesting the likelihood of such a risk, and the severity of such an implied risk may be assessed. Control risk measures the likelihood that the control processes established to manage inherent risk are proved to be ineffective. In order to evaluate whether the controls designed and implemented by management have adequately reduced the inherent risk to within tolerance levels, the auditor must identify those controls relied upon by management to reduce the likelihood or impact of the risk. Once these controls have been identified, an audit program to test the known effectiveness of these controls may be designed and implemented. The auditor must always bear in mind the cost of controls in reducing risks and that, at some point, a management decision may be taken to implement no further controls and accept the residual risk. Audit risk is the risk that significant business exposures have not been adequately addressed by the audit process. While the IS Auditor will take all steps to ensure that audit risk has been minimized, it can never be guaranteed. ELEMENTS OF RISK ANALYSIS Risk analysis involves the estimating of the significance of a given risk and assessing the likelihood or frequency of the risk occurring. Risk analysis in an organization involves process analysis, which requires the identification of key dependencies and control nodes. It looks at the processes within a business entity and identifies cross-organizational dependencies. It looks at where data originates, where it is stored, how it is converted to useful information, and who uses the information. These processes can be positively affected by quality control programs. At this stage, risks are normally evaluated before the mitigating effects of controls are considered in order to establish the inherent risk. Management and auditors must then consider how the risk should be managed, what actions need to be taken, and what controls ch06_4768 1/8/07 2:53 PM Page 79 Risk Management of the IS Function 79 need to be implemented. Should they be preventative procedures to reduce the significance or likelihood of the risk occurring, or displacement procedures to offset the effect if it does occur? Mitigation of risk by internal control involves decisions regarding costs and benefits. Of these, cost is normally easier to quantify and theoretically costs should be incurred until they exceed benefits. In practice this is a management decision where cost-benefit analysis usually results in some portion of the risk being managed and some portion remaining. Management should review the residual risk on an ongoing basis and from an exposure standpoint. Risk analysis is not a universal panacea. No matter how good the analysis, poor judgment in decision making may still occur after the risks are known. The analysis itself may have been made in the light of data that was incomplete, inaccurate, or untimely. People tire and make mistakes. Most risk analysis ignores collusion (two or more people acting collectively) or management override of the system of internal control. Nevertheless, meaningful risk analysis substantially increases the probability of achieving objectives. It alerts management to changes needed to control procedures and links activity objectives to action. It focuses effort on control procedures and should become second nature. The analysis itself may be formal or informal; it is the results, not the degree of formality, that matter. DEFINING THE AUDIT UNIVERSE In order to commence the risk analysis process, an “inventory” requires to be taken of all auditable units. This may be by cost center, business function, by subsidiary, or by cost center within subsidiary. How the audit universe is regarded depends on several organizational factors such as the nature of the industry, the degree of pre-defined structure within the entity, the degree of autonomy granted to business units, the types of management processes and organizational relationships, as well as the information systems usage. At a more detailed level, computers of all kinds within an organization are constantly faced with a variety of risks and exposures. It is helpful if we first define these terms: ch06_4768 1/8/07 2:53 PM Page 80 80 IS AUDIT PROCESS ■ Computer risk. Probability that an undesirable event could turn into a loss. Computer exposure. Results from a threat from an undesirable event that has the potential to become a risk. Vulnerability. A flaw or weakness in the system that can turn into a threat or a risk. ■ ■ The total impact of computer risks range from minor to devastating and could affect the organization’s ability to successfully compete, maintain its financial strength, maintain a positive public image, and, ultimately, to survive. Such risks could include any or all of: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Loss of sales or revenues Failure to meet government requirements or laws Loss of profits Loss of personnel Inability to serve customers Inability to sustain growth Inability to operate effectively and efficiently Inability to compete successfully for new customers Inability to stay ahead of the competition Inability to stay independent without being acquired or merged Inability to maintain present customer/client base Inability to control costs Inability to cope with advancements in technology Inability to control employees involved in illegal activities Damage to business reputation Complete business failure Computer risks, exposures, and losses may be characterized as intentional or unintentional and may involve actual damage, alteration of data or programs, as well as unauthorized dissemination of information. Objects that can be affected include physical items such as the hardware or hard-copy outputs, which are both vulnerable to risks such as theft or loss; the telecommunications system, which can cause major corporate grief if unavailable for any reason as well as being vulnerable to internal or external penetration; the applications software which is vulnerable to sabotage; systems software such as the operating system itself, which can also be amended or circumvented; ch06_4768 1/8/07 2:53 PM Page 81 Risk Management of the IS Function 81 computer operations where control procedures may be amended or bypassed; and the data itself, where virtually anything could happen. The risks in IS are the opposite of the control objectives and may be expressed as either. For example, a risk may be expressed as “loss of confidentiality” or the control objectives as “maintaining confidentiality.” Either way these must be treated as risks to the business. As such they are the responsibility of executive management with enforcement occurring at an operational or technical level. Obviously, the relative importance of risks will vary and the control techniques will differ from industry to industry and from company to company. The risks may be minimized but they can never be totally eliminated and indeed it is normally not cost effective to attempt to eliminate risks and in some cases not even desirable. COMPUTER SYSTEM THREATS Threats may come from either external or internal sources and may be intentional or unintentional as well as malicious or non-malicious. Internal threats may come from users, management, IS staff, IS Auditors, and others, either acting alone or in collusion. Users Threats from this source are the most commonly occurring and include errors, fraud, breach of confidentiality (commonly accidentally), or malicious damage. The most common causes of these threats are poor supervisory control combined with poor personnel procedures. In many cases far too much power has been granted to users who already have access to the assets. In many cases the users have an in-depth knowledge of the system’s control weaknesses and are in a position to exploit them. Management Threats here again include error and fraud but may also include systems manipulation for “corporate” reasons such as profit smoothing ch06_4768 1/8/07 2:53 PM 82 Page 82 IS AUDIT PROCESS or advance booking of sales or delayed recording of costs. Again breach of confidentiality is a hazard together with malicious damage. Common causes here are likely to involve inadequate segregation of duties with management, in many cases, unquestioned regarding decisions they make and transactions they authorize. This, combined with poor personnel procedures and too much power granted, can lead to major problems, particularly when combined with management’s access to assets and its authority to override conventional control levels. IS Staff Threats here include the normal problems of error, fraud, and breach of confidentiality as well as malicious damage. In this case, however, the impact of errors and so forth tend to be further reaching because they may affect not single transaction, but every transaction passing through a system. Once again the most common problem is accidental destruction rather than deliberate sabotage. Common causes are typically too much power granted, for example, granting of access to live data; poor change control; and ineffective division of duties. In many cases computer staff have control because they have the power associated with knowledge of the system. IS Auditors A commonly ignored threat, IS Auditors again are in a position to commit errors or fraud, to breach confidentiality, or cause malicious damage. In many cases there is little or no supervisory control exercised and far too much power granted. The auditors have access to the assets and a detailed knowledge of system weaknesses. In addition, they have the right to attempt to break the system, although it is not supposed to be for their gain. Others Other people also have access to computer systems, including engineers, salespersons, and so forth. Threats here include again errors, ch06_4768 1/8/07 2:53 PM Page 83 Risk Management of the IS Function 83 fraud and loss of confidentiality, as well as malicious damage and accidental destruction. Common causes in these cases include poor disposal of outputs, careless talk, inadequate access control both physical and logical, publicity, and the advent and promotion of open systems. External Threats Threats may come from legitimate external users as well as inter-computer links such as the Internet, electronic data interchange systems, system hackers, and viral attacks as well as from natural causes. Such threats are commonly caused by inadequate logical access control resulting in high-value systems being unguarded. A poor security attitude within staff coupled with an incorrect concept of computer security and an incorrect risk evaluation can also open up such exposures. RISK MANAGEMENT With such a plethora of risk exposures, management must adopt a position on risk. It may involve any or all of accepting the risk, reducing the risk (normally by increased internal control), or transferring the risk. The option that is NOT acceptable is simply ignoring the risk. In order to adopt an appropriate position, management must know and understand the risk. Risk-Based Audit Approach Risk assessment must be carried out in order to permit the efficient allocation of limited IS Audit resources and to ensure that all levels of management have been checked and that the audit effort is focused on areas of highest business impact. Risk assessment is then the basis for audit department management because it summarizes the impact of the selected subject on the overall business. The initial audit activity gathers or updates information about the organization in order to determine the audit strategy. This determination includes forming audit judgments regarding the organization and assessing the inherent and control risks in order to determine the appropriate audit testing plan. Inherent risk may be seen as the risks ch06_4768 1/8/07 2:53 PM Page 84 84 IS AUDIT PROCESS the organization faces without the mitigating impact of internal controls. Control risks involve those elements of inherent risk not successfully mitigated by the internal control structures. The initial information required would include knowledge of the organization’s business and place within its industry, as well as a knowledge of the applicable accounting, auditing, and regulatory standards within the industry. These allow the determination of the overall business objectives of the organization or departmental function. Once the business objectives have been determined, the auditor may proceed to identify and isolate the individual detailed control objectives. For example, the overall objective of the purchasing function is to buy items for the organization. The control objectives for this function would include ensuring that only the right items are purchased, at the right price, in the right quantity, of the right quality, in an authorized manner, for delivery to the right place at the right time. The risks then become those factors that can prevent fully or partially the achievement of the control objectives. The auditor must then determine which controls will mitigate those risks and what source of evidence exists as to the adequacy and effectiveness of that mitigation. Risk Factors to Consider Among the risk factors normally considered are the: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Date and results of last audit Financial exposure and potential loss and risk Requests by management Major changes in operations, programs, systems, and controls Opportunities to achieve operating benefits Quality of the internal control framework Competence of management Complexity of transactions Liquidity of assets Ethical climate and employee morale There are two possible assessment methods for the auditor to choose from. Objective Assessment utilizes only quantitative attributes of auditable units such as the value of throughputs, the value of ch06_4768 1/8/07 2:53 PM Page 85 Risk Management of the IS Function 85 assets under control, the number of personnel, or the volume of transactions. In this methodology, there is no weighting of risk factors undertaken. The alternative assessment method uses Subjective Assessment, whereby each risk factor may be weighted on a scale representing degrees of concern, thus allowing the auditor to express his or her (or management’s) feelings regarding risk materiality. Risk-Based Auditing Risk-based auditing involves integrating the concepts of high-level risk analysis into the development of the overall audit plan. The audit plan itself may be differentiated between mandatory audit activities and discretionary audit activities. Mandatory audit activities are those activities that must be carried out within the time span of the audit plan and include legal or regulatory requirements, senior management requirements, and external auditor liaison requirements. These may be assigned the greatest risk value to ensure automatic selection but the auditor must be careful to ensure that senior management requirements are in fact requirements and not just nice to have. Discretionary audit activities should be decided upon using risk factors that should be limited to the most important ten or less to keep the process manageable. Risk factors must apply to a variety of products and services across the company. Common risk factors within information systems include the monetary values handled within individual applications. This is an easily quantified criterion for evaluation and, as such, is one of the more frequently used risk factors. Disclosure of information to a third party could seriously impact the organization and could, in some cases, jeopardize the future viability of the organization. Loss of information could, under some circumstances, also threaten the existence of the business. Failure to comply with legal statutes or regulations will normally result in some form of sanction, frequently monetary. The technical complexity of systems is very much a judgment call for a system classed as extremely complex by one organization but may be seen to be the norm at another. Nevertheless, such complexity can add greatly to the risk of failure of parts or all of the information processing structures. System stability is commonly overlooked as a risk factor because rarely does it threaten the survival of ch06_4768 1/8/07 2:53 PM Page 86 86 IS AUDIT PROCESS the organization. Despite this, the costs involved in constant maintenance and adjusting of unstable systems, hardware, software, or a combination of both, can make this a significant threat. For many modern organizations unavailability of systems has become a major threat and for many businesses an extended period of unavailability could result in their rapid closure of the business. In addition, there are always risk factors unique to a given organization and these must also be taken into consideration. These risks result from a variety of sources and causal factors and initial risk analysis is intended to measure inherent risk, that is, risk without taking into consideration the effects of internal control processes. Sources of threats also include fire, flood, sabotage, natural disaster, and the biggest threat of all—human error. Logical threats such as user abuse, time bombs, data peeking, Trojan horses, salami techniques, and data diddling must also be considered, as must the mitigating effect of such control elements as change control. The high-level risk analysis should therefore be seen as a broadbrush approach designed to arrive at an approximate risk evaluation of a business entity. This determines the frequency of audit but not necessarily depth or focus areas. The detailed risk analysis identifies the control processes designed to mitigate risk and involves the design of the audit steps to test such control processes. Basic controls within computer systems include edit checks on inputs, reconciliations on outputs, backup, and recovery controls to ensure ongoing continuity. Disciplinary controls such as segregation of duties, physical and logical access restrictions, and authorization are essential to ensure adequacy of risk control. Establishing a detailed risk profile involves assessment of a range of security-threatened areas including: ■ ■ ■ ■ ■ ■ ■ Physical security Personnel security Data security Applications software security Systems software security Telecommunications security Operations security ch06_4768 1/8/07 2:53 PM Page 87 Risk Management of the IS Function 87 In order to mitigate risk in these areas, control procedures may be classified under the headings of general organization control procedures, access controls to data and programs, use of the appropriate systems development methodologies, data processing operations controls, systems programming and technical support functions, as well as data processing quality assurance procedures. In assessing the quality of internal controls, the nature and quality must be examined including whether the controls are manual or automated. Weak or unknown internal controls indicate a higher risk. The audit experience of this business area as well as the time since the last audit and the significance of findings at that time may have a major impact on the evaluation of risk. Visibility and scope may be measured by the volume of transactions, the size of master files, the types of input, and processing. Visibility may be assessed by considering the number of users of services, systems interfacing with other audit units, and any major changes since last audit. The effect on accounting data may be shown by the booking duration of accounting entries, the degree of automation in processing, and the condition of suspense accounts in terms of both size and movements. Assessing the risk could involve measuring and evaluating the number of users on the system, the security awareness of those users, the value of assets under the direct control of the systems, the degree of user sophistication, and outsider access. In addition, the effectiveness of password management and change control must be considered as well as the access rights of both operations and development staff. Controls such as the scrutiny of logs may also be seen to reduce risk. ENDNOTES 1. W. Bradshaw and A- Willis, Learning about Risk Choices, Connections, and Competencies, Toronto: Canadian Institute for Chartered Accountants, 1998. 2. The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC), and ALARM The National Forum for Risk Management in the Public Sector, Risk Management Standard, London, 2002. ch07_4768 1/8/07 2:54 PM Page 88 CHAPTER 7 Audit Planning Process his chapter examines the Audit Planning Process at both a strategic and tactical level. The use of risk-based auditing and risk assessment methods and standards are covered. The preliminary evaluation of internal controls via the appropriate information gathering and control evaluation techniques as a fundamental component of the audit plan and the design of the audit plan to achieve a variety of audit scopes is detailed. T BENEFITS OF AN AUDIT PLAN Planning is fundamental to successful auditing. Bad planning typically results in a failure to achieve the audit objectives as well as the conducting of audits being either insufficient in scope with unidentified risks resulting in incomplete audits, or alternatively over-auditing and making inefficient use of resources. One of the more common mistakes made by Information Technology (IT) auditors is proceeding to implementation of the audit without having a clearly thought-out plan. Planning is one of the most fundamental management techniques and yet one of the most badly executed techniques. In order for an audit to be effective it must, by definition, achieve its objectives. It is critical that the auditor fully understand these objectives before the audit commences. A structured, well-documented audit plan identifies and establishes the criteria against which a successful audit will be measured. The planning process involves: ■ ■ 88 Identifying the tasks to be performed in the course of an audit Allocation of those tasks to specific auditors ch07_4768 1/8/07 2:54 PM Page 89 Audit Planning Process ■ ■ 89 Deciding when a task should commence Quantification of the duration of each individual task based upon the auditor allocated The primary stage of planning any audit, computer or non-computer, is obtaining a clear understanding of the business objectives of the area under review. For example, the overall business objective of a procurement function may be seen as buying things. This, in turn, leads to the definition of the control objectives of the business area; for example, ensuring that goods are procured at the right price, at the right time, in the right quantity, in the right quality, for delivery to the right place. Once the control objectives of the area under review are clearly and fully understood, the auditor may then proceed to identify those controls relied upon by the user to ensure that the control objectives are achieved. Many of these controls will be preventative and will not themselves leave a clear audit trail of the control efficiency and effectiveness. As a result, the auditor may have to look elsewhere for evidence that the controls are achieving that which was intended, and that the control objectives in fact are being achieved. Once the auditor has identified the source of evidence as to the achievement of the control objectives, the appropriate audit technique and audit tools may be selected. If these steps are omitted and the auditor proceeds directly to the interrogation of computer systems and the running of Computer Assisted Audit Techniques (CAATs), an audit will result that cannot be seen to be achieving its goals and objectives because the goals and objectives were unknown when the audit took place. Only with careful consideration and planning can a successful audit occur. The Elements An audit should include: ■ Tentative determination of the objectives and scope of the audit. This includes determining the objectives of the audit in consultation with the auditees as well as what is to be included within the ch07_4768 1/8/07 90 ■ ■ 2:54 PM Page 90 IS AUDIT PROCESS scope of the audit and what will not be included. Once the objectives and scope have been finalized and agreed, an engagement letter clarifying the agreed scope and objectives should be sent to the client so that, at a later stage, no misunderstanding will arise as to what had been agreed would and would not be audited. At this stage, the auditor will seek to determine the overall business objectives of the area to be reviewed as well as the control objectives. The background information regarding the area to be audited must be gathered. This involves a reading of operating procedure manuals and discussions with operating management in order to obtain the whole picture. This theory will be combined with a more practical approach involving interviewing user staff in order to both evaluate their understanding of the business and to confirm the auditor’s understanding. Site visits to observe the operation of specific business functions will also help. Further information and confirmation may be derived by comparing the current understanding of the controls to those identified and in operation during previous reviews. The major products and services that are the key activities involved in meeting the business objectives must be identified. Once again, this will involve determining the level of management’s understanding of their own key performance areas (KPAs). For each KPA, performance objectives must be established. This involves seeking core activity targets that are both achievable and, at the same time, stretching. Key performance indicators (KPIs) must be identified that will enable the performance to be measured appropriately. The risks and threats that could lead to nonachievement, underachievement, or even failure must then be assessed. Both external and internal threats must be considered. Internal threats are those over which management has complete control, such as choice of vendor. External threats are those that management cannot directly control, but for which they must nevertheless develop a coping strategy, such as interest rate fluctuations or actions by competitors. ■ The overall intention of a specific audit may be classified as reviewing the design of the internal control system for adequacy, tests of compliance with the designed control system, and evaluation of the effectiveness of the implementation of the control system. ch07_4768 1/8/07 2:54 PM Audit Planning Process ■ ■ ■ Page 91 91 The selection of the audit team. In many cases the audit will be conducted by a team of auditors that will include a mixture of disciplines. Each team has typically several functions to perform, usually by different members of the team. These will include determining of objectives and scope, coordinating the work including assigning team members, coordinating the project with other work going on in the department at the same time, and reviewing all documentation for the audit process. In addition to these administrative functions, the conducting of the extended audit tests will be carried out by individual team members. In many smaller audits, or in departments where IT auditors are few, these functions are typically combined so that a single auditor will carry out all those functions. It is only once the team has been selected that the full time extent of the audit can be determined, because that time taken will be dependent upon the skills and experience of the individual team members. Initial communication with the auditees and others involved in the audit. Courtesy as well as good business of practice indicates that the auditor should notify the auditee and selected others prior to the commencement of the audit. This permits the auditees to make necessary preparation and arrange access to records, employees, and facilities. At this point it is appropriate for the audit team leader to draft an engagement letter outlining the information pertaining to the forthcoming audit. This letter confirms discussions with the auditees and agreements reached on scope and objectives. Obviously there are times—for example, fraud audits—where such preliminary communication would not be carried out in the same manner if, indeed, at all. Preparation of the preliminary audit program. One of the most critical areas in the planning process is establishing the audit program. This program is a detailed list of analytical steps to be carried out during the course of the audit. Preparation of this program enables the assignment of individual auditors to individual tasks within the overall audit. This is essential in time management because individual auditors do not work at the same rates. Auditor productivity will be heavily dependent on the individual auditor’s experience and knowledge of the areas under review. ch07_4768 1/8/07 92 ■ ■ 2:54 PM Page 92 IS AUDIT PROCESS It should be stressed that this audit program is purely preliminary and will be modified during the course of subsequent audit operations as new information comes to light. As such, time estimates at this stage are precisely that, estimates. One of the most common mistakes in preparing the preliminary audit program is to simply list the questions to be asked. While this is part of an audit program, the critical element is the determination of which evidence will be examined, and how, in order to answer those questions. An example of a bad audit program would include a step to “determine if all purchase orders are appropriately signed.” A better step would be “take a statistically significant sample of purchase orders and compare the signatures to the authorized signatures list in order to determine whether all purchase orders are appropriately signed.” The planning of the audit report. The best audit in the world is a waste of time and money if necessary improvements do not take place. In order for management to be convinced that changes to control procedures are necessary, the auditor must produce a report that is objective but persuasive, clear, concise, constructive, and timely. The audit report communicates the result of the audit to the auditees and others in the organization. The planning for the audit report begins at the preparation stage of the audit process. Ultimately, all audit work is carried out in anticipation of the final audit report. Many auditors see the audit report as largely non-productive work and a task to be rushed and disposed of as soon as possible at the end of the audit. Nothing could be further from the truth. If this stage is rushed, a poor-quality report will result. In many cases it will lie unread on a manager’s desk and will have very little impact on the organization as a whole. A well-written audit report will typically result in a rapid response from the appropriate management levels to resolve the issues included therein. The contents of the final report are obviously unknown at the planning stage, however, because most audit departments use standardized report layout, it should be possible for the auditor to envisage the structure and appearance of the final report even if the actual contents are unknown. Approval for the audit approach. It is the responsibility of the in-charge auditor to review and approve the audit program prior to the commencement of actual work by the audit team. This ch07_4768 1/8/07 2:54 PM Page 93 Audit Planning Process 93 review includes determining that the audit objectives and scope are as required and that the specific audit procedures including in the audit program will lead to those audit objectives being accomplished. STRUCTURE OF THE PLAN The structure of the planning will, in general, follow the structure of the audit process. It will therefore include the preliminary survey of operations, the internal control description and analysis, the expanded tests control systems, the development of findings and recommendations, the report production, following up, and audit evaluation. Preliminary Survey The objectives of the preliminary survey are to gain an initial understanding of the auditee’s operations and to gather preliminary evidence for further audit planning. Where the area has been audited in the past, the preliminary survey may take the form of confirmation of the auditor’s understanding. The survey itself will typically include an opening conference between members of the audit team and auditee management to outline the audit assignment with management and coordinate audit activities with auditee operations. An on-site tour of the premises is normal to familiarize the auditor with the nature of the operations and personnel involved. This tour permits the auditor an initial assessment of the overall standard of internal control. Care must be taken at this stage not to start the audit process prematurely. Further studies of selected documents will provide a basis for written descriptions of the auditee’s operations. Documents such as job descriptions, organization charts, policy manuals, and critical operating documents would be examined at this stage in order to determine if they exist, how well they are maintained, if they are appropriately secured, and if they are ever used. Written descriptions of the auditee’s operations prepared by the auditor can clarify the auditor’s understanding and confirmation can be sought directly from auditee management. ch07_4768 1/8/07 2:54 PM Page 94 94 IS AUDIT PROCESS Internal Control Description and Analysis From the preliminary survey the audit should have a good understanding of the business and control objectives of the area under review. This stage allows the preparation of detailed descriptions of the auditee’s internal controls related to the areas under review. Limited testing of such controls may take place at this stage in order to determine the size of subsequent testing required. Based on this information the auditor would evaluate the system of internal controls in order to determine whether the control structures in place, if effective, would lead to the desired level of control. At this point a risk reassessment can be carried out in order to determine the need for any changes in the objectives and school of the audit and how much, if any, expanded audit tests are required before conclusions can be drawn. Expanded Tests In order to determine whether the internal control structure is effective, a certain amount of expanded audit testing will be required. These are the tests that would be included in the final audit program as an addition to the preliminary audit program. Such testing would include the examination of records and documents, interviews with auditee management and other personnel, observation of operations, examination of assets, interrogation of computer files, comparisons of audit results to auditee’s reports, and other procedures designed to test the effectiveness of the system of internal control. The auditor would make use of all the previously discussed tools and techniques at their disposal. Findings and Recommendations Based on the work carried out, the auditors will develop the findings and determine what changes, if any, are necessary to improve internal controls. A finding consists of four distinct parts. Criteria are those standards against which observed conditions will be measured. Conditions refer to what was actually observed during the course of ch07_4768 1/8/07 2:54 PM Page 95 Audit Planning Process 95 audit testing. The effect refers to the impact on the business associated with any observed problems. The cause of the problem addresses failures of internal control or weaknesses within the internal control structures. Based on these findings the auditor may choose to make recommendations. These typically take four forms: 1. Make no changes in the control system. Where controls are deemed to be both adequate for a given level of a risk and effective in controlling that risk and the current control system is seen to be cost effective. 2. Improve control and reduce risk either by modifying current controls or by adding new ones. 3. For those areas where risk is not at acceptable levels, but control is impractical or not cost-effective to implement, the auditor may recommend the transfer of risk either by insurance or outsourcing. 4. Should there remain an element of risk uncovered by the system of internal control but nevertheless at an unacceptable level, the auditor may be able to recommend changes that would improve the rate of return for accepting that level of risk. Report Production The reporting phase of the audit includes documenting and communicating the final results. This is not, as is often believed, the “final product.” The overall objective of the audit was to assist management to improve control within the organization. As such communication via the audit report is a critical element. It is the audit report that will persuade management to take effective action or conversely fail to persuade management. The reputation of the audit function is largely based on the audit report because this represents a formal presentation of the auditor’s professional competence. In most audit reports it is found beneficial to include the comments of the auditee to any recommendations raised. This ensures the objectivity of the final report by permitting the auditee to disagree formally with the auditor’s observations. Failure to include auditee comments may result in the auditee finding other ways of expressing their disagreement with the audit report, the audit process, and the auditors themselves. The audit ch07_4768 1/8/07 2:54 PM 96 Page 96 IS AUDIT PROCESS report itself must be produced in a timely manner and no unwarranted delays should be permitted to occur within the process. A 24to 48-hour production schedule should be aimed at. Following Up It is critical that any recommendations made within the audit report be followed up in order to determine whether management has accepted the risk of taking no further action, taken the appropriate remedial steps to resolve any control weakness, or taken no action and left the weakness as an unacceptable risk. This follow-up will itself result in the production of report, albeit a short report, which will hopefully state that all outstanding issues have now been resolved. Audit Evaluation The final stage of the audit relates to the evaluation made by the auditors of themselves. No audit is complete until the full audit process has been executed. It is an essential control within the audit function itself that self-assessment be carried out at the end of each audit project. Coming as it does at the end of the process, the step is often omitted to the detriment of future audit performance. TYPES OF AUDIT Again, to a large extent the development of the audit plan will depend upon the nature of the audit being conducted. Financial audits tend to involve the verification of figures produced by the computer systems. This will commonly involve the auditor using CAATs to extract information directly from data files for comparisons to reported figures. Operational audits focus on the effectiveness and efficiency of business operations and could include IT in itself as a business function. These audits will normally involve identifying performance evaluation criteria and KPAs and matching the performance achieved against that intended. General control audits focus on the management controls around the information processing function and facil- ch07_4768 1/8/07 2:54 PM Audit Planning Process Page 97 97 ity and may be either operational or compliance based. Application audits can take the form of reviews of live application systems within the user arena, audits of application systems under development, or audits of the applications systems development process itself. Audits involving operating systems are less concerned with audits of the operating system itself but rather the way in which the installation has chosen to implement operating system options. This typically involves examining the parameters selected and the selection process for appropriateness. Physical access audits are performed in the same manner as physical access audits to any corporate asset for the primary objective and safeguarding of the corporate asset. Logical access audits, however, will typically involve interrogation of computer systems control files in order to match access rights granted against job requirements. ch08_4768 1/8/07 2:56 PM Page 98 CHAPTER 8 Audit Management his chapter looks at audit management and its resource allocation and prioritization in the planning and execution of assignments. The management of Information Systems (IS) audit quality through techniques such as peer reviews and best practice identification is explored. The human aspects of management in the forms of career development and career-path planning, performance assessment, counselling and feedback, as well as professional development through certifications, professional involvement, and training (both internal and external) are reviewed. T PLANNING It is important to emphasize that computer audit is only one part of the total internal or external audit function. The IS Audit group’s responsibility is to provide support to the general audit side on computer-related aspects of their work, by providing adequate audit coverage of the organization’s information systems. Audit management must ensure that general and computer audit work complement each other, dovetailing together to provide adequate audit coverage for the enterprise. Planning the IS Audit function involves defining the areas of audit involvement. These could be the review of: ■ ■ ■ ■ ■ 98 Business systems Systems under development IS facilities management Security and recovery controls Efficiency and effectiveness of IS ch08_4768 1/8/07 2:56 PM Page 99 Audit Management 99 AUDIT MISSION To review, appraise, and report on: ■ ■ ■ ■ ■ ■ ■ ■ Soundness, adequacy, and application of controls Compliance with established policies, plans, and procedures Accounting for and safeguarding corporate assets Application of proper authority levels Reliability of accounting and other data Quality of performance of assigned duties Extent of coordinated effort between departments Safeguarding of corporate interests in general IS AUDIT MISSION To review, appraise, and report on: ■ ■ ■ ■ ■ ■ ■ ■ Soundness, adequacy, and application of IS operational standards Soundness, adequacy, and application of systems development standards The extent of compliance with corporate standards Security of the corporate IS investment Adequacy of contingency arrangements Completeness and accuracy of computer-processed information Whether optimum use is being made of all computing resources Soundness of application systems developed The scope of work undertaken includes installation reviews, systems reviews, audits of systems under development, as well as audits of the development process. Auditing of the contingency planning arrangements, provision of in-department expertise, and training of non-IS Auditors may also be IS Audit responsibilities. The specialist may be required to assist in computerizing the internal audit function, to review logical security, and to liaise with external IS Audit functions. Specialist tasks would include reviews of logical security, IS strategic planning, efficiency/effectiveness, communications systems security, and IS technical support functions. ch08_4768 1/8/07 2:56 PM Page 100 100 IS AUDIT PROCESS ORGANIZATION OF THE FUNCTION The dividing line between what is a computer audit function and what is a general audit function can vary significantly between audit groups. Some groups include what in other audit departments would be a computer audit function in the general audit responsibilities. There are three different views on computer audit as a discrete discipline. The first view, and one often held by computer auditors themselves, is that any review of computer controls should be carried out by a specialist computer auditor. Therefore, as computer systems are continuing to spread and increase in complexity, the number of staff working as professional, full-time computer auditors must increase correspondingly. The contrary view is that computer auditors and general auditors must integrate fully. Because most business systems are computer based, all auditors must be computer auditors. Extreme proponents of this view see no future for separate computer audit specialists, even for the most technical work. Between these views is a third view, which has much to commend it. There is some benefit in some areas of audit work involving the review of computer systems being carried out by computer-literate general auditors. This includes the review of PC systems, which tend to be highly integrated into the workings of user departments, and many aspects of the review of both developing and live systems, which again benefit from a detailed knowledge of the business environment. Some straightforward file interrogations can now easily be carried out by general auditors. However, there is still a continuing and major role for specialist computer audit staff, particularly in the more technical areas of developing or live application reviews, and for mainframe computer installation and systems software reviews. Such an organization will typically report independently to a level sufficiently high to ensure adequate authority for access. Normally it is seen as a part of internal audit and reports within that structure. The structure of IS Audit itself is a factor of size, which will determine the need for specialists as opposed to generalists, the complexity of systems and the uniqueness of systems, as well as the extent of use of packaged systems will also play a part in deciding the structure. ch08_4768 1/8/07 2:56 PM Page 101 Audit Management 101 STAFFING Depending on the size and complexity, staffing could consist of a mix of: ■ ■ ■ ■ ■ Computer audit manager Application auditors Trainee auditors Audit application development staff Technical support Skill levels required of the manager of such a department would include specialized skills in both conventional and computer auditing as well as the managerial skills appropriate to handle a mix of technical specialists. Knowledge of the corporation would be absolutely essential to ensure adequacy of risk coverage. Tasks of the IS manager include the planning of the strategic direction of the section, which must take into account corporate priority setting as well as the liaison internally and externally to ensure effective IS coverage in an efficient manner. As with any line manager, the review and approval of all IS Audit work and the controlling and monitoring of the workflow are part of the normal managerial function. The staffing of the department, defining of roles, sourcing of staff and training, motivating and career planning for acquired staff are part of the normal managerial process. Once the audit universe has been defined, it will be possible to work out the types of skill required to review the audit areas that have been identified. Assuming a typical IS Audit coverage in a large organization, the following skills or knowledge may be required in an IS Audit department: ■ ■ ■ IS security and control principles. Audit principles. Auditors need to understand how to plan and undertake audits, and how to document their work. Good interpersonal and communications skills, both oral and written, because very complex technical information often has to be communicated in a jargon-free way. ch08_4768 1/8/07 102 ■ ■ ■ ■ ■ ■ ■ ■ ■ 2:56 PM Page 102 IS AUDIT PROCESS Good sense of judgment, because they need to analyze complex technical and business issues, and to conclude on the security and control implications. Business-specific skills; for example, a bank will benefit in application reviews if some staff have banking training. Systems analysis skills, to assist in understanding computer systems, and reviewing the development process. Data analysis skills, to assist the auditor in understanding the design and development process, as data analysis techniques are in widespread use. Some programming skill, to assist in preparing computer assisted audit techniques (CAATs) and reviewing systems under development. Computer operations experience, to help the auditor to review computer installations. Networks, for the review of data communications. Systems software, to assist in the review of the systems software infrastructure of the organization. PCs and minicomputers. This has now become a very significant area in many organizations. In-depth and varied skills are therefore required, and are rarely found in one individual. Many computer audit departments are thus staffed by auditors from a variety of different computing and audit backgrounds. It is management’s job to develop missing skills in the group, and bring the group together as a team. Ongoing training is essential to keep skills current in an ever-changing data processing environment. In order to discharge their responsibility of identifying and analyzing risk in computer systems, the computer auditor must, as is the case with all auditors, be able to write reports in simple, jargon-free language. The auditor must be able to report on risk in terms that management can understand; insofar as is possible, the effect of the risk must be described in business terms for business management. While the final report of findings to management, both orally and in writing, may take only a small percentage of audit time, if it is not done professionally much of the potential benefit of the audit will be lost. Good written and oral communications skills are therefore essential. ch08_4768 1/8/07 2:56 PM Page 103 Audit Management 103 IS AUDIT AS A SUPPORT FUNCTION IS Audit may also be viewed as support function to the rest of the internal audit function and may be involved in the development of CAATs, the provision of assistance to non-IS Auditors, and even the internal training of non-IS Auditors. They may also assist in the development of control procedures for internal computer usage while ensuring the appropriate research in advanced IS and IS Audit techniques is conducted. Organizational structures may be centralized or decentralized. Centralized has the advantages of independence from local management and the maintenance of close ties with corporate management. Availability is flexible but the centralized auditor may be seen as an outsider by local management and this could offset all the aforementioned advantages. Decentralized IS Audit with each division with its own IS Auditors permits close ties at local level with an enhanced perception of benefits. The auditors may have a better understanding of the local business functions but there is a possible loss of objectivity and standard audit approach. It is also a costly approach. The hybrid approach uses generalist groups in the field with technical support at the head office. Rotation of staff through the specialist section may give the best of both worlds, but it may fragment audit effort and result in a loss of cohesion. PLANNING Planning the computer audit function involves defining the areas of audit involvement. These could be the review of: ■ ■ ■ ■ ■ Business systems Systems under development IS facilities management Security and recovery controls Efficiency and effectiveness of IS Of these we will focus primarily on the review of business information systems. ch08_4768 1/8/07 2:56 PM Page 104 104 IS AUDIT PROCESS BUSINESS INFORMATION SYSTEMS Reviews of business systems include audits of application systems, fraud audits, compliance audits, financial audits, operational audits, recovery audits, and systems development audits. Auditing computer systems of any kind is a systematic process commenced by obtaining a business understanding of the system under review. From this understanding, the auditor can define the business objectives of the system and verify them with user management. The next stage would be the definition of the specific control objectives and from there the auditor may proceed to identify and evaluate critical controls/processes/apparent exposures and design the audit procedures to test the critical facets. Evaluation of the results, reporting, and follow-up complete the process. In designing the audit procedures, the auditor is testing to obtain evidence. This means that the auditor must know what he or she is looking for. It must always be understood that not all controls need to be tested and that, to provide cost-effective auditing, the auditor should look for common controls; that is, controls that address a variety of control objectives. As individual controls are identified, the auditor should try to identify control structures or combinations of controls that serve to mitigate risk areas and should establish the degrees of control effectiveness. INTEGRATED IS AUDITOR VS INTEGRATED IS AUDIT For many years confusion has arisen as to the difference between integrated audit and the integrated auditor. Contrary to what some believe, there are some simple and realistic answers to this question. There are two readily identifiable approaches to integrated audit that have been tried with varying degrees of success: integrated auditor and integrated audit. Integrated Auditor The basic concept is to develop an expanded auditor skill set, basically to train financial/operational auditors to be “partial” IS Auditors. Armed with a basic understanding of computers—and general and ch08_4768 1/8/07 2:56 PM Audit Management Page 105 105 application controls—all auditors would be able to include IS control considerations in each and every audit, as well as use basic CAATs (without being totally dependent on the IS Audit staff). Basic training on information technology and IS Audit remains the first step in developing IS Auditors (including integrated auditors) at all skill levels. Audit programs may then be modified to include IS control considerations, as well as to identify opportunities for CAATs. If extensive IT audit education is provided for the integrated auditor, standard “off the shelf” IS Audit programs might be used without modification. If the education provided is less extensive, audit programs may require significant modification to ensure the auditor fully understands both the question and possible answers, and knows what to do next based on the answer given. The complete integrated auditor fully understands and will use CAATs in all audits. Undertrained integrated auditors rely on others to do CAATs for them. In today’s world, all auditors must have some level of information technology (IT) expertise. All organizations base audit staffing and training requirements on the audit mission and audit requirements, and are becoming increasingly sophisticated in accomplishing that process. Thus, in reality, all auditors have become integrated IS Auditors—some just have greater knowledge and skills than others. Effective integration is therefore dependent on: ■ ■ ■ ■ Expanding the IT knowledge base of each and every auditor Realistic audit assignments based on knowledge and skill level Extensive IS Audit tools and support Effective technical supervision Integrated Audit The alternate solution chosen by some organizations is to focus their resources more directly by providing an integrated audit product rather than developing an integrated auditor. Rather than attempt to expand the knowledge base of an individual, they seek to apply the knowledge base that currently exists within their organization by assembling an audit team including IS Audit-trained as well as financial/operationally trained auditors working together. This approach is ch08_4768 1/8/07 2:56 PM Page 106 106 IS AUDIT PROCESS obviously preferred by those organizations that already use crossfunctional teams extensively. Though it is not always a viable alternative for smaller audit staffs, including a technical expert in an audit can have major internal assurance and risk management advantages. The key to successful team auditing is the building of team participation skills to assure functional groups. Not all auditors are used to working as members of cohesive groups, and some have had no training or experience whatsoever of working in a group setting. This means that effective team building will involve expanding the group process knowledge base of both staff and management. Realistic audit team assignments based on knowledge and skill level are a prerequisite as IS Audit management involvement and participation. The biggest barriers to achieving effective auditing in an IS environment include the assumption that IS Audit is a separate and unique and special audit discipline, while the fundamental internal auditor skill set is accounting and general business oriented, with limited IS knowledge required. Many organizations are redefining internal audit as the business processes are re-engineered throughout the rest of the organization. The internal audit discipline is also undergoing a massive re-engineering and reorganization as new philosophies, methodologies, and techniques such as control self-assessment are tested and implemented. What better time to restructure based on an IT philosophy? IT is pervasive within the organization. Structures that seek to make IS distinct and special are obsolete and counterproductive. As auditors we have created the artificial functional designations of financial audit, operational audit, and IS Audit because that suited our purposes at the time. In today’s business environment we must use functional specialization to our advantage, not be ruled by it. We must eliminate over-specialization and correctly reclassify IT as a pervasive and critical organization resource rather than a special organization function that can only be audited by function specialists. AUDITEES AS PART OF THE AUDIT TEAM Effective internal control can only be achieved when everyone wants to have effective internal control and work together to achieve that goal. Team-based auditing has long been a preferred integrated audit ch08_4768 1/8/07 2:56 PM Page 107 Audit Management 107 approach. As in any team effort, success is dependent on shared objectives and full participation. In today’s world, however, the team audit approach needs to be taken to the next level, including management and staff of the area undergoing evaluation. True team audits can provide team access to the broader specialized knowledge content of its individual members, and also identify those areas where critical specialized knowledge is absent. APPLICATION AUDIT TOOLS The tools available for computer auditors include not only CAATs but also the standard tools such as interviews, system questionnaires, control questionnaires, and documentation. Control evaluation tools such as CAATs, test data generators, and flowcharting packages may be combined with specialized audit software, generalized audit software, utility programs, and non-audit-specific software such as reporting programs and general query languages. Risk analyzers, audit planning software, and automated working papers may also prove useful tools in this environment. ADVANCED SYSTEMS The audit of advanced systems such as paperless systems (e.g., electronic data interchange [EDI]) or decision support systems (e.g., Executive Information Systems) involves a risk multiplier factor. The risk is limited only by the corporate dependency on the system. This is normally unevaluated and normally understated because risks in these areas could threaten the ongoing existence of the organization. Advanced systems are an enormous corporate investment designed to maintain the corporate competitive edge. In some cases they may lead to a complete re-engineering of the organization with major impacts on effectivity, efficiency, and economy. SPECIALIST AUDITOR Many organizations make use of specialists within their IS Audit function to carry out tasks classed as being beyond the scope of the ch08_4768 1/8/07 2:56 PM Page 108 108 IS AUDIT PROCESS conventional IS Auditor. These include such audit areas as performance auditing of computerized systems, auditing logical computer security, auditing telecommunications, auditing that technical specialist’s area, and auditing IS strategic planning. In all of these areas a higher level of technical competence is normally required and for many organizations it is neither cost effective nor desirable to retain such skill levels in-house. In these circumstances, the organization will rather outsource to a technical specialist or use consultancy skills as required. Where the specialist IS Audit capability is in-sourced, career progression can be a problem because such high levels of technical skills are normally only required within IS Audit, IS security, or IS itself. IS AUDIT QUALITY ASSURANCE As with any other audit area, quality assurance remains the responsibility of the audit manager. In practice, this will normally involve review of audit work by other IS Auditors as well as audit management. It is critical, to maintain the confidence of the auditee and the IS department in the IS Audit function, that IS Audit work be seen to be technically competent in all of the areas addressed. Once more, where such assurance cannot be given in-house, outside sources may be used as external quality assurance (QA) reviewers. Such external resources can come from a variety of sources including specialist consultancy firms and independent external auditors. ch09_4768 1/8/07 2:59 PM Page 109 CHAPTER 9 Audit Evidence Process his chapter explores the fundamental audit evidence process and the gathering of evidence that may be deemed to be sufficient, reliable, relevant, and useful. Evidence gathering techniques such as observation, inquiry, interviewing, and testing are examined and the techniques of compliance versus substantive testing are contrasted. The complex area of statistical and non-statistical sampling techniques and the design and selection of samples and evaluation of sample results is examined. The essential techniques of computer assisted audit techniques (CAATs) are covered and a case study using the IDEA© software provided with the book is detailed. T AUDIT EVIDENCE As noted in Chapter 3, IS Auditors must gather audit evidence in order to express opinions. Audit evidence itself may be classified as sufficient, competent, relevant, or useful and evidence is typically classified as physical, testimonial, documentary, or analytical. AUDIT EVIDENCE PROCEDURES As has been stated, the auditor gathers evidence by following the audit program, which is a set of detailed steps that the auditor will follow in order to gain the appropriate evidence and, for the Information Systems (IS) Auditor, may well include the use of computerized techniques, although this is not always the case. The evidence gathered permits the expression of an opinion on the efficiency, economy, and effectiveness of the activities. It lists directions for the examination and evaluation of information and 109 ch09_4768 1/8/07 2:59 PM Page 110 110 IS AUDIT PROCESS provides the primary link between the audit field work and the audit report. Steps in formulating the audit program involve determining the results from the preliminary survey, determining what, if any, risk is indicated; determining what types of controls best manage the risks; determining what, if any, additional evidence the auditor would like; and selecting the audit tests. Like a route map, the audit program must fit the need of the traveller. It states what is to be done, when it is to be done, how it is to be done, who will do it, and how long it will take. The audit program helps the auditor stay on schedule/budget. It may be “pro-forma” or specifically tailored, but in either case it provides the following benefits: ■ ■ ■ ■ It is a systematic plan for each phase of audit work providing a basis for assigning work to the team members. It is a means of controlling and evaluating progress and assisting in training inexperienced staff members. It provides a summary record of work done. It reduces the direct supervision requirement by providing a clear path for subordinates and provides internal audit quality assurance information. The final audit program should be prepared immediately after the preliminary survey although even then the program may be modified during the audit. Where new pro-forma audit programs are to be introduced, they should be prepared well in advance and field tested. Programs that are prepared too late will be rushed and have steps missing. Preparation of the audit program should focus on what is hazardous to the corporation. The program should be thoughtful, relevant, effective, and economic, remembering again that not every item need be checked and that reasonableness and relevance should be maintained. CRITERIA FOR SUCCESS In order for the audit program to be successful, the objectives of the operation should be stated and agreed by the auditee up-front. The ch09_4768 1/8/07 2:59 PM Page 111 Audit Evidence Process 111 programs should be tailor-made where possible and the reasoning behind each work step should be shown. A common failing of audit programs is the creation of a list of questions to be answered. The audit program is a series of detailed instructions to be followed in the obtaining of audit evidence. These work steps should be prioritized to seek evidence of the most important control objectives first. All audit programs should be flexible because circumstances may change based upon evidence uncovered. Supervisory approval must be shown for all audit scheduling, staffing, and the audit constraints must be agreed. Audit supervision will typically utilize standard project management techniques in order to match resources to requirements. This will include the defining, organizing, and monitoring of tasks and training staff as well as approval of the audit program. The audit supervisor must be satisfied with the: ■ ■ ■ ■ ■ ■ ■ ■ ■ Audit subject Audit objective Audit scope Pre-audit planning Selection of audit procedures Procedures for evaluation or testing Procedures for communication Report preparation Follow-up review The audit program provides for the collection of audit evidence of: ■ ■ ■ Structures Documentation standards Systems documentation This may involve interviewing personnel, observing performance, or statistical sampling. The overall audit approach must be: ■ ■ ■ ■ Simple Practical Quick Commonsense ch09_4768 1/8/07 2:59 PM Page 112 112 ■ ■ IS AUDIT PROCESS Business oriented Technically competent STATISTICAL SAMPLING In many cases the auditor can gain adequate assurance regarding the mitigation of risk without having to examine every single record or transaction. Under such circumstances, the auditor may choose to use a variety of sampling techniques in order to obtain evidence that is satisfactory and competent. The auditor may choose to use either non-statistical or statistical sampling techniques. Non-statistical sampling involves the auditor making a judgment call as to the number of items to be selected and which items. The sampling technique is valid where the auditor wishes to examine a few examples without necessarily drawing conclusions about the whole population. Statistical sampling itself is the process of testing a portion of a group of items to evaluate and draw conclusions about the population as a whole. Statistical sampling may be defined as follows: The auditor is performing either a compliance test, or a substantive test of either documented internal accounting controls or accounting source records by applying procedures to less than 100% of the items in the class of transactions or account balance for the purpose of forming a conclusion about some characteristic of the class or balance. WHY SAMPLE? The underlying assumption of sampling is that the results of a sample yield accurate information about the population from which the sample was taken. Sampling, therefore, can be viewed as an effective method of gathering audit evidence. If auditors did not use sampling, every item comprising an account balance or every transaction occurring within a class of transaction would need to be reviewed. The cost of such an examination ch09_4768 1/8/07 2:59 PM Page 113 Audit Evidence Process 113 would (a) be prohibitive due to the amount of time required to perform such an examination and (b) far outweigh the benefit obtained. Sampling provides the auditor with a means of obtaining almost identical information, but at a much lower cost. Thus, sampling is also an efficient method of gathering information. There are two basic sampling approaches: 1. Judgmental/nonmathematical 2. Statistical Each approach represents a different way of handling audit risk. Therefore, each may be appropriate for some populations but not for others. Choosing the appropriate approach involves answering some critical questions about risk, population characteristics, and the objectives of our testing. The answers lead us to the best approach and the most efficient audit plan. JUDGMENTAL (OR NON-STATISTICAL) SAMPLING In judgmental sampling, the auditor relies solely on his/her professional judgment to assess the risk of sampling error and evaluate the population. Because the sample is not intended to be representative of the whole population, sample results cannot be extrapolated to the whole population. This approach is normally used where the auditor intends to use the sample for limited purposes. Where the auditor is aware that a section of the population is higher risk, the auditor may choose to direct the sample to that particular area. Once again, the auditor has exercised professional judgment in selecting the population to be reviewed and conclusions drawn must be carefully judged to ensure their validity. Judgmental sampling should not be used as a primary audit procedure if the auditors have no special knowledge about which items in the population are more likely to contain misstatements. Again, judgmental sampling may be used for limited purposes (i.e., when sampling is not the primary audit procedure) such as corroboration of the outcome of other analyses by examining a few detailed transactions to check the validity of forecasts. ch09_4768 1/8/07 2:59 PM Page 114 114 IS AUDIT PROCESS STATISTICAL APPROACH In statistical sampling, the sample is selected in such a way that it can be expected to be representative of the population. By doing so, the auditor intends that the relevant characteristics of the sample, such as the sizes or rates or errors, should be mathematically proportional to those of the population. For this to be valid an appropriate sample selection technique, such as random selection, and an adequate sample size must be chosen. The sample results may then be used to project to the population (extrapolate) in order to estimate a specific value for the population. The more representative the sample is, the more accurate the extrapolation. This effectively means the larger the sample size, the more accurate the extrapolation. Obviously statistical sampling is less than 100% assured and the auditor must take into consideration the effect of sampling risk. SAMPLING RISK All auditing involves a certain amount of risk or uncertainties. The risk that material irregularities or errors will not be detected either by internal control or by the use of the appropriate auditing procedures is always present. The uncertainty that exists in applying the audit procedures is commonly referred to as audit risk. When auditors choose to use statistical sampling, they face the possibility that, due to the fact that there is less than 100% certainty, the conclusions drawn about the population may contain some material error. This audit risk comprises two specific subsets. Sampling risk is the risk that the sample chosen does not appropriately reflect the population as a whole, while non-sampling risk is the risk that, having obtained a representative sample, the auditor still misses a significant error. In the case of statistical sampling as opposed to judgmental sampling, an attempt is made to control the risk of sampling error. Because the auditor has accepted that 100% certainty is either not desirable or not possible, an auditor working at a 95% certainty level has accepted a 5% chance that the sample drawn does not accurately or completely reflect the population. This risk exists because of the nature of sampling certainty. In a normal distribution, a 95% certainty indicates that, should the auditor draw a sample of twenty 100 times, 95 of those times the ch09_4768 1/8/07 2:59 PM Audit Evidence Process Page 115 115 full sample would be drawn from a representative part of the population. Five of those times the sample would include one or more items that are not representative of the population. On the occasions when this happens, caused by the random chance in the selection of the sample, it is classed as the risk of sampling error. This risk always exists regardless of how the sample is selected. The auditor’s justification for accepting this risk involves a judgment call regarding the level of assurance that in the chosen combination of substantive testing and reliance and internal control there is a reasonable probability of detection. By choosing the appropriate sampling technique and by applying their professional judgment after consultation with auditee management, the auditor attempts to minimize the risk of sampling error. In addition, by choosing an appropriate statistical model and by following the correct sampling selection methodology, the auditor can quantify the likelihood of sampling error in order to determine that it is within acceptable limits. In the case of judgmental sampling, the risk of sampling error still exists but, because the auditor did not explicitly state the confidence level, the risk is not quantifiable. This means that, in this case, the risk of sampling error is dependent on the experience, skill, and judgment of the individual auditor but that the auditor’s evaluation cannot be independently and quantifiably substantiated. Whether the sample chosen is based upon statistical methods or the auditor’s judgment, every use of sampling is also subject to the risk of non-sampling error. This type of error is a result of other uncertainties that are not caused by the sampling process. Causes of this type of error could include: ■ ■ ■ ■ Mistakes in selecting the sample Use of incorrect audit procedures for a given objective Failure to recognize misstatements or irregularities included in the sample items Improper definition of the population Non-sampling error therefore includes any misjudgments or mistakes on the part of the auditor that may lead them to an incorrect conclusion based upon the tests carried out on the sample. These errors would have occurred even if sampling had not been chosen as the technique and the full population examined. By careful planning and use of the appropriate audit techniques, this risk can be minimized although not eliminated. ch09_4768 1/8/07 2:59 PM Page 116 116 IS AUDIT PROCESS ASSESSING SAMPLING RISK IIA Standards state that auditors should use their professional judgment in assessing sampling risk. The two main aspects of sampling risk in compliance tests of internal controls are: 1. The risk of over-reliance on controls (beta risk), which is the risk that the sample leads the auditor to place reliance on the control when it is not justified. 2. The risk of under-reliance on controls (alpha risk) is the risk that the sample leads the auditor to evaluate the population as beyond tolerance levels erroneously. The auditor should also be concerned with sampling risk when performing substantive tests. Here the risks are classified as: ■ ■ The risk of incorrect acceptance (beta risk) is the risk that the sample supports the auditor’s conclusion that the amount or quantity is not materially misstated when in fact it is. The risk of incorrect rejection (alpha risk) is the risk that the sample leads the auditor to believe that the amount or quantity is materially misstated when in fact it is not. Alpha characteristics of the population relate to the efficiency of the audit, while beta risks relate to the effectiveness of the audit in the detection of material errors. PLANNING A SAMPLING APPLICATION Once an auditor has made the decision to use sampling, consideration must be given to both the audit objectives and the characteristics of the population. Audit Objectives As with any audit, the auditor starts off by considering the control objectives of the area under review. From this can be derived the source of audit evidence and the nature of the audit testing required ch09_4768 1/8/07 2:59 PM Page 117 Audit Evidence Process 117 to evaluate that evidence. Where the audit testing needs to use sampling techniques, the auditor may focus on the specific objectives to be achieved by the tests to be carried out on the sample selected. The sampling technique chosen will be dependent on the nature of the opinion the auditor wishes to express. An opinion on error rates within our population would normally dictate the use of attributes sampling techniques, while expressing an opinion on the probable values of our population may call for the use of monetary unit sampling on variable sampling. Population Characteristics The second stage of planning is to define the population about which an opinion will be expressed in terms of the population’s characteristics. For example, the auditor may choose to express an opinion about high-value items, low-value items, or all items. Any opinions expressed based on a sample can only be in terms of the population that was sampled in the first place. Should the auditor sample invoices within the previous six months, any opinion expressed can only be valid in terms of the previous six months’ invoices. Any conclusions drawn about invoices beyond this period would be invalid. Again, if the auditor wishes to express an opinion regarding customers exceeding their credit limit, the appropriate population to examine would be the creditors’ records and not the invoices. In testing to ensure that all orders have been invoiced, the sample would be drawn from the orders and checked forward against the invoices. If the auditor wishes to express an opinion regarding the authorization of payments, the sample must be drawn from payments and checked backward against the authorized input documents. In any population, a common evaluation technique is to determine the average value of the population. Three averages are possible: the mean, the median, and the mode. In statistical sampling, the most commonly used average is the mean. The mean or arithmetic average value of a data set may be calculated as the sum of all values, divided by the number of data points. For example, if three selections are made by the auditor of invoices with values of R 100, R 140, and R 180, then the average value would be (100+140+180)/3, or R 140. ch09_4768 1/8/07 2:59 PM Page 118 118 IS AUDIT PROCESS The median represents the middle value in a population range. The mode represents the most frequently occurring value in a population. In a census of a population, for example, there may be individuals with ages ranging from 10 to 80 with a predominantly young population and an arithmetic average age of 35. In such a population, the median may be found to be 45, the mean is 35, and the mode may be as low as 20 because of the population being skewed toward younger people. Deviations from the Mean The amount of variability in the population defines the spread of values. One method of determining the variability of a population is to examine its variability from the mean. Standard deviations measure dispersion around the mean. The standard deviation can be calculated as the square root of the average of squared deviations of each member of the population from the mean. In the case of our invoices, this would involve: 100 – 140 = (40)2 = 1600 140 – 140 = (0)2 = 0 180 – 140 = (40)2 = 1600 1600 / 3 = 1066.67 ÷1066.67 = 32.66 The main use from an audit perspective is the statistical fact that in a normal (unskewed) population, 68% of the population will lie within 1 standard deviation from the mean, and 95% of a population will lie within 1.96 standard deviations from the mean. In other words, when an auditor samples such a population, there is a 95% probability that all items selected will be drawn from within +/– 1.96 standard deviations from the mean. The skewness of a distribution refers to its lack of symmetry. A perfectly symmetrical distribution will result in a normal bell curve with a skewness of zero. Most distributions have some degree of skew. A distribution with the majority of the population distributed to the right of the mean is said to be negatively skewed, and a distri- ch09_4768 1/8/07 2:59 PM Page 119 Audit Evidence Process 119 bution with the majority of the population distributed to the left of the mean is said to be positively skewed. The computation of skewness involves taking the deviations from the mean, dividing them by the standard deviation, and raising them to the third power; these figures are then added together and divided by the number of data points. CALCULATING SAMPLE SIZE For any sample design, deciding on the appropriate sample size will depend on certain key factors that must be considered together in order to ensure that the sample objectives are met. As previously stated, the amount of variability in the population defines the spread of values. This will also affect accuracy and consequently the size of sample required when estimating a value. The greater the variability, the larger the sample size required. The confidence level represents the likelihood that the results obtained from the sample lie within the associated precision. The higher the confidence level desired, the larger the sample size required. Auditors normally operate at a 95% confidence level but where a situation is evaluated as low risk, a lower level such as 90% is acceptable. Conversely, in a higher risk situation, the auditor may operate at a 99% confidence level. Contrary to popular belief, the population size does not normally affect sample size. Statistically, the larger the population size, the greater is the likelihood that the sample will be representative. Where the population to be sampled is less than 5,000, the population size begins to have an impact on the sample size. The effect is to slightly increase the required sample size. Where population size is very low, standard sampling techniques may be invalid and non-parametric sampling techniques may be required. Some audit software does not take this into consideration in calculating sample size, and the auditor must be aware that such sampling will only be appropriate in larger populations. Differing methods of sampling are appropriate in different circumstances and the auditor must be aware of the advantages and disadvantages of each so that the appropriate sampling method can be selected as can be seen in the following table: 120 Definition Based on deliberate choice of the auditor Used to determine error rates in the population Used to estimate values of a population Units in the population can often be found in geographical groups or clusters (e.g., schools, households, etc.). A random sample of clusters is taken, then all units within those clusters are examined Method Judgmental sampling Attribute sampling Variable sampling Cluster sampling • Quicker, easier, and cheaper than other forms of random sampling • Does not require complete population information • Useful for face-to-face interviews • Results in the minimum sample size needed to express an opinion of a given confidence level • Works best when each cluster can be regarded as a microcosm of the population • Larger sampling error than other forms of random sampling • If clusters are not small, it can become expensive • A larger sample size may be needed to compensate for greater sampling error • Only valid for populations > 5,000 • May result in a larger sample size than judgmentally sampling • Requires random selection to remain valid • Only valid for populations > 5,000 • May result in a larger sample size than judgmentally sampling • Requires random selection to remain valid 2:59 PM • Results in the minimum sample size needed to express an opinion of a given confidence level • Sample is typically small and can be misleading • Prone to bias • Sample results cannot be extrapolated be extrapolated to give population results Disadvantages 1/8/07 • Normal application is for small samples from a population that is well understood and there is a clear method for picking the sample • Is used to provide illustrative examples or to check forecasts Advantages EXHIBIT 9.1 Table of Sampling Methods ch09_4768 Page 120 Samples are drawn in proportion to their size giving a higher chance of selection to the larger items (i.e., the chance of being selected is proportional to the individual item’s size) The population is subdivided into mutually exclusive layers. The strata can have equal sizes or you may wish a higher proportion in certain strata Ensures each member of the population has an equal chance of selection After randomly selecting a starting point in the population between 1 and n, every nth unit is selected, where n equals the population size divided by the sample size Probability proportional to size (PPS) or Monetary Unit Sampling (MUS) Stratified sampling Simple random selection Systematic selection • Easier to extract the sample than simple random selection • Ensures cases are spread across the population • Produces defensible estimates of the population and sampling error • Simple sample design and interpretation • Can be costly and time-consuming if the sample is not conveniently located • Cannot be used where there is a pattern to the population distribution • Need complete and accurate population listing • May not be possible in an unnumbered population • May not be practical if remote items selected for something 2:59 PM • Selecting the sample is more complex and requires good population • Estimates involve complex calculations • Can be expensive to get the information to draw the sample • Only appropriate if you are interested in the elements • Not appropriate if elements are underexaggerated 1/8/07 • Ensures units from each main group are included and may therefore be more reliably representative • Should reduce the error due to sampling • Typically results in lower sample sizes • Unit to be selected is a single monetary unit (e.g., dollar) • Where you want each element to have equal chance of selection rather than each sampling unit • Powerful to identify over-exaggeration ch09_4768 Page 121 121 ch09_4768 1/8/07 2:59 PM Page 122 122 IS AUDIT PROCESS QUANTITATIVE METHODS In addition to statistical analysis, a variety of quantitative methods are also available to be selected by the internal auditor. These mathematical tools are commonly used to obtain an understanding of operations and permit the drawing of conclusions in a variety of circumstances through analyzing the complexities of situations. Of the many quantitative methods available to the auditor, the following sections examine the most commonly used. Trend Analysis Trend analysis is used to evaluate the behavior of a variable such as turnover of a period of time. Such analyses can serve as evaluation criteria to determine the reasonableness of fluctuations of an extended period. Comparisons of this year’s turnover to last year’s turnover or, alternatively, this month’s turnover to the same month last year are popular. Chi-Square Tests Chi-square analyses are non-parametric tests capable of analyzing relationships between qualitative data. For example, do operating units in the South have particular patterns of operation different from those in the North? Chi-square tests can check for the independence of normal classifications and ordinal data, and require no particular distributional pattern for the data. Correlation Analysis The measurement of the extent of association of one variable with another is known as correlation analysis. Two variables are said to be correlated when they move together in a detectable pattern. A direct correlation is said to exist when both variables increase or decrease ch09_4768 1/8/07 2:59 PM Page 123 Audit Evidence Process 123 in the same time although not necessarily by the same amount. For example, one would expect inventory to decrease as sales increased. Correlation analysis is used by internal auditors to identify those factors that appeared to be related. An operational auditor, for example, may use correlation analysis to determine whether corporate performance is in line with industry standards by comparing the correlation of company costs of imported parts with the exchange rate fluctuations. Problems with how these statistics are computed; shortcomings in the internal auditor’s understanding of auditees’ operations, or real inefficiencies or misstatements can be pinpointed through correlation analysis. Graphical Analysis Graphical analysis can be useful to the internal auditor in identifying interrelationships in data, anomalies, and simple data errors. A common form of graphical representation use by the auditor is a scatter diagram, which refers to any graph of data points. The more discernible a pattern appears in the graph, the more likely one variable is related to another and therefore can be used to predict the other’s value. Where no pattern can be noted, there would appear to be little, if any, correlation between the two variables. Where a strong correlation exists, either positive or negative, the correlation value will approach 1. Where little correlation exists the correlation value will approach 0. Unfortunately, correlation values only measure linear patterns. Where there is a nonlinear relationship, correlation statistics will not disclose this. Occasionally the correlation value can be distorted by a single data point not conforming to the general pattern. While this can be readily seen on the graph, it may be less obvious in examining the correlation value. Learning Curves In conducting operational audits of performance levels of the implementation of new procedures for the quality of training of new staff, a learning curve would normally be expected to be observed. As ch09_4768 1/8/07 2:59 PM Page 124 124 IS AUDIT PROCESS employees gain experience with the new procedures or as the new employee becomes more experienced, the length of time taken to task should decrease. Learning curves are evaluated by computing the time required per unit of production each time that the cumulative output is doubled. A decrease in production time per unit of 25% would result in a 75% curve. The 60% curve would result if the production time was reduced by 40%. By measuring this curve the auditor can determine how quickly a new procedure or employee becomes productive. When a new procedure is recommended, calculating the initial time per unit under the old system and comparing it to a series of observations over time using the new procedures can objectively determine the impact of the revision to the procedures. Ratio and Regression Analysis Ratio analysis assumes a given proportional relationship between two numbers and is normally used for comparisons over time. A more advanced form of ratio analysis attempts to quantify the interrelationship in order to facilitate predictions in a regression analysis. Regression analysis is used to estimate the effect that a movement in one variable (the independent variable) causes a movement in the other variable (dependent variable); for example, if the sun shines, more cool drinks will be sold: but how many more? By performing the regression analysis the relationship, if any, can be identified and quantified and sales levels predicted. Regression analysis can thus assist the auditor in understanding and quantifying data interrelationships. Unusual variations between expectations and recorded values may be noted for further investigation. Using software, the auditor can additionally conduct a multiple discriminant regression analysis relating the independent variable to a number of dependent variables simultaneously. By determining the comparative strength of the relationships, the auditor can choose the focus area to achieve greatest impact in performance improvement. Such analysis has also been used to attempt to predict bankruptcy. ch09_4768 1/8/07 2:59 PM Page 125 Audit Evidence Process 125 As with most statistical tools, regression analysis is based on a set of underlying assumptions that must be met for its use and interpretations to be valid. Linear Programming Linear programming is an operations research tool used for the allocation of scarce resources or to determine optimal blends of raw materials. The constraints applicable are reduced to algebraic formulae, which are then solved by simultaneous equations. For example, in a production environment, machining may be capable of processing 100 units per machine, while finishing can handle 35 units per machine. The question of how many of each machine should be used for optimum production can be solved using linear programming. PROJECT SCHEDULING TECHNIQUES Accurate project scheduling techniques have long been a goal in project management. Internal auditing frequently works in project teams that often suffer from the same poor project scheduling. Program Evaluation Review Techniques The program evaluation review technique (PERT) is used to diagrammatically identify dependent and independent activities. By showing graphically which activities cannot be started until the previous activities have been completed and, at the same time, which activities can proceed simultaneously, the planner can allocate resources to those tasks having the most impact on the final completion deadline. This technique also takes into consideration operational constraints placed on the resources needed to carry out the tasks. In Exhibit 9.2, the shortest time to get from A to E while completing all tasks is calculated by calculating the longest path. Other times and paths include: ch09_4768 1/8/07 2:59 PM Page 126 126 IS AUDIT PROCESS s ay 2d A 1 day 2d ay s B F 2 days 1 day C G 3d ay s 1 day D 1 day E ys 3 da H 4 days I • Path A-B-C-D-E takes 8 days • Path A-F-G-D-E takes 5 days • Path A-H-I-E takes 9 days EXHIBIT 9.2 PERT Chart This means that the bottom path would be the most critical. The reason for this is that any delay in this path will postpone the final completion date. Any delay in the middle path that does not exceed four days will have no effect on the final completion date. Should the top path experience a delay in any of the processes of, for example, three days, then the top path will now take 11 days to complete and will become the critical path. If, by the same token, the time taken for the critical path can be reduced, then final completion date can be brought forward. Critical Path Method The critical path method (CPM) is a scheduling tool that was developed independently of PERT but uses a similar diagram. CPM, however, uses two time estimates: one for normal effort and one for “crash” effort. “Crash” time is the time required for completion if all available resources were committed to that task. GANTT or Bar Charts One of the simplest planning tools requiring no mathematical calculations is the Gantt chart. It is commonly used in organizing work and ch09_4768 1/8/07 2:59 PM Page 127 Audit Evidence Process 127 monitoring progress through the various stages of a simple project and involves the production of bar charts showing the start and completion times of individual project activities. The major drawback to these charts is the poorer representation of interdependencies. SIMULATIONS Monte Carlo Simulations Computers can be used to accelerate timescales by carrying out activities repeatedly very rapidly. By combining this with the probability of events occurring, a sophisticated model can be built. One such approach is referred to as the Monte Carlo Method. It uses the computer to simulate uncertainty via random behavior based on the probabilities entered and then estimates specified models several times to determine average performance. Game Theory The term “game theory” refers to mathematical models of optimal strategies under various incentive schemes. This is used in competitive environments to explore “what if” solutions. A non-zero-sum game is said to exist when a profit is generated in which it is possible for both participants to share. A zero-sum game denotes a situation where a profit simply transfers from a loser to a winner. Game theory is used to assist the internal auditor in understanding the reasons particular strategies are pursued in negotiation sessions or competitive price setting. Queuing Theory Businesses often have queues at service points. Elimination of these queues by increasing the number of service points would result in service points frequently being unused and costs increasing. Management frequently must decide how many service points should be provided. ch09_4768 1/8/07 2:59 PM Page 128 128 IS AUDIT PROCESS Queuing theory facilitates the use of mathematical models to minimize the total cost for a given rate of arrivals; the minimized cost includes both service costs (facility and operating costs) and waiting costs (the idle resources waiting in line or having service points idle). COMPUTER ASSISTED AUDIT SOLUTIONS In today’s environment, a review of business systems will almost inevitably involve the use of appropriate information retrieval and analysis programs and procedures. The auditor will use test transaction techniques to review system-level activity. In advanced auditing, the use of knowledge-based systems will permit the distribution of advanced audit techniques to less skilled staff. Confusingly, these are commonly referred to as Computer Assisted Audit Tools (CAATs), Computer Assisted Audit Techniques (CAATs). or more correctly, Computer Assisted Audit Tools and Techniques (CAATTs) Computer Assisted Audit Tools and Techniques (CAATTs) are needed because of the large volumes of data in multiple locations involved in the managing of a complex business environment. The use of computer assisted audit solutions involves the merging of software into an audit program. In order for this to prove effective, key control questions must be predefined in order to facilitate the use of the technology to analyze the data and provide the answers. Advantages from the auditor’s perspective include increased auditor productivity, creativity, and the application of a consistent methodology. Information retrieval and analysis programs and procedures include programs that organize, combine, extract, and analyze information. This includes generalized audit software as well as application and industry-related software. Customized audit software and information retrieval software as well as standard utilities and on-line inquiry may also be utilized for information retrieval and analysis. Where the auditor has computer skills in programming, conventional programming languages may provide a viable alternative, but a lack of such skills does not preclude auditors from utilizing such techniques. The ready availability of microcomputer-based software, which provides computing power without the requirement of techni- ch09_4768 1/8/07 2:59 PM Page 129 Audit Evidence Process 129 cal expertise, puts direct data analysis within the toolkit of any auditor. The primary requirement is an understanding of the business application and how data relates. GENERALIZED AUDIT SOFTWARE Generalized audit software (GAS) is software designed specifically for auditors in order to provide a user-friendly audit tool to carry out a variety of standard tasks required by the auditor such as examining records, testing calculations, and making computations. A common audit technique is to take a copy of a file of standard data for later comparison to a changed version of the same data. GAS can conduct the comparison and analysis. Selecting, analyzing, and printing audit samples are techniques that can significantly improve the quality of an audit by allowing the quantification of audit and sampling risk. In a high-volume system, these techniques may be the only method the auditor can employ to achieve audit satisfaction. In such systems the use of computerized sampling simplifies both the usage and interpretation of results. Most GAS comes complete with sampling and analysis functions to handle the complexities for the auditor. The auditor will commonly have to handle data that is not in a suitable format for analysis. Summarizing and re-sequencing data are required to put the information into a more usable format. Once reformatted, the software can also perform the appropriate analyses. GAS cannot resolve all of the auditors’ problems, but it can assist considerably in many of the common problem areas. It is specifically designed for the handling of volumes of data. The output can be used for further computer processing allowing audits to be linked together. The time to audit can be reduced and the auditor freed to spend time interpreting results. Because there are limited programming skills required, the audit reliance on IS staff is reduced. There are, however, limitations. Hardware and software environments may be restrictive if an inappropriate package is selected. The number of files that can be handled may be restrictive and the types of record structures may not be comprehensive. The numbers of computations may be limited and the number of reports per “pass” may ch09_4768 1/8/07 2:59 PM Page 130 130 IS AUDIT PROCESS be restrictive. This makes the selection of software a critical element in the effective use. CAATs Case Study Supplied with this book is a training version of IDEA on CD. IDEA is one of the world’s most popular and powerful GAS packages. This is included so that the IS Auditor maintains hands-on experience in order to become familiar with such tools. The software and educational case study is used with the kind permission of CaseWare IDEA Inc. APPLICATION AND INDUSTRY-RELATED AUDIT SOFTWARE In addition to GAS, audit procedures are commonly available for standard business applications such as accounts receivable and payable, payrolls, general ledgers, and inventory management. Such software is available stand-alone or as add-ons to standard GAS packages. Specific industry-related audit software is available for industries such as insurance, health care, and financial services. Most such packages require conversion of input to standard package layouts and selection of appropriate parameters. This means that a degree of IS skill is required for conversion. The software itself is normally both cost effective and efficient. CUSTOMIZED AUDIT SOFTWARE Customized audit software is software designed to run in unique circumstances and to perform unique audit tests. Where output is required in unique formats, customized audit software may be required. Such software may be expensive to develop and normally requires a high level of IS skills. It must be handled with care because running it may not tell you what you think it does; however, it may be the only viable solution in a unique processing situation. ch09_4768 1/8/07 2:59 PM Page 131 Audit Evidence Process 131 INFORMATION RETRIEVAL SOFTWARE Standard information retrieval software such as report writers and query languages, while not specifically written for auditors, can perform many common audit routines. This category of software includes report writers, program generators, and 4th-generation languages. UTILITIES Utilities are programs written to perform common tasks such as copy, sort, print, merge, select, or edit. These programs are normally parameter driven and may be used in combination with other software. They are extremely powerful and the right to use should be restricted. From an audit perspective, they see data as it exists, which adds to the degree of reliance that audit can place on their results. ON-LINE INQUIRY Interactive interrogation can provide comparison data for audit reports, confirmation of corrective action taken, and can be an additional source of audit information. Effective use requires little IS skills but an understanding of the information is essential. Armed with the appropriate access authority the auditor can obtain adequate audit evidence to meet their requirements. Auditors, however, need to be sure what they are looking at because there is ample opportunity for drawing erroneous conclusions. CONVENTIONAL PROGRAMMING LANGUAGES Standard languages such as COBOL, BASIC, RPG, PASCAL, C, and so on can prove effective audit tools but require a degree of programming experience. Such programs are normally slow to develop and expensive and may not be reliable because the auditor is not a professional programmer. They can, however, perform any audit test ch09_4768 1/8/07 2:59 PM Page 132 132 IS AUDIT PROCESS the auditor can envisage and may be used in conjunction with any other type of audit software. MICROCOMPUTER-BASED SOFTWARE Microcomputer-based software can prove a flexible and powerful tool for the auditor and may include GAS, Computer-Aided Software Engineering (CASE), spreadsheet packages (analysis, manipulation, recalculation, etc.), specialized packages (NCSS, etc.), and specialized software for auditing micros (CSAN, etc.). They have the advantages of being able to use input from multiple hardware/software platforms, are comparatively inexpensive, and result in one set of portable software to learn. Disadvantages include the fact that the auditor is not looking at the live data and that the software may not handle all data formats from mainframes. TEST TRANSACTION TECHNIQUES Test transaction techniques may be used to confirm processing controls functioning and include the evaluation of edit and validation controls, the testing of exception reports, and evaluation of data integrity controls. Total and calculation verification may be performed. The transaction test techniques could include: ■ ■ Test data. This technique involves the utilization of a copy of the live computer system through which a series of transactions is passed in order to produce predetermined results. This technique, while effective in searching for defects, is limited by the volume of data that can be handled. In addition, the results may be biased by the results the auditor expects. Integrated Test Facility (ITF). This technique, while similar in nature to test data, is effected by creation within the live system, of a dummy entity (department, warehouse, etc.), and the processing of test data against the dummy entity together with the live data. This technique has the advantages of testing the system as it normally operates and testing both the computer and manual systems. It has distinct disadvantages as well. All test transac- ch09_4768 1/8/07 2:59 PM Audit Evidence Process ■ ■ ■ Page 133 133 tions must be removed from the live system before they affect live totals, postings, or the production of negotiable documents such as checks. In addition, there may be a very real danger of destroying the live system. ITFs must be used with great care. Source-code review. This computer audit technique involves the review of the source code originally written by the programmer. In the past this has meant browsing through piles of printout. In today’s environment, sophisticated searches can be implemented using generalized audit software to establish weaknesses in the source code. Embedded audit modules (SCARFs [System Collection Audit Review Files]). In systems where audit trails may only exist as computer records and then only for a short time or discontinuously, it may be necessary for the auditor to have built in a facility to collect and retain selected information to serve as an audit trail for subsequent examination. This obviously makes the collected data a target for destruction or manipulation and it must be treated as such. Parallel simulation. Parallel simulation is a technique involving the creation of software to simulate some functional capability of the live system such as a calculation. The live data is processed through the simulating program in parallel with the live system and the outputs are compared. Review of system-level activity involves the examination of control areas with a pervasive influence such as telecoms, the operating environment itself, the systems development function, and change control. End-user computing, although not in the same category of general control, can be treated in the same manner as a general threat. ch10_4768 1/8/07 3:00 PM Page 134 CHAPTER 10 Audit Reporting Follow-up his chapter covers audit reporting and follow-up. The form and content of an audit report are detailed and its purpose, structure, content, and style as dictated by the desired effect on its intended recipient for a variety of types of opinion are considered, as well as the follow-up to determine management’s actions to implement recommendations. T AUDIT REPORTING Ultimately, the value of an audit lies in the improvements to the business situation brought about as a result of the audit. Where no such improvements take place the audit may well have been a waste of time, resources, and money. Improvements will only take place where the individuals authorized and empowered to take effective action have been convinced that some form of action is appropriate to improve the control situations. A variety of individuals will use audit reports for a variety of purposes. Executive management will typically use an audit report to gain an insight into the overall status of internal controls within a given business area and for the organization as a whole. Operational management uses audit reports to determine the adequacy and effectiveness of specific controls in achieving specific performance and control objectives. Other agencies may use audit reports to gain insight into the inner workings of specific operations and the degree of reliance that can be placed on the outputs of those business areas. In general, auditors communicate the overall findings together with recommendations for actions to be taken using the audit report. These reports are sent to those individuals who are in a position to take effective action or ensure that corrective actions are taken. Senior 134 ch10_4768 1/8/07 3:00 PM Page 135 Audit Reporting Follow-up 135 executives within the organization may also receive either copies of the report or summaries of the reports. Results of the audit are usually reported orally in the form of interim reports and closing conferences as well as in writing. INTERIM REPORTING Interim reports are those reports prepared and issued while the audit is in progress. They are typically used to either report progress on an extended audit or to notify the auditee of a finding that warrants immediate attention. They may be either written or verbal, although a written memo-form report can be a useful proof of delivery of a finding. The main advantages of interim reports are the provision of a timely feedback to the auditee coupled with a higher probability of immediate action. This can, in turn, result in a more favorable final report if appropriate action is taken. Interim reports effectively provide a follow-up opportunity during the audit itself. CLOSING CONFERENCES Before the final audit report is issued, a closing conference is common. This permits an overall review of the audit objectives and findings and is the final opportunity to clear up any misunderstandings or omissions prior to report issuance. It ensures a fair and balanced presentation and allows auditees to express their opinion. It also gives the auditor feedback on the way the audit was handled from a client’s perspective. WRITTEN REPORTS Written reports at a minimum should be produced at the end of an audit. Reports generally should be: ■ ■ ■ Accurate Objective Clear ch10_4768 1/8/07 3:00 PM Page 136 136 ■ ■ ■ ■ IS AUDIT PROCESS Concise Complete Constructive Timely Written reports should include the audit purpose, scope, results, auditor’s opinion, recommendations for potential improvements, acknowledgment of satisfactory performance, and the auditee’s reply to the auditor’s opinions and recommendations. Because the issued audit report is a reflection of the competence and professional image of the whole IS Audit function, it should be reviewed and approved by the in-charge auditor prior to issue. For many managers the audit report is the only demonstration they will see that IS Audit has fully discharged its responsibilities. This impression will be based not only on the technical competence of the report, but also the clarity of writing and the tone and style of the report. The report must communicate the auditor’s message in a clear and unambiguous way without leaving any questions unanswered in the reader’s mind. CLEAR WRITING TECHNIQUES Given that the objectives of audit communications are to inform, persuade, and influence, the writer of a report must utilize clear writing techniques to get the message across as effectively as possible. Our normal, human, method of communication uses a conversational style that tends to be more retainable than other, formal methods of communication. Unfortunately, human nature being what it is, everyday conversation takes the form of statements, questions, and answers. In a written communication the auditor is not available to answer questions that the written statements raise in the mind of the reader. As such, written communications must anticipate questions raised and answer them within the report. In order to be persuasive the auditor must, while ensuring that the point is gotten across, avoid antagonizing the recipient of the audit report. Improvements come about as a result of implemented recommendations, and recommendations will not willingly be implemented if the person responsible reacts negatively to the audit report. Where ch10_4768 1/8/07 3:00 PM Page 137 Audit Reporting Follow-up 137 control deficiencies are reported, care should be taken to avoid personal references and the audit report should criticize poor practices rather than individuals. There is a rough rule of thumb that says that the more words there are, the less persuasive the report will be. The auditor’s aim is to ensure that appropriate action is taken, which requires first that the report be read. When a manager is faced with a plethora of thick reports with very little content the most likely scenario is that these reports will be consigned to the wastepaper basket. Writing a short, high-impact report is much more difficult than writing a long, meandering essay. In order to achieve the desired results the audit report must be written with impact in mind. Sentences should be kept short, averaging 15 to 20 words, with one basic idea per sentence. Long sentences tend to be foggy, dull, and boring. When the reader gets bored he or she will start to skip through the report seeking any keywords of interest. This does not mean that the auditor should count every word in a sentence and artificially cut long sentences in two. Most auditors know the size of their writing and can see at a glance if the sentence is too long. A rough rule of thumb can be taken as, if the sentence were read aloud and the reader ran out of breath before the end of the sentence, it is too long. Generally, active voice verbs assist making sentences more readable because they are normally shorter, livelier, and more conversational. Instead of writing “. . . were asked for by the manager,” which uses a passive form of verb, try “the manager asked for . . . .” Passive voice verbs tend to be dull, unclear, and less emphatic. They also tend to be extremely formal in writing style. Some audit reports are deliberately written to be extremely formal and structured in order to emphasize the impartial and impersonal nature of the report, and under such circumstances passive voice verbs would be highly appropriate. An example of this is fraud audit reports where a deliberate effort is required to show that the opinion expressed is a professional judgment based upon the evidence gathered and not a personal opinion. A common fault with audit reports is the use of “impressive” words, which the reader may not understand or may misinterpret. “Unless the paradigm is changed the situation may be exacerbated” actually says “unless we change the way we do things, things could get worse.” The writer should use clear, familiar words in order to get ch10_4768 1/8/07 3:00 PM Page 138 138 IS AUDIT PROCESS across the message intended. While we have already noted that fewer words can have more impact, the auditor should never sacrifice clarity for brevity. If that requires ten words to be specific rather than five words to be vague, then take the ten words. Some audit reports become so cryptic that the reader has to guess the auditor’s meaning. Information systems (IS) auditing in particular will involve report recipients who come from a variety of backgrounds and who may or may not understand computing jargon. Wherever possible jargon should be avoided and, where it is unavoidable, it should be explained for the non-technical. The writer must always bear in mind that the onus of communication is on the auditor, not the reader. Long, monotonous sections of report can cause the reader to skip and browse rather than read and digest. Use of white space and headings can break up the monotony of long sections and facilitates the location of specific information. Scanning the report, speed-reading looking for keywords of interest may not, in fact, be a problem. Where the reader does not need to read the full report but only certain sections, it is useful if the auditor can draw the attention directly to those sections. This can substantially speed up the reading process and may result in parts of a report being read that would otherwise be ignored. Some auditors feel that, having written the report, all readers must read the full thing. The alternative may be that the report is not read at all. In the same way as keeping sentences short, keeping paragraphs short can make the report more reader-friendly. Other techniques to assist in ensuring the readability of reports include the use of bullets, emphasis, white space, graphics, and color. At the same time these techniques should not be used simply to pad the report or make it appear over-fancy. The objective of the report is to communicate and persuade, not to impress with the auditor’s ability to create a piece of artwork. PREPARING TO WRITE From the start of the audit the auditor will already have a mental picture of the report in mind. At the time that the scope and objectives are approved the anticipated audience is known and subsequently all audit work should be carried out with the audit report in mind. The ch10_4768 1/8/07 3:00 PM Page 139 Audit Reporting Follow-up 139 subject matter is known and the scope and objectives are known and, although the actual results of the audit are unknown at this stage, the probable areas to be included in the report should be clear by the end of the preliminary survey. Writing the audit report comes at the end of the audit after the close of field work when time is running out, and this frequently results in audit reports that are rushed and of poor quality. Adequate time must be budgeted from the start to allow the production of a high-quality, communicative audit report. Most auditors agree that the hardest part about writing an audit report is actually commencing. Some auditors find an exercise known as free writing assists in loosening-up the mental muscles. This technique involves writing some piece of unrelated text such as a letter prior to starting on the actual report. The theory is that this ensures that the brain is working in logical communication mode prior to the report writing being commenced and that idea flow is eased. BASIC AUDIT REPORT The contents of most audit reports follow a similar pattern and include: ■ ■ ■ ■ ■ ■ Background, scope, and objectives Summary of major findings Audit opinion Detailed findings and recommendations Acknowledgments of satisfactory performance Detailed technical appendices A cover is almost always desirable because it sets a professional tone from the start. It should include the report title, name and location of auditee, and the date of audit coverage. A formalities section normally constitutes an introduction and is typically one to three pages in length. It includes the date of the report, the addressee (get it right), and the background, scope, and objectives of the audit. A brief audit opinion and the general nature of the findings together with the reply expectations and a signature are required. The names of participating auditors, distribution list, ch10_4768 1/8/07 3:00 PM Page 140 140 IS AUDIT PROCESS and contents of the body of the report are also a normal part of the formalities section. EXECUTIVE SUMMARY Most audit reports include an executive summary covering the most important issues and findings from an overall business point of view. The executive summary provides a preliminary perspective to the whole report and focuses on risks to the organization and the specific effect of control weaknesses. It may be all that is read and, in many cases where such summaries go to senior executives, it is all that should be read. Two approaches are possible in the executive summary, depending on the nature of the executive audience. With a knowledgeable executive, a condense and eliminate approach may be used. This involves an abbreviated explanation of major audit findings, in order of importance to the executive and cross-referenced to the body of the report. A briefings approach that informs, advises, and interprets may be more appropriate in a specialized audit where the executives may not be fully conversant with the implications of findings. DETAILED FINDINGS Detailed findings usually constitute the body of the report. Strange as it sounds, a finding is not something that was found. An audit finding is comprised of four distinct parts: 1. Condition. Records what was found by the auditor (i.e., what the evidence showed) 2. Criteria. Indicates what should have happened in terms of control considerations 3. Cause. Indicates whether the condition was caused by the absence of an internal control or the failure of one and, if so, which 4. Effect. Indicates the impact on the business of the cause of the condition ch10_4768 1/8/07 3:00 PM Page 141 Audit Reporting Follow-up 141 Many auditors struggle to decide how much detail should be included in the body of the report. The detailed findings should include sufficient information for the reader to understand the nature of the finding, the relative importance of the finding, and what needs to be done about the finding. There can be no clear-cut rule on this because it depends on the knowledge level and experience of the audience being communicated with. During the course of the audit, the auditor should assess how much detail will be required in the final report. In order to ensure the final report is readable, exhibits and attachments are usually placed in an appendix if placing the information in the body of the report would make it overly lengthy or unreadable. All graphics, charts, photographs, and financial tabulations should be clearly labeled within the report in case they are referenced in two or three places. Where appendices are used they should be cross-referenced to the report. One of management’s common requirements is the expression of an audit opinion. This normally takes the form of an opinion on the adequacy and effectiveness of the internal control structures. The auditor must bear in mind that an opinion on adequacy is an indication that the control structures do or do not achieve management’s desired level of control. Many auditors express an opinion on whether the control structures meet their own definition of adequacy. The audit opinion provides an overall perspective to the rest of the report and forces auditors to commit themselves, but can cause a management overreaction resulting in important parts of the report being ignored because, by their nature, audit results are normally mixed. Auditee responses to findings and recommendations are normally included in the final report. This assists provision of a balanced report and can lend credibility to the report. Where such comments are included, they must be reviewed with and agreed by the auditee. This does not mean, however, that the auditee must agree with all of the auditor’s findings and recommendations. In some cases the two parties must agree to disagree with both opinions expressed within the report so that the managerial decision can be made. If the manager decides to accept the risk expressed within the report and take no action, and if such a decision is within their area of authority, the auditor has done their work in drawing the risk to management’s attention and no further audit effort is required in this area. ch10_4768 1/8/07 3:00 PM Page 142 142 IS AUDIT PROCESS POLISHING THE REPORT Because the audit report is a reflection on the professionalism and competence of the whole IS Audit function, the report must appear as professional as possible. Polishing the report involves a rigorous review prior to issue. This can be done by using a checklist to ensure the readability and understandability of the report or by using a peer group, which normally involves one auditor with no knowledge of the specific audit area so that assumptions may be challenged. Ultimately the report will be signed off by the in-charge auditor or a designated deputy. One of the major auditee complaints is that reports containing critical issues are issued late and that they are expected then to implement the recommendations with immediate effect. It is therefore critical that the auditor does not build in delays to report issuance. Commonly the audit report will involve the coordination of several writers’ efforts. In such cases is may be wise to read the report aloud and recognize the differences where individual contributors change. DISTRIBUTING THE REPORT Audit reports are normally distributed to a variety of managerial levels. The report should be directed at the first authority level able to take appropriate action. The full distribution list is normally known early in the audit process; however, auditee chains-of-command can cause internal political ramifications. Many IS Audit reports are sent to the recipients by e-mail. In general, the delivery method should take into account both the confidentiality of the reported information as well as the remoteness of the recipient. Couriering or hand-delivery may be preferred but impractical. If e-mail is used, adequate encryption techniques should be implemented to ensure the confidentiality and integrity of the message delivered. If the audit report contents are highly confidential, detective controls can be implemented to trace individual copies should a leak occur. The most obvious of these techniques is copy numbering, but intentional misspellings or rewording of critical areas may also be used. ch10_4768 1/8/07 3:00 PM Page 143 Audit Reporting Follow-up 143 FOLLOW-UP REPORTING It is, unfortunately, a truism that people do not do what is expected, they do what is inspected. The IS Audit executive should establish a follow-up process to monitor progress and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. These two alternatives lead to different follow-up activities. Where management chooses to take appropriate action on the audit findings, auditors must find out what action was taken and determine if it was appropriate. They would typically issue follow-up reports normally directed to the recipients of the original report and the key focus must be on the attainment of the control objectives, not necessarily on the implementation of audit recommendations. Where management accepted the risk of not taking action, no follow-up report may be required. Given the mixed nature of audit findings, it is to be expected that management will implement some recommendations and accept some risks. This should be noted in the follow-up report. Follow-up reports are normally directed to the recipients of the original report and the key focus is on resolution of the audit findings, not necessarily on the implementation of specific audit recommendations. It may well be that, subsequent to the audit report being issued, management circumstances may have changed in terms of risk prioritization or resource availability and an alternative course of action has been implemented leading to achievement of the same control objectives. Where the auditor feels that the alternative course of action has not adequately addressed the control objective, the auditor will need guidelines for rejecting auditee’s corrective measures. Under the circumstances care should be taken not to attempt to force audit preferences on management. The audit focus should be on control objectives and principles; management should focus on the controls themselves. To do otherwise is to risk becoming the approver. Management must decide, not the auditor. Where a management action is rejected, the auditor must take care never to attack the individuals concerned. The auditor must avoid becoming emotionally involved in disagreements. State specifically in rejections, why the rejection has occurred and which control objectives are still threatened. ch10_4768 1/8/07 3:00 PM Page 144 144 IS AUDIT PROCESS TYPES OF FOLLOW-UP ACTION The auditor will commonly review auditee responses and corrective actions, evaluate the adequacy of those responses and corrective actions, and report follow-up findings. Follow-up actions will vary significantly for differing audits in terms of the breadth, degree of focus, depth, and extent of follow-up examination. Practical considerations such as time available must be taken into consideration. Auditors tend to be optimists as far as time is concerned and followups are often used to take shortcuts. In many cases follow-ups are completely omitted. In order to reduce the time required for followups, the auditor should attempt to: ■ ■ ■ ■ ■ Follow up as many as possible during the audit itself Review written responses prior to the review Review only the documentation of corrective action for less critical findings Do not perform audit work at all on minor items Limit follow-up tests to only the problems noted It is not necessary that the follow-up be done by the original auditor or audit team. In some lower risk cases all that may be required is confirmation from management that the agreed action has been taken. In other cases the audit committee itself may seek reassurance from management that agreed actions have been implemented. ch11_4768 1/8/07 3:04 PM Page 145 PART II Information Systems/Information Technology Governance 145 ch11_4768 1/8/07 3:04 PM Page 146 ch11_4768 1/8/07 3:04 PM Page 147 CHAPTER 11 Management his chapter covers Information Technology (IT); project management; risk management including economic, social, cultural, and technology risk management; as well as software quality control management; the management of Information Systems (IS) infrastructure; alternative IT architectures, and configuration and the management of IS delivery (operations) and support (maintenance). Performance measurement and reporting and the IT balanced scorecard are also covered as are the use of outsourcing, the implementation of IS quality assurance, and the socio-technical and cultural approach to management. T IS INFRASTRUCTURES Control Objectives for Information and Related Technology (COBIT®) defines control over the IT process as involving the need to “determine the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms.” IT staff require specialist expertise and skills in order to develop a technology infrastructure plan. The impact of emerging technologies must be taken into account and validated in order to identify anticipated deviations from the plan. The development and maintenance of a technology infrastructure plan is not to be taken lightly. The infrastructure must be responsive to change and human resources strategy must also be aligned with the technology direction so that technology changes can be properly managed. This includes the use of outsourcing and partnering in order to access missing expertise and skills. 147 ch11_4768 1/8/07 148 3:04 PM Page 148 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE The architecture itself will constantly change in order to ensure the best approach is taken to satisfy user requirements as they change with increasing rapidity. A continuous improvement program will probably be required in order to ensure the rapidly changing technology is utilized in order to keep pace with a similar speed of change in user requirements. Under these circumstances, flexibility and the ability to adapt are of paramount importance. Changes to infrastructures obviously incur significant costs and cannot be achieved piecemeal. Management support at the highest level is essential in order to make the resources available to minimize resistance to cross organizational boundaries. The use of differing technology platforms within one organization can make integration a major problem, which can be most easily resolved by utilizing a common business strategy with related architectures. As such, policies are required to ensure that appropriate choices are made among internal development, use of external infrastructures, and outsourcing. This includes the identification of dependencies on key system components, hardware, software, or personnel, which are available only from a limited number of sources. Ideally, the architecture will make extensive use of interchangeable and reusable components. As with all IT, the sole constant is change and, accordingly, the management of change becomes a key control opportunity. Adequate control over the selection, acquisition, testing, installation, and ultimately disposal of individual parts of the overall architecture is now critical. Even a simple expansion of capacity to meet growing volume or performance requirements requires careful planning. Within any given architecture, IS can be split broadly into three infrastructural areas: project-based functions, operations and production, and technical services. PROJECT-BASED FUNCTIONS Confucius is quoted as stating: “In all things, success depends upon previous preparation—and without such preparation there is sure to be failure.” This is the basis for all project planning. ch11_4768 1/8/07 3:04 PM Management Page 149 149 A project may be defined as a temporary endeavor undertaken to accomplish a unique purpose, involving several people performing interrelated activities. In IS terms this would normally involve the bringing together of a variety of user and IS skills to work together in order to develop new or improved information systems. IS projects cover the specification, supply, and installation of “off-the-shelf” systems and the development of bespoke software (i.e., software uniquely developed for a specific purpose). As with any other projectbased development process, the primary focus is the development of a quality system, as specified by the user, on time and within budget. Each individual project will be unique in as much as the system being developed will be unique and individual combination of resources put together to achieve it will be unique. The project may be seen as a finite, pre-defined set of activities to lead to a specific outcome. It is finite in that it has a fixed beginning and a fixed end. It is predefined in that each individual face of the project can be planned in advance and allowances made for changes during the development process. It is a set of individual activities that can be individually controlled but which must be coordinated in order to ensure that all areas fit together appropriately so that the project may achieve its specific outcomes. Computer projects, either involving the development or acquisition of new systems or the maintenance of existing systems, consume resources in terms of money, manpower, materials, machines, and methods. Many of these resources will be drawn from crossdepartmental boundaries and will involve a mixture of skills and disciplines. Although project control is designed to minimize the risk of nonachievement of the project objectives, there is always a degree of uncertainty throughout the project. At the commencement of the project, this uncertainty will be high because the final outcome may be seen only in outline. As the project progresses, the degree of uncertainty reduces overall and specifically for the next phase of the project. In order to ensure that delivery risk is minimized, a project sponsor is required to handle the primary role of direction setting with a project manager handling task scheduling and performance monitoring. These form the fundamentals of project management. Aligned to these are the processes and practices. “Soft” issues, such ch11_4768 1/8/07 150 3:04 PM Page 150 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE as teamwork and leadership tend to be emphasized less partly due to the small size of many IS projects. Typically these processes and practices are formalized in a specific methodology. Originally these methodologies were predominantly focused on technical issues, while nowadays they focus more on the organizational benefits and management activities. Managing people, information, and resources as they proceed through the project development cycle involves tasks such as: ■ ■ ■ ■ ■ ■ ■ ■ Aligning the development of the project strategy with the sponsor’s (and other stakeholders’) business strategy Defining the requirements (in a testable manner)—these lead to specifications and solutions being designed and developed Defining and managing the project scope, schedule, resource requirements, and budget (ensuring this represents optimal financing) Installing and progressing project control systems Procuring/inducting resources into the project Building effective project teams Exercising leadership Ensuring effective decisions and efficient communications In any project management activity the most critical component is an effective project manager who works with the project sponsor and others in determining and delivering the scope and objectives of the project. In determining the scope and objectives, the project sponsor largely dictates services and performance required. These will serve as measurement criteria to determine the effectiveness of the development process. All projects consume resources and the quantity of resources in terms of manpower, skill levels, costs, and timescales may place limiters on the degrees of effectiveness achieved. In other words, the requirement for efficiency will have a mitigating effect on the degrees of effectiveness of the project as a whole. It is the balancing of the need for efficiency while maintaining an effective development process that is the project manager’s most difficult task, because it is in this area that trade-offs must be negotiated between the project sponsor and the suppliers of resources. Because projects develop over time as business requirements change and skill levels improve, resource budgeting is an iterative process whereby nearby ch11_4768 1/8/07 3:04 PM Page 151 Management 151 expenditures should be predictable in detail but long-term expenditures of resources can be led by as much as 100%. In essence, project management is “the application of knowledge, skills, tools and techniques to project activities in order to meet or exceed stakeholder’s needs and expectations from a project.”1 IT projects normally follow a common development cycle. Partly because of the special challenges posed by the intangible nature of software, and the importance of getting user involvement in a structured manner, this process tends to be both consistent and dominant. There are various versions of this: the spiral, the waterfall, and the vee. In his definitive work in 1976, Archibald2 defined the project life cycle as having identifiable start and end points and passing through six distinct phases, namely: 1. 2. 3. 4. 5. 6. Concept Definition Design Development Application Post-completion This led to the development of the waterfall cycle in Exhibit 11.1 where it can be seen that each activity “cascades” from the previous activity to lead ultimately to fully deployed information systems. In this model the difference is that the major activities overlap significantly. The major difficulty with this model is software development’s need to progress iteratively is not catered for because each project remains with the identifiable start and end points. In 1988 Boehm proposed an iterative spiral model for the development and enhancement of computer software.3 Boehm’s spiral involved four major functions, namely: next stage planning; determining objectives, alternatives and constraints/evaluation of alternatives; identifying and resolving risk issues; developing and verifying the next level product. These functions started with the development of a baseline product and then moved through several iterations until the final product was implemented. An alternative development based upon the waterfall cycle was suggested by Fish4 and is known as the vee cycle, and it follows a sequence such as that shown in Exhibit 11.2. Business strategy dic- ch11_4768 1/8/07 152 3:04 PM Page 152 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE System Requirements Software Design Analysis Program Design Coding Testing Operations EXHIBIT 11.1 Waterfall cycle tates the formulation of business requirements, which will usually incorporate explicit user requirements. These then lead to the definition of systems requirements and specifications. These allow the formation of the architectural design of the software and coding then creates the individual components of the system, which is then tested “up” the waterfall against the different levels of specification. From a control and audit perspective this form of systems development is considered the easier to audit because at each level there are standards to match against as well as there existing a separate audit stage. Within an IS environment, this approach would typically involve: ■ ■ Discovery is the point in the process when the IS or user area finds there is a market for a specific system. This phase is brief; there are few decisions to be made. Requirement is when the user can write an outline system specification that states: “We need a system capable of the following functionality A, B, C . . .” At this stage a feasibility study may include an assessment of the technical feasibility of this system, its costs, and potential benefits. ch11_4768 1/8/07 3:04 PM Page 153 153 Management Discovery Close-out User Requirements Functionality Design Sanction Audit Review Check Construct EXHIBIT 11.2 Vee cycle ■ ■ ■ ■ ■ ■ Functionality is when the user can write a detailed business specification that states all of the business, operational, and control requirements. At this stage the feasibility study may be revisited to re-assess the technical feasibility of this system, its costs, and potential benefits. Design results in the detailed system specification that specifies file layouts, screen design, the required hardware and software environment, networking requirements, and any potential limitations or requirements for new hardware and software to be acquired. Sanction is the phase wherein board approval for design and expenditure is sought prior to the commitment of resources to the longest part of the process. Construct is the purchase or development of the software including the coding, unit-testing, and documentation of the application systems. Check is used to verify that what is installed is what was intended to be installed as set out in the design documents. Also, that installation was done according to those design documents. This verification is a critical element of the ISO 9000 standard. Review involves testing sub-systems, usually with a test material to ensure that the intention of the system has been met. This phase ch11_4768 1/8/07 154 ■ ■ 3:04 PM Page 154 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE tests collections of hardware and software (systems) against the design intent and the interaction of integrated systems. Audit is the verification stage, which may be deemed to be complete when the system can meet the functional, operational, and control stipulations of the detailed business specification. ISO 9000 defines this as validation, where tests are applied to see if the customer’s requirements are addressed in reality. Close-out is the stage wherein the cycle is completed by ensuring the installed product matches the need identified during the discovery phase. As can be seen from this model, the left-hand side of the vee shows the planning stages, while the right-hand side indicates the implementation or “doing” stages. Over and above the methodology selected, project managers require competencies in multiple areas. From a task management perspective they need to be able to manage the project scope, cost, duration, and quality. At the same time they need to be able to manage their human resources with good communications while simultaneously ensuring risk is controlled and that the whole project is adequately integrated. Many of the quantitative tools discussed in Chapter 9 such as Gantt charts, PERT charts, and critical path analysis are used by management to control time and budgets. Overall the management areas of planning, leading, and controlling remain fundamental to the development process. QUALITY CONTROL One of the most difficult areas within project-based functions is the achievement of appropriate levels of quality. One reason for this is the wide variety of interpretations of the meaning of the word. The International Organization of Standardization (ISO) defines quality as “the totality of characteristics of a product or service that bear on its ability to satisfy stated or implied needs.”5 Quality involves ensuring that the customer’s agreed requirements and expectations are achieved. This may sound simple but involves two main performance areas, namely: process quality and product quality. Process quality ch11_4768 1/8/07 3:04 PM Page 155 Management 155 involves the effectiveness and efficiency of the process that creates the end product. Product quality is a measurement of the degree to which customer needs and expectations are satisfied. It is possible to produce a quality product even with a flawed process but such achievements are rare. Under normal circumstances comprehensive standards such as COBIT™ must be combined with a thorough understanding of the business and functional requirements of the new system. Issues of systems development are more fully covered in Part Three of this book. OPERATIONS AND PRODUCTION Operations and production include the day-to-day running of the information processing facility (IPF), data communications, input and output controls, output distribution, and backup and recovery including the disaster recovery plan. At its most fundamental, computer alterations could include: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Mounting and dismounting data files Loading paper into printers Aligning special forms Scheduling runs Loading programs Balancing run priorities Responding to operating system prompts Responding to application system prompts Maintaining incident logs Performing routine housekeeping tasks Responding to equipment failures Production of backup copies as defined Restoration from backup when authorized Handling “unpredictable” conditions They are also responsible for handling remote site libraries containing backups of data files, program source code, and object code. The sites may have automated library functions or may rely on manual records. In all cases, because operations are handling live data ch11_4768 1/8/07 156 3:04 PM Page 156 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE files, segregation of duties must be maintained. One critical area for operations is the distribution of output. This would normally involve the dispatch of hard-copy output to the authorized recipients, control over spool files to networked printers as well as within the information processing facility itself, and the destruction of confidential scrap resulting as a byproduct from computer operations. TECHNICAL SERVICES Technical services include the provision of reliable computing resources at acceptable costs as a basis on which to run the appropriate application systems. These services may include: ■ ■ ■ ■ Operating system support Network support Technical database support Hardware support In all cases, a higher degree of technical expertise is required in order to ensure the effectiveness and efficiency of the overall IT architecture. These functions are covered in more detail in Part Four of this book. PERFORMANCE MEASUREMENT AND REPORTING Performance measurement can be looked at in several ways: ■ It is an environment in which strategic, tactical, and operational plans are linked via a feedback process whereby performance measurement systems provide the information needed to determine whether top management strategies have been effectively translated into tactical and operational decisions. This information is essential to improve decision making and enable proactive problem correction. It is a methodology in which the course of the organization toward its vision is steered by using feedback to make ongoing adjustments, thus ensuring continued quality of ch11_4768 1/8/07 3:04 PM Management ■ Page 157 157 programs and services despite changes in both the internal and external environments. It is an iterative process consisting of: the setting of objectives, the development of strategies/plans to achieve those objectives, and the development of performance measures to assess progress toward those objectives. One popular way of measuring overall performance is the balanced scorecard approach, which was developed by Robert S. Kaplan and David P. Norton.6 This approach builds upon the traditional performance focus on financial measures by emphasizing client satisfaction, internal business processes, and innovation/learning. Each of these has, in its own way, a place in ensuring that performance is optimized. These focuses can be mapped onto the traditional organizational vision, mission, and strategy as seen through the eyes of business owners, customers and other stakeholders, managers and process owners, and employees. The owners of the business are represented by the financial focus; customers and stakeholders are represented by the client satisfaction focus; managers and process owners by the business processes focus; and employees and infrastructure by the innovation and learning focus. The financial measures deal with the measurement of the level of financial performance provided by programs and services. Examples of the financial impact of programs and services within IT can be measured through such indicators as budget versus actual expenditure; degree of cost recovery; achievement of cost budgets in systems development; and achieving the financial benefits anticipated in systems feasibility studies. Within the IS area, the client satisfaction measurement is concerned with the degree to which the IS services provided meet the needs of the users of such services and the organization as a whole. Such measures could include the achievement of performance and availability targets, satisfying users’ functionality and information needs, flexibility of systems, and degree of user confidence in systems. The measurement of the internal business generally relates to the quality of those processes used to provide the systems and services that satisfy user needs. Generic internal business performance ch11_4768 1/8/07 158 3:04 PM Page 158 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE indicators for information systems could include the achievement of time-related budgets on systems implementation, response times on operational requests, and frequency and duration of system failures including hardware, software, and communications. One other critical performance area for an effective IS function is that of innovation and learning. The dynamic nature of IT directly impacts the ability of an organization to sustain innovation and growth. Continuous improvement and innovation is required in its use of all organizational resources including its human resources, technology, products, and services. In many cases information systems can be the drivers for such innovation. Performance indicators in this area would typically include the improvements in business processes facilitated by innovation in the use of information systems, degree of management and user interaction in the modification and improvement of systems, involvement of information systems in reengineering initiatives, and amount of leverage obtained from the use of the organizational data warehouse. Obviously, any framework for measuring organizational performance must be based on the strategic objectives of the organization. Nevertheless the unique role of IS has a dramatic impact and the organization’s ability to allocate resources, utilize management information for decision making, and deliver products and services. Many organizations have no formal measurement program as yet and have still to develop and implement a balanced approach to measuring IS performance. Performance measurement must be carried out from the top down. IS goals and objectives cannot be determined until business objectives have been determined and communicated so that the appropriate strategies and goals can be established and plans implemented to achieve these. MEASUREMENT IMPLEMENTATION In order to be universally accepted, implemented performance measurement criteria must be seen as quantifiable in the development and objective of the application. In order to achieve this, the organizational culture must support accurate, comprehensive, and balanced feedback in order to facilitate effective decision making by providing the information necessary. The resources required to implement this should not be underestimated because it takes time and effort to be ch11_4768 1/8/07 3:04 PM Management Page 159 159 introduced and maintained. A “one size fits all” approach cannot be used due to the extreme variations in architectures, methodologies, and approaches undertaken in developing and utilizing information systems. Prior to implementation an impact analysis will be required in order to determine the ability of the organizational IS area to implement such an approach as well as both financial and functional impact of such implementation. Based upon the results of this analysis a controlled pilot project would normally be launched within one of the operational areas of the IS function. The area chosen should be one in which performance measurement points can be readily determined and the life cycle of improvement is comparatively short. The starting point, as ever, is the long-term business objective of the area to be improved. This may seem obvious but determining agreed objectives with a common interpretation can be problematic. Once the objectives have been agreed an appropriate measurement architecture can be developed to assess the performance area from the four perspectives mentioned earlier. Once the architecture has been agreed a strategy of transition to the new measurement approach must be developed. The pilot project will be used to adapt and streamline the performance measurement architecture prior to implementation of the full IS area. The use of a balanced scorecard helps to create a Strategy-Focused Organization (SFO), rather than a Metrics-Focused Organization (MFO), which thus facilitates the alignment of its daily activities to strategy, and communicates that strategy throughout the organization. This is critical because many organizations utilize key performance indicators, which are tactical in nature rather than strategic. Because the balanced scorecard is designed to ensure achievement of strategic objectives, a strategic focus is essential. Many of the benefits of information systems are intangible in nature making it difficult to measure their relative contribution to overall business performance. There is a tendency to conduct project management at a technical level while ignoring the original business proposition that created the project in the first place. Many IS benefits such as improved customer service and increased flexibility are difficult to interpret into financial benefits. It has been suggested7 that as many as 75% of IS interventions offer no demonstrable business value. The key word in this situation is demonstrable because traditional financial evaluation methods may not tell the whole story in an IS environment. ch11_4768 1/8/07 160 3:04 PM Page 160 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE In order to adequately express measurement criteria within the balanced scorecard, the starting point must always be the statement of business intent or mission for the entity being evaluated. In such a case the customer orientation intent may be “to deliver customer response times superior to competitors.” This could then be translated into measurement criteria by reducing the intent into measurable objectives such as customer satisfaction, acquisition of new customers from competitors, or retention of existing customers, leading to measurements such as numbers and severity of customer complaints, percentage of repeat customers, number of new customers acquired from competitors, and so forth. These are not the traditional financial measures but nevertheless express the strategic content of the information system. In a similar manner measurement criteria may be established for the other balanced scorecard perspectives. Internal business processes could, for example, be measured by percentage availability of systems, frequency of system crashes, response times, downtime, and so on. Innovation and learning could be measured by determining skills acquisitions or independence from consultants. Critically, the IS balanced scorecard measurement criteria should be able to indicate cause and effect of performance drivers rather than solely business outcomes. Kaplan and Norton recently released a follow-up to The Balanced Scorecard,8 in which they noted: The Balanced Scorecard approach retained measures of financial performance, the lagging indicators, but supplemented them with the measures on the drivers, the lead indicators, of future financial performance. But what were the appropriate measures of financial performance? If financial measures were causing organizations to do wrong things, what measures would prompt them to do the right things? The answer turned out to be obvious: Measure the strategy! Thus all of the objectives and measures on a Balanced Scorecard— financial and nonfinancial—should be derived from the organization’s vision and strategy. Control Risks and Outsourcing Outsourcing of IS services is a route chosen when: An organization determines that it does not have sufficient competence to tackle the work itself, where the costs of in-house processing are determined to be ch11_4768 1/8/07 3:04 PM Management Page 161 161 greater than the cost of outsourcing the activity, or where the risks associated with the executor function is determined to be too high to retain in-house. IT areas frequently considered for outsourcing include: ■ ■ ■ ■ Project functions such as systems analysis, design, and programming Running of selected application systems such as payroll Data capture or transformation prior to processing Operation of the IT facility In all cases measurement and performance criteria must be developed prior to evaluation of the most appropriate process. Considerations such as the scope of services, level of service requirements, quality measurements, and cost must be taken into account in advance because choosing to outsource such services can be a higher risk intervention and the decision may be difficult to reverse. Whether or not the outsourcing partner retains the organization’s original staff as part of the outsourcing agreement, there may be insufficient skills and abilities retained to rebuild an internal IT service if required. The selection of an outsourcer is a critical part of the process requiring that checks be made on both the quality of service received by the existing customer base as well as their market stability and track record. A common mistake is approaching a selected number of outsourcers to inquire as to the variety and level of services they can offer. As with any project, business and technical requirement specifications should be designed with evaluation criteria before outsourcing agencies are approached. Outsourcing contracts for information services will typically involve a longer duration than normal commercial contracts due to the longer duration of systems development and a higher cost in setup of specific architectures. As such, it is essential to ensure their contracts clearly spell out the variety of services to be provided, measurement criteria, and penalties for unacceptable performance. This would normally take the form of a service level agreement (SLA) which, in an outsourcing contract, would typically involve more detail than those in normal internal use. Performance areas such as security, right of inspection by audit, and contingency planning arrangements must be incorporated within the SLA. ch11_4768 1/8/07 162 3:04 PM Page 162 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE As with any partnering agreement the intention and the belief is that all will go well. Nevertheless, a fundamental reason for the contract is to prepare for the eventuality that things do not go well and therefore options and remedies in the event of a partial or complete failure of the agreement need to be decided in advance. This is particularly true where IT services are involved because the technical nature of such services can result in lengthy court cases regarding performance measurement and contract terms. In cases of disputes many users of such services attempt resolution by arbitration in order to avoid costly and drawn-out court battles. Where software is involved, escrow may be required for the protection of software interests. This involves the lodging of a copy of the software with an independent third party so that, in the event of the software provider failing to comply with the terms of contract or ceasing to exist, software service can be continued legally by obtaining the software from the third party. Auditing IS Management In reviewing a typical IS function, the auditor will use a standard set of indicators to determine whether management is performing at an acceptable level. These indicators could include: ■ ■ Operational ● Degree of end-user acceptance of performance levels ● Actual to budget comparisons ● Frequency of hardware and software problems ● Acceptability of computer response time ● Frequency of unauthorized purchases of hardware and software ● Frequency of upgrades of hardware and software ● Degree of capacity planning ● Adequacy of business continuity planning Systems development ● Cost and budget comparisons ● Achievement of deadlines ● Achievement of end-user objectives ● Number of uncompleted development projects ch11_4768 1/8/07 3:04 PM Page 163 Management ■ 163 General management ● Experience and training of staff ● Staff turnover ● Staff motivation ● Reliance and key individuals Such indicators would be examined using the conventional audit techniques of documentation review, observation, and interviewing in order to determine management’s intent as compared to actual performance. ENDNOTES 1. Project Management Institute (PMI) Standards Committee, A Guide to the Project Management Body of Knowledge (PMBOK® Guide), Third Edition, Sylva, North Carolina: PMI Publishing, 2000. 2. R. D. Archibald, Managing High-Technology Programs and Projects, New York: Wiley, p. 19. 3. B. Boehm, “A Spiral Model of Software Development and Enhancement.” IEEE Computer (May 1988): 61–72. 4. E. Fish, An Improved Project Lifecycle Model, Pandora Consulting, http://www.maxwideman.com/guests/plc/intro.htm (Guest Department), 2002, updated 2003. 5. International Organization of Standardization, ISO 8402: 1986. 6. Robert S. Kaplan and David P. Norton. The Balanced Scorecard, Boston: Harvard Business School Press, 1996. “Using the Balanced Scorecard as a Strategic Management System,” Harvard Business Review (January-February 1996): 75–85. 7. M. Raisinghani, “A Balanced Analytic Approach to Strategic Electronic Commerce Decisions: A Framework of the Evaluation Method,” in W. Van Grembergen, Information Technology Evaluation Methods and Management, Hershey, PA: Idea Group Publishing, 2001, pp. 185–197. 8. Robert S. Kaplan and David P. Norton. The Strategy-Focused Organization: How Balanced Scorecard Companies Thrive in the New Business Environment, Cambridge, MA: Harvard Business School Publishing, 2000. ch12_4768 1/8/07 3:06 PM Page 164 CHAPTER 12 Strategic Planning his chapter examines Information Systems (IS)/Information Technology (IT) strategic planning and looks at competitive strategies and business intelligence and their link to corporate strategy. These, in turn, influence the development of strategic IS frameworks and applications. Strategic planning also includes the management of IT human resources, employee policies, agreements, contracts, segregation of duties within IT, and the implementation of effective IS/IT training and education. T STRATEGIC MANAGEMENT PROCESS The strategic management process uses qualitative and quantitative information under conditions of uncertainty in order to integrate both intuition and analysis. Management intuition is based on judgment, past experiences, and feelings and is used in conditions of great uncertainty or conditions where there is no precedent to assist management in making decisions. At all levels within the organization, management must make decisions under conditions of uncertainty on a daily basis and it is their intuition which influences that interpretation of analyses that affects the strategic decisions taken. A key attribute of the strategic management process is adaptability to change, and organizations must monitor internal and external events as an iterative process in order to ensure timely adaptation is effected. Over the past 20 years, the magnitude of the rate of change in information technology as well as its acceleration, combined with increased access to global marketplaces and increased national and international regulation have forced change upon organizations at a rate never before seen. This increased the pressure on management to 164 ch12_4768 1/8/07 3:06 PM Page 165 Strategic Planning 165 develop adaptive strategies in order to stay in competition and even to stay in existence. Strategies, overall, are the means by which longterm objectives are intended to be achieved and could include geographic diversification, product development, service differentiation, acquisition of other organizations, divestitures, retrenchments, or even liquidation. Strategic management is an attempt to utilize existing knowledge to forecast the outcomes of events and the degree to which they can be influenced by management actions. STRATEGIC DRIVERS The start of the new millennium is typified in the computer industry by a “merger mania” with the old practice of single portfolio suppliers giving way to problem and solution-based vendors. Information vending is becoming the future direction for all. As far as the technology itself is concerned, it may be classified as: ■ ■ ■ ■ Hardware getting cheaper Communication bandwidth getting wider Software getting more powerful Users getting more confused Storage capacity is rocketing and network costs are reducing to virtually nil while PC operating systems have become mainframe-like in their sophistication. This combined with business’s eagerness to embrace technology as an enabling tool has resulted in the fundamental shifting of the manner in which business is done. Thus we see the advent of corporate structuring of data warehouses to gain strategic advantage by being the best around at converting data to information and information to insight. In addition, technology such as electronic data interchange (EDI) has shortened the business cycle beyond previous comprehension. E-commerce is another such revolution which will, over the next few years, have much the same impact on conventional business as supermarkets had on the corner shop. ch12_4768 1/8/07 3:06 PM 166 Page 166 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE NEW AUDIT REVOLUTION In the same way that business is embracing the new technologies, audit has no choice but to follow suit and utilize technology to develop innovative ways to make information out of the vast resources of data available and so proceed to the development of risk and control insights. Advanced systems include such components as Communication Networks including the Internet, intranets, and extranets. Integral to such systems are concepts such as EDI, EFTS (Electronic Funds Transfer Systems), EFTPOS (Electronic Funds Transfer at Point Of Sale), JIT (Just-in-Time), and MRP (Material Requirements Planning). Such systems will typically integrate concepts such as real-time processing with relational database management systems (DBMS) and Integrated Data Warehouses to arrive at total integrated systems for the whole organization. This will include the use of EIS (Executive Information Systems) and SIS (Strategic Information Systems). Extensive use of teleprocessing and client/server environments will also typically be found. LEVERAGING IS As corporations look toward leveraging IS with a view toward the reengineering of the business as a result of changes and pressures in their business and competitive environment, it would only be sensible to examine the status of internal audit to determine whether it too requires some re-engineering. Re-engineering as a process involves the fundamental rethinking and radical redesign of business processes to bring about dramatic improvements in performance. Improvement claimed includes: ■ ■ ■ 48% reduction in cost 80% reduction in time 60% reduction in defects As can be seen from the numbers, this is not tinkering with a few minor enhancements. At its best, it involves common sense reinvented (CSR). ch12_4768 1/8/07 3:06 PM Page 167 Strategic Planning 167 BUSINESS PROCESS RE-ENGINEERING MOTIVATION There can be several motivations for any business process reengineering (BPR). The motivation will affect the nature, focus, and probable success of the intervention. Survival as a Motivation ■ Indications for re-engineering ● Outgrowing capacity ● Value added versus revenue Under this motivation the major success factor may be the speed of automation and the primary focus is the core operation of the organization with the intention being “Don’t Automate—Obliterate.” Elimination of Competitive Disadvantage as a Motivation ■ Indications for re-engineering ● Losing market share ● Performance lag Within this scenario the most critical factor is probably an understanding of the original source of disadvantage and the primary focus is to lead the competition. This scenario is based on the concept that “If you can’t win at the game—Change the Rules.” Generating Competitive Advantage as a Motivation ■ Indications for re-engineering ● Stable market share ● Stable industry Under these circumstances, the most critical success factor is the ambition of the leader of the process and the focus is clearly on customer-value drivers. This could be described as “Cuddling up to the Customer.” Creating a Breakthrough as a Motivation ■ Indications for re-engineering ● Declining market ● New industry opportunities ch12_4768 1/8/07 168 3:06 PM Page 168 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE Success factors here include both the vision of the leader as well as the communications capability throughout the organization. Here the focus will vary depending on the industry involved but can be typified as “Breaking out of the Mold.” Ultimately, such re-engineering is intended to lead to achieving client value which, in turn, requires a narrower focus for the organization in order to deliver superior client value. Client intimacy becomes essential in order to permit the segmenting and targeting of markets precisely, as well as the tailoring of services to meet these niches. Operational excellence is an imperative throughout the process and beyond. The organization must provide reliable service at a competitive price delivered with minimum inconvenience. The products themselves must be leading-edge products that consistently enhance the clients’ use of the service. Success for such an organization means excelling at achieving client value while meeting competitive standards in operational excellence and leading-edge product delivery. IS AS AN ENABLER OF RE-ENGINEERING Processes are about handling information and, if IS is used as an enabler, not as an end product, new audit possibilities allowing inductive problem seeking and international research on a massive scale are opened. As was the case, taking a mess and computerizing it simply creates a high-speed, expensive mess. Misuse of IS can seriously impede re-engineering by reinforcing old ways and stereotypes. DANGERS OF CHANGE All change involves risk to some degree. Change involves uncertainty and by disturbing the status quo we create a threat to vested interests, we disrupt harmony, and if this goes unchecked it can kill morale by creating emotional upheaval. This ultimately can cost a fortune in managerial time and effort, cause loss of valuable people, talents, and skills, and change can become self-defeating. Change inspires resistance, which in turn can move from passive resistance to aggressive ch12_4768 1/8/07 3:06 PM Page 169 Strategic Planning 169 undermining. Fear of losing something, misunderstanding the transformation and its implications, or a belief that the change does not make sense can lead to a low tolerance for change. Hidebound infrastructures and top management misconceptions can lead to turf battles. Building around existing employees can lead to change in name only with no material effect. Used properly, even resistance can become an energy to utilize. Resistance need not always be a roadblock. In order for it to become useful the transition process itself must be understood. Process transformation takes place in clearly defined and measurable phases. There is an Ending Phase involving letting go of old values and ideas. A disengagement and disenchantment with previously cherished beliefs. This is followed by a Neutral Phase. During this phase, disorientation may lead to disintegration of assumptions, discovery of new horizons, and leads to a building of energy for transformation. The Transformation Phase itself allows the creation of those new horizons, new possibilities, and alignment of vision. SYSTEM MODELS Systems may take several forms. The most basic types of systems are those that are used on an ongoing basis to provide facilities for the day-to-day operations of the organization. These normally involve the processing of everyday business transactions. Transaction processing systems include: ■ ■ ■ Order processing Inventory Purchasing In addition to these systems supporting our normal business processing, management requires information, on an ongoing basis to inform them of the status of various parts of the organization. These Management Information Systems would include: ■ ■ Financial Manufacturing ch12_4768 1/8/07 3:06 PM 170 ■ ■ Page 170 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE Marketing Personnel A further categorization of systems comes when the information becomes used by a variety of decision makers to support business decisions. These Decision Support Systems are becoming more and more sophisticated and may be found in all business areas including: ■ ■ ■ Financial Statistical analysis Project management INFORMATION RESOURCE MANAGEMENT Information Resource Management is based upon five fundamentals: 1. Information Management. Information is valuable and must be managed as such. In many organizations, information does not appear on the balance sheet or asset register and is thus seen as something that, while important, is not really valuable. 2. Technology Management. Technology Management addresses the whole aspect of the value of technology to the firm. This includes the impact and effect on other resources as well as the gaining of strategic advantage by judicious use of the appropriate technology. 3. Distributed Management. Where systems are located can have a significant impact on systems effectiveness as well as internal control and thought must be given to the maintaining of an adequate system of managerial control. 4. Functional Management. Like other functional areas, IS must be directed and controlled in order to ensure the effective, efficient, and economic use of what is, after all, an expensive resource. 5. Strategic Management. IS holds the potential to gain and maintain major competitive advantage for the organization. Used appropriately, IS can raise the barriers of entry to competition, gain exclusivity for the information holder, and generally keep the organization ahead of the pack. ch12_4768 1/8/07 3:06 PM Page 171 Strategic Planning 171 STRATEGIC PLANNING FOR IS Strategic planning is a process of identifying long-term goals and objectives of any organization and then selecting the most appropriate approach for achieving those goals. In judging the impact that IS can have on the strategic planning process, the leveraging of the organization’s information resource can make or break the process of achieving the strategic plan. The corporate strategic plan, under the care of top management, represents the shared vision of corporate intent and provides an execution framework for a specific period of time. It sets an overall direction for the organization and lays the ground rules for the acceptance of new projects, products, and services. This facilitates the identification and selection of the best tactical and operational interventions in order to achieve strategic objectives. It allows prioritization of activities and expenditures in order to maximize the probability that successful outcomes will be achieved. Strategic planning is therefore a broad-brush approach involving a statement of corporate intent. This then must be translated into tactical plans developed to meet the overall strategic objectives. This will typically involve a variety of individual operational objectives streamlined to ensure that all work undertaken will eventually assist in the achievement of the overall corporate goal. From an IS perspective, the effectiveness of these tactical goals will depend largely on the clarity of the corporate vision being communicated to the operational managerial level. If misalignment takes place at this point, an organization can spend many years and many millions of dollars developing systems specifically designed to take the organization in the wrong direction. An IS strategy rests upon the comprehension of the corporate vision, which in turn leads to the development of an appropriate framework together with its management and control mechanisms through to its execution in the delivery of appropriate information processing systems. Development of an appropriate framework assists in achieving the vision by providing the structure within which results are measurable, repeatable, and sustainable. This is critical because IS strategy is a dynamic process as the corporate vision is dynamic dependent upon market circumstances. As with any other process it does not stand alone and must ch12_4768 1/8/07 172 3:06 PM Page 172 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE be integrated into the other business processes of the organization such as enterprise planning, budgetary control, product development, and delivery and marketing. Like all other business planning processes it must be both measurable and measured. Management and control of the operational plans are fundamental to the overall success and achievement of the corporate strategic plan. An IS plan that looks good in theory can, under poor management conditions, lead the organization far away from its original strategic intent. Given the extended nature of the corporate IS investment whereby results may be seen only after several years, it is essential that alignment of IS and organizational strategies be achieved and maintained. This alignment is one of the most difficult areas to achieve and control. If an IS project takes five years to develop there is a strong possibility that, without appropriate change management, the strategic intent in developing the system may have changed radically in the intervening time. In addition, the project itself may produce a system that is intended to support the organization’s business for the next 15 to 20 years. Without flexibility it is unlikely that the new system will maintain alignment with the overall corporate strategy. Flexibility is fundamental both within the development process itself and within the execution phase after the project system has been developed. In today’s business environments the only constant is change. It must be clearly understood by all concerned that the organization does not exist to run information systems. The information systems exist to support the organization and as it changes so must they. This involves a constant reassessment of the degree to which the overall IS strategy maintains its alignment with the overall organizational strategy, as well as the degree to which the IS operational planning is in line with its own strategic objectives. This requirement for flexibility in organizational operations has always existed; however, in the information processing age the dynamics of change have become so complicated and so rapid that inflexibility can actually result in the total collapse of the organization. A more difficult concept for many managers is that of value for money within an IS scenario. Information systems frequently produce an intangible benefit that accrues to client users rather than the information. Because most managers in the business arena have little conception of the costs of maintaining an appropriate IS infrastructure, ch12_4768 1/8/07 3:06 PM Page 173 Strategic Planning 173 information processing costs are commonly thought to be excessive and therefore frequently the effectiveness of the IS function itself is commonly measured by savings accrued and budgets achieved. These are in fact, measurements of efficiency that can nevertheless result in the IS function maintaining a focus on simply keeping existing systems running at constantly reducing costs. As a result, many IS functions understand their objective to be the delivery of high-quality, reliable systems at the lowest possible cost. In a few organizations where this cost reduction imperative is not believed to have been achieved, complete decentralization of the IS function into business units can occur, which leads to a sacrifice of scale economies and an overall increase in costs. Taken to its extreme, this may even result in the outsourcing of the IS function because of the perception of excessive costs. It should not be seen that all organizations are fixated on cost reduction. Many progressive firms see IT as being a fundamental driver toward achievement of their corporate strategy. Such firms seek innovative ways to leverage their information systems to gain and sustain competitive advantage. These firms face the danger that innovation becomes paramount and both cost and traditional quality measures may suffer as a result. It is the balance among alignment, flexibility, quality, reliability, and cost that achieves the accomplishment of the IS strategy. It is understandable that, before IS can be accepted as a main driver of the execution of business strategy, it must first demonstrate its competency in cost control and quality. Only after competency is demonstrated can IS seek to participate in realizing organizational strategies, not just operational objectives. DECISION SUPPORT SYSTEMS Another complication arises from the advent of Decision Support Systems. These systems, commonly combined with data warehousing, use databases in order to assist management in the making of fundamental business decisions. In such cases it is essential that management place reliance on the accuracy, completeness, integrity, confidentiality, and timeliness of such systems. These systems may, in turn, be extended into the concepts of EIS, which address those aspects of cor- ch12_4768 1/8/07 174 3:06 PM Page 174 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE porate governance that are of specific importance to executive management in deciding strategic direction in the first place. STEERING COMMITTEES In order to manage the process of achieving flexible, valuable systems many organizations delegate the responsibility and authority to a steering committee made up of managerial expertise in multiple functional areas of the business as well as IS itself. The concept is that each member of the committee can bring diverse skills and perspectives in order to ensure the alignment of the IS strategy with the corporate strategy and additionally to ensure that the information systems deliver the business requirements. In many committees it can be seen that individual members dominate and the synergy of differing perspectives is lost. Such committees become a “rubber stamp” for one or two individuals’ decisions. Other steering committees have been known to devolve into “talk shops” where much is said but little is decided. In a worst-case scenario the committee can become a method for accountability evasion so that no decision ever becomes an individual’s fault if it fails and therefore there is no incentive to get things right. Many individual managers express concern that the systems that are being delivered are simply re-hashes of existing systems with little improved benefit. Ultimately, systems alignment can only be dictated by those who fully understand the organization’s business strategy, and in some extreme cases this strategy is seen to be a corporate secret and is not revealed to those making tactical and operational decisions. STRATEGIC FOCUS Since its introduction in 1992, the Balanced Scorecard management framework (see Chapter 11) has been seen by many organizations as a key element in defining organizational strategy and as a facilitator in measuring strategic performance. It is not, however, the only means of achieving an IS strategic focus. ch12_4768 1/8/07 3:06 PM Page 175 Strategic Planning 175 In 1995 Treacy and Wiersema1 developed a model that can be used to guide the organization of IT internal activities. It uses the hypothesis that firms achieve competitive advantage by placing their emphasis on one of three value disciplines: operational excellence, customer intimacy, or product leadership. In order to maximize the value-added attention to its customers, IS must excel in all three disciplines. Once again, customer intimacy and understanding of the business unit’s strategic and operation objectives can be seen as fundamental to the implementation of an effective IS strategy. AUDITING STRATEGIC PLANNING As with any audit, the first stage is to obtain a business understanding of management’s intentions. This may be complicated by the size and cross-function capability of such systems resulting in the business areas considered covering virtually the whole company. From this understanding, the business objectives and thus the control objectives may be derived. This permits the auditor to identify and evaluate critical controls/processes/apparent exposures within the overall systems and design the appropriate audit procedures. Once these have been agreed, the testing of the critical facets and evaluation of the results becomes routine. As discussed earlier, another complication arises from the advent of Decision Support Systems. These systems, commonly combined with data warehousing, use the databases in order to assist management in the making of fundamental business decisions. In such cases it is essential that management can place reliance on the accuracy, completeness, integrity, confidentiality, and timeliness of such systems. These systems may, in turn, be extended into the concepts of EIS, which address those aspects of corporate governance that are of specific importance to executive management. In auditing strategic planning there is a complexity multiplier factor at work where the vulnerability of the organization to inadequacies in internal controls in the development of strategic systems is limited only by the degree of corporate dependency on the system. This factor is normally unevaluated and commonly understated, but it could threaten the ongoing existence of the organization. ch12_4768 1/8/07 3:06 PM 176 Page 176 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE DESIGN THE AUDIT PROCEDURES In testing such planning the auditor cannot always test the actual control that management relies on. Many of these planning interventions have few controls or controls that report only if there is a problem. Where there is no problem, no evidence is retained. The auditor should be wary of relying on a lack of evidence to prove a control is effective and should rather seek ways of testing to obtain evidence. This means that the auditor should always know what to look for. Bear in mind that not all controls need to be tested. There may be common controls covering a variety of threats in a common manner. The auditor should try to identify the control structures and establish the degrees of control effectiveness before forming audit opinions. ENDNOTE 1. Michael Treacy, Fred Wiersema, The Discipline of Market Leaders, Reading, MA: Perseus Books, 1995. ch13_4768 1/8/07 3:07 PM Page 177 CHAPTER 13 Management Issues his chapter looks at the broader Information Systems/Information Technology (IS/IT) management issues including the legal issues relating to the introduction of IT to the enterprise, intellectual property issues in cyberspace, trademarks, copyrights, patents, as well as ethical issues, rights to privacy, and the implementation of effective IT governance. The introduction of IT to organizations has had a dramatic impact on many aspects of their compliance with the law. Perhaps the most fundamental impact of IT on enterprises doing business has been the impact on the legal position of transactions. In order for business to continue taking place in a modern computerized environment, it must be enforceable that transactions concluded and performed in whole or in part by electronic means be regarded as legally binding. In addition, a variety of concerns regarding confidentiality, accuracy and completeness of information, identity authenticity, and protection of intellectual property have required the rethink of existing laws and legislation. The extent to which legislation has kept pace with advances in technology varies from country to country although all face the same problems. Business moving onto the Internet has created some of the greatest opportunities for fraud the world has ever known. “Cyberfraud” is a major international growth industry that has both the business and legal world struggling to keep pace. Fraud itself typically involves a false statement or omission made deliberately to induce an individual or organization to rely upon it to their prejudice. Prejudice itself may be actual or potential depending on the wording of the individual legislation. Electronic fraud, utilizing Internet technology, may come in the form of creating a false identity on the Internet, intercepting information sent over the Internet, using the Internet to T 177 ch13_4768 1/8/07 178 3:07 PM Page 178 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE spread false information, or using the Internet to access and manipulate information within the corporate information systems. There is an old saying that “on the Internet nobody knows you’re a dog” and identity misrepresentation or even identity theft have become a 21st century phenomenon. Such acts range from impersonation of an existing authorized user on a computer system, through “grooming” children on Internet chat rooms, to “phishing” for information by pretending to be a legitimate information seeker, to stealing an individual’s identity via knowledge gained on the Internet. Creating a false identity is not a new phenomenon but it is considered more difficult to detect electronically. Acquisition of goods and services from a genuine dealer by assuming a false identity and using a false credit card number is comparatively common. This is where Certification Authorities become critical. A Certification Authority is an organization that guarantees that the business or person is as claimed having checked their identity independently. This is not to say that all Certification Authorities are equal. Some merely check that a business exists and that the bank account is valid. Others go into considerably more detail and cost correspondingly more. One difficulty with the issuance of such certificates is that many customers do not have certificates and the cyber trader can either deny access to such potential customers and therefore lose business, or take a chance that the customer is legitimate even without the appropriate certificates. Given that the Internet appeals to customers who like to do things in an easy manner, as with most things, control is frequently seen to be an inconvenience. One of the more common concerns about doing business electronically is that someone will intercept transaction and payment details in a form of “electronic eavesdropping” and use them to commit the kind of fraud described earlier. Although we have had the ability to encrypt information since information processing began, most of our communication remains in clear text, easily intercepted, read, amended, and retransmitted. Circulating information over the Internet calls for little or no capital outlay and the information circulated may be erroneous, intentionally misleading, or even libelous. Misuse in this area ranges from falsely spreading rumors for financial gain, through character assassination, through the publication of propaganda for extremist groups of every sort. Much of this information sounds plausible although ch13_4768 1/8/07 3:07 PM Management Issues Page 179 179 factually it is false. Tracing the originations of such rumors is not impossible but does take effort, time, and money, which individuals and organizations may be unwilling to spend. Deliberate penetration of an organization’s systems with the intent to access and manipulate corporate information has become so common that it rarely warrants a mention in national newspapers. It has always been possible to break into any secure system, but the advent of e-commerce has effectively invited the world to have a go. Law-abiding citizens who would never consider larceny and burglary look on information larceny as a “bit of fun” and, in some cases, a challenge. The old laws regarding trespass were intended to prevent physical access and do not normally recognize logical access wherein nothing is physically damaged or removed. New laws may be required to redefine these crimes should existing laws prove inadequate. Laws defining evidence, the nature of the signature, and “proof” may need to be reviewed in the light of the advent of information processing. PRIVACY Privacy itself is concerned with the collection and use or misuse of computer store data. Many information systems retained data on individuals, which has been collected, stored and used without that individual’s knowledge or consent. Although information databases are normally used correctly and justifiably, the potential for misuse is inherent in all information systems. Countries around the world and several states within the United States have enacted privacy legislation to provide safeguards for individuals against an invasion of personal privacy by facilitating: ■ ■ ■ The individual determining which records have been collected, maintained, used, or distributed regarding themselves The prevention of records pertaining to the individual gathered for a specific purpose from being used or made available for another purpose without their consent The obtaining of by an individual of such information as has been held on the individual with the opportunity to correct or amend such records ch13_4768 1/8/07 180 ■ ■ 3:07 PM Page 180 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE The determination that information held is current and accurate for its intended use and that adequate safeguards exist for the prevention of misuse of such information Civil suit for any damages incurred as a result of willful or intentional action violating the individual’s rights under these acts Many international regulations exist when the information, particularly financial information, crosses international borders and a control such as encryption is compulsory in some legislation and banned in others. Such transborder data flow has become more complicated with the explosion of Internet traffic in an unregulated environment. COPYRIGHTS, TRADEMARKS, AND PATENTS Countries have, in the past, created enforceable rights in certain intangibles that have become known as intellectual property. This categorization includes copyrights, trademarks, patents, and trade secrets. As today’s economy grows increasingly reliant on the current proliferation of computers and computer networks, the illegal reproduction and distribution of protected material has become considerably easier to accomplish. Conventional wisdom is that copyright protection is important to protect the computer software industry. It should always be remembered because an organization’s information itself may be as important to protect as the software it utilizes. Some of the most vital information and trade secrets are held on computers, connected into networks and ultimately connected to the world at large. A trade secret may be defined as: any formula, pattern, device or compilation of information used in a business to obtain an advantage over competitors who do not know or use it.1 A great deal of time and effort is now being spent in countries such as the United States in order to ensure that an organization’s copyrights, trademarks, and patents have a legal protection within IT legislation. Obviously, the legal remedy is only of significance after a transgression has taken place, and the auditor’s role may be to ensure ch13_4768 1/8/07 3:07 PM Page 181 Management Issues 181 that practical countermeasures have been put in place by management to prevent such transgressions from occurring. Countermeasures could include: ■ ■ ■ ■ ■ Cryptography Effective access control Permissions management Biometric authentication Digital signatures and certification authorities These technologies are discussed further in Chapter 27. ETHICAL ISSUES Business ethics lay out the rules under which business takes place— fairness, honesty, integrity, and the opportunity for all participants to be winners. All stakeholders within an organization maintain an ethical responsibility to act in the best interests of the organization and all of its stakeholders. An understanding of business ethics is essential for the IS Auditor who will encounter ethical issues and dilemmas in his or her daily interaction with management and auditees in any organization. Thus it is useful to understand that the general dimensions of economic activity where management will be making decisions often present tensions between ethical and legal choices. Rossouw2 identifies three main areas as including: 1. Macro or systemic dimension. The policy framework determined by the political power of the state that determines the basis for economic exchanges nationally and internationally between governments. 2. Meso or institutional dimension. The relations between economic organizations, such as public sector entities, private sector entities and private individuals and those outside the organizations. 3. Micro or intra-organizational dimension. The economic actions and decisions of individuals within an organization. Ethics are commonly confused with individual moral principles but in fact go far beyond them. They are designed to address issues ch13_4768 1/8/07 182 3:07 PM Page 182 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE from both practical and idealistic standpoints and as such the idealism may frequently be in conflict with the practical. From the professional’s perspective they become a way of life. Wheelwright3 defined three key elements in defining the impact of ethics on decision making: 1. Ethics involve questions requiring reflective choice 2. Ethics involve guides of right and wrong 3. Ethics are concerned with consequences of decisions In respect to information systems, ethical issues commonly involve the use to which the information is put and can be seen with and for specific areas of concern, namely privacy, accuracy, intellectual property, and access. As has been described earlier, privacy deals with the collection and use or abuse of computer store data. Accuracy and its risk equivalent inaccuracy can create havoc to individuals and organizations because the use of computerized systems involves an implicit trust in the accuracy and completeness of information provided. Intellectual property rights reflect the ownership and use of information including who has the right to buy or acquire the information as well as who determines the value of intellectual property. Access, as an ethical issue, is concerned with the ability of individuals to gain entry into information and information systems. CORPORATE CODES OF CONDUCT One of the common controls in this area is the implementation of a Corporate Code of Conduct. Such codes are directive controls and do not enforce “ethical” behavior. Where they are combined with detective controls designed to identify breaches of the code and corrective controls designed to take effective action where such breaches are identified, they may serve as a means of expelling non-conforming members of a population. Codes of Conduct should be in place for all companies (recommended in 1987 by the Treadway Commission and confirmed by King II4) and should be enforced. They assist in setting an ethical tone at the top of the organization and must apply to all levels from the top down. They open channels of communications between management ch13_4768 1/8/07 3:07 PM Page 183 Management Issues 183 and employees and assist in the prevention of, for example, fraudulent reporting. Codes of Conduct are based upon a shared understanding of the values including but not limited to: ■ ■ ■ ■ ■ ■ ■ ■ Honesty. No intentional deception Integrity. One standard of conduct for all involved Morality. Acting in terms of accepted social norms Equity. Acting in a fair manner with equal treatment for all Equality. Provision of equal opportunities to compete and collaborate in business activities Accountability. To accurately record an individual’s actions and to account to the stakeholders responsibly for those actions Loyalty. Trustworthy commitment to all those with whom an individual has dealings Respect. Recognition of the worth of superiors, subordinates, suppliers, and customers These values are normally aligned to the values statement to form the basis for the agreed code of conduct. Codes of Conduct may typically take two forms: 1. Positive statement of honest intentions (all embracing but impossible to control) 2. Lists of improper behavior (easier to audit but difficult to keep comprehensive) Codes which have been observed to be most effective contain a combination of positive generalizations and specific prohibitions. They include the basic rules of acceptable and unacceptable behavior and cover corporate positions and rules concerning: ■ ■ ■ ■ Acceptance of gifts Confidentiality Conflicts of interest Standards of corporate practice It is inevitable that in the conduct of business ethical dilemmas will arise that have to be faced and resolved as a result of conflicting values among various stakeholders. There is often no way of telling ch13_4768 1/8/07 184 3:07 PM Page 184 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE which values are correct or incorrect because different people have different values that they pursue. IT GOVERNANCE The word “govern” is derived from the Latin word gubenare, referring to the steering of a ship, and the word “governor” is derived from gubenator, which refers to the captain of a ship or steersman. Business and corporate governance place the goal of business success within the context of honest business behavior and sound stakeholder relations. The purpose of good governance is to match business behavior and management conduct with the organizational intentions, mission, and objectives. Following a variety of well-publicized breaches of the principles of good corporate governance, it was inevitable that IT governance would emerge as one of the more critical issues in the IT field. In wellmanaged companies IT governance was implemented in order to ensure the overall achievement of good management principles within the organization. In others it has become just another set of rules to be complied with. Governance responsibilities include setting the strategy, managing the risks, delivering perceived value, and measuring achieved performance. These responsibilities, overall, have been driven by the need to demonstrate the transparency of risks to the enterprise, but the impact of IT and the organization as a whole has created a dependency requiring specific focus on IT governance. Risk management in these areas include the management of IT’s impact and business continuity as well as reputational risk as a result of failures within IT itself. Generally then, IT governance is intended to facilitate the sustaining of organizational operations directed toward implementation of its general business strategies in the present and in the future. IT governance itself has been defined as: “IT governance is the responsibility of the Board of Directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives”6 ch13_4768 1/8/07 3:07 PM Management Issues Page 185 185 This indicates a clear difference between IT governance and IT management. Governance is concerned with IT achieving the current and future information needs of the organization in a controlled manner. Management focuses on ensuring an ongoing supply of quality services and products at an acceptable cost. From a governance perspective, the ultimate responsibility lies with the board of directors or governing body of the particular institution. A critical part of the execution of this responsibility lies in ensuring that the managerial levels understand part of the play in achieving good governance and implement the appropriate control structures in order to achieve that. Overall, the primary responsibility for implementing the strategic plans and policies of the organization as laid down by the board rests on the Chief Executive Officer. Given the critical role of information systems in achieving corporate strategies, the IT manager has a critical role to play in achieving good governance. The IT manager sets the operating objectives for the IT function ensuring alignment with the organizational strategic objectives in order to provide the initial goals for the IT function. Management control is achieved by creating a continuous feedback mechanism for measurement of performance, comparison to objectives, refinement of processes where necessary, and realignment of objectives where required. One critical element of the government’s process is the placement of the decision-making role for IT within the organization. Centralized versus decentralized was the traditional choice, but a more modern alternative is the Federal structure combining the efficiencies of the centralized structure with the flexibility of the decentralized. Because IT governance occurs at different layers within the organization, Control Objectives for Information and Related Technology (COBIT©) addresses the governance issues via key goal indicators and key performance indicators. The Board Briefing on IT Governance includes IT governance checklists, a Board IT Governance toolkit, a management IT Governance toolkit and detailed breakdowns of roles and responsibilities in achieving good IT governance. Because both internal and external auditors are part of the conformance function of corporate governance, it is critical that IS Auditors are familiar with the roles and responsibilities laid down in this document. ch13_4768 1/8/07 3:07 PM 186 Page 186 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE SARBANES-OXLEY ACT The far-reaching Sarbanes-Oxley Act (2002)6 in the United States provides stringent legal requirements to enforce sound corporate governance requirements on all U.S. Securities and Exchange Commission (SEC) registrants as well as their subsidiaries and associated entities, wherever established and operating in the world. All contain references to the important role of Audit Committees and Internal Audit in assisting management to ensure the effectiveness of the corporate governance processes. The Act itself primarily focuses on what is required for acceptable financial reporting; however, the suggested internal control framework (Committee of Sponsoring Organizations [COSO]) to be used for compliance with the Sarbanes-Oxley Act, as recommended by the SEC, addresses the topic of IT controls, although it does not dictate requirements for such control objectives and related control activities, leaving such decisions to the discretion of each organization. Section 404 of the Act requires that the management of public companies specified within the Act assess the effectiveness of the internal control over financial reporting and report annually on the result of that assessment. Given that financial reporting in such companies is directly dependent on the establishment of a well-controlled IT environment, SEC registrants must provide assurance that their IT controls are effective within their financial reporting context. In its document “IT Control Objectives for Sarbanes Oxley,”7 the IT Governance Institute discusses the IT control objectives that might be considered by organizations for assessing their internal controls, as required by the Act. HOUSEKEEPING Housekeeping procedures are intended to reduce the risk of loss or destruction of software and information and to ensure that sensitive output does not fall into unauthorized hands. Such procedures typically relate to the use of supplies, storage of software programs, handling of files including backups, distribution of outputs, and general care of the hardware itself. ch13_4768 1/8/07 3:07 PM Management Issues Page 187 187 In a centralized information processing facility, housekeeping controls and procedures are normally well established to ensure minimization of such risks. In a distributed, user-controlled environment, however, such controls may not be as obviously required, leading to food and beverage contamination of hardware, fire hazards caused by the use of multiple electrical adapters, data files and backups lost, stolen, or strayed, and confidential information either left lying around or sent to the wrong recipients. The auditor must ensure that basic organizational controls are in place and effective in order to minimize such elementary risks. ENDNOTES 1. David Goldstone, Prosecuting Intellectual Property Crimes, Office of Legal Education Executive Office for United States Attorneys, http://www.usdoj.gov/criminal/cybercrime/ipmanual.htm. 2. D. Rossouw, Business Ethics in Africa, 2nd Edition, Cape Town, Oxford University Press Southern Africa, 2002. 3. P. Wheelwright, A Critical Introduction to Ethics, 3rd Edition, New York: Odyssey Press, Inc., 1959, p 4. 4. The Institute of Directors (IOD), The King Report on Corporate Governance for South Africa, 2002. 5. IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, www.itgi.org, 2003. 6. The Sarbanes-Oxley Act (2002), 107th Congress of the United States, Washington, January 2002. 7. IT Governance Institute, IT Control Objectives for SarbanesOxley, www.itgi.org, 2004. ch14_4768 1/8/07 3:08 PM Page 188 CHAPTER 14 Support Tools and Frameworks his chapter introduces the reader to the need for support tools and frameworks such as COBIT: Management Guidelines, a framework for Information Technology/Information Systems (IT/IS) managers and COBIT: audit’s use in support of the business Support cycle. International standards and good practices such as ISO 17799, ITIL, privacy standards, COSO, CoCo, Cadbury, King, and SarbanesOxley also play a vital role in ensuring the appropriate governance. T GENERAL FRAMEWORKS Control Objectives for Information and related Technology (COBIT®) is one of the most widely accepted models of IT governance and control utilized to manage risks and implement controls within an IT environment in order to achieve business objectives. COBIT was introduced to meld existing IT standards and best practices into one comprehensive structure designed to achieve international accepted governance standards. Working from the strategic requirements of the organization, COBIT encompasses the full range of IT activities focusing on the achievement of control objectives rather than the implementation of specific controls. As such, it integrates and aligns IT practices with organizational governance and strategic requirements. It is not the only set of standards in common use, but it integrates with other standards to achieve defined levels of control. What may be classed as best practice for an organization must be appropriate to that organization based upon its needs and capabilities. Standards themselves do not achieve best practice but require careful selection, interpretation, and implementation in order to achieve an adequacy of control. At its highest level, COBIT presents 188 ch14_4768 1/8/07 3:08 PM Page 189 Support Tools and Frameworks 189 a framework for overall control based upon a model of IT processes intended as a generic model upon which specific controls can be overlaid in order to achieve a unique system of internal controls specifically tailored to the business needs of the organization. COBIT is designed to be utilized at different levels of management. Executive management can utilize it to ensure value is obtained from the significant investment in IT and to ensure that risk and control investment is appropriately balanced. From an operational management perspective, COBIT facilitates the gaining of assurance that the management and control of IT services, whether insourced or outsourced, is appropriate. IT management can use it as an operational tool to ensure the business strategy is supported in a controlled and appropriately managed manner in providing IT services. IS Auditors can utilize COBIT to evaluate the adequacy of controls, design appropriate tests to determine the effectiveness of controls, and provide management with appropriate advice on the system of internal controls. COBIT is based upon research into best practice within a variety of IT environments and is subject to continuous research and maintenance due to the dynamic nature of information technology. It is geared toward all aspects of IT governance unlike some other standards that are specific to, for example, security alone. Because of its close alignment with international accepted principles of good corporate governance, it is intrinsically acceptable to multiple layers of management as well as regulators. COBIT utilizes a framework of domains and processes in order to create a logical structure of IT activities in a manner that can be easily subject to managerial controls. The process model divides IT into 34 processes covering: ■ Planning and organizing. This domain covers all of the processes undertaken by management in order to ensure that the IT function is properly planned and controlled to provide assurance that corporate IT objectives will be achieved. Detailed processes include: PO1 PO2 PO3 PO4 Define a Strategic IT Plan Define the Information Architecture Determine Technological Direction Define the IT Processes, Organization and Relationships ch14_4768 1/8/07 3:08 PM 190 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE PO5 PO6 PO7 PO8 PO9 PO10 ■ Identify Automated Solutions Acquire and Maintain Application Software Acquire and Maintain Technology Infrastructure Enable Operation and Use Procure IT Resources Manage Changes Install and Accredit Solutions and Changes Deliver and support. This domain includes all of the processes required to deliver the appropriate service levels, manage information and operations, and ensure appropriate performance. Detailed processes include: DS1 DS2 DS3 DS4 DS5 DS6 DS7 DS8 DS9 DS10 DS11 DS12 DS13 ■ Manage the IT Investment Communicate Management Aims and Direction Manage IT Human Resources Manage Quality Assess and Manage IT Risks Manage Projects Acquire and implement. This domain covers the processes involved in identifying solutions through to installation and accreditation of solutions and changes. Detailed processes include: AI1 AI2 AI3 AI4 AI5 AI6 AI7 ■ Page 190 Define and Manage Service Levels Manage Third-party Services Manage Performance and Capacity Ensure Continuous Service Ensure Systems Security Identify and Allocate Costs Educate and Train Users Manage Service Desk and Incidents Manage the Configuration Manage Problems Manage Data Manage the Physical Environment Manage Operations Monitor and evaluate. This domain includes the processes required to monitor overall IT performance and ensure effective IT governance. Detailed processes include: ch14_4768 1/8/07 3:08 PM Page 191 Support Tools and Frameworks ME1 ME2 ME3 ME4 191 Monitor and Evaluate IT Performance Monitor and Evaluate Internal Control Ensure Regulatory Compliance Provide IT Governance Each of these is further subdivided into a variety of individual control objectives which, in turn, identify the control requirements, principal control structures, and measurement criteria. The measurement criteria are, perhaps, the most critical part of COBIT in terms of achieving corporate governance. Within each process, detailed control objectives are specified as a minimum level of managerial control. Roles and responsibilities for achieving these control objectives are spelled out and a maturity model for each process is given with measurement metrics under the headings: ■ ■ ■ ■ ■ ■ Nonexistent Initial/ad hoc Repeatable but intuitive Defined process Managed and measurable Optimized These metrics facilitate management’s and the auditors’ judgment as to the degree of compliance achieved in each of the processes. COBIT is based upon the understanding that the design and implementation of automated application controls is the responsibility of IT based upon the business needs as specified by the business process owner. General IT controls are the direct responsibility of the IT function and are therefore also covered within COBIT. Further Information Further information is available from the IT Governance Institute (www.itgi.org). Details of direct interest to the IS Auditor include the COBIT: ■ ■ Framework Control objectives ch14_4768 1/8/07 192 ■ ■ ■ ■ 3:08 PM Page 192 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE Control practices IT assurance guide IT control objectives for Sarbanes-Oxley IT governance implementation guide COSO: INTERNAL CONTROL STANDARDS As noted in Chapter 4, internal control was defined by COSO as a broadly defined process, affected by people, designed to provide reasonable assurance regarding the achievement of the three objectives that all businesses strive for, namely: 1. Economy and efficiency of operations, including achievement of performance goals and safeguarding of assets against loss; 2. Reliable financial and operational data and reports; and 3. Compliance with laws and regulations. In order to achieve these objectives, COSO defined five components that would assist management in achieving these objectives, namely: 1. 2. 3. 4. 5. A sound control environment A sound risk assessment process Sound operational control activities Sound information and communications systems Effective monitoring An internal control system would be judged to be effective if all five components were present and functioning effectively for operations, financial reporting, and compliance. COBIT originally adapted its definition of control from COSO in that the policies, procedures, practices, and organizational structures are designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. COBIT emphasizes the role and impact of IT control as they relate to business processes, whereas COSO defined internal control, described its components, and provided criteria against which control systems could be evaluated. ch14_4768 1/8/07 3:08 PM Page 193 Support Tools and Frameworks 193 The major goals of COSO were to establish a common definition of internal control in order to serve a variety of different parties and, at the same time, provide a standard against which organizations could assess their internal control systems and identify areas for improvement. COSO emphasized that the internal control system is a tool of management, not a substitute, and that controls should be integral to operating activities rather than added on. Unlike COBIT, COSO defined internal control as a process in its own right and recommended that periodic evaluation of the effectiveness of internal control be carried out from time to time. COSO also attempted to address the limitations of an internal control system including faulty human judgment, misunderstanding of instructions, management override, collusion, errors, and costbenefit considerations, all of which can serve to undermine the effectiveness of the overall system of internal control. COSO also stated that there should be separate and independent evaluations conducted of the system of internal control with the frequency and scope of such reviews dependent upon the assessment of risks and the effectiveness of management’s monitoring procedures. OTHER STANDARDS Security: BS 7799 and ISO 17799 As noted in Chapter 4, British Standard 7799 and International Standards Organization (ISO) 19977 were both developed to assist companies by ensuring security and control within electronic trading systems. The ten areas depicted within the standards facilitate the introduction of key controls as mandatory features and additional controls in higher risk organizations. Service Management: ITIL ® IT Infrastructure Library (ITIL) (www.itil.org) is intended to define the best practice in IT Service Management. It was developed by the Office of Government Commerce (OGC) and is supported by publi- ch14_4768 1/8/07 194 3:08 PM Page 194 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE cations, qualifications, and an international user group. The approach is a top-down, business-driven approach to the management of IT, which is intended to address the need to deliver a high quality IT service in order to deliver strategic business value. IT Service Management focuses on the people, processes, and technology issues that IT organizations face. ITIL, itself, attempts to assist organizations to develop a framework for IT Service Management by providing a cohesive set of best practices, drawn from both the public and private sectors. It offers a comprehensive qualifications scheme and accredited training organizations as well as specifically developed implementation and assessment tools. Project Management: PRINCE ® Projects in Controlled Environments (PRINCE) is a widely used project management method that navigates the user through all the essential elements for implementation of a successful project. It was first developed in 1989 by the Central Computer and Telecommunications Agency (CCTA) as a U.K. government standard for IT project management. Since its introduction, PRINCE has become widely used in both the public and private sectors and is a widely recognized standard for project management both within IT as well for non-IT projects. It is designed to incorporate the requirements of existing users and to enhance the method toward a generic, best practice approach for the management of a variety of projects. Criteria of Control: CoCo CoCo, sponsored by the Canadian Institute of Chartered Accountants, is intended to translate COSO into practical, implementable activities and defines three major control objectives: 1. Effectiveness and efficiency of operations 2. Reliability of internal and external reporting 3. Compliance with applicable laws and regulations and internal policies ch14_4768 1/8/07 3:08 PM Page 195 Support Tools and Frameworks 195 Within the CoCo framework, control is defined as encompassing: ■ ■ ■ ■ Purpose, which defines criteria that promote an understanding of the organization’s direction. They use techniques such as vision and strategy; risks and opportunities, planning, policy development, and use of performance targets and indicators. Commitment, which defines criteria that promote a belief in the organization’s identity and values. They impact ethical values, including integrity; human resource policies; responsibility and accountability, authority, and mutual trust. Capability, which defines criteria that address an organization’s competence. They involve knowledge and competencies, skills and tools, information, use of appropriate communication processes, coordination, and control activities. Monitoring and Learning, which defines criteria that will facilitate the organization’s evolution. They involve monitoring internal and external environments, monitoring performance, challenging assumptions, reassessing information needs and information systems, execution of follow-up procedures, and assessing the overall effectiveness of control. CoCo promotes the treatment of risk through: ■ ■ ■ ■ ■ Avoidance of risk Reducing the likelihood of risk occurring Reducing the impact should a risk occur Transferring the risk to a third party Accepting or retaining the risk This is seen to be effected using controls of the five basic types, namely: Directive, Preventative, Detective, Corrective, and Recovery controls. ch15_4768 1/8/07 3:09 PM Page 196 CHAPTER 15 Governance Techniques T his chapter covers the need for, and use of, techniques such as change control reviews, operational reviews, and ISO 9000 reviews. CHANGE CONTROL Periodically the necessity arises to modify an existing hardware and/or software configuration as a result of: ■ ■ ■ ■ ■ Hardware changes as a result of performance improvements or reconfigurations caused by changes to other systems Hardware failures during normal operations The detection of a software error during normal operations Changes to legislation affecting the organization’s business systems A change to the business operation of the organization requiring alterations within the information systems As a result of these changes in the environment, the extent of change required within the existing system configuration must be determined and the change applied in a controlled manner so as to avoid any undue disruption to normal processing. It is critical that during periods of change, the production versions of software are protected against unauthorized changes, untested changes, or even malicious changes. Change control’s objective is to ensure risk is controlled, not introduced, during a change. This means ensuring that: ■ ■ ■ 196 All changes are authorized All authorized changes are made Only authorized changes are made ch15_4768 1/8/07 3:09 PM Page 197 Governance Techniques ■ ■ 197 All changes are as specified All changes are cost effective This control requires a coordinated effort involving managers, users, information systems personnel, and IS Auditors. An effective methodology for authorizing, testing, and implementing the change in a controlled manner is a prerequisite. In most organizations this will involve the use of a Change Control Committee involving members of all of the aforementioned disciplines. This committee is normally involved in evaluating change requests for corporate or control implications, authorization of those requests, ensuring that testing and documentation of the changes has been carried out, and finally, authorizing the implementation of the change into the live environment. All requests for amendments to production programs should be made in writing and include the business justification for the change requested. A full appraisal of the impacts, justification, and alternatives considered should be undertaken with more significant changes being subject to more stringent checks. If the change is of a major nature, a feasibility study may be required. Once changes are approved by the committee, the work may be undertaken by such resources as the committee approves (normally IT with some user involvement) and, once the programmer involved is satisfied that the amended software is working as intended, independent testing should take place with the user participation prior to implementation in the production environment. Users, IT staff, and auditors should all sign off on the change to ensure that their individual needs have been satisfied. It should be stressed that when the Information Systems auditor signs off on a change, this is an indication that audit’s control requirements have been met within the change system. It is not an indication of quality assurance of the system because this is the responsibility of both the users and IT management. All changes to systems, whether hardware, software, or both, should be fully documented with the effects of all maintenance changes so that subsequent work on the relative systems can be expedited. With all possible care being taken there is still a chance that a change to a system will result in a production system failure. As such, operations recoverability procedures should be in place in the event of a system failure in the new configuration. This would typically ch15_4768 1/8/07 198 3:09 PM Page 198 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE involve securing the condition of the system and data prior to the change being implemented so that an unsuccessful change can be appropriately backed-out. Within a mainframe environment it is common to separate the production and development versions of programs using completely segregated software libraries. Once implementation has been authorized, the change controller will normally copy the amended source code into the production library. For this to be effective, access to production libraries must be restricted to the change controller only. This access control is intended to prevent both accidental and malicious amendments to production software occurring without appropriate authorization. Updating software on personal computers and local area networks would appear more straightforward because they normally involve installation of purchased packages. Unfortunately, not all purchased packages function immediately as intended. In the smaller environment of personal computers it is common that backups are not taken prior to system changes and that the introduction of a new version of software or even new software altogether may result in significant damage to the production environment. Personal computers and local area networks also require careful control over changes made. The change control processes may be different to those surrounding mainframe computers; nevertheless appropriate change control procedures must be implemented. PROBLEM MANAGEMENT The changes thus controlled are known and planned changes. The procedures involve ensuring prior authorization for all changes, supervision of the change process, adequate testing of all changes, and user sign-off on all changes. Periodically things will go wrong with a system, which necessitates an urgent repair. Such changes are not known in advance and are commonly executed and permission sought retrospectively. Such changes are controlled using Problem Management. Problem Management’s objective is to control systems during emergency situations arising from unforeseen changes. Typically this will involve bypassing of normal control mechanisms and may require direct programmer ch15_4768 1/8/07 3:09 PM Page 199 Governance Techniques 199 access to live data. This must be controlled separately and must involve user authorization, even retrospectively. AUDITING CHANGE CONTROL From an audit perspective, the IS Auditor will seek assurance that change control procedures are in place and effective over changes to hardware, software, telecommunications, or anything that affects the processing environment. Sources of evidence for the auditor would include minutes of change control committee meetings, software movement reports, access control logs, and system failure records. OPERATIONAL REVIEWS Operational auditing involves first determining management’s objectives followed by establishing which management controls exist leading to Effectiveness, Efficiency, and Economy. The auditor must determine which key performance indicators are in use and their appropriateness as well as determining the achievement of control objectives. The term operational audit is commonly used to cover a variety of audit types. An operational audit may cover the evaluation of some or all of the following: ■ ■ ■ ■ Internal controls Compliance with laws, regulations, and company policies Reliability and integrity of financial and operating information Effective and efficient use of resources Operational auditors require standards against which current operations may be compared and evaluated. It is management’s responsibility to devise and use appropriate standards to evaluate operating activities, and operational auditors will usually start with criteria that have been established by management (performance standards) or by some oversight board or agency. In the absence of standards, the auditors may have to borrow from other sources or develop some type of criteria against which to ch15_4768 1/8/07 200 3:09 PM Page 200 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE compare performance. This is often a difficult task because frameworks such as COBIT may not have been implemented in a sufficiently detailed manner and auditors should get management’s reaction to the suitability of any criteria so developed. Reasonable criteria for evaluating performance are absolutely essential for successful operational auditing, because no evaluation of operations is possible without a standard for comparison. While subjectivity cannot be completely avoided, objective criteria, which are considered appropriate and reasonable by both the internal auditors and IT, are essential for continuing success. PERFORMANCE MEASUREMENT Performance measurement is a philosophy in which feedback is used to make ongoing adjustments to the course of the organization toward its vision. For example, the information derived from budgetary or client satisfaction measurements may provide the feedback used to assess the effectiveness of an organization from a variety of viewpoints. Using this feedback, it is possible to ensure continued excellence of programs and services in response to changes within both the internal and external environment. The process commences with the setting of business objectives and the development of strategies and plans to achieve these objectives within an overall control framework. This is followed by the development of appropriate performance measures to assess progress toward the objectives. Performance measurement systems provide the feedback information required to determine if executive management strategies have been effectively converted into operational decisions. Performance measurement provides a balanced, methodical attempt to assess the effectiveness of an organization’s operations from multiple vantage points—financial, client satisfaction, internal business, and innovation/learning. The Balanced Scorecard approach can give the auditor wellstructured measurement criteria if it has been appropriately implemented. The mechanics of performance measurement are complex and the development and deployment of the process may be painful. Typically many measures will be evaluated before a key set will ch15_4768 1/8/07 3:09 PM Page 201 Governance Techniques 201 emerge. Many choices will involve industry best practices measures so that a competitive benchmark can be established. Improving performance measurement involves the development of integrated performance measurement systems that are built around a strategic theme such as business strategy or value creation. They involve measuring those aspects of the IT structure that relate the activities of people and processes in the IT organization to the intended outcomes for the IT stakeholders. Integrated performance measurement systems are a significant improvement over prior evaluation structures but still do not eliminate some of the basic difficulties of performance measurement. IT can be a complex organization offering considerably more opportunities for measurement than management can effectively employ. The difficulties lie in reducing the required number of measures to a significant few. Managers generally understand how effective measurement provides key support in the pursuit of organizational goals when the consequences of performance results are communicated and understood. Within IT they tend to support the concept of performance measurement because their experience has shown it to be effective in helping to achieve success. Managers who use performance measurement on a regular basis understand the difficulties inherent in the process. Many measurement criteria form an imperfect definition of the underlying idea and can result in rewarding “bad” behavior and punishing “good” behavior. Most IT managers understand the shortcomings of measurement systems. They are fully aware that distortions may be introduced through cost and asset allocations. They recognize that there may be an inclination to measure the things that are easy to measure, and to avoid measures that are more difficult with the subsequent distortions this creates. ISO 9000 REVIEWS The International Organization for Standardization (ISO) is the specialized international agency for standardization, comprising the national standards bodies of 91 countries. ISO is made up of approximately 180 Technical Committees, with each Technical Committee ch15_4768 1/8/07 202 3:09 PM Page 202 INFORMATION SYSTEMS/INFORMATION TECHNOLOGY GOVERNANCE being responsible for one of many areas of specialization. In 1987, ISO published the original set of quality assurance standards commonly known as ISO 9000. The ISO Quality Management and Quality Assurance System Standards provide a set of requirements for quality assurance systems. Compliance with ISO 9000 standards indicates that a producer has a basic quality assurance system in place. Increasingly, customers expect organizations to have their quality systems reviewed and audited to one of the standards of the series. This involves having an accredited independent third party conduct an on-site audit of the company operations against the requirements of the appropriate standard. Reviewing against company implementation of ISO 9000 involves reviewing: ■ ■ The methodology, including the philosophy, guidelines, policies, responsibilities, time line, and deliverables The project/process, to ensure its compliance with the methodology and to identify reasons for any deviations An important role of such reviews is the establishment of quality objectives and reviewing of progress toward achieving the objectives and fulfilling the quality policy. IT quality objectives are established to improve performance and/or the quality system and thus fulfill the quality policy and other organizational goals and aspirations. This ties in closely to COBIT’s use of control objectives. Enacted in 1994, ISO 9001: 2000 Quality Management Systems replaces the older ISO 9000, 9001, 9002, and 9003. These standards apply within every organization and can be either service or product oriented depending upon the orientation of the organization. The standards themselves specify the quality levels desired and the organization is responsible for conducting a gap analysis in order to identify areas of noncompliance. This then facilitates the closure of these gaps in order to achieve compliance. At the organization’s discretion, an external review can be carried out in order to determine compliance and, if achieved, an ISO certificate is issued and the organization recorded in the ISO registry. This registration was then valid until the next audit. From an audit perspective, auditors are concerned with ensuring that the functions and processes of IT achieve their anticipated out- ch15_4768 1/8/07 3:09 PM Page 203 Governance Techniques 203 comes and that documented proof of this exists. Of critical importance to the auditor are specific clauses requiring full documentation of the quality procedures and processes, requiring competence on the part of personnel carrying out the work subject to quality assurance, and that acquisition of resources including hardware, software, and outsourced services meet stringent quality requirements. ch15_4768 1/8/07 3:09 PM Page 204 ch16_4768 1/8/07 3:10 PM Page 205 PART III Systems and Infrastructure Lifecycle Management 205 ch16_4768 1/8/07 3:10 PM Page 206 ch16_4768 1/8/07 3:10 PM Page 207 CHAPTER 16 Information Systems Planning his chapter covers the Information Systems (IS) planning and managing components and includes developing an understanding of stakeholders and their requirements together with IS planning methods such as system investigation, process integration/re-engineering opportunities, risk evaluation, cost-benefit analysis, risk assessment, object-oriented systems analysis, and design. Enterprise resource planning (ERP) software to facilitate enterprise applications integration is reviewed. For most organizations, information resources are managed through the information technology (IT) department with three primary areas of responsibility, namely, operations, systems development, and technical support. These are not, however, the only stakeholders in the IT process. T STAKEHOLDERS Stakeholders are all of those individuals and organizations that have a direct or indirect connection to the Information Processing (IP) function of the organization. These include: ■ ■ Management. At all levels within the organization from general management to operational supervisors, management relies on the accuracy, completeness, and integrity of information processed through the computer systems. Customers. Customers wishing to do business with the organization require assurance that products and services provided will be of exceptional quality, timescales will be as promised, and that building and account information will be accurately rendered. At the same time they require assurance that goods and services will 207 ch16_4768 1/8/07 3:10 PM 208 ■ ■ ■ ■ ■ Page 208 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT be available when requested and that information held upon the customer will be kept confidential. Employees. Require assurance that the enterprise will continue to exist and function and for that the availability and integrity of information systems must be assured. They also must maintain confidence that information held upon the system about employees will be kept confidential. Organizational functions. Require assurance that the IS services will deliver the functionality required in order to ensure that they are able to achieve their operational objectives. Suppliers. Require assurance that the organization will continue to exist and will meet all debts. External audit. Require assurance that the organization will continue to exist and that the financial and operational information, drawn from the information systems, upon which they place reliance in forming their opinion as to the fairness of presentation of the financial affairs of the organization do, indeed, reflect the actual situation. Internal audit. Seek assurance that the controls function as intended in order that the organization may meet the strategic and operational goals. In order to meet the diverse needs of this universe of stakeholders, IT management must plan appropriately each of their functional areas and implement appropriate control mechanisms. OPERATIONS In a medium-sized to large organization the operations function is focused on the provision of IS services to the corporate or business unit. This includes the operation of all equipment associated with the computer systems including starting, stopping, and maintaining fully operating mainframe systems together with the peripherals as described in Chapter 1. Within the operations function a variety of roles exist including those of: ■ Operations management. Responsible for the computer operations personnel including all staff involved in the effective running of the information processing facility (IPF). ch16_4768 1/8/07 3:10 PM Page 209 Information Systems Planning ■ ■ ■ ■ ■ 209 Shift supervisors. Responsible for the overall supervision of a group of operators running the day-to-day operations of the IPF. Operators. Responsible for handling the day-to-day operations of the IPF including starting and ending of jobs, loading the appropriate data files, aligning special stationery in printers, taking backups as specified, and general housekeeping tasks. Control group. Responsible in some larger organizations for the collection, data conversion, and control of input together with the distribution of output to the appropriate users. Data librarian. Responsible for the control and safeguarding of all program and data files maintained upon computer media by the IPF. In a large organization this may be a full-time employee dedicated to this function. In some installations this function has been taken over to a large extent by automated library control software. Data entry. In most organizations today, data entry takes place within the user environment and under the control of user staff. There are, however, some organizations that have a requirement for high-volume data capturing of standardized inputs. In those organizations data entry typically falls under the control of the operations function. Where such central control exists the maintenance of the integrity of source documents from receipt to return to the appropriate user area is critical. SYSTEMS DEVELOPMENT With the advent of today’s development tools, job titles and role functionality within this area are multiplying exponentially. Nevertheless, it is still possible to differentiate among the functions carried out by individuals. The individuals associated with the development of computer systems include: ■ ■ Project leaders. Management specialists who control computer projects from planning, through assignment of tasks, through execution and monitoring, to final completion. Systems analysis. Business specialists who analyze information flow within the business environment in order to ensure that systems are designed based upon the business needs of the user. ch16_4768 1/8/07 3:10 PM Page 210 210 ■ ■ SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT System designers. Technical specialists who take the business requirements and interpret them into detailed designs with sufficient information to ensure that programmers can encode the system as envisaged by the analysts. Application programmers. Responsible for both the development of new computer programs as well as the maintenance of existing application systems. They encode the programs that will eventually run the application system as specified by the user and as designed by the designer. TECHNICAL SUPPORT In order to achieve a smooth flow of information within the organization, certain technical requirements must be met to facilitate the uninterrupted operation and integration of all system components. The maintenance of these technical requirements lies in the hands of the technical specialists. Their focus is on providing user assistance in the areas of hardware and software acquisition and data administration. In today’s complex IT world the degree of specialization is increasing but would typically contain: ■ ■ Systems programmers. Responsible for all maintenance on the system software, particularly the operating system. These individuals have ultimate power within an organization because the nature of the work requires unrestricted access to all facilities and structures to a technical level within the IT function. Because preventative controls cannot be used due to the nature of the systems programmers’ job, it is critical that, in any site, the number of individuals with this degree of power is limited and that the work carried out is monitored appropriately. Network management. Responsible for the communication infrastructure and its components including: ● Multiplexers. Permitting several telecommunications signals to be transmitted over a signal communications medium at the same time. ● Modems. Translating data from digital to analog (modulation) and translating from analog to digital (demodulation). ch16_4768 1/8/07 3:10 PM Page 211 Information Systems Planning Switches. Hardware devices allowing transmission devices and receiving devices to be connected. ● Routers. An internetworking switch operating at the OSI level 3, the network layer. ● Firewalls. A device installed at the point where networks connect into the site, which applies rules to control the type of network traffic flowing in and out. ● Gateways. A major relay station that receives, switches, relays, and transmits traffic converting from one protocol to another where necessary and operating at any OSI layer above OSI layer 3, the network layer. ● Proxies. Any facility that indirectly provides some service, for example, firewall proxies may provide access to Internet services on the other side of the firewall while controlling access to services in either direction. Network managers may also be responsible for administrative control over local area networks ensuring systems administration for hardware and software implementation is effective, and appropriate backups are taken. Security administration. Responsible for ensuring that users comply with the overall corporate security policy and that the controls designed and implemented effectively enforce adequate segregation of duties and prevention of unauthorized access to corporate assets. Quality assurance. Responsible for assisting in the design of quality standards for the IS area and ensuring that IS staff follow the quality procedures defined, and that software developed internally or purchased externally and installed locally meets user expectations and is free from significant errors. Database administrator. May be seen as part of the systems development team or as an independent technical specialist depending on the organization. The database administrator (DBA) defines the data structures used within the corporate database system, both physical and logical. The DBA’s role is to optimize the usage of and access to the database management system and includes: ● Controlling the physical and logical data definition ● Implementing database access controls, concurrency controls, and update controls ● Monitoring database usage in order to fine-tune performance ● ■ ■ ■ 211 ch16_4768 1/8/07 212 3:10 PM Page 212 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT ● ● Defining and controlling backup and recovery procedures Selecting and installing database tuning tools and utilities Like the systems programmer, the DBA, in order to carry out his or her duties, has full and unrestricted access to all live data and data structures. As such the performance of the DBA’s duties cannot be restricted by preventative controls and must be controlled by segregation of duties if possible and by supervisory review over activities and the use of the powerful database utilities. OTHER SYSTEM USERS In addition to these users, other individuals will have access to the computer systems, including end-users for whom the application systems were designed but who may also add their own user-written applications; and the help desk, who may either utilize in-house developed help desk software or who may use a propriety package and who frequently have administrative rights over user access. SEGREGATION OF DUTIES Staff members within IT have a great deal of power and authority within the computing environment. This creates the possibility that a single person could be responsible for incompatible functions such that errors, fraud, or sabotage could take place undetected. Due to the variety of job titles this may not be immediately obvious to the auditor but nevertheless segregation of duties must be enforced whenever possible. The more powerful user authorities such as the systems programmer, network controller, or DBA should be available only to a restricted number of staff. For backup purposes, a single employee having such rights is too few but several are too many. An incompatible duties matrix should be drawn up for each installation showing the individual job functionalities and where these are incompatible depending upon the nature of the organization and its IT function. As overall fundamentals, the auditor should seek ch16_4768 1/8/07 3:10 PM Page 213 Information Systems Planning 213 to ensure that, where possible, access to live information including data and programs is restricted on a “need-to-have” basis. Where there is a genuine need, preventative controls cannot be used and therefore supervisory review is essential. Areas where the auditor should seek assurance that incompatible duties do not exist include: ■ ■ ■ Access to data. Based upon organizational policy, access should be granted on a basis of least privilege. No user should have more authority than required to carry out their duties. Where additional authority is granted on a temporary basis, controls must exist to ensure that the authority is removed at the end of the temporary period. Control over assets. Based upon the organizational requirements, individuals with control over assets should not have access to manipulate records nor the authority to perform reconciliations. In today’s environment it must be remembered that information itself is a corporate asset. The amount of money owed to an organization is largely determined by what the computer records say is owed to the organization and the assets owned by the organization are determined by what the asset register says is owned by the organization Once again, where the organization is too small to enforce division of duties at an operational level, it cannot be enforced directly within the computer systems. Requiring two user IDs and passwords is of no benefit if it is the same individual who holds both. Under these circumstances it is more effective to use supervisory review, even after the event. Authorization levels. Come in various forms. Management is required to authorize user access to information and functionality within the Information Systems. In many cases there is no scrutiny of the access rights that management is authorized to grant and anything will be accepted as long as it comes in on the correct form with a signature that could be the manager’s. At the transactional level authorization is normally seen as a user function granted to a more senior staff member with the knowledge, experience, and authority to authorize specific transactions. Once again, a common failing is the granting of such rights to individuals with insufficient experience who then authorize transactions that should not have been authorized. ch16_4768 1/8/07 3:10 PM 214 Page 214 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT PERSONNEL PRACTICES In a typical IT organization, staff turnover can be a major issue in ensuring continuity of well-designed and processed systems. As such, the acquisition, training, retention, and eventual termination of staff are critical control points. In large organizations an internal IT personnel function may exist, but even in smaller installations care must be taken in management of these areas because they have a direct correlation with the quality of staff used and systems produced. In all cases employment practices must comply with the relevant federal, state, and local labor legislation. Acquisition Different organizations follow different policies in staff recruitment. Some organizations seek to recruit inexperienced staff so that they may train them themselves to their own standards. Others prefer to seek fully trained and experienced staff so that they may be productive in a minimal timescale. In recruiting staff the organization would normally seek to ensure that the new employee does, indeed, have the qualifications and experience claimed. It would also attempt to ensure that the new employee has no history that would make a person unsuitable for the position sought. In accomplishing this background checks would normally be carried out and references checked, qualifications confirmed, and, where required, aptitude tests may be carried out. A common mistake in recruitment is the bypassing of such controls in the case of temporary or contract staff. Temporary staff should undergo the same background checks as full-time permanent staff and contract staff, although covered legally by a contractual arrangement, may not be in a financial position to be held accountable should there be a breach of contract. Once a new staff member has been selected the normal employment practices of the organization should ensure that conflict of interest agreements and confidentiality agreements are entered into. Where an employee is executing critical or sensitive functions fidelity insurance or employee bonding may be used to reduce the impact of losses caused by errors or intent. ch16_4768 1/8/07 3:10 PM Page 215 Information Systems Planning 215 Following the guidelines laid down in virtually all corporate governance reports, most organizations have a published code of conduct specifying each individual employee’s responsibilities to the organization and the organization’s responsibilities to the employee. This may be in the form of employee handbook or an actual agreement that the employee is required to sign on appointment. Staff Training It is incumbent upon IT management to ensure that employees are capable of undertaking the tasks allocated to them. This will involve maintaining the skills register for each employee so that, as part of work planning, skills shortages may be identified and appropriate training scheduled. A common mistake is for the IT function to train their staff solely in information-processing skills. An understanding of the nature of the business undertaken by the organization is critical to successful achievement of IT and corporate strategic objectives. In order to avoid the dependency on a single individual cross-training can provide a backup skills level, although care should be taken to avoid incompatible duties being vested in one individual. Staff Retention Staff turnover can be a problem in many IT organizations because expensive skills are lost and new recruits will have to go through a learning curve. In light of this, management must make a determined effort to retain their staff and implement the appropriate controls to monitor competitive salaries, staff morale, and alternative employment opportunities for their staff. Once the appropriate staff has been obtained and trained IS management must turn their attention to the planning of the systems. OBJECT-ORIENTED SYSTEMS ANALYSIS Object-oriented systems analysis (OSA) is a technique that involves the study of a specific domain of interacting objects for the purpose ch16_4768 1/8/07 216 3:10 PM Page 216 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT of understanding and documenting their essential characteristics. Within an IT context, it is concerned with developing software engineering requirements and specifications expressed as a system’s object model composed of a population of interacting objects. This is in contrast to the traditional data or functional views of systems, which would involve techniques such as functional decomposition and structured analysis and design. Under OSA, an object is classed as any representation of a genuine entity or of an abstraction and OSA defines objects with data structures and behaviors together with events that trigger operations, or object behavior changes that change the state of objects. Numerous OSA techniques exist including ShlaerMellor, Jacobson, Coad-Yourdon, and Rumbaugh.1 Process-oriented analysis regards systems as being a network of interacting processes. By following this approach the analyst would focus on how the system might be designed rather than regarding the systems components and the inter-relationships. However, OSA organizes all knowledge about each system object so that information about a system object is easier to locate in object-oriented analysis than in other analysis methods. The techniques provide forms of abstraction including aggregation, generalization, and classification. As seen in Chapter 11, a method-driven approach consists of a fixed sequence of steps to follow, for example using the waterfall method or the spiral model. In practice, these steps cannot always be followed exactly. When problems occur in the development process adjustments may need to be made to the order of steps or the development processes. An OSA model is structured with the intention that reality is represented in the way systems are perceived instead of being constrained by some particular programming language or methodology. ENTERPRISE RESOURCE PLANNING ERP goes beyond OSA and is the term used to describe a broad range of business activities supported by modularized application software, which is intended to help an organization manage the important areas of its business. These areas can include product planning, materials purchasing, inventory control, servicing customers, tracking orders, and supplier interfacing as well as providing specific modules for the ch16_4768 1/8/07 3:10 PM Page 217 Information Systems Planning 217 normal financial and human resources aspects of a business. It integrates the information across functions and provides a common set of tools for the planning and monitoring of those functions and processes. Many suppliers offer an integrated suite of applications to meet the corporate needs and provide assistance in the implementation process. Used effectively they integrate all facets of the business, including planning, manufacturing, sales, and marketing. Used ineffectively they can jeopardize the survival of the complete organization. As such, any organization seeking to implement such a solution needs to be absolutely clear as to the reasoning, objective, and measurement criteria for the implementation, and audit’s involvement at the planning stage is critical. ENDNOTE 1. Claude Baudoin and Glenn Hollowell. Realizing the ObjectOriented Lifecycle, Upper Saddle River, NJ: Prentice Hall, 1996. ch17_4768 1/8/07 3:11 PM Page 218 CHAPTER 17 Information Management and Usage his chapter covers the areas of information management and usage monitoring. Measurement criteria such as evaluating service level performance against service level agreements, quality of service, availability, response time, security and controls, processing integrity, and privacy are examined. The analysis, evaluation, and design information together with data and application architecture are evaluated as tools for the auditor T WHAT ARE ADVANCED SYSTEMS? Since computer systems first came into being in the early 1950s they have been used to perform common business applications, thus automating many routine, labor-intensive business systems. Because these early systems handled and processed normal business transactions, they were called Transaction Processing Systems (TPS). These systems, in their latest forms, still play a critical role in the organization and management of today’s enterprises. It was soon realized that the data stored within the computer system could be better utilized in helping management in decision making in their respective functional areas, thus creating the Management Information Systems (MIS) of the 1960s and 1970s. Such systems were characterized by the production of reports at a managerial level to assist managers in performing their duties. During the 1980s, improvements in technology resulted in systems that were considerably more powerful and considerably less expensive. Personal computers spread throughout organizations to handle a variety of tasks independently of the Information Systems (IS) department. At the same time, new systems are 218 ch17_4768 1/8/07 3:11 PM Page 219 Information Management and Usage 219 evolving to provide real-time assistance in solving complex managerial problems not handled by the traditional MIS. Such systems became known as Decision Support Systems (DSS). Certain systems will always be developed or enhanced in order to achieve compliance with legislative changes; however organizations today are seeking considerably higher returns for their investments in advanced systems. A modern variation on such integrated systems is the enterprise wide systems such as SAP and Oracle. These systems, when fully implemented, are used as an Enterprise Resource Planning (ERP) systems and come with their own organizational risks. Unlike its predecessors, such a system crosses departmental and organizational boundaries and this is not without “political” implications. While bringing undeniable benefits to some areas of the organization, others may see the implementation as involving a great deal of work on their part for little local benefit. This can, if not adequately addressed, develop into significant resistance to change from those who do not see immediate benefits to themselves. In order to achieve successful implementation, users at all levels within the organization who are affected by the new system need to have their expectations built as to the performance levels and benefits to be expected. This area is critical to the achievement of appropriate service level agreements and system quality expectations. The size and complexity of such projects ensures that, regardless of the management effort expended on pre-planning, problems will occur and resistance will be encountered. The best that can be achieved is to minimize anticipated problem areas and maximize organizational commitment by creating realistic expectations. Measuring the Deliverables When such systems development projects are embarked upon in the full knowledge of the potential problems, the organization does so in the expectation of significant and quantifiable benefits, to the organization. In order to fully achieve these benefits metrics must be produced to indicate the progress towards quantifiable and beneficial objectives. In many cases anticipated benefits are expressed in general terms with significant difficulties encountered in measuring their ch17_4768 1/8/07 220 3:11 PM Page 220 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT attainment. This is not surprising given the history of IT in improving efficiencies by automating manual processes. Under such circumstances quantification of benefits was relatively simple. Today’s modern complex systems are geared more towards enabling organizational effectiveness which can be considered a more difficult to measure. In order for IT to facilitate effectiveness, a clear understanding of the organizational value chain is required in order to optimize the business processes in that chain. Porter1 identified five activities within a typical value chain namely: ■ ■ ■ ■ ■ Inbound logistics Operations Outbound logistics Marketing and sales Service At each stage of the value chain, IT can enable the organization to differentiate the value provided to its clients from its competition. IT can assist in driving down costs in order to create a low-cost differentiation or can be used to reconfigure the value chain to create a value-added of differentiation. The implementation of ERP packages to implement value chain changes requires tailoring of the systems to achieve an appropriate combination of interventions in order to facilitate the achievement of the organization’s revised goals. Without a clear understanding of the goals in each of the five activities within the value chain for a specific organization, IT intervention can do more harm than good. By examining the relative criticality of each activity within the value chain, the value of specific IT interventions may be quantified resulting in a metric specifically designed to measure the effectiveness of a given intervention. Such metrics are normally designed to indicate to management where improvements in performance against set objectives are being achieved on a consistent basis or not, as the case may be. Since each organization’s objectives are different, their strategy to achieve their objectives will be unique and therefore both the interventions and the measurement metrics must also be unique. The normal financial measurement metrics such as return on investment ch17_4768 1/8/07 3:11 PM Page 221 Information Management and Usage 221 (ROI) are inappropriate given the pervasive effect such interventions have one organizational performance as a whole. By the same token, a pervasive effect should not be used as an excuse to avoid any form of measurement. Unless benefits can be quantified there can be no measurement of the cost of failing to achieve the benefits. The Balanced Scorecard2 previously discussed facilitates the measurement by monitoring for specific areas of activity linking intangible benefits to observable consequences. By dividing the organization into financial performance, customer relationships, operational excellence and the ability to learn (all observable consequences), the scorecard allows a monitoring of improvements in the value chain. SERVICE DELIVERY AND MANAGEMENT As integrated systems attempt to cater for the needs of all users, processes and corporate objectives, the complexity itself introduces unexpected outcomes, errors and an inability to achieve its desired objectives. In order for systems implemented to achieve the dramatic improvements in the achievement of organizational objectives, service delivery becomes critical to ensure that users’ expectations are met consistently and that problems encountered are addressed swiftly and effectively. This is not simply a question of speedy resolution of problems but the implementation of good business practices to ensure that predictable problems are, indeed, predicted and overcome prior to significantly impacting the user or system. Service management involves the provision and operation of services to the organization by IT. Of recent years integrated frameworks for the delivery and management of IT services to the customer had been developed, principally ISO 20000 and its forerunner BS 15000. Implementation of ISO 20000 is intended to produce significant advantages to the organization including the alignment of the services provided by Information Technology with a strategic objective of the organization. By creating a formal framework for measuring current service improvement projects, it is possible to benchmark against best practices across the industry. This is intended to lead to competitive gains through the promotion of cost-effective services delivered in a consistent manner. In achieving this, IT can undergo a paradigm shift from reactive processing to proactively driving. ch17_4768 1/8/07 222 3:11 PM Page 222 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT ISO 20000 comprises two parts. Part One is a theoretical base intended to facilitate the effective delivery of managed services to meet the requirements of both the organization and specific customers. It comprises ten sections namely: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Scope Terms & Definitions Planning and Implementing Service Management Requirements for a Management System Planning & Implementing New or Changed Services Service Delivery Process Relationship Processes Control Processes Resolution Processes Release Process Part Two of ISO 20000 describes the best practices for service management and stands as a “code of practice” for the implementation of affective service management. Both parts of the standard may be obtained from http://20000 .standardsdirect.org/ Auditing Service Delivery and Management From an audit in perspective, IT service delivery can be seen as an operational audit within the areas of configuration and change management, capacity management, service level agreement management, business continuity management and incident management. In each of these areas the auditor must clearly understand the objectives sought by the organization and the measurement criteria applied by management in order to judge the accomplishment of those objectives on an ongoing basis. Configuration and Change Management As we approached the year 2000 many organizations spend large amounts of money in creating an inventory of assets specifically uti- ch17_4768 1/8/07 3:11 PM Page 223 Information Management and Usage 223 lized to provide IT services to the organization. This was done in order to determine that all components were fully Y2K compliant. Since that time, however, many organizations have allowed this inventory to fall by the wayside. This resulted in many organizations losing track of what assets they own, where they are and who is accepting responsibility for them. Configuration management involves the maintaining of a detailed inventory of the resources within the organization used in the provision of IT services. This goes beyond the traditional asset register since it must address hardware, software, networking and knowledge. It must also include information regarding the existence, location, state of maintenance, problems encountered and resolution action taken for each of the resources. The IT auditor must evaluate the process by which configuration management is carried out in order to achieve a corporate objective. In the absence of an effective change management process, an “insignificant” change in an operating environment such as the implementation of a new service pack and can cause disruption or even failure within a critical operational area. Change management ensures that all changes to all critical resources are implemented in a planned and authorized manner. The auditor must ensure that, in addition to ensuring appropriate authorization of such changes, appropriate planning, testing, and implementation and, in case of a change failure, the development of a fallback plan take place. Capacity Management Every individual resource contributing towards the provision of IT services will have a limited capacity. This includes human resources as well as technical resources. Effective Information Systems assisting in the growth of the business inevitably increase the workload on all resources. Effective service management requires effective capacity management whereby the capacity of each individual component is known, monitored and the load balanced in order to achieve optimal performance. Once again, the auditor will seek to determine that appropriate process exists to monitor resource utilization and to plan for the increasing capacity inevitably required. ch17_4768 1/8/07 3:11 PM Page 224 224 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT Service Level Agreement Management Service level agreements (SLA) are written commitments that the IT function will deliver a level of service acceptable to the user and are normally defined in terms of response time, uptime, hardware and software error rates and problem resolution time. It is common for IT to utilize software solutions to record incidents and the resolution and the auditor must determine whether SLAs exist, are adequately monitored, provided meaningful management information and are used by management to improve service delivery. Business Continuity Management This area is fully discussed elsewhere within this book. The auditor would typically seek to determine that business continuity management is carried out, has been assigned to a knowledgeable person with appropriate authorities, is tested regularly and works. Incident Management Incident management involves the recording of all incidents as they happen including the quantification of the impact on the business (users impacted, customers affected, impact on corporate image, impact on revenues and cash flow). In addition the process also seeks to determine the actual cause and appropriate resolution of the problem. The auditor must determine that an appropriate and effective incident management process has been implemented within the organization and is monitored appropriately by management. Auditing Information Management and Usage Much of the evidence the auditor will seek in auditing the usage and management of information will exist in clerical records, procedures and people’s minds. As such the traditional audit techniques will ch17_4768 1/8/07 3:11 PM Page 225 Information Management and Usage 225 come into play in order to obtain such evidence. In addition, however, much of the evidence regarding the effectiveness of management’s controls in this area will reside within the computer and, as such, will require the appropriate tools and techniques to extract the evidence in a form usable by the auditor. COMPUTER ASSISTED AUDIT TOOLS AND TECHNIQUES CAATs used will include Test Data Generators for testing all or selected parts of the systems, and Flowcharting Packages to document data flows and controls. Certain of the more sophisticated systems may require the use of specialized audit software to carry out tasks that are unique to the audit of those systems and that, due to the nature of the systems, file structures, and so on could not effectively be carried out by generalized audit software. Generalized audit software is standard software produced for auditors to permit non-programmers to carry out a variety of normal audit procedures on a variety of systems. They are designed to be as flexible as possible while remaining as user-friendly as possible. Utility programs are those standard software products that handle everyday facilities such as sort, copy, print, backup, restore, and so on. They can be invaluable audit tools in a complicated systems environment. Non audit-specific software includes those programs that were never designed as audit tools but may easily be utilized by auditors. They include report writers and general interrogation packages. In addition to these tools, the auditor has available automated tools to assist in the areas of risk analysis and audit planning. Automated working papers are possible using certain software packages and, in an extensive audit of a complicated and integrated system, such a tool may be invaluable. These tools and techniques are covered in more detail in Chapter 23. ENDNOTES 1. M. E. Porter, “What is Strategy?,” Harvard Business Review, vol. 74, no. 6, 1996. ch17_4768 1/8/07 226 3:11 PM Page 226 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT 2. W. Van Grembergen, R. Saull, S. De Haes; “Linking the IT Balanced Scorecard to the Business Objectives at a Major Canadian Financial Group,” Journal of Information Technology Cases and Applications, 2003. ch18_4768 1/8/07 3:12 PM Page 227 CHAPTER 18 Development, Acquisition, and Maintenance of Information Systems his chapter investigates the development, acquisition, and maintenance of Information Systems (IS) through IS project management involving the planning, organization, human resource deployment, project control, monitoring, and execution of the project plan. The traditional methods for the system development life cycle (SDLC) (analysis, evaluation, and design of an entity’s SDLC phases and tasks) are examined as are alternative approaches for system development such as the use of software packages, prototyping, business process reengineering, or computer aided software engineering (CASE). In addition, system maintenance and change control procedures for system changes together with tools to assess risk and control issues and to aid the analysis and evaluation of project characteristics and risks are discussed. T PROGRAMMING COMPUTERS Computers are electronic adding machines that are told what to do and how to add up by pre-defined instructions called programs. Commercial computers are programmed in binary (base 2) mode, which consists of 1s and 0s as shown below. In the early days of computers, programmers coded each instruction as a combination of 1s and 0s and entered these directly into the computers. It took about six months to write a fairly basic program. This was the first-generation language. 227 ch18_4768 1/8/07 3:12 PM 228 Page 228 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT 0110 1001 1110 0101 1101 1110 1011 1010 0001 0101 0101 0011 This was obviously slow and expensive and a better way to program had to be found. Early attempts used Symbolic Code. In these cases, programmers wrote in a cryptic code such as the following one. The use of such codes (Easycoder, Atlas Autocode, NEAT, Assembler, etc.) speeded up systems development considerably and a simple program could now be written in two weeks. These were the secondgeneration languages and many are still in use because of the efficiency of the programs produced by such a language. PACK L MVC RATE,RATE1 HRS,HRS1 REG,4 Attempts were made to make programming into a more programmer-friendly science by introducing languages that were more meaningful to a casual reader. This resulted in two separate streams of programming language coming into being, the scientific languages such as FORTRAN (FORmula TRANslator) and ALGOL (ALGOrithmic Language), and the business languages such as BASIC (Beginners All-purpose Symbolic Instruction Code), CLEO (Clear Language for Expressing Orders), and COBOL (COmmon Business-Oriented Language). These were third-generation languages. FORTRAN PAY: REGPA=RATE*HOURS CALL TXCAL DED=WITTX+UIF+INS+PENS COBOL NET-PAY-CALC-ROUTINE. MULTIPLY RATE BY HOURS-WORKED GIVING NORMAL-PAY Fourth-generation languages such as Natural or ADS-On-Line do not follow the “first do that then do this” approach of the previous generations. These “non-procedural” languages attempt to focus on the question “what do you actually want the computer to do?” ch18_4768 1/8/07 3:12 PM Page 229 Development, Acquisition, and Maintenance of Information Systems 229 Periodically someone claims to have invented a fifth-generation language (LINC, etc.) and there are claims that, in the future, microchips will be so specialized that no languages will be required. Examples are cited that you do not have to be a programmer to drive a car whose engine is fully computer controlled. Artificial intelligence or expert systems also drive this belief. PROGRAM CONVERSIONS Although today’s programming languages are more sophisticated than early versions the computers themselves still operate in binary mode and somehow the programming language of choice must be converted to the 1s and 0s. This gives rise to two types of code. The source code the programmer writes and the executable object code the computer runs. This conversion is achieved by means of Compilers, Assemblers, and Interpreters. Compilers are programs that take third-generation source code and create a permanent copy in binary form. Assemblers handle second-generation languages in the same manner. Interpreters behave in a different manner. They take third-generation source code and create an executable copy but they do not create a permanent version of the object code and they perform their function line-by-line. From a control perspective, this split between source and object codes is critical because any person with access to the source code can change a program to make the computer do whatever they want. A system that is written using interpretive code is thus highly susceptible to alteration and fraud. Programs are written by computer programmers, end-users, systems designers, operators, auditors, and anybody else who feels like writing programs. This anarchy can rapidly lead to systems chaos if not properly controlled. Only authorized programmers and end-users should be permitted to write programs. SYSTEM FAILURES It is an unfortunate fact that computer systems do fail from time to time. The distance between these times or mean time between failures ch18_4768 1/8/07 230 3:12 PM Page 230 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT is, to a large extent, governed by events that took place during systems development. The most common of these problematic events are: ■ ■ ■ ■ ■ ■ Poor support from top management. Top management, even today, is content in many cases to leave the development of new and strategic systems to computer staff rather than being actively involved. This means that, commonly, IT staff develop systems with no management oversight and the systems become the IT staff’s interpretation of what they believe management should be looking for. This interpretation is not always accurate. Poor staff attitude. Taking their lead from top management, the users whose system it is from inception will also sit back in many cases and leave the details to the IT staff. An attitude of nonownership of the development process becomes prevalent. Unclear business objectives. In many systems, the development was triggered by a senior manager deciding “wouldn’t it be a good idea if we had a system that would . . .” The system is then developed to meet the requirements of a single manager rather that the needs of the organization. Management and users unsure of their needs. It is a common occurrence that, when asked to express their needs for IT support, management and users are unable to clearly articulate what they require. Auditors find the same problem in asking managers to explain how control is achieved. Think how difficult it would be to explain to someone exactly how you breathe. You have done it all your life, but would find it difficult to explain. It is part of the job of the IT staff to uncover the users’ business needs and translate these into potential computer support areas. IT personnel unfamiliar with user needs. In many cases the IT staff assigned to a given project have no fundamental understanding of the actual business process to be computerized. Once again this leads to misinterpretation of users’ wants and needs. Additional user requirements not previously specified. A common complaint of users is that “the system can’t do . . .” while the IT response is “you never told me you wanted to . . .” One of the most difficult areas of systems analysis is ensuring that your understanding is fully comprehensive and that all requirements are known. ch18_4768 1/8/07 3:12 PM Page 231 Development, Acquisition, and Maintenance of Information Systems ■ ■ ■ ■ ■ ■ ■ 231 Changes in user requirements. Many systems are developed over a number of years. During that time the business needs of the final user will change due to a changing business environment, new technology requirements, and changes in managerial personnel and style. Systems must be developed with as much flexibility as possible both during development and in the final product. Organizational changes during the project. Given the life of many IT projects, it would be unusual for a project to reach completion without staff changes. At either the IT or user end, loss of a key member of the development team can create havoc and seriously jeopardize the project’s viability. Failure to understand interrelationships between parts of the organization. In today’s environment, most systems implemented are designed to be integrated systems treating the business needs of a disparate group of corporate functions. In many cases management, even at the director level, are so specialized that they have no in-depth understanding of how other areas of the business function. As a result many integrated systems do not adequately map onto the business functionality required. Over-optimistic file conversions. Acquiring data and converting from previous systems is a critical task and should be treated as such. This does not happen overnight and of its own accord. It must be planned for and appropriate resources committed. Poor quality input for file conversions. In many cases the source of the data to be converted for the new system is suspect and such data must be “sanitized” or cleaned up prior to systems implementation. Poor documentation. Many systems development projects work on the basis that the documentation will be completed at the end of the project after the new system has stabilized. This is a source of two distinct forms of problem. First, the time when documentation is most needed is at the design and coding stage to ensure the final system is what was intended. Second, completion of documentation at the end results in rushed and scanty documentation, and occasionally no documentation because project time has run out. Inadequate system and program testing. Testing of systems is a complex business involving programmers, systems analysts, users, and internal auditors. The first three must satisfy themselves that ch18_4768 1/8/07 232 3:12 PM Page 232 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT the system performs as desired in that it does everything it is supposed to and conversely does NOT do the things it is not supposed to. The auditor’s role is to satisfy himself that the testing has, in fact, been done and been done to acceptable standards. SYSTEMS DEVELOPMENT EXPOSURES Failures of control during systems development can lead to a variety of business problems including: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Erroneous management decisions Unacceptable accounting policies Inaccurate record keeping Business interruption Built-in fraud Violation of legal statutes Excessive operating cost Inflexibility Overrun budgets Unfulfilled objectives These may prove to be minor annoyances or major business catastrophes to the business depending on the organization and the system concerned. The primary causes of development exposures may be summarized as: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Incomplete economic evaluation Management abdication Inadequate specifications Systems design errors Incompetent personnel Technical self-gratification Poor communications No project “kill” points Temptations to computer abuse Incoherent direction ch18_4768 1/8/07 3:12 PM Page 233 Development, Acquisition, and Maintenance of Information Systems 233 SYSTEMS DEVELOPMENT CONTROLS In order to achieve controlled systems, the development process must itself be controlled. Major controls in this area are: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Methodology (SDLC) Staff hiring policies Training Technical review and approval Management review and approval Audit participation Systems test phase Post-implementation review Checklists Documentation Project management controls to assist the process involve periodic schedule reviews, work assignment, performance monitoring, progress monitoring, and status reporting and follow-up. In other words, an IT project is managed no differently than any other long-term, highcost engineering project. The project planning elements would include appropriate project guidelines, work breakdowns complete with start and completion dates, and an effective monitoring mechanism to measure against agreed schedules. SYSTEMS DEVELOPMENT LIFE CYCLE CONTROL: CONTROL OBJECTIVES Control objectives for each stage of the SDLC would typically include: ■ ■ Methodology ● Formalized, structured methodology will be followed ● Roles and responsibilities will be clearly laid out and adhered to ● Methodology will be kept up-to-date and in step with current developments Project Initiation ch18_4768 1/8/07 234 ■ Page 234 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT Each new project will be clearly scoped prior to commencement of work ● The user department will be involved in the definition and authorization of new or modified systems ● Team assignments will result in the use of appropriately skilled and qualified staff ● Commencement of each phase will be preceded by the appropriate authorization Feasibility Study ● Alternative courses of action will be evaluated in order that an appropriate solution be selected ● Technological feasibility of the recommended solution will be assured ● All relevant costs will be included in the cost/benefit analysis ● All relevant risks will have been identified and quantified ● Project approval will be given by the appropriate management based on knowledge ● Project will be capable of being monitored through its existence Systems Design ● Design methodology is appropriate to the proposed system: ■ Life cycle ■ Structured ■ Database ■ Skeletal ■ Prototype ● Documentation will be created to standard ● Input validation requirements will be appropriate ● File structures will be as per departmental standards ● All requisite processing steps will be identified and designed into the system ● All programs will be fully specified as per departmental standards ● All sources of data required for the system will be identified and approved ● Security requirements of the system will be fully defined and approved ● Audit trails will be appropriate and approved ● Documentation of the system design will adhere to departmental standards ● ■ 3:12 PM ch18_4768 1/8/07 3:12 PM Page 235 Development, Acquisition, and Maintenance of Information Systems 235 Overall design shall include the design of appropriate testing and verification plans ● Design approval will be obtained from the appropriate levels of management Development and Implementation ● Written narratives of all programs in the system will be available and up-to-date ● Commercial packages selected will be compatible with existing operations and departmental policies ● Use of contracted programming staff will be approved and the quality of their work will be contracted for ● Operational documentation will be produced according to departmental standards ● Training plans will be produced for all users of the system ● Program testing will be comprehensive and effective ● System testing will test both for functional capability as well as operational efficiency ● Conversion planning will ensure smooth conversion to the new system ● Acceptance testing will be comprehensive and carried out by the appropriate staff System Operations ● All organizational controls will operate as designed and intended ● Cost monitoring will ensure efficient operation of the system ● Modifications to the system will only be permitted via the departmentally authorized route ● ■ ■ MICRO-BASED SYSTEMS In-house developed micro-based systems should be subject to the same controls but often are not. They are frequently substituted for IS-developed systems and suffer the same SDLC problems but, in addition, they fall under nobody’s control, and may be developed by amateurs with no specifications, documentation, controls, cost/benefit analysis, and no backups. ch19_4768 1/8/07 3:13 PM Page 236 CHAPTER 19 Impact of Information Technology on the Business Processes and Solutions his chapter examines the impact of Information Technology (IT) on the business processes and solutions, business process outsourcing (BPO), and applications of e-business issues and trends. T IMPACT In recent years, IT has changed with the business world as well as the rules and conditions under which business is transacted. The introduction of concepts such as globalization, e-Commerce, Internet technology, and the rapid changes in global market demographics have made flexibility and reliability survival attributes of the corporation. External opportunities and threats, including economic, social, and cultural, may dramatically change the organization’s need for processing information in the future. Given that the basic tenet of strategy formulation is to take advantage of external opportunities while avoiding or reducing the impact of external threats, revisiting business processes in order to make best use of corporate information becomes a survival issue. Accordingly, auditors and accountants must be fully up to date on how technology impacts their business, their industry and related industries, the legal and regulatory environment, and their profession. The appropriate uses of IT impact management strategies as well as the roles and relationships within organizations, the skills, tools, and methods of implementing strategies, and the cost structures. These, in turn, invoke new rules for competitive advantage and 236 ch19_4768 1/8/07 3:13 PM Page 237 Impact of Information Technology on the Business Processes and Solutions 237 require new training and skills. The traditional view of separation of duties changes with the elimination of many of the control structures caused by computerization. New economies-of-scale are possible and price/performance ratios are changing dramatically. Such changes have introduced continuous control monitoring (CCM) and continuous auditing. CONTINUOUS MONITORING The concept of continuous monitoring and auditing has been known for many years with little progress being made on the implementation. With the arrival of Sarbanes-Oxley’s section 404, an imperative has arisen to be able to determine, on a timely basis, when control deficiencies have occurred. A need now exists to be able to quantify the impact of potential control deficiencies and gain assurance over the ongoing effectiveness of controls. Traditionally, transactional data analysis has been used to test internal controls for exceptions to control procedures. In a modern system, such analysis frequently occurs too late to be of any practical value. One solution is to independently test all transactions’ compliance with controls at the point at which they occur. This model requires the identification of the individual control points for each business process area using an appropriate control framework, the establishing of tests to validate specific controls in order to identify suspect transactions, execute the tests on an ongoing basis, and notify the appropriate personnel of any transactional failures so that both the individual transaction and the control problem can be rectified. This continuous monitoring model is intended to provide a method of determining the effectiveness of control structures in a timely manner in high-volume systems. At a more advanced level, transactions can be scanned to seek patterns of abnormalities in order to raise alerts with known abnormalities being updated in the same way as virus definitions. The value of continuously monitoring and auditing controls has been discussed and experimented with extensively over recent years but it is only now, with the advent of sophisticated computer models, that it is technically feasible and desired. It should be noted that continuous audits are viable only when there is a high degree of automa- ch19_4768 1/8/07 238 3:13 PM Page 238 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT tion of the business processes together with adequate staff training and acceptance by management of this revised approach to the traditional annual audit. BUSINESS PROCESS OUTSOURCING BPO involves the contracting of a specific business task, such as accounts payable or call center support, to a third-party service provider. In most cases BPO is tended to be a cost-saving measure for non-core tasks that an organization requires but does not depend upon. Using technology, it has become increasingly easy to contract to a third-party service provider outside of the organization’s own country (i.e., offshore outsourcing). There is a difference between BPO and the outsourcing of IT itself. BPO involves handing over a function that may be dependent upon IT but is a distinct business function separate from core IT operations. It becomes critical that an organization can recognize a core competency (a function that must be done well) and differentiate this from an activity that will not “make or break” the organization and which could be handled more efficiently or effectively by a third party. Companies frequently choose to outsource where there is a lack of inhouse strength or in order to streamline business processes. In smaller organizations many back-office functions may be outsourced so that limited management time may be devoted to the core business of the company. Larger organizations typically choose the outsourcing route in order to improve their efficiencies. Outsourcing of a specific business process may be a critical component within a larger business strategy such that process itself becomes re-engineered to more closely fit the organization’s requirements rather than simply changing who is performing the function. BPO should not be confused with “contracting out,” which involves the organization purchasing goods or services from another organization. In this scenario, the purchaser still controls the process by defining exactly what is required and how it should be supplied. An outsourced process transfers control of the process to a supplier such that the only thing specified by the purchaser of the service is the outcome desired. The purchaser of the service determines the scope and performance levels desired from the supplier of the service with ch19_4768 1/8/07 3:13 PM Page 239 Impact of Information Technology on the Business Processes and Solutions 239 predefined measurement criteria. If this is not done specifically and precisely, it can lead to the supplier providing a service that was not agreed upon and is less than the buyer understood would be provided for the price paid. In seeking a service provider, companies must decide whether they require a niche provider or a provider of general services. Outsourcing tends to be unaffected by fluctuations in economic performance. Cutting costs in times of poor economic performance or rapid expansion in times of good performance can both create a desire in organizations seeking alternatives to in-sourcing non-core operations. In all cases, poor governance of the process combined with poor communications can have a major negative impact on the organization leading to increase costs, inefficiencies and ultimately, business collapse. In addition, leakage of confidential information from the outsourced service provider may prove catastrophic without adequate safeguards. Outsourcing can lead to staff apprehension regarding job retention and resentment over job losses to friends. This, in turn, can lead to a decline in commitment and to possible reputational risks to the organization. E-BUSINESS E-business is a wide-ranging phenomenon utilizing the greater level of connectivity among organizations and people to create opportunities that did not previously exist. At its most basic, companies can make their products and services directly available to enormous, untapped markets. At a more advanced level, e-business incorporates the use of customer relationship management systems and enterprise systems to create a vehicle for radical reforms to business concepts. These opportunities are typically seen as covering business-tobusiness (B2B), business-to-consumer (B2C), or consumer-to-consumer (C2C). In addition, the opportunities for the integration of web-based technology into the supply chain of the core business processes abound. Alternatively, web-based technology can be used to achieve strategic change through direct interaction with the customer or through a distribution channel. Providers of such services may be ch19_4768 1/8/07 240 3:13 PM Page 240 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT existing organizations utilizing new technology to achieve a more effective delivery of existing goods and services, or new entrants to the market providing products and services that did not exist prior to the advent of the Internet. The third category is the creation of new business ideas involving the generation of a new set of services based upon analysis of perceived needs rather than delivery of hard products from a portfolio available to the organization. There are many potential opportunities within the implementation of e-business. The obvious one is a conversion to low-cost administration systems in order to streamline the workplace. Additionally, the advent of such technology facilitates the re-engineering of the core business process as of the organization leading potential improvements in cost structures, servicing of service requests, and turnaround of customer orders. Within a B2B environment electronic data interchange can be used to streamline procurements electronically and ultimately the creation of a virtual vertically integrated business for closer ties with suppliers and better supply chain management. E-marketing is a rich source of new customers reachable globally in a manner hitherto unimagined. In addition to the new customers, the potential to influence buyer behavior via electronic marketing by leveraging the information base of existing purchasing behavior is enormous. ch20_4768 1/8/07 3:15 PM Page 241 CHAPTER 20 Software Development his chapter looks at the software development design process and covers the separation of specification and implementation in programming, requirements specification methodologies, and technical process design. In addition, database creation and manipulation, principles of good screen and report design, and program language alignment are covered. T DEVELOPING A SYSTEM The process of developing a new computer system is commonly known as the Systems Development Life Cycle (SDLC) and consists of a finite and predefined number of tasks, which include: ■ ■ ■ ■ ■ ■ ■ ■ ■ Analyze Design Code Test Retest Redesign Retest Run Audit As seen in Chapter 11 the SDLC can come in a variety of forms including the waterfall, iterative spiral, or vee to name but three. Regardless of the model taken SDLC will split these tasks into: 241 ch20_4768 1/8/07 3:15 PM 242 ■ ■ ■ ■ ■ ■ ■ Page 242 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT Feasibility study to decide if the project is worthwhile Outline design, which involves analyzing and designing the new business system Detailed design, where computer programs are specified, file layouts designed, and access rules laid out Code, test, and implement, where programs are written, tested, and signed-off Conversion, which involves acquiring data and converting it into the new formats Installation and live running Post-implementation review to determine what went wrong with the SDLC process itself Feasibility Study Systems proposals come from a variety of sources and for a variety of reasons. They may come from the Board of Directors as a result of a business change. They may come from the government in the form of legislative changes. They may be intended to improve business effectiveness or efficiencies. They may come because technology itself has changed. They may be required as a response to competitive forces. In all cases, the feasibility of the change and cost-desirability of the change must be assessed. This requires that the outline systems design be known. This outline design expresses the business requirements of the proposed system in terms of user requirement specifications. Outline Design These user specifications identify: ■ ■ ■ ■ ■ ■ Business functionality required of the system Actions the user is to take Decision rules to apply Services required of Information Systems (IS) Methods and timescales for user/IS interaction Assignments of responsibility ch20_4768 1/8/07 3:15 PM Page 243 Software Development 243 Detailed Design Once the outline design has been agreed, the detailed design must be defined. This involves taking the business design and interpreting it into “computerese” by defining: ■ ■ ■ ■ File and record layouts Operational constraints Processing logic definitions Access rules Problems at the specification stage include: ■ ■ ■ ■ ■ Availability of user staff whereby the Information Technology (IT) section may be left in isolation to develop the system as they see fit. Access to the right level of staff. In many cases the user staff available are not of the right authority level or lack the required knowledge base to carry out the appropriate liaison. “Technology lust,” which results in a constant search for the latest technology regardless of whether it is genuinely required. Over-extended timescales with no measurement points in between. To allow effective project planning, timescales should be short with measurement milestones at frequent intervals. In addition, over-extended timescales can mean that key staff change in the meantime, business objectives change, costs will escalate, and hardware/software may become obsolete. Inexperienced staff can cause complications because many organizations staff-up for large-scale projects with staff who may be technically competent but have no understanding of the organization, its objectives, or standards. Acquiring, Testing, and Implementation Planning Once the system has been designed successfully, it must be implemented. This involves reviewing the scope and objectives to ensure they are still appropriate, reassessing the timescales/budgets/benefits ch20_4768 1/8/07 3:15 PM Page 244 244 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT based on the fuller understanding of the system now available, drawing up implementation timescales based upon the full detailed design, allocating responsibilities for the development of the various parts of the system, and conducting a pre-implementation review to ensure that problems encountered in the past do not recur. Implementation itself typically involves: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Programming Coding Prototyping Unit testing Test linking to other modules Documentation Installation User acceptance testing Parallel running User training File conversion Live running Some of these activities may be conducted simultaneously, but that, again, is a factor of the effectiveness of the project planning process. Conversion Activities Once the system has been developed and adequately tested, conversion from the previous manual/computer system must take place. This will typically involve: ■ ■ ■ ■ ■ Acquisition of data Identification of sources Development of conversion programs Sanitization of input data File conversion System conversion is a major task and requires that strict control be enforced. Poor conversion may jeopardize the whole project on a ch20_4768 1/8/07 3:15 PM Page 245 Software Development 245 “Rubbish in—rubbish out” basis. Audit involvement is essential. Care should be taken to ensure that audit’s role does not become one of IT quality assurance. The auditor’s role is to ensure that management has adequate controls to ensure that conversion was effective. While all this is going on, maintenance must continue on the current systems. Installation Once all of the previous stages have been completed, the new software must be migrated into the production environment and immediately fall under the organization’s normal access control procedures regarding live systems. Post-implementation Review The final stage of the SDLC is the post-implementation review. This is used to determine what went/is going wrong with the development process as well as what went/is going right. Its objective is not to determine flaws in the developed system but to refine the SDLC itself by identifying skill shortcomings and improving control techniques. From this point onward the system will be subject to ongoing maintenance for the normal business reasons such as design corrections and “bugs,” mandatory changes, enhancements as the business changes, or to accommodate technology changes. The SDLC is used to control the generation of programmed systems with the objective being to produce a quality system, as specified, on time, within budget. CHANGE CONTROL Once the system has been created, it is essential that it remain intact and impossible to change in an unauthorized or uncontrolled manner. The process of achieving this is called Change Control. Change ch20_4768 1/8/07 246 3:15 PM Page 246 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT Control’s objective is to ensure risk is controlled, not introduced, during a change. This means ensuring that: ■ ■ ■ ■ ■ All changes are authorized All authorized changes are made Only authorized changes are made All changes are as specified All changes are cost effective The changes thus controlled are known and planned changes. The procedures involve ensuring prior authorization for all changes, supervision of the change process, adequate testing of all changes, and user sign-off on all changes. Normal systems maintenance involves checking, changing, and enhancing the system to make it more useful in obtaining user and organizational goals. Major causes of program maintenance include: ■ ■ ■ ■ ■ New requests from users and managers Bugs or errors in the program Technical and hardware problems Corporate mergers and acquisitions Governmental regulations that require changes in the program In addition, many application systems are more than 15 years old, and some are as old as 25 years. Maintenance may take the form of a patch, a new release, or even a new version. The cost of maintenance can be staggering. For older programs, the total cost of maintenance can be up to five times greater than the original cost of development. The average programmer can spend between 50% and 75% of his or her time on maintaining existing programs as opposed to developing new ones. Periodically things will go wrong with a system that require a repair urgently. Such changes are not known in advance and are commonly executed and permission sought retrospectively. Such changes are controlled using Problem Management. Problem Management’s objective is to control systems during emergency situations arising from unforeseen changes. Typically this will involve the bypassing of normal control mechanisms and may require direct programmer ch20_4768 1/8/07 3:15 PM Page 247 Software Development 247 access to live data. This must be controlled separately and must involve user authorization, even retrospectively. WHY DO SYSTEMS FAIL? It is an unfortunate fact that computer systems do fail from time to time. The distance between these times or mean time between failures is, to a large extent, governed by events that took place during systems development. The most common of these problematic events are: ■ ■ ■ ■ ■ Poor support from top management. Top management, even today, is content in many cases to leave the development of new and strategic systems to computer staff rather than being actively involved. This means that, commonly, IT staff develop systems blind and the systems become the IT staff’s interpretation of what they believe management should be looking for. This interpretation is not always accurate. Poor staff attitude. Taking their lead from top management, the users whose system it is from inception, will also sit back in many cases and leave the detail to the IT staff. An attitude of nonownership of the development process becomes prevalent. Unclear business objectives. In many systems, the development was triggered by a senior manager deciding “wouldn’t it be a good idea if we had a system which would . . .” The system is then developed to meet the requirements of a single manager rather that the needs of the organization. Management and users unsure of their needs. It is a common occurrence that, when asked to express their needs for IT support, management and users are unable to clearly articulate what they require. Auditors find the same problem in asking managers to explain how control is achieved. Think how difficult it would be to explain to someone exactly how you breathe. You have done it all your life, but would find it difficult to explain it. It is part of the job of the IT staff to uncover the users’ business needs and translate these into potential computer support areas. IT personnel unfamiliar with user needs. In many cases the IT staff assigned to a given project have no fundamental understanding ch20_4768 1/8/07 248 ■ ■ ■ ■ ■ ■ ■ 3:15 PM Page 248 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT of the actual business process to be computerized. Once again this leads to misinterpretation of users’ wants and needs. Additional user requirements not previously specified. A common complaint of users is that “the system can’t do . . .” while the IT response is “you never told me you wanted to . . .” One of the most difficult areas of systems analysis in ensuring that your understanding is fully comprehensive and that all requirements are known. Changes in user requirements. Many systems are developed over a number of years. During that time the business needs of the final user will change due to a changing business environment, new technology requirements, and changes in managerial personnel and style. Systems must be developed with as much flexibility as possible both during development and in the final product. Organizational changes during the project. Given the life of many IT projects, it would be unusual for a project to reach completion without staff changes. At either the IT or user end, loss of a key member of the development team can create havoc and seriously jeopardize the project’s viability. Failure to understand interrelationships between parts of the organization. In today’s environment, most systems implemented are designed to be integrated systems treating the business needs of a disparate group of corporate functions. In many cases management, even at the director level, are so specialized that they have no in-depth understanding of how other areas of the business function. As a result many integrated systems do not adequately map onto the business functionality required. Over-optimistic file conversions. Acquiring data and converting from previous systems is a critical task and should be treated as such. This does not happen overnight and of its own accord. It must be planned for and appropriate resources committed. Poor quality input for file conversions. In many cases the source of the data to be converted for the new system is suspect and such data must be “sanitized” or cleaned up prior to systems implementation. Poor documentation. Many systems development projects work on the basis that the documentation will be completed at the end of the project after the new system has stabilized. This is a source ch20_4768 1/8/07 3:15 PM Page 249 Software Development ■ 249 of two distinct forms of problem. First, the time when documentation is most needed is at the design and coding stage to ensure the final system is what was intended. Second, completion of documentation at the end results in rushed and scanty documentation, and occasionally no documentation because project time has run out. Inadequate system and program testing. Testing of systems is a complex business involving programmers, systems analysts, users, and internal auditors. The first three must satisfy themselves that the system performs as desired in that it does everything it is supposed to and conversely does NOT do the things it is not supposed to. The auditor’s role is to satisfy himself that the testing has, in fact, been done and been done to acceptable standards. Appropriate controls to ensure the development process is an overall success have already been covered in Chapter 18. AUDITOR’S ROLE IN SOFTWARE DEVELOPMENT The auditor’s traditional role is to evaluate whether the controls within the project management are adequate to provide assurance that the system will be delivered as required and whether business control processes have been incorporated in the design of the new or amended system. The auditor’s objectives are thus twofold, namely to ensure that the controls over a substantial corporate investment in the development of systems will produce value-for-money and, at the same time, to ensure that systems developed meet the internal control requirements of the business. In achieving the latter, the auditor may undertake the role of being a part of the systems development process. This is frequently seen as a hindrance to auditor independence but should rather be regarded as the most appropriate person undertaking the role of internal control consultant. The individual auditor’s independence may be compromised, but another auditor, auditing independently, should find a system with well-designed controls incorporated. This means that during the development process, the auditor will typically be required to participate in the selected project management meetings in addition ch20_4768 1/8/07 250 3:15 PM Page 250 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT to risk assessment, systems design, development, and systems delivery meetings in order to provide ongoing, proactive control recommendations. An alternate role for the auditor is the review of end-stage deliverables throughout the development process without becoming a part of the process. In this role, the auditor will review each stage’s deliverables in order to ensure that what was planned from the previous stage has been accomplished and that the planning of the next stage has been refined appropriately. In either case, the auditor requires an in-depth understanding of both the overall IT development processes adopted and the business process being computerized. The audit will result in the production of formal audit reports to the appropriate business managers including an overall assessment of the controlled progress of the project as well as areas requiring improvement in order to complete the project, as specified, within budget and at an appropriate quality level. ch21_4768 1/8/07 3:14 PM Page 251 CHAPTER 21 Audit and Control of Purchased Packages his chapter looks at the audit and control of purchased packages to introduce those elements critical to the decision taken to make or buy software. This includes a knowledge of the systems development process and an understanding of the user’s role in training required so that the outsource decision on the factors surrounding it may be made to best effect. Application software may come from a variety of sources including external software suppliers as well as internal development, and in today’s environment as many as 60% of implemented systems are packages. At the conclusion of the system design stage, the organization possesses complete specifications for both the logical and physical design of the proposed information system and should have selected the business design that best meets the organization’s needs. The “make or buy” decision must now be made depending on a variety of criteria including time constraints, skills availability, costs, and support capabilities. Vendors of possible systems will be furnished with a request for proposal (RFP) detailing the functional and performance requirements of the business system so that an alternative may be costed and evaluated. Sometimes, during this stage, as proposals from vendors are solicited and evaluated, new information becomes available to the organization that modifies its criteria for system selection. In many cases, a standard package, combined with interface programs written to meet specific corporate needs, can be utilized at a significantly lower cost. Information Systems (IS) Audit should be involved in the process of any systems acquisition in order to provide advice and assistance T 251 ch21_4768 1/8/07 252 3:14 PM Page 252 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT in the control aspects of identification of systems and vendors. In order to facilitate this, it is critical that IS Audit be informed of all systems development projects at the initial stage of project proposal and that IS Audit then liaise with the appropriate project management to assure IS Audit’s involvement during each subsequent phase. INFORMATION SYSTEMS VENDORS Systems acquisition often requires purchasing, leasing, or renting computer resources from an IS vendor, which could include: ■ ■ ■ ■ ■ ■ ■ General computer manufacturers Small computer manufacturers Peripheral equipment manufacturers Computer dealers and distributors Leasing companies Time-sharing companies Software companies In general, software can be purchased as a package and tailored for the organization or developed specifically to meet the unique needs of the purchaser. Purchasing or leasing software from a software company or vendor, as opposed to developing it in-house, is an attractive alternative for many organizations and offers a number of advantages, including: ■ ■ ■ ■ ■ Lower costs Less risk High quality Less time Fewer resources needed It should not be imagined that acquisition of a packaged solution completely removes the need for corporate involvement in the process. Using an externally developed, purchased program involves more than just paying for the package. Certain acts are still needed and the following steps are suggested: ch21_4768 1/8/07 3:14 PM Page 253 Audit and Control of Purchased Packages Step 1. Review needs and requirements Step 2. Acquire software Step 3. Modify or customize software Step 4. Acquire software interfaces Step 5. User testing and acceptance Step 6. Maintenance and modifications 253 Care should be taken to ensure that the organization is not defining requirements for features that will never be used but that could significantly add to the costs and time schedule. Installation and tuning of the most standard packages take time and effort and should not be underestimated. By the same token future modifications will undoubtedly be required and the cost and ease of maintenance must be considered. The initial stage within that the systems acquisition is the issuing of a Request for Information (RFI). REQUEST FOR INFORMATION An RFI is normally issued at an early stage in the overall development process in order to gather information on the currently available products when the acquisition of an external package is being considered. Information about potential vendor products may already be available but, by using a formal RFI, data can be gathered not only on the product but on the overall desirability of doing business with this particular vendor. At this stage detailed analysis of the intended functional capabilities would not normally have been performed and may eventually include information drawn as a result of the RFI document. In order for a supplier to adequately complete an RFI, certain information must be provided: ■ An overview of the organization, the outline functionality desired, and the operational environment (hardware and systems software) currently in place. ch21_4768 1/8/07 254 ■ 3:14 PM Page 254 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT Existing application systems with which interfaces must be developed. Once responses have been received from potential suppliers, these must be reviewed against evaluation criteria predetermined for acceptance. This review would normally entail the project team and possibly the user’s representative. IS may be involved either in their own right or as the user’s representative. A danger in this approach is that the subsequent detailed requirements definition may be colored by the project team’s awareness of the functional capabilities of specific packages, which could potentially bias selection. Once the team is fully aware of purchase alternatives, the detailed Requirements Definition (RD) stage begins. REQUIREMENTS DEFINITION The detailed RD phase defines the functional requirements of the proposed system in sufficient detail to facilitate selection of the appropriate vendor package. User involvement at this stage is critical as is that of the IS Auditor. This document defines the business requirements of the proposed system together with the business controls to be effected within the new system. At this stage, technical specifications may or may not be included. Where there are known technical constraints it would be expected that these be detailed within the RD, particularly if there are predetermined hardware and/or software requirements. It should be noted that the adequacy and quality of the RD will have a major impact on the degree to which the packaged solution will meet the business requirements of the organization. Quality assurance of this document rests within the IS function and within the user area. Audit involvement at this stage is to ensure that both of these functional areas have completed their appropriate tasks prior to sign off. The user function must determine that the requirements definition accurately and completely reflects the functional requirements for the proposed system. IS must ensure that the requirements definition is feasible within the technical infrastructure in place or envisioned. Audit must always remember that any proposed system will, eventually, require to be audited and IS Audit may have its own func- ch21_4768 1/8/07 3:14 PM Page 255 Audit and Control of Purchased Packages 255 tional requirements to be included within the definition document. Once the requirements definition has been satisfactorily completed, a RFP document is drawn up. REQUEST FOR PROPOSAL Where one or more packages meet the requirements defined within the RD document, an RFP will be sent to the vendor to elicit bids for any or all of: delivery, tailoring, and implementation of the packaged solution. This document is based upon the RD document but should also include information on the user base to be supported by the system and a description of the operational environment within which the system will operate. Deadlines for submission and implementation schedules would also be laid out at this point together with the standard corporate terms and conditions relating to normal acquisition procedures. The access control and hardware/software constraints within which the selected package must operate will be detailed for proposed vendors as will the support requirements both during the installation process and from an ongoing support perspective. The supplier will be required to provide details on the nature and level of support provided together with associated costs including the level and experience of support staff to be assigned. The responsibility and costs of future upgrades can also be determined within this RFP because these can contribute a significant cost over the lifetime of the package. The manner in which upgrades are implemented (new releases, patches, or service packs) should also be specified in this stage. If maintenance of the proposed package remains the responsibility of the supplier, then information regarding the ongoing viability of the supplier company may also be requested. Such information would typically include the number of years the vendor has provided the services and software, client references, financial status, and size of the installed package base. Once supplier proposals have been received they must be evaluated against predetermined criteria in order for selection to take place. In selecting among package alternatives, the team must evaluate the vendor’s track record in completing or installing similar applications as well as the degree to which the package itself matches the business requirements. The financial stability of the vendor must be ch21_4768 1/8/07 3:14 PM 256 Page 256 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT determined and, if required, financial statements can be requested. Client lists can be used to determine the current level of satisfaction within the installed base of the vendor’s packaged solutions. Care should be taken not to simply contact reference sites selected by the supplier in order to present the best possible image. Where ongoing support post-implementation is to be provided, the proposal will be evaluated against criteria such as the degree of support available within the organization’s geographical area including numbers and expertise of support staff. Response times must be specified in the event of a problem identification and costs of ongoing support as well as new releases must be predetermined. It should be clearly understood by all concerned that, even at this stage, the decision to go ahead has not yet been taken and it may be determined from supplier proposals that the envisioned system is no longer desirable or feasible. IS Audit should ensure that a positive decision to go ahead or not is taken and that the system does not proceed by default. Once the decision to proceed has been made and the supplier selected, the contract is normally negotiated and completed. The terms and conditions of this contract are critical, particularly if the relationship was intended to be an ongoing one. Like any contract, it is drawn up in the honeymoon period where everyone intends and hopes that the relationship will prove mutually beneficial. Like any contract, it is needed most when relationships deteriorate and the terms and conditions become major matters of contention. INSTALLATION Once the contracts have been agreed and signed, the expectation is that the package will be delivered and the installation will happen as a matter of course. The reality is that the installation, even of a package solution, must be planned carefully in order to ensure a smooth implementation. The installation of packages frequently requires some programming of interfaces and customization of the package. As with any other programming this must follow the traditional life cycle including the appropriate analysis, design, programming, and testing phases. Data acquisition and conversion programs must also ch21_4768 1/8/07 3:14 PM Page 257 Audit and Control of Purchased Packages 257 be planned and, where necessary, data must be sanitized (cleaned-up) prior to conversion into the new system. SYSTEMS MAINTENANCE As previously stated, systems maintenance involves checking, changing, and enhancing the system to make it more useful in obtaining user and organization goals. Major causes of program maintenance include: ■ ■ ■ ■ ■ New requests from users and managers Bugs or errors in the program Technical and hardware problems Corporate mergers and acquisitions Governmental regulations that require changes in the program In addition, many application packages are more than 15 years old, and some are as old as 25 years. Maintenance may take the form of a patch, a new release, or even a new version. The cost of maintenance can be staggering. For older programs, the total cost of maintenance can be up to five times greater than the original cost of development. The average programmer can spend between 50% and 75% of his or her time on maintaining existing programs as opposed to developing new ones. SYSTEMS MAINTENANCE REVIEW Systems maintenance review is the process of analyzing existing systems to ensure they are operating as intended and may be event or time driven. Factors to be considered in conducting systems reviews include: ■ ■ ■ ■ Response time Training Reliability Mission ch21_4768 1/8/07 3:14 PM 258 ■ ■ ■ ■ ■ ■ ■ ■ Page 258 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT Goals and objectives Procedures Communications Hardware and software IS personnel IS budgets Efficiency Documentation Such reviews involve critical evaluation of all systems components. This would include not only the software but also any databases, telecommunications, personnel, and procedures. OUTSOURCING Instead of having its IS employees complete systems implementation, an organization can choose to outsource this activity. That is, the organization can hire outside companies to do some or all of the implementation work in the same manner as any other outsourcing of a business process (see Chapter 19). ch22_4768 1/8/07 3:16 PM Page 259 CHAPTER 22 Audit Role in Feasibility Studies and Conversions his chapter looks at the auditor’s role in feasibility studies and conversions. These are perhaps the most critical areas of systems implementation and audit involvement should be compulsory. In considering the auditor’s role in feasibility studies and conversions, we must consider where they fall in the Systems Development Life Cycle (SDLC). The typical SDLC comprises: T ■ ■ ■ ■ ■ ■ ■ ■ Problem definition and feasibility study Analysis and design Language selection Coding Testing and debugging Documentation Conversion Implementation FEASIBILITY SUCCESS FACTORS As previously noted, acquisition of information systems involves first, definition of a computer strategy including the evaluate of the organizational requirements. Second, establishment of the requirements including a thorough examination and evaluation of potential alternative courses of action. Third, the precise specification of the requirements including interfacing all future systems with existing hardware and software constraints, conditions of supply, and future modification. Fourth, evaluation of alternative sources of supply, and finally, the acquisition and installation of the systems. The second stage is typically carried out via a feasibility study. 259 ch22_4768 1/8/07 260 3:16 PM Page 260 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT Factors to be considered in audit involvement in feasibility studies are those surrounding the probability of a successful outcome. These usually focus on the overall desirability of a system from a corporate perspective, as well as the likelihood of successful implementation. Where the system is to be developed in-house as an option, the skills required to develop it must be considered and in any event the skill levels required to run the system will be an obvious factor. Both the cost of development/acquisition of the systems and the cost of eventual running must be considered. If the degree of integration with existing systems and with existing hardware is low, there may be a requirement for special bridges into these systems. This commonly means that significant parts of the systems being replaced end up being retained indefinitely, and much of the cost advantage is lost. It is part of the auditor’s role to ensure that such hidden costs have been considered and that the critical success factors have been correctly identified. In order to ensure that internal controls over the process are both efficient and effective, the auditor must determine that an effective structure exists to ensure that a proper analysis of the IS requirements can be made and that the acquisition or development procedures can be effective in ensuring the selection and acquisition of appropriate hardware and software. The auditor must determine that the appropriate evaluation criteria have been established in advance of the feasibility decision and the feasibility process has proceeded in an unbiased manner in order to ensure that the IS requirements of the organization are met in the most efficient and effective way. The feasibility study must cover points such as a clear statement of the business and information processing requirements that the new or amended system is intended to cover. In addition, the integration of the new or amended system into the existing information technology (IT) architecture must be spelled out in order to maximize the probability of success of the developed or acquired system. Where system alternatives have been considered, the feasibility study must demonstrate the strengths and weaknesses of each alternative considered so that the final decision to proceed or not to proceed can be clearly understood. Where an in-house developed solution is decided upon, the feasibility study may be incorporated into the overall systems definition document but should nevertheless include sections on: ch22_4768 1/8/07 3:16 PM Page 261 Audit Role in Feasibility Studies and Conversions ■ ■ ■ ■ ■ ■ ■ 261 Overview of the proposed system in business functionality terms Technological alternatives considered together with the costbenefit analysis of each Analysis of the alternative courses of actions compared to the selection criteria Analysis of the costs and benefits associated with each alternative Operational, security, and control risks associated with each alternative together with the control structures considered for risk minimization of each Availability of resources internally and externally to carry out the appropriate development or implementation SDLC methodology to be applied under each alternative including the monitoring mechanisms to ensure systems delivery on time and within budget At this stage the auditor must determine that the detailed requirements of the user area have been properly identified and agreed and the costs and benefit estimates used in the feasibility study are reasonable and have been derived from the appropriate sources. Time, resource, and cost budgets must be complete and structured in detail so that ongoing monitoring and project control can be effected. The auditor should be alert for information that may be incomplete or inaccurate in selecting among alternatives or, indeed, for selected alternatives that are not supported by the information provided. Where inadequate details have been included regarding the planning, control, and project management of the system, the auditor must draw this to management’s attention. While it is not the role of the auditor, at this stage, to evaluate IS skills availability, nevertheless it is part of the role of the auditor to ensure that such an evaluation has taken place in order to ensure the required skills are available both from a technical and business perspective to ensure a successful implementation of the project as well as the ongoing maintainability of the future system. As can be seen, the feasibility study document is a critical part of the development process in order to ensure a high probability of successful implementation. Insufficient attention paid to this stage can result in the development or acquisition of expensive, inappropriate systems that do not fully address the IS requirements of the organization. At this stage little expenditure has been made but a wrong ch22_4768 1/8/07 262 3:16 PM Page 262 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT decision here can lead to many millions being invested to little effect as well as the loss of significant amounts of time in gaining strategic advantages. Too many feasibility studies are conducted as a matter of course although the go-ahead decision has already been made and the feasibility study is simply intended to support this decision whether or not there are clear benefits, tangible or intangible, and whether or not there are unacceptable risks in either the development process or the implementation of the intended system. It must be clearly understood by all concerned that an acceptable finding of the feasibility study could be not to proceed with any systems development or acquisition. The typical structure of a feasibility study would normally include: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Executive summary of the business objectives, anticipated costs, expected benefits, and possible risks of the proposed investment Business background and needs or opportunities leading to the desire for intervention in this area including any statutory requirements The service delivery requirements and impacts on existing IS processing as well as other user functional areas Business disruptions anticipated as a result of the development, conversion, and implementation process including the acquisition or training of staff within the user area Evaluation criteria used to select among alternatives Alternatives considered as specified above Proposed solution in terms of specific deliverables, technical tools required to support the solution, changes to business processes and organizational structures required to support the implementation of the eventual system Project management roles and responsibilities as well as the proposed project organization, controls, quality assurance strategies, estimated time frame, and the major project phases, roles, and responsibilities Cost-benefit analysis proving the viability and desirability of the proposed solution Ongoing maintenance plan together with costs and resource requirements once the system has been fully implemented ch22_4768 1/8/07 3:16 PM Page 263 Audit Role in Feasibility Studies and Conversions 263 Once a decision has been made to go ahead based on the feasibility study, systems development may proceed as detailed in Chapter 18. Once the system is ready to implement, conversion to the new system must take place. Again, this is a critical phase that can make or break the successful use and long-term viability of the new system. Audit involvement at this stage is essential. CONVERSION SUCCESS FACTORS Successful systems conversion is not a matter of chance. The roles in the conversion process must be defined at an early stage so that those responsible may identify the existing sources of data that will be used as well as identifying any new sources of data required. An assessment must be done of the quality of data available and any conversion routines required must be identified and specified. Given the one-time nature of such conversion routines, there is a temptation to minimize the system testing. These conversion routines will require their own testing cycle to ensure their effectiveness, but once again this will largely be a factor of the quality of the input data. Rubbish in—rubbish out! The auditor must ensure that this has been taken into account and any data sanitation programs required have been developed and implemented. The measuring of the effectiveness of sanitation programs is a management function that may also require auditor evaluation. The overall conversion effectiveness must ultimately be evaluated and conversion signoff must be confirmed. It is critical that the auditor determine how the conversion process will be verified to ensure the accuracy, completeness, and validity of the data converted. ch23_4768 1/8/07 3:17 PM Page 264 CHAPTER 23 Audit and Development of Application Controls his chapter looks at the audit and development of application-level controls including input/origination controls, processing control procedures, output controls, application system documentation, and the appropriate use of audit trails. T WHAT ARE SYSTEMS? Systems may be defined as a set of elements or components that interact to accomplish goals and objectives. These systems may take the form of systems that perform business-related activities (application systems) or systems that help the computer itself function (operating systems). In this chapter, we will concentrate on the auditing of application systems. Characteristics of good systems include all of the following attributes: ■ ■ ■ ■ ■ ■ ■ ■ 264 Accuracy Completeness Economy Reliability Relevance Simplicity Timeliness Verifiability ch23_4768 1/8/07 3:17 PM Page 265 Audit and Development of Application Controls 265 CLASSIFYING SYSTEMS Systems themselves come in all shapes and sizes and may be categorized into: ■ ■ ■ ■ ■ Simple versus complex. Simple and complex systems face the normal risks of inaccuracies, incompleteness, and so forth but complex systems, by their very nature, are more likely to experience these problems, because the more complex a system becomes, the harder it is to adequately test and the easier it is for a systematic error to go undetected. Open versus closed. Open systems are more vulnerable to both errors as well as attempted penetration. This is a factor of the number of sources of input and output as well as the degree of systems interactivity. Stable versus dynamic. The higher the degree of instability of a system, the more likely it is that changes will be made to the system that are not clearly thought through with all of the side effects taken into account. Additionally there is a greater probability of rushed and inadequate testing in a highly dynamic systems. Adaptive versus non-adaptive. Adaptive systems are designed to be flexible and all things to all people. As such it is comparatively easy to tailor these systems erroneously. By the same token, nonadaptive systems may be run in an inappropriate manner and supplemented with unofficial add-on sub-systems with all of their inherent error opportunities. Permanent versus temporary. Permanent systems are designed, implemented, and maintained within a controlled environment. Temporary systems may fall outside of this system of internal control and may be undertested, undocumented, open for all to change, and generally out of control. They also have a habit of becoming semi-permanent unintentionally. These categorizations affect the way we approach the audit because the varying categories face different types and levels of risk. In all cases systems are expected to perform efficiently, effectively, and economically. ch23_4768 1/8/07 3:17 PM Page 266 266 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT CONTROLLING SYSTEMS Application systems may be controlled in several ways and by several individuals. At a macro level, system variables will be determined by the business decision maker to cover such items as: ■ ■ Will the payroll be daily, weekly, or monthly? Will the financial ledger be produced monthly or in 13 four-week periods? On a day-to-day basis the system parameters, controllable by the system operator, will be used to alter variables that require amendment such as report dates, file control dates, and so on. CONTROL STAGES Control over applications is exercised at every stage and begins at the start of the development of the system. This takes two basic forms: control over the development process itself and ensuring adequate business controls are built into the finished product. Major control stages would include: ■ ■ ■ ■ System design System development System operation System utilization SYSTEM MODELS Systems may take several forms. The most basic types of systems are those that are used on an ongoing basis to provide facilities for the day-to-day operations of the organization. These normally involve the processing of everyday business transactions. Transaction processing systems include: ■ ■ Order processing Inventory ch23_4768 1/8/07 3:17 PM Page 267 Audit and Development of Application Controls ■ 267 Purchasing In addition to these systems supporting our normal business processing, management require information on an ongoing basis to inform them of the status of various parts of the organization. These Management Information Systems would include: ■ ■ ■ ■ Financial Manufacturing Marketing Personnel A further categorization of systems comes when the information becomes used by a variety of decision makers to support business decisions. These Decision Support Systems are becoming more and more sophisticated and may be found in all business areas including: ■ ■ ■ Financial Statistical analysis Project management INFORMATION RESOURCE MANAGEMENT Information Resource Management is based upon five fundamentals: 1. Information Management. Information is valuable and must be managed as such. In many organizations, information does not appear on the balance sheet or asset register and is thus seen as something that, while important, is not really valuable. 2. Technology Management. Technology Management addresses the whole aspect of the value of technology to the firm. This includes the impact and effect on other resources as well as the gaining of strategic advantage by judicious use of the appropriate technology. >3. Distributed Management. Where systems are located can have a significant impact on systems effectiveness as well as internal control and thought must be given to the maintaining of an adequate system of managerial control. ch23_4768 1/8/07 3:17 PM Page 268 268 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT 4. Functional Management. Like other functional areas, information systems (IS) must be directed and controlled in order to ensure the effective, efficient, and economic use of what is, after all, an expensive resource. 5. Strategic Management. IS holds the potential to gain and maintain major competitive advantage for the organization. Used appropriately IS can raise the barriers of entry to competition, gain exclusivity for the information holder, and generally keep the organization ahead of the pack. CONTROL OBJECTIVES OF BUSINESS SYSTEMS In order to achieve the potential benefits of properly managed information systems, they must themselves be generated and operated in order to achieve specific control objectives. These would include the general control objectives of: ■ ■ ■ ■ ■ Accuracy Completeness Validity Integrity Confidentiality In addition the differing system types may have additional control objectives as well as differing priorities within the general control objectives. System types could include: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Order processing Invoicing Inventory control Accounts receivable Accounts payable Purchasing Shipping Receiving Payroll General ledger ch23_4768 1/8/07 3:17 PM Page 269 Audit and Development of Application Controls ■ 269 Specialized systems ● Banking systems ● Retail systems ● Manufacturing systems ● Electronic data interchange (EDI) GENERAL CONTROL OBJECTIVES In addition to the overall objectives for information processing of: ■ ■ ■ Integrity of information Security Compliance there are specific control objectives at every stage of processing, for example: ■ ■ ■ ■ Input control objectives ● All transactions are initially and completely recorded ● All transactions are completely and accurately entered into the system ● All transactions are entered only once Controls in this area may include: ● Pre-numbered documents ● Control total reconciliation ● Data validation ● Activity logging ● Document scanning ● Access authorization ● Document cancellation Processing control objectives ● Approved transactions are accepted by the system and processed ● All rejected transactions are reported, corrected, and re-input ● All accepted transactions are processed only once ● All transactions are accurately processed ● All transactions are completely processed Controls over processing may include ch23_4768 1/8/07 270 3:17 PM Page 270 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT Control totals Programmed balancing ● Segregation of duties ● Restricted access ● File labels ● Exception reports ● Error logs ● Reasonableness tests ● Concurrent update control Output control objectives over hardcopy, file outputs, and on-line inquiry files ● Assurance that the results of input and processing are output ● Output is available only to authorized personnel Typical controls here could include: ● Complete audit trail ● Output distribution logs Program Control Objectives ● Integrity of programs and processing ● Prevention of unwanted changes Typical controls here could include: ● Ensuring adequate design and development control ● Ensuring adequate testing ● Controlled program transfer ● Ongoing maintainability of systems ● Use of a formal Systems Development Life Cycle (SDLC) ● User involvement ● Adequate documentation ● Formalized testing plan ● Planned conversion ● Use of post-implementation reviews ● Establishment of a quality assurance (QA) function ● Involvement of internal auditors ● ● ■ ■ ■ ■ Testing of these controls will require the auditors to seek evidence regarding their adequacy and effectiveness as detailed in Chapter 9. Where such evidence resides within the information system itself, computer assisted audit tools (CAATs) will probably be required. ch23_4768 1/8/07 3:17 PM Page 271 Audit and Development of Application Controls 271 CAATS AND THEIR ROLE IN BUSINESS SYSTEMS AUDITING In order for the auditor to successfully draw conclusions about the effectiveness of the control environment within which applications operate, automated tools (CAATs) will normally be required. These may include: ■ ■ ■ ■ ■ Test Data Generators. Automatic producers of data for systems testing. These take away the drudgery of preparing test data to try out the various pathways through systems as well as ensuring that all desired avenues of testing are carried out. Flowcharting Packages. This audit tool is becoming increasingly popular with auditors who wish to document information flow, control points, and operational procedures. Such packages allow the maintaining of up-to-date records with a minimum of rework. Specialized Audit Software. Specialized audit software is software written explicitly to achieve some desired audit objective. It may be utilized for any purpose the auditor chooses but, because it was designed to achieve specific ends, it may prove inflexible where audit objectives and sources of evidence are rapidly changing. In addition, such software is typically expensive to develop because there is a limited market. Generalized Audit Software. This is some of the most common software in use by auditors today. It incorporates general interrogation routines as well as statistical sampling and prefabricated audit tests. This is seen to be the major growth area for CAATs over the next few years. Utility Programs. This software, supplied with the hardware or systems software, is designed to perform common and repetitive tasks such as sorting files, printing, copying, and comparing files. As such these can be powerful tools for the auditor to employ. Because of the power of some of these utilities, special authorization may be required to access the requested data. Determining which of these tools would be appropriate depends to a large extent depends on the audit objective and selected tech- ch23_4768 1/8/07 272 3:17 PM Page 272 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT nique. These techniques are normally performed for one of two objectives: either to verify processing operations or to verify the results of processing. No single technique is infallible and none tells the whole story so that the auditor will typically choose a variety of techniques in order to satisfy multiple objectives. Typical techniques would include: ■ ■ ■ Source code review. In this technique, no specific tool is needed although a utility may be used to produce a printout of the appropriate program source code (the English-like coding for the program). Once printed, the auditor may “play computer” to determine what is actually happening within an application. Source code review can be time-consuming and tedious and may, in the end, prove little. Program source code tends to be voluminous and may be poorly annotated so that the auditor may have a problem in even deciding where to start. Nevertheless it can be a powerful technique to examine the logic within limited parts of a program. This always presupposes that the auditor is satisfied that the source code matches the live running program. Confirmation of Results. This technique involves the interrogation of systems containing information about a third party (debtors, creditors, etc.), selecting a representative sample of that data, and requesting confirmation from the third party of the accuracy and completeness of the data. This technique, while it may be the only way of obtain such confirmation, suffers from several drawbacks. It is slow and replies may arrive anything up to one year later. It is uncertain and in many cases produces a less than 10% return. It may be biased in that replies tend to predominantly favor the third party. Few will contact the auditor to insist that their debt has been understated. Test Data. This technique involves transacting data through the system in order to achieve predetermined results. Because this affects the files transacted against it, it is normal to use a copy of the live programs and test versions of files. This has its own problems in that the auditor must be satisfied that the program tested is, in fact, a copy of the live program. In addition the volume of test data passed through the system is normally limited and tests must be selected to test both correct data as well as a variety of erroneous data. This is problematic because the auditor may be ch23_4768 1/8/07 3:17 PM Page 273 Audit and Development of Application Controls ■ ■ ■ ■ 273 biased in the selection of test data by his or her expectations of the system. Integrated Test Facility. This technique is a variation on the test data technique. In this test the live system and data files are used and a dummy entity, for example, a department, is established on the live file. Test data is then processed along with live data to transact against the dummy department. This has the advantage of testing the live system in the environment under which it normally operates. It also has several disadvantages, among which is the prime disadvantage that the live data is being affected and any unwanted, adverse effects will impact this data. A system error detected thus may, in fact, crash the live system and the auditor will have some explaining to do. Even if this does not happen, the auditor must ensure that the test transactions are removed before live figures, payments, control totals, or even tax records are interfered with. This may not always be possible. Some systems, in order to preserve the integrity of the audit trail, deliberately prevent the removal of transactions. Snapshot Technique. This technique takes a known transaction and follows it through the processing logic of a program taking “snapshots” at pre-specified places within the program. These snapshots take the form of memory and data dumps. This is a highly specialized technique that requires a relatively high level of computer expertise to interpret the results. It is commonly used by programmers to localize and trace fault areas within programs. Sampling. Audit sampling is a technique whereby an auditor can examine large volumes of data by looking at a smaller sample in a specific manner that allows the auditor to predict the condition of the larger mass of data with a known level of accuracy and confidence. Prior to computerized techniques being available, many sample tests were discredited due to poor knowledge of sampling theory on the part of the auditor, poor selection technique, and poor interpretation of the results. With today’s powerful Generalized Audit Software as well as with the more sophisticated statistical software, such misapplication should be a rarity and statistical sampling is becoming an easy and effective technique. Parallel Simulation. This technique is used to determine the accuracy and completeness of processing. It involves taking live transaction data and reprocessing it through a program that is not the ch23_4768 1/8/07 3:17 PM Page 274 274 SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT live program but that theoretically duplicates the functionality of the live program. The results of processing, live and test, are then compared and any discrepancies are investigated. This is most commonly used to test the accuracy of programmed calculations and it is essential that the parallel program originate from a source other than that of the original program. COMMON PROBLEMS As pointed out previously, no CAAT is perfect and problems will be encountered with each. Common problems the auditor will encounter include: ■ ■ ■ ■ Getting the wrong files Getting the wrong layout Documentation is out of date Prejudging results The auditor’s first rule of thumb should be to never believe what the first printout tells you, particularly if you wrote the program yourself. In any application system the auditor should attempt to identify the controls the user relies on. Bear in mind that documentation is often misleading and that not everything needs to be audited. Program logic should mirror the business logic so that if the auditor understands the business needs and controls, system testing becomes much easier. AUDIT PROCEDURES In carrying out an audit of a business system a predefined generic audit program can be followed, namely: ■ ■ ■ ■ ■ Identification of users’ control concerns Identification of system components Identification of system processes Identification of known controls Identification of known control weaknesses ch23_4768 1/8/07 3:17 PM Page 275 Audit and Development of Application Controls ■ ■ 275 Verification of controls Evaluation of control environment CAAT USE IN NON-COMPUTERIZED AREAS Not all CAATs are applicable only in computerized areas. Computerized tools may assist the auditor in: ■ ■ ■ ■ ■ ■ Risk analysis Sample selection Operation modelling Analytical review Regression analysis Trend analysis Not all of these need happen on computerized information. By the same token, computerizing the audit does not necessarily mean computerizing the old techniques. New audit approaches are possible and innovative automation can make internal auditing more attractive as a career and thus improve staff stability. DESIGNING AN APPROPRIATE AUDIT PROGRAM As with any audit program we start with the Business Objectives of the application area under review. Based on those we may, together with the user of the system, define the Control Objectives. Having established theses we may determine the Audit Evidence required to prove or disprove the control objectives. At the same time we will identify the Source of such evidence. This will dictate the Manner of obtaining the evidence, that is, the Technique. Once this has been established the Extraction of the required evidence becomes a matter of using the correct tool to apply the appropriate technique. If these steps are properly followed, the Evaluation of the results becomes simple because the auditor knows what evidence was sought to prove which control objectives and whether such evidence was indeed found. Reporting then follows as per any other audit. ch23_4768 1/8/07 3:17 PM Page 276 ch24_4768 1/8/07 3:18 PM Page 277 PART IV Information Technology Service Delivery and Support 277 ch24_4768 1/8/07 3:18 PM Page 278 ch24_4768 1/8/07 3:18 PM Page 279 CHAPTER 24 Technical Infrastructure his chapter examines the complex area of the Information Systems/ Information Technology (IS/IT) technical infrastructure (planning, implementation, and operational practices). IT architecture/standards over hardware including mainframe, minicomputers, client-servers, routers, switches, communications, and PCs as well as software including operating systems, utility software, and database systems are revealed. Network components including communications equipment and services rendered to provide networks, network-related hardware, network-related software, and the use of service providers are covered as are security/testing and validation, performance monitoring and evaluation tools, and IT control monitoring and evaluation tools, such as access control systems monitoring and intrusion detection systems monitoring tools. In addition, the role of managing information resources and information infrastructure through enterprise management software and the implementation of service center management and operations standards/guidelines within COBIT, ITIL, and ISO 17799 together with the issues and considerations of service center versus proprietary technical infrastructures are explored. Effective and efficient information systems are the cornerstones of most enterprises today. For the systems to be capable of adaptation to the variations in business-processes and the introduction of new products and services, an appropriate technical infrastructure is required. The infrastructure is the skeleton upon which the systems supporting the business are overlaid and the achievement of an application portfolio that effectively supports the business unit in a T 279 ch24_4768 1/8/07 280 3:18 PM Page 280 INFORMATION TECHNOLOGY SERVICE DELIVERY AND SUPPORT cost-competitive manner requires an IT architecture carefully designed and tailored for the specific organization. To properly support the business, this infrastructure must be carefully planned in advance. In the late twentieth century many systems expanded and diversified into an uncontrollable mess of diverse technologies and systems. The challenge for many organizations is the integration of these existing structures into one cohesive, appropriately designed architecture. An appropriately designed architecture can facilitate businesses in achieving the correct balance between the strategic needs of business innovation and the requirement for stability within information systems. Flexibility is the key because business needs and technological advancement enforce a rapidly changing infrastructure requirement. The infrastructure architect has now become an accepted role in the overall IT strategic planning process and the advent of electronic commerce has considerably increased the complexity of this role. The balancing of the IS/IT infrastructure into an effective architecture requires expertise in a variety of disciplines in order to seek solutions to business problems through this election and implementation of appropriate information technology. This architectural design involves the integration of a wide variety of technologies, operating environments, products and services, application environments and networks, as well as a diverse array of hardware and software. When Y2K occurred, many organizations began an exercise to identify and locate the various components of that infrastructure in order to ensure that they were all year 2000 compliant. For many, this was the first attempt at a consolidated asset register and organizations were shocked to see the networks of incompatibility that had built up over the years. Making sense of this plethora of divergent architectures became critical in achieving a smooth transition to modern effective information processing. This goes beyond the role of a traditional asset register and seeks to determine environments, problem management, maintenance and release levels of all hardware, system software, communications components, and application software at the mainframe, network, and PC level. This information is fundamental to the implementation of effective configuration management. For configuration management to be effective, four specific functions must take place: ch24_4768 1/8/07 3:18 PM Page 281 Technical Infrastructure 281 1. Identification. The technical specification, location, and identification of all individual components within the technical infrastructure 2. Control. The human element with authority to maintain and modify each individual component 3. Status. The monitoring of the operational status, versions, release level, patches, and options selected 4. Verification. The scrutiny and review of all component information to ensure its accuracy, completeness, and integrity, without which integration cannot be designed It is critical that all components are fully and accurately recorded so that appropriate combinations can be selected to provide specific services at an agreed control level with the knowledge that such combinations can be integrated effectively. In addition, should one component fail, such information will be essential for swift replacement. Where standardization is possible the technical infrastructure can be rationalized and simplified thus minimizing systems destruction in the event of a failure. From a systems development perspective a clear architecture covering the technical infrastructure simplifies the development process and permits the modularization of the application systems. Maintenance may be reduced and reliability enhanced due to the use of standardized components. ITIL (the IT Infrastructure Library)1 is an internationally accepted approach to IT service management that provides a cohesive set of best practices, drawn from the public and private sectors internationally and supported by the British Standards Institution’s standard for IT Service Management (BS15000). It comprises a series of documents used to facilitate the implementation of a framework for IT Service Management (ITSM). This framework defines how service management can be applied within specific organizations. Because it is a framework, it is designed to be totally customizable for use within any form of business or organization that has a reliance on an IT infrastructure. In addition, extensive support for the development of a common manageability infrastructure can be found within the Enterprise Management Forum, which “works to develop a common manageability infrastructure that can be used by both applications developers and management system vendors to create an open ch24_4768 1/8/07 282 3:18 PM Page 282 INFORMATION TECHNOLOGY SERVICE DELIVERY AND SUPPORT management environment in which complex solutions can be constructed without artificial barriers to their management”2 and which is independent of software and systems vendors. AUDITING THE TECHNICAL INFRASTRUCTURE With the increasing stress laid upon regulations and standards such as Control Objectives for Information and related Technology (COBIT), ISO 17799, and Sarbanes-Oxley, the requirement to prove adequacy of control over key information processes is now of critical importance. One critical component of such process control is the technical infrastructure and architecture itself. The technical complexity and flexibility of the infrastructure is such that the periodic manual audit may prove ineffectual in providing adequate assurance of the ongoing control effectiveness. Because each individual component has its own internal control processes that may add to, or detract from, the overall system of controls, a simple security review has now become a complex operation involving assessing the adequacy of the security systems deployed including firewall rules, server privilege settings, access control lists, authentication procedures, bypass limitation, and the interaction of all of these. As a result, the concept of continuous auditing using the appropriate computer assisted audit tools (CAATs) comes into its own in this area. A continuous audit permits auditors to monitor an organization’s systems using appropriate sensors and digital agents. Rules of procedure are defined within the digital agents and corporate systems are continuously monitored against the standards with any discrepancies being immediately flagged and reported to the auditor. Such monitoring is done electronically and automatically with the audit routines executing as required in real time, 24 hours a day, 7 days a week and could include technical areas such as: ■ ■ Monitoring network file shares to ensure that no system offers full access permissions to default, anonymous, or guest logins Monitoring access control lists to ensure that no changes are made to the individuals or groups authorized to have specific levels of access into live databases ch24_4768 1/8/07 3:18 PM Page 283 Technical Infrastructure 283 One constraint is the impact such monitoring has on the performance of the organization’s systems and the relevancy of such monitoring must be carefully considered prior to implementation. Executing multiple audit routines on high-volume, transaction-based systems in real time could be significantly detrimental to normal business processes. In standard audit operations such as file interrogations, data extraction and analysis can be performed using a generalized audit software package such as the IDEA system included with this book. Depending on the complexity, however, the requirement for immediate reporting in complex areas may require that the audit tools be highly integrated with the organization’s systems and operate continuously using embedded audit modules (EAMs) or System Collection Audit Review Files (SCARFs). One of the most critical considerations in implementing a continuous audit protocol is that auditors require the proficiency to implement and understand the various aspects of information technology at an in-depth level. Continuous auditing can only be implemented if the auditors fully understand the critical control points, rules, and exceptions. The use of specialist IS technical auditors may be required in establishing that continuous audit in such a manner that can be monitored and maintained by the conventional IS auditor. It should be noted that there is a distinct difference between continuous monitoring and continuous auditing. Continuous monitoring is designed to obtain information about the ongoing performance of a process or system and is the responsibility of management. Continuous auditing has an audit objective of accumulating sufficient evidence to communicate to management their current status regarding the risk control objectives the standardized audit report.3 In the absence of continuous auditing, the auditor can still gain satisfaction as to the adequacy of controls over the infrastructure by ensuring that management: ■ ■ Maintain an activity audit trail with real-time monitoring particularly of those powerful entities within IT who have virtually unrestricted access and who can change the infrastructure at will. Enforce access control standards and operator level with particular emphasis on role-based access control to network infrastructures. Once again, monitoring via the activity audit trail should detect and alert the appropriate personnel. ch24_4768 1/8/07 284 ■ ■ ■ 3:18 PM Page 284 INFORMATION TECHNOLOGY SERVICE DELIVERY AND SUPPORT Ban the use of standardized administrator passwords shared by multiple operators, administrators, and superusers. Enforce change management on all infrastructure changes as well as changes to application systems. Facilitate independent inspection of infrastructure management records on demand and independently produced. The auditor’s role in this arena is a highly technical one and will require continuous professional development in order to stay abreast of changes to technology and the control implications to a particular organization’s infrastructure. COMPUTER OPERATIONS CONTROLS The structure of the IT department will vary considerately among organizations. The structure of the individual department will obviously depend on constraints such as workload and size but will typically involve an operations function, a project-based or programming function, and technical services. The computer operations department is the location of the staff involved in the day-to-day operation of the Information Processing Facility. This may be a large mainframe environment or a small local area network. The operations function is responsible for many of the routine tasks associated with the effective and efficient running of an installation including: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Mounting and dismounting data files Loading paper into printers Aligning special forms Scheduling runs Loading programs Balancing run priorities Responding to operating system prompts Responding to application system prompts Maintaining incident logs Performing routine housekeeping tasks Responding to equipment failures Production of backup copies as defined ch24_4768 1/8/07 3:18 PM Page 285 Technical Infrastructure ■ ■ 285 Restoration from backup when authorized Handling “unpredictable” conditions The operations department may itself be subdivided into a control section responsible for monitoring information passing into, through, and out of the computer operations area. In addition, a data preparation section may exist separately although considerable progress has been made and moving this function into the user area. Computer operators remain responsible for the accurate and efficient operation of the scheduled jobs on the computer and reporting to the chief operator or shift supervisor. Some organizations additionally utilize a separate tape librarian to handle the vast quantity of physical tapes, disks, and other backup media. The operation department is responsible for maintaining physical security over the computer, peripherals, magnetic media, and the data stored. This includes the various measures designed to minimize the impact of such disasters as flood, fire, malicious damage, and so on. Data must be secured against accidental or deliberate disclosure, modification, or destruction. Processing controls must exist to ensure the organization receives complete, accurate, timely, and secure processing of data. This includes on-site and off-site file and program libraries. Included in these libraries will be safety copies of data as well as program source and object codes. Automated library software can assist in ensuring the library is maintained in an appropriate form. Ensuring segregation of duties, handling the distribution of output, and dispatch of hard copy as well as controlling access to spool files and networked printers are usually functions of the operations department. OPERATIONS EXPOSURES These include the normal range of exposures including human error, hardware failure, software failure, and computer abuse as well as potential disasters. The prime error areas in daily operation are the data entry procedures as well as operator commands entered from the control console. Using wrong generations of files or wrong versions of programs can be catastrophic should they occur and an everpresent danger is simple media damage in handling. ch24_4768 1/8/07 286 3:18 PM Page 286 INFORMATION TECHNOLOGY SERVICE DELIVERY AND SUPPORT OPERATIONS CONTROLS Controls within the operational area are primarily performance and compliance controls associated with running of computer jobs. These would typically include the use of: ■ ■ ■ ■ ■ Predefined run schedules Computer and manual run logs System performance statistics Budgetary controls Supervision PERSONNEL CONTROLS Because operations departments are so heavily dependent upon people, it becomes critical to ensure that the personnel aspects are adequately controlled. This includes segregation of duties where typically we would seek controls to ensure: ■ ■ ■ ■ ■ ■ IS cannot initiate transactions Systems and programming independent from operations Programmers cannot operate the machine Operators cannot access file libraries Electronic data processing (EDP) librarian is an independent function Data processing staff have no control over corporate assets In addition we would seek to ensure that operations staff are be rotated, must take holidays, and do NOT attempt to correct programs. SUPERVISORY CONTROLS The nature of the operations function make it very easy to implement effective supervisory controls. Such controls would include the approval of run schedules, the monitoring of operations, the scrutinizing of the daily console log, the reviewing of the manual reports, and continuous observation. ch24_4768 1/8/07 3:18 PM Page 287 Technical Infrastructure 287 Generally 80% of machine utilization can be predicted—but there will always be additional user demands, program reruns, reprocessing of files, and the handling of unforeseen problems. Machine usage can itself be categorized into machine time spent in: ■ ■ ■ ■ ■ Compilation Test Rerun Maintenance Production This allows operational efficiency and effectiveness to be determined. Reruns will always be required from time to time because of machine failure, operator failure, application failure, operating system failure, or simply high volume or critical input errors. OPERATIONS AUDITS Reviewing an operations area involves initially obtaining an organization chart of the function together with job descriptions of the staff. These would then be reviewed to ensure proper segregation of duties particularly in smaller departments. In addition lists of equipment, networks, system software, and running applications will be required. Personnel of the operations section have hands-on access to the hardware, software, and networks of the organization. As such, it is imperative that the personnel practices utilized in this section be above reproach. The personnel policies of the operating department must be reviewed with respect to delegation of duties when staff are absent because of illness, vacation, or for any other reasons. Termination procedures must be scrutinized in order to ensure that no weakness occurs when staff leaves. The view of the operations function itself would include scrutiny of computer room access in order to determine: ■ ■ ■ Who is permitted access to the computer room? Under what circumstances will outsiders be permitted access? How is control over computer room access enforced? ch24_4768 1/8/07 3:18 PM 288 Page 288 INFORMATION TECHNOLOGY SERVICE DELIVERY AND SUPPORT Operation of computer equipment would include scrutiny to determine who is authorized to operate such equipment. The auditor must examine operating instructions to ensure that installation standards exist and are followed for operating system software, application software, restart and recovery procedures, and handling disposition of inputs and outputs. Operator actions will be scrutinized to determine whether controls exist in areas where operators have discretion, such as amending parameters while systems are running. This would also include scrutiny of incident logs covering reporting of system failures, restart and recovery, emergencies, and any other unusual situations. It should be noted that logs will include both manual and automated logs and that comparisons may be done between the two in order to determine that management is informed of all deviations from normal procedures. From time to time operators may have to cope with emergency circumstances that could involve making urgent modifications to production programs, job control language, and procedure libraries bypassing the normal procedures. In these circumstances it is critical that adequate documentation is maintained of all operator actions and the reasons for these actions. Operators have access to powerful utilities that can typically dump data, production programs, or even memory at execution time. Such access must be monitored closely by management in order to ensure that no unauthorized procedures are carried out. Evidence must be sought of adequate supervision of operators including management or shift supervisor sign-off of logs. ENDNOTES 1. OGC—IT Infrastructure Library (ITIL): http://www.itil.co.uk/. 2. The Open Group Enterprise Management Forum: http://www .opengroup.org/management/. 3. Further information on continuous auditing may be obtained from the Institute of Internal Auditors in their Global Technology Audit Guide 3. Institute of Internal Auditors: http://www .theiia.org/download.cfm?file=19897. ch25_4768 1/8/07 3:18 PM Page 289 CHAPTER 25 Service Center Management his chapter introduces service center management and the maintenance of information systems and technical infrastructures. These involve the use of appropriate tools designed to control the introduction of new and changed products into the service center environment and includes such aspects as security management, resource/configuration management, and problem and incident management. In addition, the administration of release and versions of automated systems as well as the achievement of service level management through capacity planning and management of the distribution of automated systems and contingency/backup and recovery management are examined. The key management principles involved in management of operations of the infrastructure (central and distributed), network management, and risk management are outlined as are both the need for customer liaison as well as the management of suppliers. Before we can examine the issues and service center management, a clear definition is required of what constitutes service delivery. Service delivery involves the ongoing management of the Information Technology (IT) services in order to ensure that they are in line with the agreement between the service provider and the customer. Service delivery is generally taken to be the sum total of a variety of individual tasks to be undertaken by IT management. T CONTINUITY MANAGEMENT AND DISASTER RECOVERY Continuity management is covered in more detail in Chapter 30, but must be seen within a service center management context as the process by which plans are designed and implemented to ensure the 289 ch25_4768 1/8/07 290 3:18 PM Page 290 INFORMATION TECHNOLOGY SERVICE DELIVERY AND SUPPORT ongoing availability of information processing services in the event of a serious incident or accident. Continuity is too critical a component for reliance to be placed on purely reactive measures, and a proactive approach to reduce the probability of serious disruption is a critical part. Information processing has now become so integral to achievement of the business objectives of organizations that non-availability of the services can seriously jeopardize the ongoing viability of many organizations and a variety of business sectors. Recent international studies have indicated that organizations suffering a computer disaster without an effective contingency plan in place stand a good chance of being out of business within the next 12 months. The length of time before business collapse is dependent upon the nature of information services provided and the criticality of availability to the primary business functions. One common failure in the way in which continuity management is approached is to see it as a purely IT function. This approach removes continuity management from the governance framework of the organization as a whole and regards it as a technical problem to be managed within a technical department. IT continuity management must be seen as an integral part of Business Continuity Planning with information-processing being seen as a critical resource, but not the sole resource, for the ongoing survival of the organization. From this aspect, continuity management can be seen as a partially technical solution to a business problem. The cornerstone of continuity management is the Business Impact Analysis, which identifies the critical processes within the organization and, from an IT perspective, identifies the data flow and support structures provided by information systems. Based upon this, critical systems, both manual and computerized, can be prioritized together with the inter-relationships among them. Once prioritized, risk analysis can be carried out for each of the service areas in order to identify specific threats and vulnerabilities to information and other assets at risk in order to determine the appropriate control structures to balance these threats and vulnerabilities. In some cases, countermeasures may be as simple as a reverting to manual procedures or utilizing backup copies of data files. In many threat scenarios this would be insufficient in order to assure recovery and continuity and a fullblown contingency plan may be required. The contingency plan must include recovery options for a variety of scenarios from partial inter- ch25_4768 1/8/07 3:18 PM Page 291 Service Center Management 291 ruption to total loss and must be tested and reviewed frequently in order to match the changing circumstances of the organization both in terms of business protocols and IT usage. This should not be seen as an inexpensive exercise because properly done, contingency planning will involve a variety of resources and consume considerable time. Nevertheless, the cost must be viewed in the light of the cost of doing nothing, which could be the cost of bankruptcy. Having ensured the ongoing availability of information processing resources, the next question that arises is whether the information processing resources provided have sufficient capacity to deliver the agreed level of service, in the agreed place, at the agreed time, and at the agreed cost. In order to ensure the appropriate capacity management, workload and performance levels must be monitored over a period of time so that resource forecasting can be based upon demand forecasting and application sizing. Capacity planning is not simply a question of throwing more resources at the problem, but improving process efficiency by systems tuning and elimination of redundant files and processes can significantly reduce systems overheads and lower the capacity levels required to maintain adequate performance levels. Once it has been established that the information systems will probably survive (continuity management) with sufficient resources (capacity management) to carry out the work, the question of individual systems availability must be addressed. Availability does not simply address whether or not an application system exists but also includes the resilience of the total system including all components (to withstand failure), the ease with which it can be maintained, the reliability, which is normally taken as the average time between failure of a particular system, the ability of the system to withstand internal or external attack with intent to breach security, and the ease of recoverability in the event of a component failing. The financial aspects of service center management involve the acquisition of the whole infrastructure and the most cost-effective price to the organization. This does not necessarily mean that the price of acquisition will always be the lowest because the aforementioned aspects such as reliability and availability must be taken into consideration. Only when costs are fully known and attributable to individual business functionality can cost benefit be truly and accurately identified. ch25_4768 1/8/07 292 3:18 PM Page 292 INFORMATION TECHNOLOGY SERVICE DELIVERY AND SUPPORT The information systems (IS) auditor needs to be familiar with the many terms encountered in costing service center management. Most important of these is the distinction among: ■ ■ ■ ■ Direct costs, which are related to the specific item or function and can be attributed to it in a feasible way. Indirect costs, which are related to the specific item or function but cannot be attributed to it in a feasible way. Indirect costs are then allocated or assigned the law using an appropriate cost allocation method. Variable costs, which change in direct proportion to the volume of outputs. Fixed costs, which do not vary with volumes produced, but are fixed, for example, equipment rentals, payable irrespective of usage. Different costing approaches are used by different organizations with varying implications. These are typically determined not only by the specific business processes or services provided, but also by the types of costing systems generally in use in the sector that the organization is engaged in, such as manufacturing, service, or merchandising sectors. An IS Auditor may become involved in operational audits of the service center to determine the reasonableness of costs attributable to individual user areas. Disagreements commonly arise regarding the assignment of fixed and variable overhead costs to individual users of services particularly in a mainframe environment where the majority of hardware costs cannot be related to individual users using direct costing. In such environments, system usage is a commonly used alternative. Such allocations of cost may directly affect the remuneration of user managers who may seek to have a look at it costs transferred to other users in order to defend bonuses or departmental profitability. One final area of cost within a service center is the overall cost of quality, which can impact both performance evaluation and customer satisfaction. Specific costs within these areas include prevention costs to ensure delivery at the service level specified, appraisal costs incurred in monitoring service delivery, internal failure costs where costs are incurred as a result of failures within the service center itself, ch25_4768 1/8/07 3:18 PM Page 293 Service Center Management 293 and external failure costs, which involve failures detected only after they reach the user and where a service has to be re-performed. Overall, Service Level Management involves ensuring that the services requested and agreed on with functional user management are delivered on an ongoing basis as and how they have been committed to be delivered. Achieving service level management is dependent upon the achievement of all the other areas of service delivery previously mentioned, thus providing a framework upon which an effective and efficient range of services can be delivered in a secure manner. This management is normally measured against a Service Level Agreement, which is the formal document specifying the level and cost of services in all of the performance areas of the individual service center. This is a contractual document entered into between IT and the user business areas to which services are supplied. This document specifies the performance criteria, security levels agreed, and cost structures to be applied in delivery of service. MANAGING SERVICE CENTER CHANGE It is well understood that most service center problems occur when changes are made either as a result of upgrading of system components or as a result of failure in a single component. Managing of change within the server center refers to the making of changes in a planned and managed fashion in order to effectively implement new hardware, software, networks, and security in an ongoing manner within the organization. The variety of change management best known within IT circles is probably the version control or release levels of operating systems and this is commonly used for the distribution of new and changed products into a distributed environment. In addition to these, however, changes within the service center can be triggered by failure of infrastructure or the desire to improve infrastructure and can be hardware based as well as software based. Software products are available that can assist management in controlling and managing both planned changes and unexpected problems and also handling software bugs and reporting such incidents. ch25_4768 1/8/07 3:18 PM Page 294 ch26_4768 1/8/07 3:19 PM Page 295 PART V Protection of Information Assets 295 ch26_4768 1/8/07 3:19 PM Page 296 ch26_4768 1/8/07 3:19 PM Page 297 CHAPTER 26 Information Assets Security Management he administration of security focusing on information as an asset is commonly problematic and may frequently be observed as a patchwork of physical and logical security techniques with little thought to the application and implementation of an integrated approach designed to lead to the achievement of specific control objectives. This chapter examines Information Assets Security Management and covers Information Technology (IT) and security basics as well as the fundamental concepts of Information Systems (IS) security. T WHAT IS INFORMATION SYSTEMS SECURITY? IS security may be defined as security around and within the computer and associated equipment as well as the people using it. The U.S. Federal Information Security Management Act (FISMA) of 2002 defines information security as: The term “information security” means protecting information and Information Systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide— ‘’(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; ‘’(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and ‘’(C) availability, which means ensuring timely and reliable access to and use of information.”1 297 ch26_4768 1/8/07 3:19 PM Page 298 298 PROTECTION OF INFORMATION ASSETS This includes attempts at authorized access and the use of dataprocessing resources for unauthorized purposes. The scope of computer security includes: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Physical security Personnel security Data security Application software security Systems software security Telecommunications security Computer operations security Vital records retention IS insurance Outside contract services Disaster recovery plans Computer crime and fraud From this it may be seen that the scope of computer security is virtually all-embracing and covers just about everything that could go wrong. One of the most significant aspects of computer security is its capacity to protect us from the effects of our own mistakes. Implementing effective computer security is complicated by the myths that surround it such as: ■ ■ ■ ■ ■ ■ ■ Computer security is a technical problem Security breakdowns only happen to other firms Major threat is the data processing staff Major threat is outsiders Only a computer wizard can perpetrate a computer fraud Computer security is physical security It is not my problem In all of these myths the major impetus is toward a situation where nothing needs to be done or, if something must be done, it must be done by someone else. In fact, computer security is the responsibility of all employees from management down. Management concerns regarding security focus on the effects of a breakdown in security rather than the technical implementations of a security system. ch26_4768 1/8/07 3:19 PM Page 299 Information Assets Security Management 299 These concerns would typically include that: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Accounting, financial, and operating records may be falsified Unauthorized employees may access confidential data Authorized employees may prove to be risk agents Employees may sell confidential data to competitors or others Computer facilities, hardware, and software may be subject to damage by disgruntled employees Unauthorized outsiders may attempt to break in Data integrity could be undermined by inadequacies in security Computer software that is not secured, is obsolete, or is inappropriate will lose its competitive edge Business viability could be jeopardized in a disaster situation Insurance coverage on IT equipment may be inadequate Self-insurance may be too risky and/or too expensive Gap between computer technology and computer security is widening Erroneous management decisions based on altered or manipulated data may occur Data inadequacies and transaction processing delays may disrupt business activities Data processing departments security goals and objectives may not be compatible with the organization’s information security goals and objectives resulting in inefficiencies and ineffective security Employees may sell software developed internally to outsiders for money From these it can be seen that the emphasis is on business problems associated with the interruption of effective security measures rather than on the effective implementation of appropriate control techniques. The responsibility for such implementation falls on IT management together with user management. IS Audit has a responsibility to examine the technical implementation in order to determine whether executive management’s business control objectives are being attained on a continuous basis. It can also be seen that information assets security management can be reduced to three basic principles, namely integrity, confidentiality, and availability. ch26_4768 1/8/07 3:19 PM Page 300 300 PROTECTION OF INFORMATION ASSETS Integrity of information is the fundamental basis for trust in computer systems. Integrity can be seen as the property that information remains unchanged unless there is a specific intention to change it in an authorized manner. Integrity can be threatened either at a logical level where information can be changed programmatically or its physical level by corruption of the media containing the information. Computer viruses and other malware can corrupt information to the extent that the users of the information may have no choice but to scrap all of the information and start again. Failure to maintain confidentiality in commercial enterprises could result in problems ranging from minor embarrassment and inconvenience through to disclosure of an organization’s results from a multimillion dollar research project and anything in between. At a governmental level, such failure could cost lives in a terrorist situation and could even, alternately, lead to war. The consequences of denial of availability can be seen on a daily basis at a minor level. Ranging from an ATM being offline to a website being unavailable, we have all been inconvenienced to a greater or lesser extent. At the corporate level, however, extended unavailability and an inability to service customers can be life threatening to many organizations. Selection of appropriate control techniques will depend upon management’s perceptions of the vulnerabilities and threats in the environment and the consequent risk exposure faced. Some risk is desirable because it is normally not cost effective to attempt to eliminate all risk, and management must strike a cost-effective balance in mitigating risk. Risk will be assessed by: ■ ■ ■ ■ ■ Assessing the impact of losses or damage to the assets in question Identification of vulnerabilities Identification of sources of threat Selection of the appropriate control techniques Assessment of the residual risk after the control techniques have been applied CONTROL TECHNIQUES Information assets security can be enhanced by a variety of techniques including preventative controls, access controls, and use of appropriate technology. ch26_4768 1/8/07 3:19 PM Page 301 Information Assets Security Management 301 Procedural controls will be implemented within both the IT area as well as the user operating environment. It is the combination of specific control elements that overall achieve an adequate security architecture. This would typically include the elements of workstation security, communications security including both encryption and message authentication, as well as reconciliations and general business controls such as segregation of duties and use of authorizations. WORKSTATION SECURITY At the physical level we would seek that the workstation be located in a secure area with limited access and be hazard protected against threats such as fire, dust, electrical surge, or even theft. At the logical level, controls such as restricting the number of users and restricting authority levels, when coupled with adequate user authentication, would be sought. PHYSICAL SECURITY Physical security itself goes beyond simple protection against workplace hazards and includes unauthorized access to hardware, software, and documentation. Authorization procedures must be protected to prevent abuse as must originating transactions and outputs. In many organizations physical security falls below acceptable standards. LOGICAL SECURITY Logical security involves determining who can go where and whether they are authorized. This means that identification of users as well as authentication of users is a prerequisite for any subsequent security measures such as determining the authority level of users. User access should be granted on a strict need-to-have basis and access rights must be kept current at all times. This includes both local and remote users and involves ensuring a highly effective mechanism exists for both original authorization as well as the authorization for changes of users. ch26_4768 1/8/07 3:19 PM Page 302 302 PROTECTION OF INFORMATION ASSETS USER AUTHENTICATION User authentication involves gaining of assurance that a user is who he says he is. Users may be authenticated by a variety of techniques as detailed in Chapter 27. COMMUNICATIONS SECURITY Data that is communicated between two computers or between a workstation and a computer must be secured against eavesdropping or even manipulation. This means a combination of securing the communication medium, which could be cables, fiber optics, or even satellite; securing the message, commonly encrypted; and message authentication. ENCRYPTION Cryptography is the name given to the use of mathematical algorithms to transform data. Its primary use is the protection of information and it is a fundamental tool used in underpinning many aspects of computer security including data confidentiality, data integrity, user authentication, and electronic signatures. Under this heading, we may see that encryption is a technique whereby a message is rendered unreadable by scrambling up the data (“encrypting” it) in such a way that the legitimate recipient can unscramble or “decrypt” the message easily, but an unauthorized recipient would only see garbage. Encryption is probably the most common form of protection and conceals the content of the message. It also makes undetected message corruption difficult. It should be noted that it may be illegal in certain countries to encrypt data on the normal telephone lines, or Public Switched Network to give them their correct title. In such cases, encryption may be permitted subject to the decryption keys having been provided to escrow agents where, with the application of the appropriate law or court order, law enforcement officers can gain access to decrypt if required. To avoid abuse, keys may be split and given to several escrow agents. ch26_4768 1/8/07 3:19 PM Page 303 Information Assets Security Management 303 Many common commercial encryption products are based on DES (Data Encryption Standard, a U.S. licensed product) although many Internet encryption products are based on the two-key or public key system. Encryption does not prevent message destruction/loss or knowledge of the fact that there was a message. Nor does it have any effect on message inaccuracy, incompleteness, or untimeliness. Encryption, therefore, must be seen as only one of a variety of control techniques required. HOW ENCRYPTION WORKS There are two essential components in encryption, namely an algorithm (mathematical formula) and a key (randomizer). There are many techniques that are used in combination in order to achieve effective encryption. Perhaps the simplest is the Caesar shift attributed to Julius Caesar. In this technique, the alphabet is written down. Beneath it a second alphabet is written but offset left or right by a specific number of characters. The letters to be converted are located on the top alphabet and read off of the underneath alphabet. In the following example the word BED on the top line translates to EHG on the bottom line. A B C D E F G H ..... X Y Z D E F G H I J K ...... A B C As long as the recipient knows which direction to move the second alphabet and by how many letters, the message can be decrypted by reversing the process. The second common technique is the use of a transposition cypher. In this case the message is split into five-letter groups and the order of the letters in each group switched. Again if the recipient knows the order of switching, decryption is simple. Other techniques such as railfence cyphers exist but are not commonly used. Unfortunately, this simplistic form of cryptography is vulnerable to letter-frequency analysis because each letter in a piece of text has a known frequency of use in every language. In addition letter combinations can also be detected and decrypted. As a result a methodology is required to randomize the output of the encryption in such a ch26_4768 1/8/07 3:19 PM Page 304 304 PROTECTION OF INFORMATION ASSETS manner that it is easy to decrypt but difficult to crack. This is done using a secret key as a randomizer into the algorithm. There are two primary types of key systems. Single key systems (symmetric encryption) use one single key to encrypt and decrypt. In this type of system both the encryptor and decryptor must know the key because it is the same key. Where, for example, the file is encrypted on a computer disk, this form of encryption can be highly effective. Probably the best known single key system is the Data Encryption Standard (DES), published by NIST as Federal Information Processing Standard (FIPS) 46-2 (1993). DES remains the most widely accepted symmetric encryption system and is the standard against which other single key systems are measured. Where the purpose of encryption is to conceal the contents of a message sent between two individuals, this is less satisfactory because knowing the key in two places doubles the chance of an unauthorized outsider gaining access to the key. In this situation, the two key or public key system (asymmetric system) is normally more effective. Using this methodology, one key (A) is used to encrypt the message and the other (B) to decrypt it. The process may be reversed using key (B) to encrypt and key (A) to decrypt. It is impossible in a public key system to encrypt and decrypt the same message with either (A) or (B). Using this technique, an individual or organization can place one key in the public domain while retaining the second key as a secret key. Any message sent to the individual would be encrypted using the public key but only the individual could decrypt it using the private key. By reversing the process, an individual can encrypt using the private key, attach his or her identification and send the encrypted message to a second party. The second party can read the identification of the sender, look up the public key, and decrypt. Any individual intercepting the message could do the same but only the originator could have sent it. Using combinations of single and double public key systems, end-to-end authentication can be achieved such that only one person could have sent the message and only one person could receive it. ENCRYPTION WEAKNESSES While it is an important control mechanism, it should not be assumed that encryption automatically gives acceptable levels of security. ch26_4768 1/8/07 3:19 PM Page 305 Information Assets Security Management 305 Encryption techniques suffer from several potential weaknesses including the length of key. The key must be long enough to be difficult to guess, but short enough to be efficient in use. Management of a key may be a problem, particularly in a single key system where both communicating parties must know the key. Availability of algorithms makes secure encryption difficult. Most of the commonly used algorithms are published and available. The latest high-security algorithms are classified as highly confidential and, in the United States, there are severe penalties for leaking such information. The reversibility of cyphertext is a balancing act between efficient encryption and effective encryption. Easily reversed cyphertext is highly efficient but not very effective and vice versa. Another problem of a management nature is the use of common words as encrypted passwords. This makes the encryption breakable not by guessing the word, but by repeating the process with a dictionary and seeking matching encrypted results. POTENTIAL ENCRYPTION Encryption is used to protect data inside as well as outside the boundaries of a specific computer environment. While it remains within the organization, the data is directly under its control and a variety of control techniques will be used. Once it is placed on communication lines, however, logical and physical access controls cease to be effective and data encryption may be the only choice. It should be noted that encryption is not a technique used exclusively for communication. Sensitive data on disk may be encrypted as well as communications from terminal to modem, modem to carrier, and carrier onward. DATA INTEGRITY Within a conventional computer system, it is bordering on the impossible to recognize whether data has been changed, added, or erased without first taking precautions to ensure that such modification would be detected. For example, “problems were found in purchasing” in an audit report could be modified to “no problems were found in purchasing.” Controls do exist to detect such eventualities (cyclic ch26_4768 1/8/07 3:19 PM Page 306 306 PROTECTION OF INFORMATION ASSETS redundancy checks and the like) but cryptography can be an effective control to prevent undetected modification. It cannot prevent the modification from occurring but, should it occur, the data will not decrypt and therefore will be immediately recognized that modification has taken place. Where cryptography fails in maintaining data integrity is where a data file has been completely removed. Under these circumstances, other control mechanisms to verify the integrity of complete disks or disk volumes may be required. When the integrity relates to transmitted messages, cryptography can be used to derive a message authentication code (MAC) from the clear text itself and appended to the data. This may be for all transmitted data or it may involve key fields only. At the other end, the MAC can be re-derived and compared to the one sent. If the two codes are identical, end-to-end message integrity can be assured. A variation on this is the use of public key cryptography to verify the integrity by creating a secure hash or message digest. The hash is an abbreviated form of the message in encrypted format, which is then signed with a private key. Anyone receiving the message can recalculate the hash and then use the appropriate public key to verify the integrity of the message. If the two values match, the recipient can have a degree of confidence that the message arrived uncorrupted although not necessarily unread. DOUBLE PUBLIC KEY ENCRYPTION This is a more advanced form of a two-key crypto system that is used where the highest levels of communications security are desired. In this form, the plain text is encrypted with sender’s private key (only the sender could have encrypted and sent). The sender then attaches their identification. The whole message is then re-encrypted using the receiver’s public key and transmitted. When received, the receiver decrypts using his private key (only the receiver could decrypt). The receiver now sees the original message still encrypted with the sender’s key, but also sees the sender’s identification in clear. With this information, the receiver can identify the sender and look up the public key. The receiver can then decrypt the sender’s message using his public key. This gives assurance that only the sender could have sent, only ch26_4768 1/8/07 3:19 PM Page 307 Information Assets Security Management 307 the receiver could receive. This is known as end-to-end message authentication. STEGANOGRAPHY Steganography has been defined as “the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message; this is in contrast to cryptography, where the existence of the message itself is not disguised, but the content is obscured.”2 This involves the hiding of information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images. Thus, it is possible to hide a confidential, encrypted message within an innocuous photograph and send that as an e-mail attachment to a third party. Without knowledge that the photograph contains the message, it is unlikely that an interceptor would even know that such a message existed. The genuine recipient would be in a position to extract the message and, using the appropriate key, to decrypt it. This has the added advantage over cryptography that there is no knowledge that the confidential message exists and therefore no attempt will be made to break into the message. Among its uses is the creation of digital watermarks to be used in electronic copyright protection. These “electronic fingerprints” are then hidden in files so that they appear to be part of the original file and are not easily detected. Should the copyrighted material then appear in an unauthorized place, steps can be taken to prove ownership of the copyright. Alternatively, steganography can be used simply to maintain the confidentiality of valuable information. It is becoming a common technique in countries where encryption is illegal or where the authorities have the legal right to demand the decryption key. Steganography can, however, also be used for unauthorized or illegal purposes. Confidential corporate data could be copied and concealed within a legitimate message and then transmitted in a normal e-mail where a firewall could have identified an unauthorized attachment. In addition, pirate software, pirate music downloads, ch26_4768 1/8/07 3:19 PM Page 308 308 PROTECTION OF INFORMATION ASSETS and unauthorized applications or images can be concealed on corporate information resources. The detection of steganographically encoded packages is not impossible and the simplest method of detecting modified files is to compare them to the originals. This, however, requires that clean copies of the files are available for comparison purposes. If the files containing the packages are not standard files, readily available, it is unlikely that they will have been retained for comparison purposes. INFORMATION SECURITY POLICY In order to have effective and integrated assets security management, an information security policy is required to provide the fundamental guidelines used in assessing the value of the information assets and the impact should an untoward event occur. At the same time, management can express the level of risk they are willing to accept. The corporate policy must spell out in detail: ■ ■ ■ ■ ■ ■ ■ That information is seen to be an important asset of the organization and must be protected as such That in protecting its information assets, the organization will comply with all applicable laws and regulations and will ensure that its employees will do so also That access to information will be granted to individuals as required to perform their business function That the confidentiality of information be maintained whether it concerns personal information on individuals, classified or sensitive information, copyright or intellectual property That information must be appropriately protected against unauthorized modification either on computer systems or in communication That information be available as and when required to support the authorized and the judgment business functions of the organization That appropriate control structures will be implemented to ensure their integrity, confidentiality, and availability of information ch26_4768 1/8/07 3:19 PM Page 309 Information Assets Security Management 309 For such a policy to be effective, organizational commitment to enforcement is critical from the highest level to the lowest and enforcement must be seen to be effective. ENDNOTES 1. National Institute of Standards and Technology: http://csrc.nist .gov/policies/FISMA-final.pdf. 2. Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/ Steganography. ch27_4768 1/8/07 3:21 PM Page 310 CHAPTER 27 Logical Information Technology Security n this chapter, logical access control issues and exposures are explored together with access control software. The auditing of logical access to ensure the adequate control of logical security risks using the appropriate logical security features, tools, and procedures are also detailed. I COMPUTER OPERATING SYSTEMS In the early days of computers, a single group of individuals designed, manufactured, programmed, and operated unique machines. Programming was commonly executed by using plugboards where wires were connected to control the basic functions of the computer. Each individual plugboard was a single program that operated on its own to carry out numerical calculations. By the early 1960s, computers were being manufactured as standard machines to be operated in a standard manner and individual job roles became apparent for operators, systems designers, and programmers. It now became a requirement that computers operate, on an ongoing basis, from application program to application program with minimal operator intervention. Computers were becoming more complex with capabilities such as multiprogramming, time-sharing, virtual memory, and spooling all causing complexities in the normal operations of mainframe computers. To simplify the process, software was written to manage the basic functionality of the computer in a standard format and provide an easier interface to the user-written, application systems. In today’s networking environment, networked operation systems and distributed operating systems are commonplace and auditors 310 ch27_4768 1/8/07 3:21 PM Page 311 Logical Information Technology Security 311 faced with a confusing array of operating environments and technologies. Operating systems can be classified into: ■ ■ ■ ■ ■ ■ Mainframe operating systems. Handling batch processing, transaction processing, and time-sharing Server operating systems. Serving multiple users at once over a network facilitating the sharing of hardware and software resources Multiprocessor operating systems. Also known as parallel computers or multi computers, these are variations on the server operating systems PC operating systems. Intended to provide an easy interface for one single user Embedded operating systems. Designed for palmtop computers and PDAs as well as controlling single devices such as mobile telephones or microwave ovens Smart card operating systems. Primitive operating systems normally handling one single function TAILORING THE OPERATING SYSTEM Operating systems are, by their nature, designed to be all things to all people. In order for them to perform as desired for a specific user they must be tailored to the needs of that user. This is normally done by selecting among potential alternatives using parameters. These parameters can drastically affect the manner in which security is implemented, or is not implemented, within a given operating environment. To a large extent these parameters may be unknown to the user until something goes wrong within the environment. Tailoring the operating system specifically for security goes beyond the scope of this book and is specific to each individual operating environment. Nevertheless, some common fundamentals apply in all operating systems: ■ Only authorized personnel should be capable of changing operating parameters and such changes should be independently scrutinized by a knowledgeable third party. ch27_4768 1/8/07 3:21 PM Page 312 312 ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ PROTECTION OF INFORMATION ASSETS Powerful utilities that run under the control of the operating system should be accessed by limited number of individuals because these can, in some cases, bypass other security features of the operating system or even amend the operating system itself directly. Critical directories should have access restricted in a similar manner. Default users and accounts should either be removed or have their passwords changed immediately upon installation. Certain rights can be granted to individuals that go well beyond the normal scope of user rights and can affect internal functionality of the operating system. Once again, the number of users with these rights should be limited. Appropriate log files should be created and retained to record security events and these log files must be scrutinized on a regular basis. Share permissions granting users and programs access into remote volumes or servers should be restricted on a need-to-have basis. Trust relationships between domains should be minimized to as low a level as possible taking into consideration the practicalities of trusts required. System integrity should be monitored on an ongoing and frequent basis using appropriate software to verify that system configuration parameters, ownerships, permissions, and application software have not been changed maliciously or accidentally. Firewall should be in place to ensure that only authorized accesses are permitted under user access outwards is controlled. Antivirus and malware protection should be utilized to protect the operating system itself against malicious damage. AUDITING THE OPERATING SYSTEM In truth it is unlikely that the auditor will ever actually audit the operating system itself. Rather the auditor will examine the operating environment and the way in which it has been implemented and controlled in order to ensure that the internal controls within that environment function as intended. Appendices D and E give sample audit programs for auditing typical operating environments. ch27_4768 1/8/07 3:21 PM Page 313 Logical Information Technology Security 313 With no computer assistance available, the auditor can still look for normal controls such as segregation of duties, authorization of work, and so forth. It is also possible to seek abnormalities such as excessive machine usage, regular late hours, and the like. A more effective audit will involve using the computer to audit the computer. This will typically involve the use of Computer Assisted Audit Tools (CAATs) using generalized audit software such as IDEA, specialized audit software, or utilities. Prior to the use of such CAATs it is essential that the auditor knows what he or she wants to do. General browsing is expensive, does not inspire confidence and, worst of all, it usually does not work. From your manual audit you should know what you want to look at, where to find it, how to get it, and what you will do with it. Using CAATs in interrogation of files can be highly effective if: ■ ■ ■ You know they have not been doctored You have the right files You know what you are looking at The auditor should always bear in mind the axiom that, to be wise, never believe what the first printout tells you. Ultimately, the auditor is not there to exercise control, the manager is, and the auditor should check the controls the manager relies on. SECURITY Access to computer systems consists of both logical and physical access aspects and must, in general, provide support for: ■ ■ ■ ■ ■ Management Users Data processing Internal audit External auditors and all parties concerned who have an interest. ch27_4768 1/8/07 3:21 PM 314 Page 314 PROTECTION OF INFORMATION ASSETS CRITERIA Hardware, firmware, and software co-exist and the auditor cannot regard one aspect in isolation. It is the interaction of these components that provides complexity and the auditor should look upon access control as a complex exercise in risk management technology. This exercise may be aided by utilizing the features within the operating system itself as well as security software. Packages such as RACF, ACF2, TOP SECRET, and the like exist within the IBM OS/390 operating environment but even librarian packages controlling access to source libraries such as LIBRARIAN or PANVALET may assist. The overall objective is to ensure control over access to data files. This includes the prevention of unauthorized amendments or disclosures and means that access to on-line data files as well as authorization of data file usage and physical security over data files become essential. The usage of standard utility programs to directly access such data files must be controlled whether by authorized users or by the members of the Information Technology (IT) function itself. Functional capabilities within application systems must be segregated which, in turn, means that there must be highly effective user authentication. If there is not a high degree of certainty that a user is who he or she claims to be, then the use of user profiles defining access authorities becomes ineffective. SECURITY SYSTEMS: RESOURCE ACCESS CONTROL FACILITY This IBM-supplied product is designed to run under the control of large-scale operating systems such as OS/390 or VM. The Resource Access Control Facility (RACF) components include the: ■ ■ ■ ■ User profile detailing what resources the user can access User password (hidden) User attributes and authorities Group option to protect all new data sets In addition, there are Connect Profiles and Group Profiles showing what grouping of users exist, who are the members of such groups, ch27_4768 1/8/07 3:21 PM Page 315 Logical Information Technology Security 315 and their authorities. Resource Profiles also exist containing the resource details, owner-user/groups, Universal Access Code (UACC), and authorized users/groups together with their access authorities. RACF profiles may be maintained by the person(s) so authorized in user/group profiles. In these contexts, Users represent individuals, while Connect Profiles associates users and groups and groups consist of one or more users. Resources that can be protected by RACF include: ■ ■ ■ ■ ■ ■ ■ DASD data set DASD or tape volume TSO or IMS terminals IMS and CICS transactions Groups of IMS transactions Specific applications Installation defined resource (e.g., “Fetch”) User attributes that may be assigned include: ■ ■ ■ ■ ■ ■ ■ Special. Full control over RACF profiles Auditor. Full responsibility for auditing security including logging options and auditing options Operations. Any maintenance operation on RACF protected resources such as copy, reorganize, catalog, or scratch CLAUTH. User defined profiles for specified class of resource (user, dataset, tapevol, etc.) GRPACC. Group access to data set created by user ADSP. All permanent DASD data sets automatically defined to RACF REVOKE. Excludes RACF-defined users from accessing Given the power associated with these attributes, Special, Auditor, and Operations should be restricted to a minimum number of persons within the site. AUDITING RACF An audit program to investigate RACF implementation would involve the auditor in several ways: ch27_4768 1/8/07 3:21 PM Page 316 316 ■ ■ ■ ■ ■ ■ ■ ■ PROTECTION OF INFORMATION ASSETS Identify RACF protected resources using printouts from security officer in order to obtain details of: ● RACF options (e.g., security, console, SETROPS, etc.) ● Logging options Record administration procedures for modification, revoking, emergency procedures Identify whether resources subject to audit are protected (e.g., certain data files) Analyze resource profile Identify users/groups of above resources Obtain their attributes/group authorities Evaluate adequacy of security and perform tests Identify who can control the security (e.g., RVARY, SETROPS, new profiles) Other RACF considerations for the auditor to bear in mind are that RACF protection can be “Zapped” using powerful utilities available within the operating environment. RACF “migrates” among multiple CPUs and user access authorities may not be transferable. RACF data sets must be backed up and recovered in order to maintain integrity during recovery. User exits may be present that may reduce RACF’s effectiveness. ACCESS CONTROL FACILITY 2 An alternative security product is Access Control Facility 2 (ACF2), supplied by Computer Associates. Within this software all resources are protected by default when it has been fully installed. ACF2 can run in five separate modes of operation controlled by parameter. These Global Systems Option (GSO) mode options include: ■ ■ ■ ■ ■ Quiet Mode. Disables ACF2 data set rules only Log Mode. Permits access but records the fact Warn Mode. Issues warning but allows access Abort Mode. Logs, issues messages, bars access (default) Rule Mode. Individual access rules are defined Such access rules may be made up of portions of: ch27_4768 1/8/07 3:21 PM Page 317 Logical Information Technology Security ■ ■ ■ ■ ■ ■ 317 Data set names User ID string Volume number Accessing program name Accessing program library name Expiration date of temporary rule TOP SECRET Yet another alternative security product is Top Secret, also supplied by Computer Associates. Within this software all resources are also protected by default when it has been fully installed. Top Secret can run in four separate modes of operation controlled by parameter: ■ ■ ■ ■ Dormant Mode. The system is active but no security checking is done Warn Mode. Checks violations and logs them but does not prevent them Implement Mode. Operates as in Fail for defined users and as in Warn if undefined Fail Mode. All users must be defined and all resources are protected Top Secret is user oriented with the authorities held in an encrypted database. Resource access is by ACID (ACcessor ID) and each user has an ACID. Under Top Secret all resources must be owned and there can only be one owner. When operating in full (Fail) mode protection is by default for all methods of access to all DASD data sets. All other resources are protected on an exception basis. From these it can be seen that a security package, while assisting in increasing security levels, is not a universal panacea for all security problems. In order for such a package to be even minimally effective, there is a need for security administration procedures for the establishment/modification/bypassing/emergencies/ revoking of protection and the security profiles must themselves be protected. ch27_4768 1/8/07 3:21 PM Page 318 318 PROTECTION OF INFORMATION ASSETS USER AUTHENTICATION User authentication involves gaining of assurance that a user is who he or she claims to be. This is fundamental to any internal control because the segregation of incompatible duties relies upon knowing who the persons performing those duties are. While no authentication method is foolproof, in general terms, users may be authenticated by: ■ Something they know. Authentication based upon knowledge commonly involves the use of Personal Identity Numbers (PINs), which are normally short and frequently written down. Passwords are probably still the most common form of knowledgebased authentication used within computer systems today. Passwords may be any combination of letters, digits, or special characters but should in general be: ● Hard to guess ● Easy to remember ● Well guarded ● Frequently changed Passwords are the most common form of user authentication but suffer from some major drawbacks: ● The initial password assignment can be a problem in that, if users are not forced to change the initial password, the password will commonly remain unchanged and therefore be known to the security administrator. ● The system must hold a password file somewhere within itself. If this password file is not adequately protected, it becomes a separate source of vulnerability within the system. ● Users must remember their passwords and this leads to short, easily guessed passwords. Longer or more difficult passwords are commonly written down and kept near the terminal where they are needed. ● Passwords must be changed periodically to be a effective control. Passwords that remain unchanged for an excessive period of time will frequently become common knowledge. ● Users must enter their password into the system and these passwords can be obtained through the simple expedient of looking over the password holder’s shoulder as it is entered. ch27_4768 1/8/07 3:21 PM Page 319 Logical Information Technology Security 319 In a well-designed password system the default password must be changed by the user before it can be used. Password changes must be system enforced and must exclude previous passwords. Passwords over communication lines must always be encrypted. Passwords must be of a minimum length, contain at least one alpha and one numeric character, and never be displayed on the screen. Something they have. These are typically hand-held devices such as Smartcards, Microchip cards, or Laser cards, which contain User Identification parameters. These operate in challenge and response mode in that they are used to establish an interactive session with additional random challenges being issued and requiring that a response be keyed into the device. To be effective, the device must be secured at the user end. It should be emphasized that such authentication will not protect privacy and will not prevent the taking over of a session. Something they are. Biometric measurement is based on physical characteristics of the computer user and may include the use of techniques such as: ● Fingerprint scanning ● Voice recognition ● Optical scanning ● Holographic recognition ● Signature recognition ● Password entry rhythm ● ■ ■ Biometrics are highly effective as an authentication technique, particularly when combined with other authentication techniques but have a significant drawback in that, should the biometric authentication be compromised, the user may have no way of modifying the authentication. BYPASS MECHANISMS User authentication is intended to gain assurance that a user is who he or she claims to be. Such security controls may be circumvented by mechanisms such as trapdoors/backdoors. ch27_4768 1/8/07 320 3:21 PM Page 320 PROTECTION OF INFORMATION ASSETS These software loopholes are deliberately left in systems to permit entry in an unauthorized manner. They are normally hidden and used when needed; however, anyone can use them if they are aware of them and know how to activate them. Such bypass mechanisms are very popular in mainframe environments and are normally introduced by insiders. Several reasons are given for needing trapdoors. The systems programmers may claim to need to modify the operating system without restarting the computer. They may want to issue operator commands from a user or programmer terminal or even require unlimited access at 3 A.M. Generally these are not a good idea for several reasons. Backdoors may be found by the wrong persons who trip over them and, because there is usually no built-in security, all access controls may be bypassed. Under normal circumstances, all systems maintenance should, at all times, go through change control as normal. In addition, the machine should be operated by the operators and no one else, and the security system should not be bypassed at will. ch28_4768 1/8/07 3:22 PM Page 321 CHAPTER 28 Applied Information Technology Security his chapter looks at the application of Information Technology (IT) security including communications and network security. The principles of network security, client-server, Internet and web-based services, and firewall security systems are all detailed together with connectivity protection resources such as cryptography, digital signatures, digital certificates, and key management policies. IT security also encompasses the use of intrusion detections systems and the proper implementation of mainframe security facilities. T COMMUNICATIONS AND NETWORK SECURITY In considering how a network security should be implemented, one of the most difficult areas to establish is exactly where the network starts and ends. For many organizations, this is where primary security is established with a “peripheral” defense. In the same manner as a peripheral defense over the physical building, network peripheral defenses work on the basis of having a limited number of entry points, each securely guarded. Unfortunately not all networks work in the same manner and most have considerably more entry points than a normal building. In addition, this form of defense suffers from the same deficiencies as a peripheral defense around a building in that, once inside the building, it is assumed that the intruder has a right to be there and, in many cases, no further security checks are done. Another parallel can be found between the security checkpoint at the entrance to a building and the firewall on the network. In both cases it is commonly assumed that they are 100% effective and that every enterer who manages to pass this point has a right to be wherever they 321 ch28_4768 1/8/07 3:22 PM Page 322 322 PROTECTION OF INFORMATION ASSETS are. It is also assumed that all threats are external in origin and that there are no significant security threats originating from an internal source. Before any such assumption can be made a security risk analysis is required. As with all controls, the control objectives and risks faced must be clearly understood prior to the design of an effective control environment. Assets at risk must be identified and the sources of risk understood so that a structure of controls can be developed to specifically address both the likelihood and impact of potential vulnerabilities. As discussed in Chapter 6, risk management can take a variety of forms and utilize different techniques and can never be 100% effective in identifying all possible risks. Nevertheless an effective security risk assessment can go a long way toward identifying significant security risks and assisting in the development of appropriate control structures. Common risks organization may face from failures of network security include: ■ ■ ■ ■ ■ Loss of reputation Loss of confidentiality Loss of information integrity User authentication failure System unavailability These risks, considered at a detailed level and rated based on the organizational criticality of the assets, are risks that can be used to identify the appropriate control mechanisms to secure communications and networks. After individual risks have been identified and classified according to their nature and threat potential, security strategies can be developed to ensure that the assets required to support the business functionality of the organization are adequately protected. Solutions can be implemented that test individual workstations (the organization’s own as well as those employed by outsiders including those connected via wireless connection and employees’ home computers) for compliance with the organization’s security policies including the use of firewalls, operating system patches, security settings, antivirus, and malware protection software. Workstations that satisfy the security requirements are initially granted access to the network but may be re-tested during the connection to ensure ch28_4768 1/8/07 3:22 PM Page 323 Applied Information Technology Security 323 ongoing compliance. Workstations that fail security testing may be quarantined from the network. NETWORK PROTECTION In the early days of networking, computer networks involved the connection of several computers into one single network. In today’s environment networking encompasses networks of networks encompassing hundreds or even thousands of individual workstations. In order to avoid requiring each individual user to sign on to each individual workstation in the network, systems of trust zones have developed whereby large networks can be subdivided into logical zones based upon the degree of control that the organization can directly exert on that specific zone. As a result, individual parts of networks can be classified as: ■ ■ ■ ■ Network areas containing sensitive systems with all accesses falling under the direct control of the organization where users and systems can be validated and authenticated to the degree specified by the organization with authority levels and access rights also being under direct control. Unauthorized access in such an area could be highly detrimental to the organization and as such, this area of the network would be seen as hostile zones. Network areas that contain information resources which are open to the public but which require user identification and authentication would be seen as untrusted zones. Network areas that contain information resources which are open to be restricted number of authorized outside users who are identified and authenticated would be seen as semitrusted zones. Network areas with no outside access containing systems requiring full access by internal users and systems who can be validated and controlled directly under the authority of the organization would normally be seen as trusted zones. Within the individual zones, security requirements can be well defined and appropriate controls implemented but it is in the intermixing of trust zones that network security starts to take on an enormous degree of complexity. Wherever there is a doubt regarding the interfacing of zones, the safe assumption is that the zone from where ch28_4768 1/8/07 324 3:22 PM Page 324 PROTECTION OF INFORMATION ASSETS a connection originates is of a lower security level and the zone being connected to the security must be enforced with this in mind. It should always be borne in mind that any network security is as strong as its weakest link and that all workstations on a network should utilize a secure operating system. Many operating systems are intrinsically insecure and even those that can be secured are frequently implemented in an insecure manner. In those network areas exposed to greater threats the operating environment may require further strengthening to make them hardened operating environments. HARDENING THE OPERATING ENVIRONMENT Where high-value information assets are at risk or where there is a high degree of unrestricted access, attention should be paid to the degree of insecurities commonly found in standard operating environments. Modern operating systems come complete with a variety of sophisticated security capabilities but initially that is all they are, capabilities. For these to become effective controls, thought must be given to those services and network ports actually required and all those not required should either be eliminated at the workstation or filtered at the firewall. Many of these services permit the use of unencrypted protocols such as FTP or TELNET, which can, if uncontrolled, facilitate “sniffer” attacks for electronic eavesdropping on network traffic. In addition, the use of Anonymous FTP can enable an unknown outsider to download confidential information from a server and its use should be discontinued wherever possible. Today’s operating systems are continually upgraded by the vendors of the software in the form of service packs and software patches available online. Where such updates are security related, it is the responsibility of the network administrator to decide whether a given patch is appropriate for the network and to ensure that it is applied within the appropriate operating systems. Default system accounts and passwords should either be renamed, disabled if not in use, or removed where possible. Default passwords should always be changed and no account should be accessible without the use of a password. Where guest accounts are specifically desired without password control, care should be taken to ensure that network access permissions are kept to a minimum. ch28_4768 1/8/07 3:22 PM Page 325 Applied Information Technology Security 325 The easiest way to share resources on a network is simply to give everyone access to everything, which completely eliminates any security protection the organization thought it could rely on. All directory and file permissions on each machine should be reviewed periodically and the permissions granted adjusted according to the criticality and sensitivity of information held at the particular machine. Access should be granted on a “need-to-have” or “least privilege” basis where users are granted access only to those assets and functions actually required in order to perform the activities authorized by the organization. In order to effectively implement such access control, the users’ functional requirements within the business itself must be subject to a segregation of duties analysis in order to ensure that one individual cannot carry out incompatible duties. It is not possible to enforce an appropriate least privilege environment within the computer where segregation of duties does not exist within the business. Antivirus and malware protection software is generally available on most networked computer systems but not all systems are kept up to date with the latest virus and malware definitions. Additionally, many systems have the software installed but not in active use with the usage being at the discretion of the workstation user who may or may not be security aware. Detective controls involving the use of system log files can facilitate intrusion detection as well as network recovery after an untoward event. For such log files to be effective they must be scrutinized on a regular basis for any abnormalities and retain for sufficient time for such abnormalities to become apparent. Access to these logs must be restricted to the individuals authorized to scrutinize them and update access should be barred to all users. CLIENT SERVER AND OTHER ENVIRONMENTS Client server is an architecture in which the functionality and processing of a system are split between the client workstation and a database server. The client and the server are separated both physically and logically and it is the client-server system that coordinates the work of both of these components to complete assigned functions. This separation facilitates the mixture of hardware and operating ch28_4768 1/8/07 326 3:22 PM Page 326 PROTECTION OF INFORMATION ASSETS environments. It is the distribution of functionality in client-server systems that increases the vulnerability of the systems to viruses, fraud, and misuse with the cost of security being balanced against the cost to the organization in system corruption. In many client-server environments, the network component remains largely insecure on the assumption that identification and authentication take place at the workstation and logical access restrictions takes place at the client with no possible security implications on the network. The problem is compounded when a single login is used to access all servers on the network. This is commonly done for customer convenience but, once again, electronic eavesdropping on the network can occur using packet sniffers to breach confidentiality or to gain passwords so that direct access into the server may be obtained. As with many intranetwork communications, encryption is a badly neglected control that could obviate many of these risks. A common risk in client-server environments is that management places reliance on a single individual in charge of administrating the security of the environment. This reliance may put the organization at risk of loss of a key individual should the person move on to another organization or at risk to potential incompetence or dishonesty on the part of the administrator. FIREWALLS AND OTHER PROTECTION RESOURCES Firewalls are designed to control access to and from a given network and ensure the old connections pass through the firewall where they can be examined and evaluated against a networks access policies. A firewall provides an organization with a mechanism for implementing and enforcing network access security policies by providing access to control both users and services. It is therefore an enforcement mechanism transforming directive but discretionary controls into preventative controls. Used correctly, firewalls can greatly enhance network security by filtering those services that are inherently insecure in order to prevent services from being exploited by unauthorized outsiders while still enabling the authorized use of such services. This can significantly enhance privacy by preventing outsiders from obtaining information about the site or the uses of the site using services such as finger, ch28_4768 1/8/07 3:22 PM Page 327 Applied Information Technology Security 327 which can be used to display information about users within a site. They can also control access in both directions in order to bar inward access to unknown outsiders or to bar outward access to unauthorized sites. In addition, firewalls can record information regarding accesses, invalid access attempts, and statistics on network usage. Depending on the firewall selected, intruder detection of probes or attacks can trigger alarms to the security administrator. From this it should not be assumed that firewalls are the ultimate in protection and no other mechanisms required. Many organizations have a network structure that is not conducive to the implementation of a firewall. Under these circumstances, implementation of an appropriate file may require significant restructuring at considerable cost and inconvenience. In this instance the organization may decide to select a control mechanism other than the standard firewall implementation. In addition, where a firewall is used as a funnel for all access to the Internet, there is a temptation to assume that all accesses are now protected. In reality, any user with an available modem port can connect to an outside telephone line and connect directly to the Internet thus allowing access into the network behind the firewall. Where an organization uses a solitary firewall access route there is no protection from insider threats behind the firewall. To control these problems, individual firewalls are required on each workstation on the network with appropriate security levels being set. On many networks this is seen to be a major inconvenience to the administrators potentially preventing them from accessing workstations at will. As with any other protection mechanism, one disadvantage of a firewall that will eventually be felt is that it can block a service that, sooner or later, the user will wish to use. For a firewall to be truly effective, authentication beyond a simple password is required and organizations are increasingly looking toward the use of digital signatures and digital certificates. Digital Signatures A digital signature uses similar technology to asymmetric encryption in that the “signature” is a mathematical summary (hash) of the information encrypted using the equivalent of the signer’s private key. ch28_4768 1/8/07 3:22 PM Page 328 328 PROTECTION OF INFORMATION ASSETS Once received, the message is rehashed by the receiver. The attached message hash is then decrypted using the sender’s public key and, should the two hashes match, the receiver can accept that only the sender could have sent the message and it has not been tampered with. Digital signatures do not conceal the content of messages because the message itself is not encrypted but nevertheless, where assurance is required that the message came from an authenticated source; digital signatures can be an effective enhancement of communication authentication. Within internal networks, digital signatures can be used as a stronger authentication method than handwritten signatures. Documents with signatures written on them can be photocopied or scanned and the message altered. With digital signatures such alteration would be immediately noticeable because the two hashes would not match. Digital Certificates A digital certificate is an electronic verification issued and digitally signed by a certification authority (CA). These certification authorities utilize public key infrastructures (PKIs) and issue digital certificates indicating the certification of an organization’s or individual’s public key together with the privileges for which the certificate’s holder has been certified. In order for a public key to be certified, the perspective subscriber registers his or her public key with the certification authority and requests a certificate. After approval, a certificate is generated and issued to the subscriber. This means that, within an electronic commerce environment, all parties participating in transactions are able to positively identify the other parties with whom they are dealing. When transactions involving millions of dollars occur via the Internet it is critical that the authenticity of identities claimed be confirmed. Use of the certificates is not, however, limited to Internet transactions of an e-commerce nature. Any electronic communication, where the authenticity of the transmitter is critical, can make use of digital certificates. Within the internal network they can be used to control logical access while digital certificates stored on smart cards can be used to restrict physical access to controlled areas. ch28_4768 1/8/07 3:22 PM Page 329 Applied Information Technology Security 329 INTRUSION DETECTION SYSTEMS Notwithstanding all of the controls previously noted, from time to time attempts may be made to breach network security and these can be detected using an appropriate intrusion detection system (IDS). Early versions of these generally functioned in a similar manner to antivirus software in that they retained a database of common attack patterns and monitored the network seeking these patterns. This method of pattern seeking has a fundamental flaw in that, should the attack be indistinguishable from conventional network traffic, it may be overlooked. More advanced IDSs are based on anomaly detection seeking network activity that is different from the normal pattern. As far back as 1987 Dorothy Denning described a “model of a real-time intrusiondetection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse.” 1 Where an earlier IDS would typically use a predefined set of rules or filters designed to trap a specific, malicious event, an IDS with anomaly works from a baseline of “normal” activity. Any behavior that deviates from the baseline is identified and reported. Denning’s original model used statistical analysis to identify deviant behavior. Other models attempt to use a logic-based description of expected behavior to identify “normal” activity identified in a rules database. These intrusion-detection systems and anomaly detection systems, used in conjunction with firewalls, can create effective defense mechanisms for both networks and hosts. ENDNOTE 1. Dorothy Denning, An Intrusion-Detection Model, IEEE Symposium on Security and Privacy, February 1987. ch29_4768 1/8/07 3:23 PM Page 330 CHAPTER 29 Physical and Environmental Security n this chapter, we will examine physical security, with respect to Information Technology (IT), which refers to the safeguarding of the hardware, buildings, and media containing the data and programs, as well as the infrastructure used to support the processing of data. Physical security encompasses control measures to mitigate the risks of natural events (e.g., flood, earthquake, severe weather conditions) as well as man-made problems (e.g., fire, destruction, theft, civil unrest). Environmental security encompasses the support structures that are the foundations of the physical environment including power, air conditioning, heating, and lighting. Controls must be appropriate to the threats faced and therefore physical security becomes dictated by the risks in the environment. These can be broadly categorized into: I ■ 330 Physical damage and destruction. This type of damage could be temporary or permanent and may require repair or replacement of the system components affected. As in any control environment, a combination of preventative, detective, and corrective controls will be required to adequately offset the impact of physical damage and destruction. Damage could be accidental as a result of a natural event and could range from minor (such as physical damage to a data medium where a backup is available) to catastrophic (such as physical damage to the whole installation and its personnel with no hope of an immediate recovery). Alternatively, physical damage can come about as a result of direct malicious activity either from insiders or from individuals outside the organization. A common result of physical damage may be ch29_4768 1/8/07 3:23 PM Page 331 Physical and Environmental Security ■ ■ 331 short- or long-term disruption of the delivery of information services. The extent of potential losses, and therefore the degree of control desirable, will be dependent upon the duration of the interruption as well as the criticality of the service interrupted. Theft of equipment. It is not unheard of for mainframe computers to go missing over the weekend from a secured corporate building, but theft of network servers, workstations, and notebook computers are commonplace as are thefts of individual components such as hard disks, computer memory, and even the humble mouse. As with any corporate asset, computer equipment must be protected against direct physical theft. Loss of data confidentiality. Confidentiality may be lost when physical control over confidential outputs becomes degraded. Information outputs that may be classed as confidential or even corporate critical can frequently be found thrown out with the trash or even donated to a local children’s play group so that the reverse side can be used as scrap paper. With the advent of portable, lightweight computers, theft, not only of the information but of the computer containing it, has become common. In many cases where laptop computers have been stolen it is assumed that the thief was after the computer itself. This may indeed be the case but as a byproduct the thief has also acquired a rich source of potentially damaging and confidential information. The days in which theft of information meant the theft of filing cabinets are long gone and today’s information thief can obtain all that is required using a DVD burner or even a memory stick. All that is then required is physical access to the network on which the required information is stored. Again, a common source for loss of data confidentiality is theft of backup copies of media. Even communication lines are vulnerable to attack if physical access can be gained. When problems are encountered in the use of computer equipment, it is common to either call in the experts or hand over the offending system to them. This is effectively placing physical control of the hardware containing sensitive corporate information in the hands of strangers with little or no way of knowing whether confidentiality is breached and sensitive information viewed or even copied. ch29_4768 1/8/07 3:23 PM Page 332 332 PROTECTION OF INFORMATION ASSETS In all cases the design of an appropriate control system will depend upon management’s perceptions of where the losses are most likely to occur and which would involve most corporate pain. CONTROL MECHANISMS Physical Access Control Physical access controls are intended to manage the movements of personnel, media, and hardware in and out of a controlled area as well as within that area. Controls may include: ■ ■ ■ ■ Identification of the risk areas within the computer environment that require higher levels of access control so that access may be granted, once again, on a need-to-have basis. Adequate peripheral protection in the form of fences and walls with restricted points of access and control measures such as scanning for undesirable items being taken in including explosives, firearms, as well as computer hardware not belonging to, and therefore not under the control of, the organization. Card or biometric access systems and closed circuit television monitoring would typically be used. Locks on doors normally take the form of the traditional key locks, card locks, combination locks, or biometric locks. Both key and card locks are dependent upon the physical security and restricted number of the keys and cards respectively that have been issued. Card locks are also vulnerable to the individual entering through some form of turnstile and passing the card to a second person who then reuses it to gain entry. Combination locks, while seeming more secure, are vulnerable to simple observation. In some instances it has been noted that closed circuit television cameras have been directed at the locks and are recording all combinations entered. Biometric locks, such as those containing thumbprints scanners, provide a higher level of access security but even they, in common with all locked doors, suffer from the problem of one person opening the door and three people entering. A formal identity card system in use with strangers in an area challenged by staff members to produce identification. ch29_4768 1/8/07 3:23 PM Page 333 Physical and Environmental Security ■ ■ ■ ■ ■ ■ ■ 333 Identification and access restrictions within those areas containing the support infrastructure such as communication lines, electrical power conduits, source documents, and pre-printed outputs such as checks. Within the area being protected physically, there may be additional areas of even higher security where access can be gained more readily because of being within the outer peripheral defense. In modern office blocks it is common to find prefabricated interior wall panels that can be moved around to suit the office environment but that provide little protection against physical assaults and, in many cases, only go as high as a suspended ceiling. In such a case it is comparatively simple to remove a ceiling tile and go over the wall into the “secure” area. In similar fashion, raised floors are also vulnerable should they extend beyond the peripheral wall. Motion detectors may be used in “lights-out” computer rooms where there is normally no human movement to detect as soon as the periphery is breached. Use of shredders of the appropriate type can ensure that scrap leaving the secured area is not vulnerable to an outsider searching the trash cans. Even DVDs can be passed through the modern shredder although care must be taken where microfilm or microfiche is used to ensure that the shredder reduces the material to a small enough size to be effective as a confidentiality control. Disposal of outdated or obsolete equipment commonly carries with it the risk that the equipment will contain components or information that is confidential to the organization. In the case of disposal of hard disks and other storage media, destruction may be a safer option. When equipment is sent for repair, sensitive media should be removed whenever possible and, if this is not possible, security should be taken into consideration in deciding whether the equipment should in fact be repaired or whether it should be scrapped and replaced. This may seem wasteful but the replacement cost of a hard disk is low while the cost of lost confidentiality could be high. Use of scanners, de-gaussers (which can wipe magnetic media clean), and physical searches may be required to prevent the removal of corporate assets from these closed areas. ch29_4768 1/8/07 3:23 PM Page 334 334 PROTECTION OF INFORMATION ASSETS Environmental Controls In addition to controls governing physical access, controls around the security of the environment to prevent losses due to fires and other hazards are required due to the potential for total destruction of the information processing facility as well as the threat to human life. Heat, smoke, noxious gases, and even damage from fire extinguishers and hoses can all play a role in destroying Information Systems. Fires require three things, namely: 1. Heat. Fire starts when sufficient heat exists to cause a fuel source to burn. Heat can come from a variety of sources such as overloaded electrical systems, poorly stored combustible material, human carelessness, or deliberate intent. 2. Fuel source. With an adequate supply of oxygen, even steel will burn and in most office environments fuel in the form of combustible material such as paper, wooden desks, plastic, and the like are almost inexhaustible. 3. Oxygen. Fires require a replenishing source of oxygen in order to maintain flame. Office air conditioning and open windows can accelerate the flames while automatically shutting down systems and the use of fire retardant materials can slow down the progress of a fire. One area of concern is that many materials within an office environment contain their own source of chemical oxygen so that simply smothering it to remove the oxygen supply is ineffective. Fire prevention works by denying the fire any or all of the three requirements for combustion. Most fire extinguishers work by denying the fire access to oxygen as well as by removing the heat (e.g., water, carbon dioxide, and halon fire extinguishing systems). The fuel source can be denied, in many cases, simply by keeping the environment clean and removing threats from multiple electrical adapters and carelessly stored scrap paper. Where chemical fires are involved, denial of oxygen is more difficult because it requires breaking the chemical chain reaction inducing combustion. The more quickly a fire is detected, the greater the probability that it can be extinguished before significant damage to property or personnel is done. Fire can spread with a speed that astounds most peo- ch29_4768 1/8/07 3:23 PM Page 335 Physical and Environmental Security 335 ple and early detection, combined with some basic firefighting knowledge, can quickly extinguish a small fire before it becomes a large fire. In designing fire control and prevention systems, care should be taken to ensure that the extinguishing of the fire does not create more damage than the fire itself. Water damage from sprinkler systems and use of inappropriate dry-powder fire extinguishing systems on electrical fires may reduce the fire damage overall but may create local problems in the area where the fire originated. Nevertheless, such systems are highly effective in limiting the spread of a fire and protecting human lives. Physical Environmental Controls Information Systems are, to a large extent, dependent upon the physical environment within which they run. Loss of power, and inadequate temperature and humidity control can be highly disruptive if appropriate care is not taken. Because computers, by their nature, require electricity to function, an uninterruptible supply of electricity at a constant voltage and amperage is a prerequisite to smooth functioning of the Information Systems. This can be assured using a variety of manners including use of dedicated power supplies; uninterruptible power supplies (UPS), use of chokes on the power lines to ensure constant voltages, and the use of standby generators in the event of a prolonged power outage. Many modern desktop and notebook computers will run happily in a typical office environment but mainframe computers and more critical servers will require an environment where the temperature is kept within acceptable tolerances and humidity is adequately controlled. Should these systems fail, the information processing will, at best, shut down and at worst may suffer significant permanent damage. Building Collapse Following the events at the World Trade Center on 9/11, structural collapse has come to the fore as a physical threat to computer systems. In reality it has long been a threat due to a variety of causes ch29_4768 1/8/07 3:23 PM Page 336 336 PROTECTION OF INFORMATION ASSETS both natural and manmade. Earth tremors, severe weather conditions such as tornadoes, poorly built structures, and even impacts at ground level have been known to cause a structural collapse of offices containing computer centers. This is before the threat of explosion and terrorism is even considered. As preventative measures, physical security combined with the proper design and construction of buildings remain the strongest defenses while, from a corrective perspective, in the event of a catastrophic collapse the contingency plans (see Chapter 30) come into their own. IMPLEMENTING THE CONTROLS As with all other controls, physical and environmental security controls do not exist in a vacuum. They coexist with, influence, and are influenced by logical security controls and controls surrounding the effectiveness and efficiency of information processing. As with any other control, they consume resources in the forms of labor, machinery, and money. As such, controls in this environment are frequently implemented after a breach of physical and environmental security has occurred when the cost of control can be seen to be justified. Some controls in this environment are required by legislation in particular where human life is at risk so that fire exits, fire escapes, fire detectors, and extinguishing systems are all typically required by law. Other controls are implemented where the cost of not implementing them could prove highly expensive, publicly embarrassing or even life-threatening to the organization. In most cases controls are implemented where the impact is seen to be cost beneficial, that is, where the cost, whether high or low, is significantly offset by the benefit accrued. ch30_4768 1/8/07 3:23 PM Page 337 PART VI Business Continuity and Disaster Recovery 337 ch30_4768 1/8/07 3:23 PM Page 338 ch30_4768 1/8/07 3:23 PM Page 339 CHAPTER 30 Protection of the Information Technology Architecture and Assets: Disaster Recovery Planning or many years, business continuity has been recognized as a fundamental component of management’s role in achieving good corporate governance. This has frequently been confused with the concept of computer Disaster Recovery Planning (DRP) resulting in the responsibility of being seen as belonging to the Information Systems (IS) processing function instead of where it belongs, at the top. It is a management responsibility to ensure that an organization’s business processes that deliver value to its stakeholders will continue to function despite the occurrence of unforeseen circumstances. The Business Continuity Plan (BCP) therefore refers to those activities intended to ensure the ongoing running of the organization during a period of disruption of normal operation Information Technology (IT). DRP refers to those activities required to minimize the disruption on the organization of a loss, short to long term, of information processing facilities. With the complex integration of IT as enabling and driving mechanisms for those business processes, it has become apparent that an organization’s Information Systems are a critical resource, although not the only resource required to ensure business continuity and even corporate survival. Thus the computer disaster recovery plan is a critical component of the overall business continuity plan and sufficient care is required in the production of the DRP to ensure that the risks associated (see Chapter 6) with the IT process are appropriately mitigated. As previously stated, preventative controls are never 100% F 339 ch30_4768 1/8/07 340 3:23 PM Page 340 BUSINESS CONTINUITY AND DISASTER RECOVERY effective and therefore controls must exist to mitigate the effects once an untoward event has occurred. The original concept of the DRP was to maintain a standby hardware platform that could be utilized in the event of something critical happening to the normal site. The standby site could be provided and maintained either by the organization itself or by a third party who would lease time on the site in the event of a disaster. In the days when mainframe computers dominated the business environment, this was seen as an adequate response and degrees of “warmth” of such a site indicated the degrees of readiness. In such a scenario a “hot” site was seen to be one in which the hardware, communications capability, and systems software were all available instantaneously with only the current version of the data files to be restored. The hot site was typically situated close enough to the main site to be of immediate use but far enough away not to be vulnerable to the same physical threats (e.g., flood, earthquake, and the like). A “warm” site consisted of a computer room and computer, perhaps shared, where a disaster would result in the loading of the appropriate operating environment, application systems, and data files so that recovery could take place in an acceptable time frame. A “cold” site consisted of an empty computer room with an agreement contracted with the hardware vendor that, in the event of an emergency, a computer could be supplied quickly and configured appropriately for the organization. Obviously there were degrees of “warmth” between hot and cold that could be tailored to suit the individual requirements of specific organizations. In many cases, combination plans required immediate access to a hot site (expensive) with medium term transfer to a warm or even cold site (considerably cheaper). The proliferation of local area networks (LANs) and client-server environments brought an awareness that the DRP had to cater for not only the mainframe architecture but also the distributed environment increasingly fundamental to the IT viability of an organization. This transition also had to cater to the fact that the hardware itself was increasingly the easiest and quickest item to replace while the communication links and the people to utilize the systems were increasingly more difficult to back up. The increasing awareness of the vulnerability of information processing to natural disasters such as tsunamis and floods as well as dis- ch30_4768 1/8/07 3:23 PM Page 341 Protection of the Information Technology Architecture and Assets 341 asters caused by human beings such as terrorist attacks have caused organizations to rethink the appropriateness of the established solutions and, in some cases, to realize that one DRP may not be enough to cater for all eventualities. RISK REASSESSMENT The foundation of any BCP or DRP is a risk assessment involving the identification and analysis of potential vulnerabilities and threats. As usual, risk assessment begins with the identification and evaluation of the assets and information at risk together with a threat analysis and an evaluation of the effectiveness of the controls intended to mitigate the risk. This results in an identified list of potential threats, the probable likelihood and anticipated exposure, as well as the controls required to mitigate the threats including those corrective controls that will become part of the DRP. From an IT perspective, it also includes the establishment of the impact on the individual parts of the organization of the short-, medium-, and long-term unavailability of any IS resource. This study facilitates the prioritization of the recovery process and the identifications of systems’ inter-relationships including the relationship between clerical systems and computerized systems. DISASTER—BEFORE AND AFTER Perhaps the best prepared organizations are the ones who have lived through a calamity. Among the threats faced by an organization are: ■ ■ ■ ■ ■ ■ ■ ■ ■ Fire Flood Building collapse Explosion Industrial failure Power failure Viruses Deliberate sabotage Computer abuse ch30_4768 1/8/07 3:23 PM Page 342 342 ■ ■ ■ ■ BUSINESS CONTINUITY AND DISASTER RECOVERY Deliberate action by staff “Hacking” into systems Internet penetration Terrorism As can be seen, many of these risks have nothing to do with computer systems but remain for the enterprise as a whole. There is a tendency to focus upon the Information Systems to the exclusion of all else within the organization, and this is as dangerous as not looking at contingency planning at all. Disasters may be looked at in four basic categories: 1. DISASTER A LOSS OF CAUSES People Building Factories Finance Credibility Materials Computers (Permanent loss) Explosion Aircraft crash Total fire Flood Industrial action Earthquake Terrorism and sabotage Economic sanctions 2. DISASTER B LOSS OF CAUSES Hardware Software In-house data (Temporary loss) Explosion Fire Flood Industrial action 3. DISASTER C LOSS OF CAUSES Software and the ability to recover in-house data Explosion Fire Freak atmospheric force Flood Poor operating standards Deliberate destruction Bad systems design ch30_4768 1/8/07 3:23 PM Page 343 Protection of the Information Technology Architecture and Assets 343 4. DISASTER D LOSS OF CAUSES Software: Partial loss only and the inability to recover Poor operating standards Computer operational error Deliberate destruction Bad systems design In all these cases a different approach to recovery planning is required. The plan for evacuation of the building to a new location is inappropriate if the disaster involves the loss of a small but vital file. As such a DRP must be capable of responding to a variety of “disasters” and provide optimal solutions for each. CONSEQUENCES OF DISRUPTION Should disruption occur the consequences may include any or all of: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Loss of revenues Delays in invoicing Lost interest Lost sales Lost future business Incurred costs Extra manning Increased interest on loans Loss of discounts Inefficiency From a production control perspective in a manufacturing company, problems would typically include lost production and schedule disruption, while, from a legal perspective. penalty clauses could jeopardize the whole enterprise. At a minimum there will be ill will generated among customers, shareholders, and staff. Preparedness for a disaster may be categorized as: ■ Poor. Organization highly vulnerable to damage to its data processing capability; could jeopardize corporate survival. ch30_4768 1/8/07 3:23 PM Page 344 344 ■ ■ ■ ■ BUSINESS CONTINUITY AND DISASTER RECOVERY Weak. Disaster would result in conspicuous interruption of IT services; could result in loss of business. Adequate. Organization could recover from the loss of computer capabilities at some cost and public embarrassment. Good. Organization could recover from the loss of computing capability with some cost but little embarrassment. Very Good. Organization is ready for virtually any eventuality. Disaster should have no material effect on the business. WHERE TO START As with any other form of business analysis, the beginning involves understanding the business. In DRP terms this means modelling the business, identifying data flow and dependencies, and identifying the critical systems as well as any dependent systems (including manual systems). Computer system may be identified by types, for example: ■ ■ ■ ■ ■ ■ ■ By operating objectives Centralized Stand-alone Distributed Real time On-line Batch These can then be assigned degrees of priority. Priorities to include: ■ ■ ■ Business loss rating Alternative service level required Maximum down time tolerable Systems may be categorized by the effect of stoppage and by identifying any essential interfacing systems identified (computer and manual). Once systems have been prioritized, all systems, including manual systems, must be documented. Relationships must be identified and the effect of stoppage quantified. ch30_4768 1/8/07 3:23 PM Page 345 Protection of the Information Technology Architecture and Assets 345 A commonly omitted consideration is ensuring that alternative: ■ ■ ■ ■ ■ Accommodation People Stationery supplies Office equipment Control procedures have been identified and that work in progress has also been considered. Data used within each system needs to be graded by application and therefore by strategic importance as well as by alternate methods of sourcing and degree of pain in loss. In a comprehensive plan data may even be rated by disruption period. Each application is therefore graded although not all of its data is of the same importance. Where unique software has been produced by a third party specifically for the organization, escrow copies may be required to be lodged in case of emergencies. For recovery purposes it is important to establish: ■ ■ ■ ■ ■ ■ ■ The minimum configuration required Whether continuity agreements with vendors exist If backup procedures have been agreed If there is compatibility of equipment If there is compatibility of firmware If security arrangements have been agreed If testing of hardware backup arrangements is carried out regularly (and successfully) In addition controls such as redundant hardware, that is, hardware in excess of current requirements, dual controllers for peripheral devices, switchable communications capabilities, and duplicated communications lines should be considered. Uninterruptible Power Supply (UPS) systems and standby generators may assist in preventing power problems from becoming fully fledged disasters. TESTING THE PLAN In order to carry out a successful test of the plan, management needs must be fully defined and approved. The plan must cover all in-house ch30_4768 1/8/07 3:23 PM Page 346 346 BUSINESS CONTINUITY AND DISASTER RECOVERY and third-party risks and define all “retained” risks and testing should be as realistic as possible. A full-scale test would normally involve management and the users as well as IT personnel. Effective recovery does not simply mean getting initial systems up and running on the day of the disaster but the achievement of full recovery back to normal working conditions. Certain fundamentals are required to perform any form of recovery such as: ■ ■ ■ ■ ■ Appropriate backups retained for appropriate lengths of time An appropriate hardware configuration including communications An appropriate venue for users in the event of the loss of their normal accommodation Appropriate procedure manuals in sufficient detail for inexperienced staff to carry out recovery Supplies of pre-printed stationery if required including negotiable documents such as checks AUDITING THE PLAN The BCP and DRP will both require reviews by the IT auditor in order to ensure that management has implemented controls to a reasonable level to ensure successful continuity and recovery. As with any other audit, planning of the assignment is critical to successful implementation and, as usual, starts with the business objectives of the function to be reviewed. The audit involves investigating and evaluating the policies, application systems covered, user data defined, hardware required, systems software needed, and the realism of the testing. Overall the auditor must evaluate the probability of successful business continuity. In addition, the confidentiality and integrity of information must be assured throughout the recovery process. There are three main phases within such an audit: 1. Verifying the adequacy of the plan 2. Determining the effectiveness of the implementation of the plan 3. Determining the mechanisms by which the plan is kept up-todate and in line with corporate requirements ch30_4768 1/8/07 3:23 PM Page 347 Protection of the Information Technology Architecture and Assets 347 Verification of the adequacy of the plan is dependent upon the IS Auditor’s familiarity with the business requirements of the organization and the Information Systems in use to support those business requirements. The degree of dependence on information processing of the individual business areas is used to determine the prioritization of the recovery process. The auditor’s objective is to determine whether the plan, as formulated, should give the organization the capability of short-term recovery and eventual return to full operational capability under a variety of circumstances, within a reasonable time scale and at an acceptable cost. This involves identifying management’s evaluation criteria used in developing the plan and matching this against the auditors on knowledge of the business and Information Systems requirements. One of the more critical areas is the assignment of responsibility for control during the process of recovery coupled with the authority to declare an emergency and invoke the plan. Where multiple versions of recovery sites are used, the plan should include procedures to switch from one site to the next as recovery progresses. In most organizations, plans are time dependent with events and actions required within a 12-hour period, a 24-hour period, and a 3day period in the short term. These actions may themselves be calendar dependent because priorities at the start of a financial month may differ from those at the end of the financial month. The effectiveness of the implementation can be measured by examining management’s records of the testing of the plan to ensure its operability and to ensure that the testing has been carried out for a variety of categories of disaster ranging from minimal disruption to full-scale unavailability in as close to a realistic setting as possible. If possible, the auditor should participate in such a test to observe the general effectiveness of testing and how accurately it simulates a genuine disaster. Disaster recovery planning is a dynamic undertaking because the business, the Information Systems, the corporate procedures, and the staff are all changing simultaneously and the plan must be updated with this in mind. As such, management must take great pains to ensure that the plan reflects the current business and Information Technology status and the testing is amended to take this into consideration. The auditor will typically check management’s control ch30_4768 1/8/07 348 3:23 PM Page 348 BUSINESS CONTINUITY AND DISASTER RECOVERY mechanisms to ensure that such changes are fully reflected in both the plan itself and the testing of the plan. Overall, the auditor must also be satisfied that the plan itself will be kept up-to-date and appropriate. This means that the auditor must: ■ ■ ■ ■ Ensure responsibility for plan maintenance Ensure management is kept informed Ensure the master copy of the plan is secure Ensure distributed copies are kept up-to-date and secure Although the plan is intended as a last resort in the event of a system catastrophe occurring, it should not be seen as the only control over business continuity. Preventative controls to minimize the likelihood of system catastrophe occurring should be a priority with management. ch31_4768 1/8/07 3:24 PM Page 349 CHAPTER 31 Insurance he ultimate control in any event of something untoward happening is the displacement control involving transfer of the risk to a third party through insurance. In many cases this control can cover a variety of threats such as data corruption, viral attack, system crashes, and even strike action. For most organizations, risk management is classed as relative and risks are managed depending on the risk appetite or willingness to accept risk of the parties involved. This is in contrast to the typical IT approach to risk where control is commonly viewed as an absolute. That is either full control or no control and risk is seen as something to be avoided at almost any cost. With the realization that absolute control is neither possible nor even desirable because it is generally within the areas of risk that an organization makes its profits, risk avoidance has given way to risk management where risks are divided into those that are appropriate to control, those that cannot be avoided and must be accepted, and those that remain unacceptable and can be transferred to a third party, normally via an insurance policy. In order for the insurance to be effective, however, the right type of coverage must be obtained. Most insurance policies do not cover maintenance costs or normal wear and tear, but insurance can be sought for losses caused by electrical or mechanical breakdown, fraud and dishonesty, consequential losses, or damage caused through civil unrest. Some insurance policies cover only the hardware and thus if a computer gets stolen or destroyed in a fire the insured can claim for the damages up to the amount detailed in the policy either on a replacement basis or on a depreciated value basis. Unfortunately, the cost of hardware replacement may be the lowest of the costs faced in an emergency situation. T 349 ch31_4768 1/8/07 350 3:24 PM Page 350 BUSINESS CONTINUITY AND DISASTER RECOVERY In the case of laptops and desktop computers, the opportunist thief looks on the computer as ready money, easily removed and sometimes difficult to trace. This is a common problem in business environments, buildings with public access, and increasingly, while mobile computers are in transit. In addition to the risk of theft, users who travel with a laptop to business meetings stand a substantial risk of accidental damage in transit. As a result of this increase in portability key features for insurance over mobile computers include “all risks” covered worldwide with no excess on the policy and no exclusions. Where coverage is required for fraud or consequential lost this must be specifically stated in the policy and an additional premium will normally be charged. For mainframe computers too, insurance is a critical component of the overall control structure. It is tempting to believe that the traditional controls such as firewalls and antivirus software can prevent the logical threats from hackers and viruses, but no such protection is 100% foolproof and a long stop displacement control is critical in the event of problems. Subject to certain safeguards, organizations such as Lloyd’s of London will offer insurance coverage running into hundreds of millions of dollars in the event of catastrophic breaches of security or availability. Despite all of management’s attempts to ensure computer security, businesses are increasingly reporting deliberate and successful attacks including denial of service attacks, outside penetration of secured systems, data network sabotage, and insider financial fraud. While computer insurance is not cheap, the cost to the organization of such a successful attack without adequate insurance coverage could threaten the ongoing viability of the company. Some non-specialized insurance policies pay computer losses under standard commercial loss-of-business or act-of-vandalism clauses, but to address specific risks policies must be written to specifically cover those risks and can attract premiums that may range from $100,000 to $5 million based upon an assessment of risk probability, damage expectation, and the amount of excess negotiated on the policy. One specialized area for E-insurance is the transfer of the risks associated with unauthorized or malicious access to an organization’s information assets. Around the world, privacy legislation is being enacted with severe penalties for organizations whose confidentiality ch31_4768 1/8/07 Insurance 3:24 PM Page 351 351 is breached either on their own computer or while it is in transit. The possibilities of civil or criminal action taken against companies involving fines, penalties, and consequential liabilities as a result of breach of privacy has brought such insurance to the forefront of management’s attention. Insurance can be obtained from reputable underwriters that includes those impacts caused by fraudulent and malicious acts committed by employees or third parties against an insured’s computer systems, the computer programs themselves, or the electronic information and records as well as computer virus attacks that hinder or close down the operations of the insured. Direct or indirect financial losses as a result of fraudulent input into computer systems can be covered, as can losses resulting from accidental alteration or destruction to electronic information and records. Other insurance can cover such risks as: ■ ■ ■ ■ ■ ■ ■ Business interruption and extra expense incurred in the event of a computer virus causing malicious destruction of the contents of a computer system Computer systems liability such as failure to prevent authorized access, denial of service, damage to a third party’s computer system, theft of information, and breach of duty in provision of outsourcing services Loss of intellectual property should trade secrets be copied or recorded Extortion as a result of threats to divulge or utilize information held on the computer systems or even threats to introduce a computer virus or malware into the system Third-party liability such as libel, slander, invasion of privacy, infringement of copyright, plagiarism, and false advertising Expenses for legal fees in defense of a claim Expenses incurred to re-establish corporate reputation and market share in the event of a loss or claim In some market sectors such as banking, specific insurance policies such as Banker’s Blanket Bond exist to cover professional liability, directors’ and officers’ liability, electronic funds transfer, errors and omissions from trust departments as well as consultants’ errors and omissions. ch31_4768 1/8/07 352 3:24 PM Page 352 BUSINESS CONTINUITY AND DISASTER RECOVERY In addition to the premium, organizations are normally obliged to pay upfront to have their IT environment assessed. In deciding the premium, insurance companies normally rely upon actuarial data that may take many years to collect. In the fast moving world of information processing, such data does not exist for new products and may well be obsolete for old products. The first stage is therefore the evaluation of potential risks based upon known exposures and the existing security and control environment. This would normally take into consideration management’s controls as well as the extent of IT auditing carried out both internally and externally and the turnover rate in management itself and is normally carried out using an independent external assessor for potential customers. For many businesses this is preceded by a process of self evaluation in order to bring the security practices up to a standard acceptable for insurance purposes. In some cases it has been found that the evaluation process itself is of sufficient value that, even should the organization decide not to purchase coverage, the gains in confidence regarding the areas considered for potential insurance are sufficient to justify the cost of the evaluation. Today’s corporate governance increasingly requires individuals and organizations to demonstrate that they are exercising appropriate financial oversight by protecting the information resources as part of their fiduciary duty. Where the placing of insurance is the final outcome, lower insurance premiums can normally be negotiated based on the increased security and concomitantly lower risk. In order to be eligible for appropriate insurance coverage a business must be able to demonstrate the serious intent to control risks internally with insurance claims being a last resort. In the event of a claim a similar exercise may have to be carried out in order to assess the extent of actual loss and to ensure that the controls specified at the time of risk evaluation will still operating as intended. From an audit perspective, the IS Auditor must understand the organization’s existing insurance policies. Close scrutiny should be made of inclusions and exclusions to ensure that the coverage is as management intends. Such scrutiny has, in the past, revealed that logical damage to information may not be covered under traditional asset insurance because, without physical damage, information may not be recognized as an asset of the organization. Because of their spread through the Internet, there is an increasing trend toward insur- ch31_4768 1/8/07 3:24 PM Insurance Page 353 353 ance companies expressly excluding or severely limiting the coverage offered for losses caused by computer viruses, Trojan horses, and other malware. Technologies that are known to be of specific vulnerability, such as wireless networking, are commonly excluded from some types of insurance and specific protocols may be required when the organization connects to the outside world. As with any insurance product care must be taken to ensure that the vendor possesses the appropriate infrastructure to back up the policies sold. These policies tend to involve low-frequency/high-value claims and again care must be taken to ensure that the companies offering the insurance products have sufficient underwriting talent and industry credibility to substantiate the coverage they offer. SELF-INSURANCE The organization may choose to retain the risk on the basis that it is more cost effective to absorb internally any losses incurred as a result of problems of an IT nature. This is a valid decision as long as it is a conscious decision and not arrived at by default. Based on the organization’s assessment of its own risk avoidance controls it may decide that the cost of offsetting the risk to a third party outweighs the benefits to be accrued. For some, the cost of insurance may be prohibitive and beyond their financial capability and therefore they choose to mitigate the risk using the appropriate managerial and technical controls. An organization who takes this approach must be confident of not only the adequacy but the effectiveness of such controls in mitigating risk. In reality, the selection of insurance coverage normally involves the retention of some specific elements of risk and the transfer to a third party of those risks that could threaten the existence of the organization or which are simply more cost-effective to transfer. One alternative to insurance in this area is the use of outsourcing of specific IT functions to a third party in order to transfer the risks associated with those functions. ch31_4768 1/8/07 3:24 PM Page 354 ch32_4768 1/8/07 3:25 PM Page 355 PART VII Advanced IS Auditing ch32_4768 1/8/07 3:25 PM Page 356 ch32_4768 1/8/07 3:25 PM Page 357 CHAPTER 32 Auditing E-commerce Systems lectronic commerce (e-commerce) includes all commercial activities performed through various electronic sources such as the Internet, Information Technology (IT) networks, ATM machines, electronic funds transfer (EFT), and electronic data interchange (EDI). One of its distinct characteristics is the use of computers to perform the transactions. E E-COMMERCE AND ELECTRONIC DATA INTERCHANGE: WHAT IS IT? E-commerce involves the real-time processing of business transactions with full contractual liability either on a business-to-business (B2B) or business-to-customer (B2C) basis. This normally involves an individual entering data directly into another individual or organization’s computer systems. This is in contrast to electronic data interchange (EDI) where it may be considered as the computer-tocomputer, application-to-application exchange of business data in a structured format. Effectively it replaces business forms such as invoices, purchase orders, checks, and so forth with electronic transmissions. Degrees of implementation may vary from the basic reception of a transmission on a micro computer and printing it, to a complex management of “distribution pipelines” integrating accounting and operational systems and effectively replacing paper audit trails with electronic signals. 357 ch32_4768 1/8/07 3:25 PM Page 358 358 ADVANCED IS AUDITING EDI is not electronic mail, fax, or video text although all of these may have a part in the overall network and to effectively function, EDI requires three primary components: 1. A standard format of a common language spoken between trading partners 2. Translation software performing file conversions from internal application formats to a standard format and back 3. A data communications link providing information transport capabilities EDI is now in use by a wide variety of companies worldwide covering all market sectors including: ■ ■ ■ ■ ■ ■ Manufacturing Shipping Construction Transport Finance Retail OPPORTUNITIES AND THREATS The benefits of successful e-commerce implementation in an organization include: ■ ■ ■ ■ Reduced transaction costs and greater productivity Service availability 24 hours a day, 7 days a week Opportunities for fundamental reform of how organizations and their supply chains communicate and work with business Opportunities for local business to grow and compete in the global marketplace Despite the many benefits of e-commerce, an even greater number of risks poses concern for management. Because e-commerce means global trading, the quantity and range of parties that can attempt to access the systems create a new challenge in protecting critical activities. By streamlining approvals, this may remove control steps that in turn increase risk compared with ch32_4768 1/8/07 3:25 PM Page 359 Auditing E-commerce Systems 359 paper-based trading while, at the same time, the actual paper trail is greatly diminished. Fraud in E-commerce Fraud is a highly publicized risk in an e-commerce environment. Because of its global impact, fraud can be either perpetrated by a staff member within the firewalls or by anonymous parties in a foreign country using the Web as a tool and includes such activities as: ■ ■ ■ ■ ■ ■ ■ ■ Unauthorized movement of money such as payment to fictitious suppliers located in jurisdictions where recovery of money will be difficult Corruption of the electronic ordering or invoicing Duplication of payment Repudiation of a transaction at either end Invalid contracts Suppliers not being paid for goods and services delivered Agencies not receiving services/goods already paid for Denying receipt of goods Loss of Privacy/Confidentiality For e-commerce to be successful, information about an organization or individual needs to be made available to other participants in the trading community. This can put information at risk such as: ■ ■ ■ ■ Services and prices, which are not normally provided to the general public Cost structures—particularly relating to tenders Catalogs of technical details, prices, or discounts offered Individuals’ information such as name, address, contact details, previous purchase, services provided, and activity (such as criminal or medical). This, in turn, may lead to inadvertent breaches of privacy legislation. Public confidence may be adversely impacted if information is accessed without due authorization. ch32_4768 1/8/07 3:25 PM Page 360 360 ADVANCED IS AUDITING The risks themselves may arise as a result of malicious activity from a virus attack or hacking interception of transactions by unauthorized persons. Lack of Authentication Lack of authentication refers to unauthorized persons/parties performing a transaction. Proper authentication is a critical component of an e-commerce transaction because, once the party has been accepted in the system, a legally binding transaction process has begun. The risk will therefore involve creating liability for a party by, for example: ■ ■ ■ Creation of fictitious suppliers (“masquerade”); for example, an agency believes it is dealing with its supplier when in fact it is dealing with a hacker in a foreign jurisdiction Unauthorized ordering or approving of a transaction Corruption of list of agreed suppliers Corruption of Data Corruption of data refers to issues of data integrity. The commonly held view is that risks involve activities that can be performed remotely through Web resources. The reality, however, is that almost all corruptions are conducted within the system. Corruption may be accidental or malicious and could result in: ■ ■ ■ ■ ■ Amending catalogs without authorization (advertising, reporting, approval) Destruction of audit trail Tampering with the ordering process Interrupting the recording of transactions Disrupting online tendering Business Interruption Business interruption is considered a key risk; if companies cannot promptly and adequately resume business after a crisis, there may be ch32_4768 1/8/07 3:25 PM Page 361 Auditing E-commerce Systems 361 legal liabilities because services/goods were not delivered or payments were not made. Risks within this area would include denial of service attacks where high-volume, spurious transactions may stop the systems or slow it down to unacceptable levels. Risk assessment will therefore be a critical tool for the internal auditor to assist in determining audit objectives and building an audit program. Benefits of EDI as reported by Hansen and Hill1 include quick response and access to information, cost efficiency, and the effect of EDI on paperwork. Benefits of EDI, anticipated as being the most important, include improved customer service and improved control of data as well as reduced clerical error and decreased administrative costs. Interestingly respondents did not report that these had been achieved as a major benefit so far. With the increased interdependence comes increased vulnerabilities of computer-using companies. With a large number of partners an upstream and downstream impact can be anticipated should anything go wrong and the domino effect makes trading partners vulnerable. From an auditability point of view the way in which we must approach our audit of these systems changes dramatically because the loss of source documents removes a large part of the auditors’ evidence of: ■ ■ ■ ■ Authorization and execution Completeness Single processing of transactions Capability of batching transactions In addition, the altered transaction audit trail to an electronic form may result in the full trail existing for only a short time. This trail in itself may be vulnerable to alteration and loss. Electronic Payments At present, payment transmission as a form of EDI is one of the major growth areas and utilization of this form of EDI involves a mutual trust in systems between trading partners as well as a comprehensive data security policy, because failure of security in one partner may ch32_4768 1/8/07 3:25 PM Page 362 362 ADVANCED IS AUDITING lead to uncontrolled risks in others. One future trend may well be that participation in an EDI network will require trading partners to demonstrate systems integrity on an ongoing basis. Third-party service providers are also a new source of potential risk including risks such as: ■ ■ ■ ■ Disclosure of confidential information Loss of transactions en-route Loss of the network at the service provider’s site Loss of audit trails when going intra-network Due to the risk of the “domino effect,” failures of applications can have a major impact not only on the host site but on all trading partners. As a result of this, the need for contingency planning becomes paramount. Contractual liability may be limited within the legal agreements; however, outage tolerances must be determined. RISK FACTORS Risk factors may be unique to each organization and must be determined by a risk assessment. This must cover: ■ ■ ■ Inherent risk. The gross risk of a specific threat ignoring risk reduction elements. It becomes an informed, subjective evaluation of maximum risk. Control risk. That portion of inherent risk not covered by a single control element. That is the net exposure after a given control is accounted for. Control structure risk. An informed, subjective evaluation of the maximum potential net exposure after assessing the full control structure. In identifying threats, a threat itself is an event that will result in direct damage unless averted or mitigated by controls. These should be identified by mixed discipline teams consisting of: ■ ■ ■ System users Information System staff Auditors ch32_4768 1/8/07 3:25 PM Page 363 Auditing E-commerce Systems 363 THREAT LIST The initial threat list should be developed by the design team at the system proposal stage and modified constantly during systems design. Typical threats could include (although not be limited to): ■ ■ ■ ■ ■ Manipulation of input by an authorized user Outsider accessing messages in transit and amending them Message adulteration resulting in an overstatement of transaction Loss of transaction Duplication of transaction Indicators are therefore required to detect: ■ ■ ■ ■ Circumstances leading to new threats Elimination of previously identified threats Conditions influencing the severity of previously identified threats (inherent risk) Conditions influencing the control structure risk associated with the threat SECURITY TECHNOLOGY The overall need for security technology and the application thereof will be determined largely by the nature of risks to the system itself. These normally take the form of authenticity of messages and confidentiality. “LAYER” CONCEPT As noted previously, within EDI each message will have a number of header messages to route it across the networks. The most common model used for EDI is probably the ISO/OSI Seven Layer model: 1. Physical. Specifies the mechanical and electrical circuits 2. Data Link. Specification to move through physical links 3. Network. Routing and relaying through the data links ch32_4768 1/8/07 3:25 PM Page 364 364 4. 5. 6. 7. ADVANCED IS AUDITING Transport. End-to-end data transfer services Session. Specification for orderly data exchange Presentation. Specification of syntax used to represent data Application. Interface to allow interaction to lower layers AUTHENTICATION Two U.S. standards apply. ANSI X 12.58 covers message authentication and encryption while ANSI X 12.42 covers the rules governing exchanges of keys. In 1997 these merged with EDIFACT,2 the global standard in EDI transactions. Message authentication involves the prevention of undetected modification of the message content. This may involve key fields or the whole message. Typically this is effected by use of Message Authentication Code (MAC), which is calculated from the readable text and re-derived at the receiving end to be compared to the transmitted value. It is required of all electronic funds transfers in the United States. In order for MACs to be effective the MAC must be secured in the same way as encryption algorithms are secured, they must be transparent to the user and they must be automatically invoked. ENCRYPTION Encryption has already been extensively covered in previous chapters but, within an EDI environment, special techniques are used to manage the encryption keys governing the four primary functions: ■ ■ ■ ■ Key definition Key generation Key distribution Key initialization EDI keys are most frequently defined using a three-level hierarchy: A Master Key, unique to each network node, is used to protect the other keys and the cryptograms. These Master Keys must be kept confidential within each organization. ch32_4768 1/8/07 3:25 PM Page 365 Auditing E-commerce Systems 365 Key Exchange Keys (KEK) are unique to each link in the network. Their function is to protect data keys during exchange when establishing communication between nodes. The Data Key or Working Key is used for both data encryption and message authentication. Security violations on the EDI network may be in the form of known or suspected violations, typically: ■ ■ ■ MAC failure Compromise of keys Key counters out of step In addition to security over keys, normal node security architectures are expected. These include items such as: ■ ■ ■ ■ ■ ■ ■ ■ Access control Accuracy and completeness controls Validity controls Software change control Auditability Timeliness controls Recoverability Legal Issues The legal issues may depend on the transaction types and whether international transactions are taking place but must address questions such as: ■ ■ ■ ■ ■ ■ ■ Do the transactions form a contract? Is it enforceable? What terms and conditions are implied? Do governmental regulations apply? Is there a general contract between partners? What terms and conditions apply? Is the third-party network supplier covered by contract? Would a claim be enforceable? Which country’s laws will apply? ch32_4768 1/8/07 3:25 PM Page 366 366 ADVANCED IS AUDITING TRADING PARTNER AGREEMENTS At present no mandatory standard is in place internationally and each country has its own recommended model for trading partner agreements. Generally, specialized legal advice should be sought over the wording of the contract. Contracts typically take two parts: EDI terms and general trading terms. EDI terms and conditions include: ■ ■ ■ Which laws will govern What is the definition of a signature When is the contract “received” General trading terms are similar to those terms found on the back of standard business documents such as invoices. Disputes normally are over trading disputes rather than EDI disputes and may include: ■ ■ ■ Quantities delivered Quality of goods Timeliness The acceptance of evidence within the “structures” varies from country to country and should be stated in the trading agreement. The primary factor may be the “reliability” of evidence and may involve “trusted” evidence sources such as full electronic logs and non-erasable optical disks. In order to comply with legal requirements attention should also be given to record retention policies, which should comply with corporate policies as well as legal requirements. RISKS AND CONTROLS WITHIN EDI AND E-COMMERCE Authenticity Once again, organizations doing business electronically are faced with the difficulty of determining that the person or system conducting business is, indeed, the entity they claim to be. Authentication for electronic business may be partially achieved using digital signatures ch32_4768 1/8/07 3:25 PM Page 367 Auditing E-commerce Systems 367 whereby, for every transaction, an authenticating party is enabled to check the signer’s digital certificate in order to determine whether it has expired or is included in a certificate revocation list (CRL). If the certificate is still authentic and valid (confirmed with the public key), then the authenticity of the signer is accepted. NONREPUDIATION Repudiation involves a denial of one or both parties that all or part of, the transaction took place. Use of the digital signature and digital certificate make it extremely difficult for the signer of a transaction to repudiate the transaction or deny the contents of that transaction. With a digital signature in place the sender’s authenticity is confirmed and the hashing ensures that the data has not been corrupted enroute. Timing Where the timing of a transaction is critical, for example, where currency exchange rates apply, a transaction may be automatically time stamped to prove the authenticity of the exchange rates claimed. Data Integrity As with any business transaction it is critical that the receiver have some degree of certainty that the transaction has not been tampered with prior to its receipt. It is common in manual systems to require original documentation rather than accept copies and, in electronic form, digital signatures can include a hash value (mathematical summarization), which is unique to the digitally signed transaction. With this defense mechanism in place a digital signature can be seen as unique to the transaction that has just been signed rather than to the signer. When the transaction has been received the recipient will recalculate the hash value and compare it to determine whether the integrity of the transaction remains intact. ch32_4768 1/8/07 3:25 PM Page 368 368 ADVANCED IS AUDITING Interception of Data Regardless of ensuring the authenticity of the originator and the validity of the data, there may still be an organizational risk if the data is intercepted and examined or even blocked. Data may be intercepted at its origins, prior to its introduction on the system, by simple observation of the data collection process. In today’s high security environment this can even be done by the closed circuit television cameras intended to enhance security. Due to the fact that such transactions are normally transmitted electronically (as opposed to fiber optics) for at least part of their journey, electromagnetic signals will be generated that can, in some instances, be detected using radio receiving equipment or using transducer microphones, which can detect such signals without penetrating the cables. If an unauthorized individual can gain access to the data communication network, packet sniffers, designed to enhance network security by monitoring transmissions, can be used to intercept and copy messages or possibly even introduce their own spurious messages. As such, once again, encryption comes to the fore as the major control mechanism to obviate these risks. Identity Theft One risk that has arisen as a result of e-commerce is that of identity theft whereby a stranger gains access to authentication mechanisms permitting the assumption of an individual’s identity in a provable fashion in order to carry out electronic transactions. Even if the individual whose identity has been “stolen” does not participate in any form of electronic transaction they may be vulnerable to this form of impersonation. Identity theft is discussed in detail in Chapter 36. E-COMMERCE AND AUDITABILITY Auditability implies the capability of substantiation of transactions coupled with the traceability of transactions from origin to final dis- ch32_4768 1/8/07 3:25 PM Page 369 Auditing E-commerce Systems 369 position or, in reverse, from final disposition back to origin. With the speed of e-commerce transactions responding in retrospect to detective controls may prove too late to be of operational use. As such, the pre-verification of controls within systems becomes the option of choice coupled with the ongoing monitoring of transactions in real time through the process of continuous auditing as previously discussed. The sheer volumes involved in commercial e-commerce systems make substantial testing impractical and exception auditing becomes the only economic alternative. Tracing of transactions involves the electronic authentication of signals, the verification of electronic signals, and the maintenance of adequate audit trails. With these in place the tracing of transactions backward to source and forward to effect is possible. Pre-verification of controls implies the testing of controls within the system on-line and in real time using techniques such as test decks, integrated test facilities (ITFs), embedded audit collection modules, and the like. It is up to the auditor to determine the adequacy, functionality, and time of testing but this must include testing user profiles, passwords, and so on. On-line monitoring should be automated as far as possible due to the multiplicity of partners and low manual intervention levels. In addition the lack of paper audit trails and high transaction volumes in many cases preclude any other form of monitoring. COMPLIANCE AUDITING Compliance auditing to generally accepted standards must be agreed upon in advance by trading partners and should be formalized in the trading partner agreement. This may become, in the future, a legal prerequisite for participation in an EDI network and would require to be conducted by a qualified auditor specializing in EDI security. Retention of information for auditability is normally less than that for paper audit trails due to the faster reaction cycle required in which response needs to be virtually instantaneous. Legal statutes may, however, still apply and records may require to be retained for specific periods. Security-related data sets should be retained to match ch32_4768 1/8/07 3:25 PM Page 370 370 ADVANCED IS AUDITING the general data retained including profiles, incident logs, and maintenance logs. E-COMMERCE AUDIT APPROACH As with any other audit, the audit approach in an e-commerce environment involves the standard six basic steps, namely: 1. 2. 3. 4. 5. 6. Preliminary survey Documenting the environment Audit planning Program development Audit fieldwork Audit reporting The overall audit objective is to determine by evaluation and testing that control objectives have been achieved, are being achieved, and will continue to be achieved. The auditor seeks to determine that the appropriate controls exist and perform as expected and that standards and policies are appropriate and are being achieved. This environment will normally involve the auditor in extensive use of computer assisted audit techniques (CAATs) in determining the effectiveness of these controls. The auditor will need a mixture of skills including both mainframe and micro experience as well as network and communication experience, an understanding of access and security controls, and the corporate EDI and e-commerce business cycles. Not all auditors need all skills; however, the use of multidisciplinary teams and outside experts may give the auditor access to the appropriate knowledge, skills, and disciplines. The preliminary survey involves a review of general background of business operations allowing the auditor to develop threat categories and identify controls mitigating those threats. This in turn leads to the development of overall control structures and allows the auditor to observe the operations. All assessments of inherent risk should be agreed with the users, IS, and management. Steps in reviewing the general business objectives include observing the activities of the system and evolution of the system as well as determining any known weaknesses from these evaluations. At this ch32_4768 1/8/07 3:25 PM Page 371 Auditing E-commerce Systems 371 stage legal contracts may also be reviewed together with contingency plans. AUDIT TOOLS AND TECHNIQUES Audit tools available for identifying controls and determining their effectiveness include the standard audit tools of internal control questionnaires, interviews, observation, and document review. At this stage no evaluation of effectiveness would be performed. Perhaps one of the most difficult audit techniques to learn is observation. “Looking with a purpose” is an acquired skill bringing corroboration of understanding and should provide the first evidence of control operation environments. Network documentation derives from the business needs governing items such as: ■ ■ ■ ■ ■ Reliability and performance Costs Security Control structures Responsibility structure An evaluation of network reliability will typically involve the auditor seeking answers to such questions as: ■ ■ ■ ■ ■ ■ Who monitors performance? Who corrects problems? Who examines the network periodically? What problems have occurred? What action was taken? How is the network kept up-to-date? At the same time, the costs of such systems would cause the auditor to seek to determine who accounts for the costs, whether EDI suppliers and vendors accounted for costs appropriately and what controls management relies on to ensure accuracy and completeness of EDI charges. ch32_4768 1/8/07 3:25 PM Page 372 372 ADVANCED IS AUDITING From a legal perspective the auditor will seek evidence that legal contracts exist, have been validated with competent legal authorities, and are valid within appropriate laws and jurisdiction. Network security will be assured by determining what controls exist in order to ensure that the system will be available when required, that both sender and recipient can be authenticated, and that both disclosure and transaction modification can be adequately prevented. AUDITING SECURITY CONTROL STRUCTURES In auditing security control structures, as with any other audit, the major steps involve identification of key control points and those controls relied upon to cover primary control concerns. Once controls have been identified, they can be documented as they are intended to operate, and measurement criteria may be designed to identify and measure their effectiveness. In auditing the EDI and e-commerce structures, auditors must pay particular attention to: ■ ■ ■ ■ ■ ■ ■ Management and organization Accuracy and completeness controls Security Auditability Timeliness Recoverability of the system Electronic funds transfer systems COMPUTER ASSISTED AUDIT TECHNIQUES Implementation of the audit program will in all probability involve use of CAATs in all the varieties previously discussed. Where generalized audit software is required the auditors must be capable of using the organization software as comfortably as they currently use a calculator. To this end, version seven of IDEA (educational version) is included with this book and Appendix F contains a full tutorial on the use of the software. ch32_4768 1/8/07 3:25 PM Page 373 Auditing E-commerce Systems 373 As always, in utilizing CAATs, the auditor should beware of the common pitfalls of obtaining the wrong files or the wrong layouts, of using out-of-date documentation, or prejudging results. ENDNOTES 1. James V. Hansen, and Ned C. Hill, “Control and Audit of Electronic Data Interchange,” MIS Quarterly, December 1989, pp. 403–414. 2. http://www.unece.org/etrades/download/downmain.htm#edifact. ch33_4768 1/8/07 3:26 PM Page 374 CHAPTER 33 Auditing UNIX/Linux he UNIX operating system, although now in widespread use in environments concerned about security, was not really designed with security in mind. This does not mean that UNIX does not provide any security mechanisms; indeed, several very good ones are available. However, most “out of the box’’ installation procedures still install the operating system with little or no security enabled. T HISTORY UNIX was originally designed by technical programmers as an operating system for use by other programmers. The environment in which it was used was one of open cooperation, not one of privacy. Programmers typically collaborated with each other on projects, and hence preferred to share their files with each other without having to climb over security hurdles. By the early 1980s, many universities began to move their UNIX systems out of the research laboratories and into the computer centers, enabling their user population as a whole to use this new and wonderful system. Many businesses and government sites began to install UNIX systems as well, particularly as desktop workstations became more powerful and affordable. In these environments the UNIX operating system was no longer being used where open collaboration was the goal. Universities required their students to use the system for class assignments, yet they did not want the students to be able to copy from each other. Businesses used their UNIX systems for confidential tasks such as bookkeeping and payroll. And national governments used UNIX systems for various unclassified yet sensitive purposes. 374 ch33_4768 1/8/07 3:26 PM Auditing UNIX/LINUX Page 375 375 To complicate matters, new features have been added to UNIX over the years, making security even more difficult to control. Perhaps the most problematic features are those relating to networking: remote login, remote command execution, network file systems, diskless workstations, electronic mail, and the Internet. All of these features have increased the utility and usability of UNIX by untold amounts. However, these same features, along with the widespread connection of UNIX systems to the Internet and other networks, have opened up many new areas of vulnerability to unauthorized abuse of the system. UNIX has been available for PCs for some time, but you had to pay nearly as much for fully configured commercial PC UNIX operating system budgeted for the PC hardware itself. This situation changed, however, when Linus Torvalds of the University of Helsinki, Finland, decided to build a UNIX-like operating system for the PC. Many programmers around the world contributed and collaborated to bring Linux to its current state. Version 1 of Linux was released in 1994. Linux proved to be the exception to the rule that “you get what you pay for” in that the source code was available free of cost to anyone. Since 1994 many developers around the world have collaborated over the Internet to add features and functionality. Incremental versions have continually been downloaded by users and tested in a variety of system configurations. This means the Linux revisions ultimately go through much more rigorous beta-testing than any commercial software. Over the past few years Linux has matured into a full-fledged 32bit operating system with features that rival those of commercial UNIX systems and with graphical user interfaces that enable it to compete directly with Microsoft Windows environments. Microsoft has responded to the UNIX challenge through Windows NT (Windows 2000). The late 1990s saw vendor after vendor abandoning the UNIX server platform in favor of Windows 2000 while concurrently software suppliers who traditionally service the Windows sector have been climbing on the Linux bandwagon. Unlike many freely available software programs, Linux comes with extensive online information on topics such as installing and configuring the operating system for the wide varieties of PCs and peripherals possible. A large number of Linux users use the system at ch33_4768 1/8/07 376 3:26 PM Page 376 ADVANCED IS AUDITING home and increasingly Linux is finding a home in the business market. Today, Linux is first and foremost a server operating system. Many applications are now appearing that allow Linux to be a user’s primary workstation desktop system and projects are underway to enable Linux to run applications software designed for the Windows environment. Linux performs as well (if not better than) other operating systems running on identical hardware. Most of the popular database packages are available in Linux-native versions, including products from Oracle, Informix, Sybase, IBM, and Computer Associates. Personal productivity software such as Corel WordPerfect, StarOffice, and Applixware are all making it possible for Linux to be the primary system for many users. Several software houses have come forward introducing tailored versions of Linux and the suppliers charge for the value-added component of their version. Ultimately control of Linux is based around the control of UNIX because that is the core of the operating environment. For Linux, or any other operating system for that matter, to achieve all-around success as the standard operating system in multiuser computing, there must be a reliable method of preventing unauthorized users from accessing information. UNIX/Linux systems are a favorite target for hackers and crackers, often because they used UNIX in schools and universities and can still apply that knowledge to literally thousands of sites. Internet usage has popularized UNIX features such as anonymous logins, still used by many UNIX sites, and the relatively easy to use FTP (file transfer protocol) to copy files from one remote site to another. These facilities also allow casual users access into some systems. In order for an operating environment to provide an acceptable level of security, the system should be hard for unauthorized persons to break into. That is, the value of the work necessary for unauthorized persons to break in should exceed the value of the protected data. In order to achieve adequate control in a UNIX/Linux environment, it is essential that all users, data, and system components can be uniquely identified. Authentication (confirmation of identity) must be achieved for individual users as they enter the system. Access rights and permissions for users, systems, and processes must be granted on ch33_4768 1/8/07 3:26 PM Page 377 Auditing UNIX/LINUX 377 a need-to-have basis only with proper authorization. Assurance must be provided that all systems operations are correct, reliable, and authentic in order to ensure the integrity of processes and data. It must be possible to trace all significant events including successful events and unsuccessful events. SECURITY AND CONTROL IN A UNIX/LINUX SYSTEM The basic elements of security and control cover are: ■ ■ ■ ■ ■ Identification and authentication Access control System, or file and process integrity Recoverability Flexibility ARCHITECTURE The basic architecture of a UNIX/Linux system follows a strict hierarchy starting with the hardware on which the operating system resides, through the channel (often a UNIX system) which interacts directly with computer hardware and provides the basic functions of input, output, scheduling, memory management, security protection, interrupt error handling, and system accounting. The file system provides a hierarchical structure of directories and files with the capability of file level security. The UNIX shell is the most frequently used utility program controlling the initial interaction with any given user once login has been successful. The shell is a command interpreter that prompts the user for commands and acts as primary user interface. In the Linux environment the shell will typically be a graphical user interface to give a Windows lookalike environment. Tools and utilities are standard programs provided with the operating system. These range in use from common tasks such as printing, copying files, editing text, and developing software through graphics and communications support. Utilities in any form are typically very powerful and may prove a significant security threat to standard operating environments. ch33_4768 1/8/07 3:26 PM 378 Page 378 ADVANCED IS AUDITING At the application level, user programs—either in-house developed, or developed by third parties—may be written in a variety of programming languages to create standard business applications. UNIX SECURITY Access to UNIX is achieved by logging into the system using an account. The user recognizes an account as a name and the system recognizes the account as a number. To UNIX, any account with the user ID (UID) of zero (0) is known as root or superuser and has unrestricted access to all other account passwords and files. Login accounts may be protected by passwords, which are used to authenticate users before granting access to the system. In most, although not all, UNIX installations, passwords are stored encrypted in a password file providing fundamental protection against casual browsers. Initially, this was thought to be a highly secure environment; however, hacker tools, which are readily available on the Internet, make the breaking of these passwords less problematic. Tools such as “crack” work by comparing encrypted password file entries with dictionary lists that are encrypted using the same algorithms. This type of attack is not unique to UNIX and is also true of other operating systems. Password length, composition, and change restrictions are possible and users can be restricted to specific shells to limit further access. In should be noted at this point that many of these facilities are optional and, although they can be highly effective, in many installations they are not properly used. Once users have logged in they are given an operating environment or shell, which allows them to interact with the system prior to file access. At the times files are created they belong to the “owner” who typically can configure the access control. The types of ownership recognized within UNIX include the direct owner of the file, the group, which is a set of people given common access rights, and world or public, which is granted to all users. Access to files is then based on “permissions” that are granted uniquely for owner, group, or world access. Each individual file may permit read access, write access, or execute access. ch33_4768 1/8/07 3:26 PM Auditing UNIX/LINUX Page 379 379 SERVICES As part of the standard UNIX network package, numerous network services are provided, all of which contain security risks and must be balanced against the business needs. Examples of the most common network services include: ■ ■ ■ ■ ■ ■ ■ ■ ■ File transfer protocol (FTP), which allows transfers of files between systems. Anonymous ftp allows anyone on a network to deposit or retrieve files from another machine on the network. This is commonly used on the Internet as a low-cost method to distribute information but, if not adequately controlled, it represents a major security threat. Trivial file transfer protocol (TFTP) is a server similar to FTP except that there is no security. This program should never be permitted in production environments. Telnet is a service that permits users to log in to remote computers as if they were on a directly connected line. However, user IDs and passwords are transmitted unencrypted and are therefore vulnerable. Few sites continue to use Telnet, however in many sites the facility remains enabled and open to abuse. rlogin provides similar remote user services to Telnet and may also prove a security threat. Trusted Host permits any user to migrate from one system to another without providing a password as long as the user name exists on the second host. Trusted User provides similar services but permits the user to log in to a given account without requiring password entry. Finger is a program permitting identification of the user ID, name, location, and other semi-confidential information for every user connected. Network Information System (NIS) permits multiple computers to share password and other system files over network. If badly configured, this can lead to potential vulnerabilities. Network File System (NFS) allows computers to share files over networks by permitting the user, once logged in, to “mount” file disks and access them as if the files were stored locally. No additional logging-in to the other system is required. ch33_4768 1/8/07 3:26 PM 380 ■ ■ ■ ■ Page 380 ADVANCED IS AUDITING Hypertext Transport Protocol (HTTP) permits users to communicate with other Internet users on the World Wide Web using a set of tools built around HTML. (Hypertext Markup Language). Simple Mail Transport Protocol (SMTP) is used commonly with mail programs that do not provide adequate security by themselves. Network News Transport Protocol (NNTP) is used to facilitate access to newsgroups in much the same way that mail collects mail. UNIX to UNIX Communication Protocol (UUCP) is a communication mechanism used by UNIX machines to exchange files including mail. Although this has been largely replaced by HTTP, the facility is still possible and many cases unprotected due to its perceived lack of use. DAEMONS UNIX uses a variety of special programs to support the Kernel (the central part of the operating system). These programs, called daemons, stay resident within the memory of the machine and operate in conjunction with the Kernel. Given the comprehensive nature of these programs, modification access should be severely restricted to systems administrators. Daemons include init (the initial process after putting), logind (the login daemons in some UNIX systems), cron (submits other jobs based on time request), and sendmail (handles SMTP processes), among others. AUDITING UNIX One of the critical aspects of maintaining computer security is the monitoring of the system. Auditors must ensure that this monitoring is carried out on a regular basis. ■ Daily. On a daily basis, checks must be made for: ● Inappropriate access permissions to sensitive files ● Login failures ● Failed access to sensitive files ● Successful logins from unknown hosts ch33_4768 1/8/07 3:26 PM Page 381 Auditing UNIX/LINUX 381 User activity after hours Unexpectedly mounted file systems ● Unexpected changes in permissions and ownerships ● System reboots and shutdowns ● Changes to the system date and/or clock ● Existence of a valid password file ● Owned by root ● Read permissions for other ● Password field for every account ● Only root having the UID of 0 Monthly. On a monthly basis, checks should be made for: ● System usage totaled by user ● Unusual messages from system daemons ● Account and activity ● Error messages and the system log files Random. From time to time the systems administrator should examine the systems for potential problem areas by checking for: ● Unexpected users logged on ● Unexpected host’s access ● Normal users logged on and unexpected times ● Unexpected system processes running ● Normal system processes not running ● ● ■ ■ SCRUTINY OF LOGS Log files are commonly kept of user access, incidents, file access attempts, and so on. Maintaining these logs is an overhead on the machine and worthless unless they are frequently and regularly scrutinized and the appropriate action taken based on the contents. AUDIT TOOLS IN THE PUBLIC DOMAIN Many tools have been written to examine the security of UNIX systems. While some of these have been written with security administrators in mind, some have been written by hackers and crackers to determine system vulnerabilities. They still may be used by auditors for the same reason, but care should be taken that the programs do ch33_4768 1/8/07 3:26 PM Page 382 382 ADVANCED IS AUDITING not contain unauthorized coding inserted by the hackers. Some of these tools are: ■ ■ ■ ■ ■ ■ ■ COPS. Computer Oracle and Password System is a public domain assessment tool for a single UNIX system. This program identifies suspected problems and recommends fixes. Tiger. Similar to COPS but enhanced and more common than COPS in addressing security issues. Many sites use both. Crack. The crack utility uses a dictionary and rules to make password guesses. In many sites the use of common words as passwords can lead to some 60% of all passwords been broken with one pass of crack. Crack should be used with care because broken passwords are stored in plain text and can therefore be scrutinized by unauthorized users. Npasswd. Npasswd is a public domain password checker that replaces the standard password command and prevents users from selecting easily guessed passwords. Satan. Security Administrators Tool for Analyzing Networks searches for vulnerabilities by recognizing several common network-related security problems and reporting on them. For each type of problem found, Satan offers an explanation of the problem and what the impact could be. It also explains what can be done about problem to fix it. Swatch. Simple Watcher helps monitoring daemons. Tripwire. Tripwire is a file integrity checker that compares a designated set of files against information stored in a previously generated database. Differences are flagged and logged so that critical system files with unauthorized changes can be quickly identified and corrected. UNIX PASSWD FILE The normal location for the UNIX password file is within /etc/passwd; however, on a UNIX system with either NIS or password shadowing, the password data may be stored elsewhere. NIS (Network Information System) is used to permit many machines on a network to share configuration information, including password data. ch33_4768 1/8/07 3:26 PM Page 383 383 Auditing UNIX/LINUX Password shadowing is a feature whereby the encrypted password field of /etc/passwd is replaced with a special token where the actual encrypted password is stored separately and is not readable by normal system users. The exact location of the shadow password file is dependent upon the version of UNIX or Linux implemented. An entry in the UNIX password file consists of seven colondelimited fields consisting of a username: the encrypted UNIX password with optional password aging data: the user number: the group number: GECOS information: the home directory: the shell. Thus, robert:3fh65ghF5f3fg:2302:10:Robert Jones:/home/robert:/bin/bash This would then interpret as: Username UNIX password User number Group Number GECOS Information Home directory Shell Robert 3fh65ghF5f3fg 2302 10 Robert Jones /home/robert /bin/bash AUDITING UNIX PASSWORDS UNIX passwords are encrypted with a one-way function and cannot be decrypted. At the time of log on, UNIX accepts the text entered at the Password: prompt and passes it through the standard UNIX encryption algorithm with the encrypted version being compared to the version stored in the passwd file. In order to audit UNIX passwords, each encrypted password in the UNIX password file is compared to a set of potential encrypted passwords. These potential encrypted passwords may be created by encrypting every password in a list of plain text passwords. This is an example of a dictionary attack. Alternatively, every possible combination of letters, numbers, and special characters may be encrypted systematically and compared to the encrypted passwords. This is an example of a brute force attack. ch33_4768 1/8/07 384 3:26 PM Page 384 ADVANCED IS AUDITING UNIX password auditing software such as that listed previously uses wordlists to implement either a dictionary attack or a brute force attack A sample UNIX audit program is included as Appendix D. ch34_4768 1/8/07 3:28 PM Page 385 CHAPTER 34 Auditing Windows he phenomenal success of Windows from the time of the release of Version 3.0 surprised many people. The success did not surprise the engineers and evangelists at Microsoft, who had praised Windows since the beginning, and it did not surprise users who had preferred the benefits of a graphical interface, multitasking, and connectivity between applications for years. As a result, Windows has steadily become the operating system of choice in the corporate environment. T HISTORY In 1981, IBM introduced to the marketplace the IBM PC based on the Intel 8088 chip. This PC arrived bundled with a 16-bit, singleuser, command-line operating system called PC-DOS 1.0. The operating system was produced by a relatively new company called Microsoft, better known for its BASIC interpreter. The operating system was based around a functionality of the much smaller operating system, CP/M, which had been used on home computers prior to that date. Microsoft also introduced its own proprietary version of the operating system, which was known as MS-DOS. In 1983, Microsoft released the more powerful MS-DOS version 2, which contained a number of more powerful features derived from UNIX. In 1986 MS-DOS 3.0 was produced to coincide with the introduction of the new IBM PC/AT, but DOS continued to be a singleuser, command-line-oriented operating system. In 1990, partially in response to the graphical user interfaces utilized in Apple computers, Microsoft released a graphical shell called Windows 3.0. Windows had originally entered into the marketplace in 1985 in competition with Software Carousel, both of which were 385 ch34_4768 1/8/07 3:28 PM Page 386 386 ADVANCED IS AUDITING intended to facilitate multitasking in a graphical environment and neither of which was particularly successful in the marketplace. With the advent of Windows 3.0, 3.1, and 3.11 (Windows for Workgroups), Windows was fully adopted into the workplace and came to dominate single-user PCs. These versions of Windows were effectively graphical user interfaces overlaid on top of the MS-DOS operating system, which still controlled both a machine and the structuring of the file system. All application programs ran in the same address space and any problems would typically stop the system in its tracks with a General Protection Fault error message. In autumn 1995, Windows 95 was released with the new graphical interface and the latest MS-DOS 7.0 and incorporated many of the features found in many mainframe operating systems including true multiprogramming, process management, and virtual memory management. As it was delivered, however, Windows 95 retained much of the old 16-bit code from the earlier versions and was still subject to the limitations of the MS-DOS file system. The arrival of Windows 98 in June of that year still did not resolve the MS-DOS problems. Once again, the user interface changed to integrate the networking functionality and the desktop more closely and, although it could now handle larger disks, Windows 98 still retained some of the old code, which caused performance problems in multiprogramming. Its memory sharing could still permit programs to interfere with each other resulting in system crashes. To coincide with the millennium, Windows Me was released with more support for entertainment and Internet features; however, the base was still Windows 98. NT AND ITS DERIVATIVES While all this was going on in the home and, largely, in single-user environments, Microsoft developed a brand new 32-bit operating system called Windows New Technology or, as it became popularly known, Windows NT. This operating system was intended primarily for the business market because, by the time it was introduced in 1993, the first indications were appearing that networks microcomputers could prove a significant supplement to mainframe computing in the workplace. The initial version of this operating system was ch34_4768 1/8/07 3:28 PM Auditing Windows Page 387 387 known as Windows NT 3.1 in order to align it numerically with the popular Windows 3.1 16-bit operating system although, even at this early stage, MS-DOS had disappeared with only a command-line interface remaining. In the early 1990s memory was still comparatively expensive and NT utilized much more memory than 3.1 and initially NT languished in the marketplace. In 1996 NT 4.0 was introduced with a similar interface to Windows 95 but with the power, reliability, and security potential of the NT operating environment. With this version of the operating system Microsoft began to dominate the office automation side of computing and even to challenge mainframes with large networks of integrated PCs. NT was seen as a stable operating platform with the opportunities to create a highly secure environment, which had not been achievable under the DOS-based systems. Under DOS, files and directories utilized FAT (File Allocation Table) and could be protected only to the extent that they were either shared or not shared, hidden or not hidden, and read-only or not read-only. NT introduced a new file system, NTFS, which could now offer restrictions by user and by a group of users to modify, read, write, as well as read and execute files and programs. Windows 2000 (originally codenamed NT 5.0) was a true multiprogramming operating system with each individual process running in a private demand-paged protected virtual address space. Processes were able to have multiple threads under the control of the operating system. NTFS was extended to support encrypted files, mounted volumes, linked files, and quotas while many of the facilities of Windows 98, which had been missing in NT 4.0 such as support for Plug-andPlay devices, USB bus, and FireWire, were incorporated together with Kerberos security, system monitoring tools, and active directory. Active Directory is a set of directory services for locating and accessing resources over the network. This includes information regarding accounts, organizational units (OUs), security policies, files, services, and domains. Active directory can be shared across LANs and even WANs. Like the parameters held within the registry, the active directory is protected by access control lists (ACLs), which limit access. Windows XP (Experienced) was the next operating system introduced in late 2001 with the intention of merging the two fundamental Windows product lines. Windows XP included a new interface with the ability to change its appearance and functionality largely ch34_4768 1/8/07 3:28 PM Page 388 388 ADVANCED IS AUDITING based on the Windows NT 5.1 kernel. It did, however, move strongly toward the home market in its support of entertainment and Internet based systems. Windows Server 2003 was offered in April 2003 as an update to Windows Server 2000 with enhanced security and management features. The next client operating system, Windows Vista, was scheduled for release in November 2006 to business customers, with consumer versions following in January 2007 but, at press time, it had just been delayed until 2007. The server version is currently code named Windows Server “Longhorn” and is due for release in 2007. For purposes of this book, security and auditing will be looked at from an NT/2000/XP perspective. AUDITING WINDOWS 2000 Windows 2000 is a network operating system designed for enterprises, servers, and workstations. 2000 and its file system were released in February 2000 as a further development of Windows NT with additional functionality and security elements. Networks running Windows 2000 are designed to share key information and resources throughout an organization. 2000 manages a number of security policy issues. It also makes provision for the concept that each user might need a different environment. It has a comprehensive auditing function that enables the administrator to determine which events will be recorded, and then to audit these events at a later date. Although the subject of securing and auditing a Windows 2000 network is worthy of a manual in its own right and several excellent guides have been written, nevertheless the fundamental approach remains the same as any other operating environment. The first stage of the audit is to identify hardware, software, network, people, and administrative issues within the operating environment. This involves identifying and locating the 2000 hardware and checking to ensure that: ■ ■ All devices are identifiable and incorporated in an inventory. All devices belong to you and are within your control. ch34_4768 1/8/07 3:28 PM Page 389 Auditing Windows ■ ■ 389 There is adequate physical security, particularly over servers and over locations that produce sensitive or valuable output. There are written procedures covering administrative and operational practices, system roles, routine maintenance, and housekeeping functions. The second stage is to determine the uses to which the system is put: ■ ■ ■ ■ What systems are being run? What communications networking takes place? What sensitive data exists and how does management intend that it be protected? What protection mechanisms have been put in place and how is their effectiveness monitored? The third stage is to match the users of functionality within the systems against the requirements of their jobs to ensure: ■ ■ ■ Adequate segregation of duties Enforcement of appropriate levels of confidentiality The maintenance of integrity of systems, data, communications, and the operating environment itself It should always be borne in mind that, while enforcement takes place at a technical level, the control objectives remain business objectives. If these do not adequately support the business, the best that can be hoped for is strict enforcement of sloppy control. PASSWORD PROTECTION As with UNIX, passwords within NT/2000/XP are one-way encrypted although they use a different hashing algorithm. In order to ensure backward compatibility with Microsoft LAN manager software it also stores the passwords redundantly as a DES hash. Because of the poor design of this algorithm, Windows network security can be detrimentally impacted and can be vulnerable to a similar dictionary or brute force attack that UNIX is. ch34_4768 1/8/07 3:28 PM 390 Page 390 ADVANCED IS AUDITING As with UNIX, password audit (cracking) software exists including John the Ripper (http://www.openwall.com/john/) and Cain & Abel (http://www.oxid.it/cain.html). John the Ripper is a fast password cracker, currently available for many flavors of UNIX (11 are officially supported, not counting different architectures), Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak passwords. Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, auditing encrypted passwords using dictionary, brute force, and cryptanalysis attacks, decoding scrambled passwords, revealing password boxes, uncovering cached passwords, and analyzing routing protocols. FILE SHARING Sharing of files and folders can be managed in two ways. In the case of Windows 2000, the folders can be shared with everyone on your network or workgroup, or they can be made private. In Windows XP Professional, permissions for folders can also be set for specific users or groups. To activate this, the default setting, which is simple file sharing must be changed. The access control feature in Windows XP Professional facilitates the setting of a file or folder’s access permissions for a specific user, computer, or group of users. When permissions are set, the type and level of access granted to a user or group for a particular file or folder are defined. For example, read and write permissions can be granted to the entire Finance group for the file payroll.dat. Alternatively, one user can be granted access to read the contents of a file, another user can be permitted to make changes to the file, and all other users can be prevented from accessing the file at all. Only the owner of a file or folder may change permissions on that file or folder or the changer must have permission to make such changes. Similar permissions can be set on printers so that selected users can configure the printer and other users can only print to it. Rather than setting permissions for individual users, the administrator may find it easier to assign permissions to groups, saving the overhead of having to maintain access control at an individual user level. In addition, a group or individual user may be granted full ch34_4768 1/8/07 3:28 PM Page 391 Auditing Windows 391 access to the file or folder, rather than selecting individual types of access permissions. As an added security feature, Windows XP Professional facilitates the protection of private customer and financial information via its Encrypting File System (EFS). If an individual user encrypts a file using the EFS, the specific user will be able to read them when logged on. Any other user with a different logon will not be able to read them. It should be noted that files or folders that are compressed cannot be encrypted in the compressed form and any attempt to do so will result in the file or folder being uncompressed prior to encryption. SECURITY CHECKLIST From an audit perspective, the auditor must determine that: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ NTFS is in use in all partitions Simple file sharing is disabled whenever possible Guest user accounts have been disabled Unnecessary user accounts have been eliminated All user accounts use passwords, particularly the Administrator account and any users with Administrator privileges The Administrator user account has been renamed Passwords are not “remembered” by Windows A minimum number of users have been added to the Administrator group Firewalls are used for network as well as Internet connection Antivirus and anti-spyware software is installed and up-to-date on all workstations Microsoft service packs and hotfixes are kept up-to-date, particularly for security fixes Wireless network connections are fully secured against unauthorized access All backups on tape, CD, DVD, or memory stick are adequately secured An effective password security policy has been implemented by the administrator Last logged in username is not automatically displayed in the login dialog box ch34_4768 1/8/07 3:28 PM 392 ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Page 392 ADVANCED IS AUDITING Where possible (XP Professional) the Security Configuration Manager (SCM) tool is being used to define appropriate security templates Where possible (XP Professional) Encrypting File System (EFS) is enabled Where possible (XP Professional) the temp folder is encrypted to prevent encrypted files potentially being seen unencrypted Where possible (XP Professional) software restriction policies are being used to prevent the running of unwanted programs File shares are not granted to the Everyone group The remote desktop is disabled in Windows XP Professional Appropriate auditing is enabled on all servers and workstations Hidden administrative shares used by the operating system are disabled (preventing the shares on startup is a highly technical control involving the editing of the registry and should not be attempted by inexperienced users) The ability to boot from a floppy, CD-ROM, USB device, or the network is disabled and physically secured systems are used Autorun is disabled on all CD/DVD drives The page file is automatically cleared on system shutdown Many books have been written specifically on the securing and control of Windows NT/2000 and for auditors who seek to specialize in this area, Windows NT/2000 Network Security by E. Eugene Schultz is perhaps the definitive work.1 A sample Windows XP/2000 audit program is included as Appendix E. ENDNOTE 1. E. Eugene Schultz, Windows Nt/2000 Network Security, 2000, Indianapolis: New Riders Publishing, 2000. ch35_4768 1/8/07 3:28 PM Page 393 CHAPTER 35 Foiling the System Hackers acking has been described as the electronic equivalent of breaking and entering. It is the deliberate gaining of unauthorized access to a computer system, usually through the use of communication facilities. Consider how we protect our homes from breaking and entering. We restrict access by keeping doors and windows shut, by locking and bolting doors, especially if the house is empty or at night, and by use of alarm systems. These are all defense stratagems designed to deter or detect intruders. The level of deterrence depends on the degree to which we enforce our defenses (not leaving doors open or unlocked), the quality of those defenses (flimsy door or armor-plated door), and the desirability of entry (how valuable the known contents of the house are to the would-be intruder). Beyond these security deterrents there are those deterrents imposed by society through legislation. Thus if someone breaks into our house they are liable to be prosecuted in the criminal courts and may be sued for damages in the civil courts. Having gained access to our houses the intruder may just browse through the contents of the house, or may steal assets (both tangible and intangible), or may cause malicious damage (either at the time or at a future time by use of a time bomb). This is exactly the same with intruders (hackers) in our computer systems. There has been much written and said on the subject of hacking, much of which has concentrated upon whether or not such activities should be criminalized. There has been a case made that hackers provide a useful service in that they help to identify weaknesses in computer systems and that to criminalize their activities would be to drive them even further underground and into the arms of organized crime. This is the same argument that would legalize petty theft to stop petty thieves from becoming large-scale thieves. There is also an argument H 393 ch35_4768 1/8/07 394 3:28 PM Page 394 ADVANCED IS AUDITING that suggests that hackers are benign and that they are harmless browsers. This position would justify the total abolition of all business and personal privacy leading to an unlimited “Big Brother” scenario. Any company may be a target from anywhere in the world and the world’s most spectacular “hack” has not yet been caught. In order to break into a system from outside the established network, the system must either have dial-up line connections, or be connected to a networking service such as the Internet. There are a number of reasons why a computer might have such a link. Commonly, the computer manufacturer’s technical support staff can dial in and review diagnostic and breakdown records, which the machine automatically accumulates, and may even initiate changes to systems software on the machine. This may be true for both application systems and operating systems. Some applications require input from third parties such as customers or sales representatives, but the access is required relatively infrequently, and therefore a leased (i.e., a permanently rented) telephone line would not be appropriate. Another danger has arisen. Networks are linking together, via gateways, to allow legitimate communication to take place between organizations. However, when a link is made into another network without stringently controlling access via the gateway, anyone with access to the other network now has access to your network. That person can then try to access any resources that are not properly protected on the network. This includes users who, to avoid detection at the corporate firewall, connect a modem directly to their PC and enter the Internet. If they are simultaneously on-line to the network so, potentially, is the whole Internet. With the introduction of e-commerce these threats have multiplied. To access many computer systems a hacker must have a dial-up number or network address. These can be easier to obtain than may at first be thought. Hackers sometimes try bluff, and phone up the computer department on their published voice number and pretend to be a confused user requesting information. In many cases computer departments have a help desk whose job it is to help just such users. It should never be forgotten that many system hackers are internal hackers employed by the company. In addition hackers may be exemployees or their associates. ch35_4768 1/8/07 3:28 PM Page 395 Foiling the System Hackers 395 If entering via dial-up, once the hacker manages to obtain a dialup number, he then must discover the protocol that the machine he is attempting to log onto uses. However, identifying the correct protocol is not usually difficult. Most computer publications will publish information that, with a little research on the part of the hacker, will yield the required information. Even recruitment advertisements can provide a wealth of information on hardware and software environments. Assuming a hacker managed to obtain a sign-on screen display of the target computer on his terminal, he will be asked for a valid userID and password. It is not particularly difficult to obtain a valid userID because commonly this is not thought to be confidential. This can be done by: ■ ■ ■ Trying standard user-IDs that come with the system and will be published in the manufacturer’s literature describing the system. Trial and error. Badly controlled systems may accept an unlimited number of attempts to input the correct user-ID, without generating a warning or shutting down the terminal. User names are commonly used as user-IDs. From some knowledge of the installation. User-IDs are not normally treated as confidential, and are often displayed on printouts, for example. Assuming a hacker manages to get this far, he must then enter a valid password for the system. Hackers often gain access to systems by using standard passwords. Many systems are distributed with certain standard user-IDs and passwords, such as the systems manager’s user-IDs (SYSMAN, ADMIN, or SPECIAL) and the chief operator’s user-IDs (OPS, OPERATIONS, etc.), and a user-ID for the manufacturer’s systems engineer. When the system is supplied to the installation it often has these standard user-IDs set up with an initial password, often the same as the user-ID or PASSWORD. These userIDs may have more power than any other user of the system and are therefore the hacker’s first choice. All this information is commonly supplied with the supplier’s documentation provided with every system, and also sold independently by the supplier. ch35_4768 1/8/07 3:28 PM Page 396 396 ADVANCED IS AUDITING The auditor should review the standard user-IDs supplied, and ensure that they have been deleted if possible or, at minimum, the passwords have been changed from their original settings. If a user-ID is known but not the password, the easiest way to discover the password may simply be to ask the user. Used in the context of checking the system, a question such as “We’re checking for commonly used passwords, what’s yours?” will frequently yield results and no questions asked. Users should be trained to treat their passwords as highly confidential. If a hacker wishes to break in without assistance, the next procedure would be to try likely passwords such as common names. Months of the year, pop stars’ names, or even the name of the pin-up girl of the month in a well-known calendar may be used. Many hacking programs will perform such a brute force attack in the background, trying thousands of common words in rapid succession, leaving the hacker free to pursue other interests. This is only one of a variety of types of hacker tools commonly available on the Internet. They include war-dialers, password-guessers, sniffers, key loggers, flooders, spoofers, and a variety of other nefarious styles of unauthorized software. These tools make it easy for unsophisticated hackers to exploit known security weaknesses. Common causes include: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Use of “standard” passwords Non-changed passwords No password required Poor security awareness No corporate policy No user education Poor personnel policies Poor operating environment Redundant security files Poor change control Lack of security enforcement In short, hackers gain entry by poor internal controls, commonly as a result of no risk analysis being done. ch36_4768 1/8/07 3:29 PM Page 397 CHAPTER 36 Investigating Information Technology Fraud n recent years, an enormous amount of publicity has been given to the threat of computer crime, which has led to a greater awareness at the executive level of the vulnerability faced within their information technology (IT) functions. The growth of organized fraud in the computer world in conjunction with the comparatively new threat of organized terrorism or politically motivated penetration of computer systems makes this awareness essential. Advances in computer science have come at a staggering pace and computer crime has remained in step with them. Unfortunately, computer crimes happen in real time and the crime is completed in microseconds. Only a tiny percentage of such crimes were found in time to perform any form of meaningful investigation unless care had been taken beforehand to create an appropriate detective environment. Where investigation is commenced, few will actually go to court and for all those prosecuted even fewer will be convicted. In many of these cases it is the fear of failure of prosecution and of exposing the corporation to ridicule that reduces the likelihood of prosecution. The failure of successful convictions is frequently due to a lack of proper care or methodical approach by the investigator. Frequently the evidence obtained is improper, inconclusive, and not legally gathered or maintained. In addition, business moving onto the Internet has created the greatest opportunity for widespread and methodical fraud the world has ever known. The most common computer crimes are those that merely involve the computer as a tool to implement the crime. In addition, the computer may be the victim of the attack resulting in the theft of information, disclosure of confidential data, vandalism, sabotage, or viruses. I 397 ch36_4768 1/8/07 398 3:29 PM Page 398 ADVANCED IS AUDITING Given that activities within a computer environment consist of three main elements—input, processing, and output—it is no surprise that IT fraud can be classified in the same manner. Input frauds normally take the form of amended or forged transactions but entered into the computer so that the normal system processes can continue and valuable assets, normally cash, may be obtained. This type of fraud does not require any specific expertise within IT and is a common form of user-level data entry fraud. Throughput frauds typically involve modifications to live programs in order to enter unauthorized code for improper purposes. Viruses, trapdoors, and Trojan horses are all examples of such coding. Output frauds commonly occur when correct and valid outputs are intercepted and amended prior to use. This may take the form of altered payments or breach of confidentiality. Once more, with the advent of the Internet, computer hacking has become a widely known source of risk to computer systems. Fortunately, hacking for fraudulent purposes is not yet widespread. Many investigators have a fundamental fear that computers are being used to investigate computer-related crime and are happy to leave such investigations to specialist auditors or outside consultants. This fear has built up over the years as a result of the air of secrecy surrounding IT and the technical jargon associated with it. Once the technical jargon has been gotten out of the way, understanding the risks and controls within computer systems and a means of investigating an IT fraud become clear. IT fraud frequently comes to light because of the impact upon the organization, however, the most common manner in which computer crime is uncovered is tipped off by another person who may or may not be an employee. When an IT fraud is suspected, the first objective of the IT auditor or security personnel is to confirm whether an incident actually occurred. If there appears to be a case for believing such an occurrence happened, all subsequent steps must be specifically designed to promote the accumulation of accurate information and establish control for retrieval/handling of evidence. This can cause complications because of the need to protect the privacy rights of both the suspected perpetrator as well as the defrauded organization. There is little point in recovering stolen assets by destroying corporate confidentiality. ch36_4768 1/8/07 3:29 PM Page 399 Investigating Information Technology Fraud 399 The investigation must minimize business disruption. Gathering of forensically acceptable evidence will commonly involve isolating the information source to prevent contamination. In the case of Information Systems such isolation, if extended over a period of time, could result in considerably more damage to the organization than the original fraud. Once gathered, the evidence must be such that would allow for legal recrimination. This means that the evidence must be capable of standing up to public scrutiny and challenge. Mandia and Prosise1 define an incident response methodology as incorporating: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Pre-incident preparation Detection of incidents Initial response Response strategy formulation Duplication (forensic backups) Investigation Security measure implementation Network monitoring Recovery Reporting Follow-up PRE-INCIDENT PREPARATION The objectives of pre-incident preparation are to ensure that, should an incident occur, the organization is in a position to identify what exactly happened and to what systems. From this it may be determined what information was compromised, what files were created/modified, and who may have caused the incident. It is also useful to prepare, in advance, who should be notified and what steps will be required to return to normal. Major steps in the process would include identifying the vital assets in advance and conducting a risk analysis to determine what would be the most likely nature of exposure faced. Individual hosts could then be prepared to detect incidents by producing cryptographic checksums of critical files and enabling secure logging. ch36_4768 1/8/07 400 3:29 PM Page 400 ADVANCED IS AUDITING Preventative measures would include hardening the hosts’ defenses in a variety of ways. Back-ups of critical data stored securely can help protect against the threat of non-availability leading to fraud. And directive controls would include comprehensive user education about host-based security. Networks should be prepared by installing firewalls and Intrusion Detection Systems (ISD) as well as by the use of access control lists on routers. Companies can create a topography conducive to monitoring, encrypt network traffic, and require authentication beyond the password level. At the user end, preparations would include determining an appropriate corporate response stance. This could be to ignore the incident, to defend against further attacks, to prosecute, or to simply perform surveillance and gather data of the incident for future use. The appropriate response may, in fact, vary based on the circumstances of the incident. If, for example, a hacker is detected, it may be more beneficial to the organization to allow the hacker to believe the system penetration is successful and let him in. This would allow time to gather forensically acceptable evidence for his future prosecution as well as facilitate tracing the hacker to his lair. Obviously such a policy would require a very high level of confidence that the activities of the hacker could be traced and limited. From the audit and investigation perspective, preparation could include the building of a forensic response toolkit. Such a toolkit would normally consist of a hardware/software combination to promote the demonstrably non-corrupting nature of the investigation. It would typically consist of hardware in the shape of a high-end processor with a large memory capacity and a large capacity empty drive. A DVD-RW drive, a high capacity tape drive, and cables galore for connecting everything to anything would be needed for the interchange of information. An uninterruptible power supply is needed to prove no corruption took place during the investigation phase because of power outages. DVD/Rs and labels together with external hard disks and a high capacity memory stick will also prove essential. In addition, the standard tools for forensic examination including folders and labels for evidence, a digital camera so that evidence may be captured directly into the system, lockable evidence storage containers, a printer and paper, and finally burn bags to securely dispose of evidence when approval is given by legal counsel would all be required. ch36_4768 1/8/07 3:29 PM Page 401 Investigating Information Technology Fraud 401 On the software side, response software would include two to three native operating systems (e.g., Windows 2000/LINUX), forensic duplication tools (e.g., EnCase or Expert Witness), all the drivers for all your hardware on all platforms, a file viewer (e.g., Quickview plus or Handy Vue) capable of handling a variety of file structures and formats as well as disk-write blocking routines. With this toolkit, the auditor should be able to conduct forensically acceptable examinations. An Incident Response Team should be established to respond to all security incidents and conduct a complete investigation free from bias. The team must confirm or dispel an incident quickly and assess the damage and scope. A 24/7 hotline should be established to allow the team early notification so that they can control and contain the incident. The team’s job is to collect and document all evidence while maintaining a chain of custody, to protect privacy rights and to provide expert testimony. DETECTION OF INCIDENTS Incidents may be detected via Intrusion Detection Systems (IDS), firewalls, suspicious account activity, malfunctioning services, or even defaced web sites. In all cases it is essential that the discoverer note the critical details such as: ■ ■ ■ ■ ■ ■ Current date and time Who/what is reporting Nature of the incident When the incident occurred Hardware and software affected Contacts for involved personnel INITIAL RESPONSE The initial response should be directed toward determining what probably happened and determining what is the best response strategy. At all times the investigator must be mindful of the legalities and must ensure that all searches are carried out within the letter of the law. This will typically involve an examination of network topologies, verifying policies, and investigating the incident by conducting ch36_4768 1/8/07 402 3:29 PM Page 402 ADVANCED IS AUDITING personnel interviews, systems administrator interviews, management interviews, and interviews of end-users. Only then should hands-on actions be taken. All actions to be taken must follow the fundamental rules and everything the investigator does must be documented with every care taken to ensure that the evidence itself is not compromised during the investigation. Acquiring the evidence will first involve securing the physical area. Before anything is disturbed photographic evidence should be gathered of the system, the monitor, and all cable interfaces. Photographs should also be taken of the surrounding area and all papers and disks should be inventoried and collected. The system should be shut down by unplugging directly from the power supply. Under no circumstances should the keyboard be touched or the power switch used to power down machine. Shutting down the machine in a normal manner may activate software traps to encrypt or delete sensitive data. At a minimum it will alter the data held in virtual memory. Before the computer itself is moved, it should be sealed and all cables and connectors clearly labeled. Once the computer is in the physical location in which it is to be examined, the case may be opened and, once again, photographs should be taken of the inside before anything is touched. All hard drives should be isolated by disconnecting the power leads prior to starting the system. The system can then be started so that the date and time may be collected from the setup menu. This will be used in later examination to compare to date and time stamps and other evidence. It is at this stage that it is recommended the BIOS be changed to ensure that the system boots from a floppy drive only. The machine may then be switched off once more. An unused hard drive will be connected to the system to be the target drive for the forensic backup. This drive should become drive 0 with the original drive classed as drive 1. This prevents the system attempting to boot from the original drive. A bootable diskette containing the forensic copying software should be placed in the diskette drive and the system restarted. The forensic copy of the hard disk may then be made. All drives should then be removed from the system and placed into antistatic bags and sealed. The sealed disks should be dated and signed and placed in a secure environment. ch36_4768 1/8/07 3:29 PM Page 403 Investigating Information Technology Fraud 403 FORENSIC BACKUPS By preference, forensic examinations should never be performed on the original media. An exact clone of the media should be made and the original evidence must then be stored securely. Care must be taken to ensure that the cloned media is in fact a complete copy of the original evidence. Most back-up software available on the market today does not copy information in a manner that would be acceptable for further investigation. In the normal course of events, data that has been deleted still remains on the magnetic media until overwritten. This data can be a rich source of forensic evidence. Most copying, cloning, and backup software will copy only current files from the media. To be acceptable, the copy must be made on a bit-by-bit, sector-by-sector basis. Only in this manner can the investigator assert that the working copy was a true reflection of the original evidence. In addition, encryption technology should be used so that the investigator in court may avow that the working copy could not be adulterated in an undetectable manner or even read by an individual without personal supervision of the investigator. When the copy is made, the media used for copying to should be forensically sterile. By preference the target media should be brand new and unused or, alternatively, scrubbed clean to internationally acceptable standards prior to use. The investigator must understand that the examination must be carried out in a manner that ensures that the evidence remains unmodified. Even looking at a file on computer modifies the file attributes of the file. Where such data modifications are not preventable, the maintenance of an investigation log detailing all accesses becomes critical. As with any forensic examination, the chain of custody must be maintained at all times. Common mistakes at this stage include the failure to maintain proper documentation throughout the investigation process. Failure to notify decision makers within the organization may jeopardize the legality of any evidence gathered. If digital evidence is not properly controlled and secured its forensic acceptability may also be challenged. Failure to report the incident in a timely manner may lead to problems with authorities where such reporting is a matter of law. Such failure may confuse the issue and allow the perpetrators of the wrongdoing sufficient time to defeat the ends of the investigation. ch36_4768 1/8/07 3:29 PM Page 404 404 ADVANCED IS AUDITING One of the most common mistakes involves simply underestimating the scope of the incident. If too narrow a focus is taken, some evidence may be omitted or even destroyed during the course of the investigation. At the technical level, altering date and time stamps on evidence systems before recording them can inadvertently destroy the forensic nature of the evidence. Failure to record the commands used, or the use of untrustworthy commands and tools can also raise questions about the validity of any evidence gathered. Even the very act of installing the tools, if done incorrectly, can overwrite significant evidence and cast doubt on the remaining evidence. INVESTIGATION Once a working copy of the data is available, the investigator must decide what evidence is to be sought. Depending on the nature of the investigation, files accessed, e-mail sent and received, Internet sites visited, programs executed, and graphic files accessed may all be of interest to the investigator. In its simplest form, an investigator seeking evidence of the presence on the computer of illicit or illegal files or software may simply have to do a search for a specific file name or file type. Even this may be complicated if the files concerned have been deleted and the investigator may have to resurrect such deleted files prior to examination. Where fraud has occurred, the files accessed, date and time of access, network paths taken, and software executed may be critical. Most modern operating systems have the capacity to record such accesses. Log files and registry entries can contain such information as user names, passwords, recently accessed files, and network connections used. Unfortunately, having the capacity does not necessarily mean that such records are created and retained. Once again the investigator will have to search for such files, possibly now deleted, before they can be interrogated. NETWORK MONITORING In the course of the investigation of an ongoing fraud, the investigator may have to monitor traffic flowing over the communication net- ch36_4768 1/8/07 3:29 PM Page 405 Investigating Information Technology Fraud 405 work. This will typically involve using packet sniffers to monitor traffic flow. Such activity is purely detective and is designed to confirm or dispel suspicions. The accumulated evidence may be used to verify the scope and extent of the system compromise by identifying compromised systems, user accounts, and passwords. It may be possible to identify source addresses on the network as well as to intercept stolen files, pornography, or downloaded hacker tools. At its best, such monitoring can identify the parties involved, determine the timelines of an event, and possibly even assess the skill level or numbers of individuals involved in the illicit activity. In a covert investigation into the activities on a specific machine, monitoring software may be placed upon the machine to record all email sent and received, keystrokes, images on screen, mouse clicks on the screen, and Internet and intranet sites visited. Such software would run in stealth mode and gather the information for subsequent retrieval. The software can be used to automatically send the information gathered to the investigator’s machine. In all cases, care should be taken to ensure that the evidence gathered is restored in an acceptably secure manner both on the target’s machine and while in transit to the investigator. The investigator should be aware that many antivirus and spyware detectors can detect such monitoring and care should be taken to ensure the specific software cannot be detected on the target’s computer. IDENTITY THEFT One common form of fraud that is associated with network monitoring is identity theft. Probably the most common form of this is a simple unauthorized use of a credit card account without the owner’s knowledge or permission. Such a fraud would normally come to light as soon as the owner checks the next statement. With the advent of e-commerce via the Internet, this crime has escalated and the source of the information on customers’ credit cards can result in significant reputational damage to an organization that has been penetrated. One of the more common uses of such information is to obtain access to pornographic sites resulting in large charges for the individual and significant embarrassment when the identity of the recipient becomes known. Identity theft at a corporate level can permit a thief to order ch36_4768 1/8/07 3:29 PM 406 Page 406 ADVANCED IS AUDITING goods and services charged to the company that can also facilitate the conducting of industrial espionage, resulting in a loss of competitive or marketing advantage or sabotage including breaches of criminal law in the company name. It should be noted that network surveillance is not the only method of identity theft. Phishing has recently become a significant threat whereby computer users are simply asked for their information in a plausible manner and it is provided willingly to unknown inquirers. Also, dumpster diving can be a major source of confidential information leading to identity theft including the targeting of wastepaper from home, where shredders are seldom used, and confidential information included on bills, bank statements, and letters including signatures are carelessly thrown away. Over and above the use of credit card information, identity theft achieved by obtaining confidential information on individuals via computer systems can enable the criminal to impersonate the individual in a variety of manners including accessing and downloading confidential information, opening bank accounts, entering into legally binding contracts, falsification of e-mails, destruction of credit worthiness, and access to online banking facilities. Increasingly, mobile devices such as PDAs are utilized for storing passwords, access codes, and a variety of confidential information. Because of their portable nature such devices are easy to steal but, in addition, many of them are used to connect wirelessly to communication networks with little or no security implemented. Encryption and even password protection are used rarely. Overall, the major control to prevent identity theft is awareness on the part of each individual that there are criminals out there who will exploit any weakness or exposure left by an individual or organization and that common sense must prevail to prevent such exploitation. ENDNOTE 1. Kevin Mandia and Chris Prosise: Incident Response—Investigating Computer Crime, Berkeley, California: Osborne/McGrawHill, 2001, pp. 16–17. ch37_A_4768 1/8/07 3:32 PM Page 407 APPENDIX A Ethics and Standards for the IS Auditor* ISACA CODE OF PROFESSIONAL ETHICS The Information Systems Audit and Control Association®, Inc. (ISACA) sets forth this Code of Professional Ethics, including standards, Guidelines, and Procedures, to guide the professional and personal conduct of members of the Association and/or its certification holders. Members and ISACA Certification holders shall: ■ ■ ■ ■ ■ ■ ■ Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties. Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence. Inform appropriate parties of the results of work performed; revealing all significant facts known to them. Support the professional education of stakeholders in enhancing their understanding of information systems security and control. 407 ch37_A_4768 1/8/07 3:32 PM Page 408 408 APPENDIX A Failure to comply with the Code of Professional Ethics can result in an investigation into a member’s or certification holder’s conduct and, ultimately, in disciplinary measures. RELATIONSHIP OF STANDARDS TO GUIDELINES AND PROCEDURES IS Auditing Standards are mandatory requirements for certification holders’ reports on the audit and its findings. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those standards. The IS Auditing Guidelines are guidance an IS Auditor will normally follow with the understanding that there may be situations where the auditor will not follow that guidance. In this case, it will be the IS Auditor’s responsibility to justify the way in which the work is done. The procedure examples show the steps performed by an IS Auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed. Codification Standards are numbered consecutively as they are issued, beginning with S1. Guidelines are numbered consecutively as they are issued, beginning with G1. Procedures are numbered consecutively as they are issued, beginning with P1. Use It is suggested that during the annual audit program, as well as individual reviews throughout the year, the IS Auditor should review the standards to ensure compliance with them. The IS Auditor may refer ch37_A_4768 1/8/07 3:32 PM Page 409 Ethics and Standards for the IS Auditor 409 to the ISACA standards in the report, stating that the review was conducted in compliance with the laws of the country, applicable audit regulations, and ISACA standards. Electronic Copies All ISACA standards, guidelines, and procedures are posted on the ISACA web site at www.isaca.org/standards. Glossary A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. ENDNOTE *© 2005 Information Systems Audit and Control Association (ISACA). All rights reserved. Reprinted by permission. ch38_B_4768 1/8/07 3:33 PM Page 410 APPENDIX B Audit Program for Application Systems Auditing he business system is an integral element of the business function. Therefore the application and functional risks and the related controls must be considered together. The approach selected to review business systems must address all relevant risks, management and general controls, and manual controls that are part of the business function under review. There is a definite trend toward the migration of controls from the application to the general environment. For example, the database management system features may be used to restrict access to critical functions across applications. An audit of general IS control functions provides information on the reliability of the control structure, which could significantly impact the level of testing required during application system audits. Auditors need to have a full understanding of the technology platform that supports the application: database management systems, networks, security provisions, hardware, software, and operating systems. To determine the effectiveness of access controls, the auditor should understand the capabilities and characteristics of the software; the manner in which the software is implemented from a technical point of view; the interrelationship of the application with other applications; systems software in use and conditions that allow overrides of controls; and the administrative controls related to the use of the access control software. Application controls are dependent on the general controls in the IS environment. The general controls environment must be reviewed to ensure that controls resident in an application system cannot be circumvented by non-application system components. General IS T 410 ch38_B_4768 1/8/07 3:33 PM Page 411 411 Audit Program for Application Systems Auditing controls include, but are not limited to, data and program security, program change control, system development controls, and computer operations controls. Of major importance is the segregation of duties in terms of functional responsibilities as well as access to application system processing capabilities. General Audit Programs for Application Systems QUESTIONS Input Controls: Determine that appropriate input controls are used to ensure accuracy and completeness of data. Evaluate the effectiveness of various input controls in fulfilling their objectives. Audit Procedures: Check digit verification ensures accuracy of the data entered. The check digit is created as the result of a calculation routine. • Review the source code to ensure that the defined edits are included and are coded properly to achieve the desired result. • Review test results performed by the auditor as the system is being developed or modified. • Input test transactions with invalid numbers into an audit copy of the production software used to perform the check digit verification. The testing should be done in the test environment separate from the production environment. • Review error reports produced by the application to verify that errors are being detected. YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 412 412 QUESTIONS Reasonableness and data validity edits ensure that the data is reasonable for the purpose intended. Some examples of edits include alpha-numeric check, range of values check, etc. • Review the source code to ensure that the defined edits are included and are coded properly to achieve the desired result. • Review test results performed by the auditor as the system is being developed or modified. • Create test transactions to test edits of control significance. • Review edit reports from the production processing system to verify that input errors are being detected. Hash total verification verifies accuracy for non-amount or non-numeric data. • Independent testing of a copy of the production software using copies of production data files as input to the test. The test should include steps to ensure that added, deleted, and/or modified records are properly detected by the verification routines. • Simulation of a hash total routine using independent audit software. Copies of production data files should be used as the test input. • Manually re-foot hash totals from printouts of input data files produced by utilities program. Batch balancing verifies input to preestablished control total and item counts. Note: Many applications provide manual override capabilities that allow for bypassing batch balancing errors. It is necessary to review control over the use of this capability. APPENDIX B YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 413 413 Audit Program for Application Systems Auditing QUESTIONS • Independent testing of a copy of the production software using copies of production data files as input to the test. The test should include steps to ensure that added, deleted, and/or modified records are properly detected by the verification routines. • Simulation of the routine using independent audit software. Copies of production data files should be used as the test input. • Manually re-foot totals from printouts of input data files. The printout can be obtained through standard utilities. • Observe balancing procedures. Observe data entry operation to determine if screen masking is used to prevent confidential data from being displayed on a terminal screen during the inputting process. Review a sample of the transactions on the log to determine that a record is kept showing the individuals who input the data. Input verification can be performed by having a second individual reviewing the data entered. Proper implementation of this control in conjunction with access controls can provide for the necessary separation of duties between the input and verification process. • Review access control rules for access to the input and verification transactions to ensure proper separation of duties. • Review control over the capability to override or bypass verification. Determine how the capability is installed and what authorization is required to use it. YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 414 414 QUESTIONS Call-back and dial-back to a predefined phone number. Verify the accuracy of the source attempting to initiate a transaction. • Initiate test transactions from an unauthorized location in the test environment. • Observe the call-back/dial-back procedures. • Analyze application software and hardware. • Review call-back/dial-back records. Input source verification provides assurance that data is only being modified by, or disclosed to, authorized individuals at known locations during approved time frames. Many applications provide this type of control by defining users, terminals, and printers in a security table that is embedded in the application software or data and is maintained by the application owner. • Review on-line copy of the security table for propriety. Observe the operation to determine if the data encryption method is used to prevent unauthorized disclosure and modification of data. A transaction log provides an audit trail for transactions processed. It may be a stand-alone log or it may be included as part of an overall system log. The log should be accurate and complete. • Use audit software developed specifically to read the log to get a report listing the totals and details of all transactions processed for the day. The totals can be matched to accounting entries. Differences between the records indicate potential problems. APPENDIX B YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 415 415 Audit Program for Application Systems Auditing QUESTIONS Run-to-run reconciliation ensures that the established control is maintained each time the data file is used for processing. • Use an independent software test. • Review outputs. • If the override capability is provided, additional review must be performed to ensure that the use of this capability is properly restricted and recorded on an audit trail. Reject re-entry data verification ensures correction and re-entry of rejected transactions. When items are rejected, a record or log of these items should be created so that correction and processing can be monitored. Records of outstanding rejected data and suspense items are reviewed regularly and followed up so that timely corrective action is taken and transactions are recorded in the correct period. • Observe reject re-entry operation. • Use an independent software test. • Review aging report of outstanding rejected items. Is there a complete and current set of documented procedures? • Interview employees. • Observe compliance with procedures. • Review documentation. • Review the procedures for updating documentation. A review of software modification controls could be performed as part of a business area audit if it is directed at reviewing user involvement in the software modification process. The review could be used to assess user involvement in: YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 416 416 QUESTIONS • Authorization and approval of software modification requests. • Providing user acceptance testing of software modifications. • Establishment of communications between the users and developers. Provisions for the backup and recovery of application data protect against unnecessary delays in providing required services. • Review audit work performed by auditors conducting the system development review to determine the extent of reliance that can be placed on the work. • Execute an independent test of backup and recovery of the application data. • Determine the extent of backup and recovery testing that was performed through a review of or participation in the implementation testing performed. If sufficient testing was performed to satisfy current audit objectives and assurances can be made that backup and recovery process has not changed since it was tested, reliance can be placed on the implementation testing rather than conducting another test. Business System Processing Controls: Determine that appropriate processing controls are used to ensure accuracy, completeness, and timeliness of data processed. Evaluate the effectiveness of various processing controls in fulfilling their objectives. Some of the commonly used audit techniques include: • Use simulated transactions to test processing logic, computations, and con- APPENDIX B YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 417 417 Audit Program for Application Systems Auditing QUESTIONS trol programs in the application. If test transactions are prepared in accordance with user procedures, test data analysis can help the auditor to evaluate these procedures. It can also be used to evaluate individual programs or an entire system. It can direct the auditor to areas where erroneous processing has occurred especially when used in conjunction with data retrieval and program analysis techniques. Test data can be prepared by creating inputs, copying existing master records onto a test master file, or selecting live transactions. • Use specialized audit software to analyze the flow of data through the processing logic of the application software and document the logic paths, control conditions, and processing sequences. These techniques analyze the systems command language of job control statements and the programming languages for the application. • Software mapping analysis can be used to review for non-executable codes in software. It documents all the codes in a given application and identifies the use of key data elements. • The snapshot audit technique is an automated tool used to trace a specific transaction through software and to document logic paths, control conditions, and processing sequences. This technique can verify program logic flow and help the auditor understand the various processing steps within the application software. Snapshot analysis employs a special code in the transaction record that triggers the printing of the record or data in question to a report format for further analysis. Specific instructions must be written YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 418 418 QUESTIONS into the application program to generate snapshot reports. • The purpose of tracing is to document and analyze the logic paths in complex software. The objective of the tracing audit technique is to verify compliance with specifications, policies, and procedures by documenting how the application software processes transactions. By analyzing the transaction’s path through the application, tracing can show instructions that have been executed and the sequence in which they have been executed. Tracing can also be used to verify omissions. Once the auditor understands the instructions that have been executed, analysis can be performed to determine whether the processing steps conform to organizational procedures, policies, and processing rules. Transaction tracing may be used to review transaction types and user identification numbers. • Integrated test facility (ITF) permits the internal auditor to examine an application in its normal operating environment. It involves entering and processing selected test transaction input into a live production system simultaneously with live data, tracing the flow of transactions through the various functions in the system, and comparing the actual results of the test transactions with predetermined or pre-calculated results. ITF can be used to test controls and processing of larger automated applications when it is not practical to process test data separately. Test data analysis/ITF may be used for transaction activity simulation; testing edit and validation criteria; testing of database updates and creation of computer-generated transactions; and testing of system output. APPENDIX B YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 419 419 Audit Program for Application Systems Auditing QUESTIONS • Embedded audit data collection is similar to continuous control monitoring and uses one or more especially programmed software subroutines embedded in the application software to screen and select input and computer-generated transactions. Distinct from other audit techniques, the method uses in-line code, whereby the application software collects the audit data while it processes data for production purposes. Activity monitoring, sampling, and exception reporting are all controlled by the subroutine parameters. The design and implementation of an embedded audit data collection application is normally performed as an integral part of the system development process. As continuous monitoring techniques are refined through use they alert management and auditors to actual or potential problems promptly. • Transaction retrieval and analysis are the primary automated tools designed to capture transactions for manual or automated verification analysis. They monitor activity and select transactions using error-based, parameterbased, or sample-based criteria. They are used in compliance testing to monitor transaction processing and to select data for verification. • The code comparison audit technique can be useful in evaluating software maintenance procedures, program library procedures, and program change controls. The auditor compares two versions of application software to identify any changes that have occurred since the earlier version was made and then analyzes the documentation that was prepared to authorized and execute the changes. The technique is used primarily to disclose YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 420 420 QUESTIONS unauthorized program changes. Either source or object code can be used for comparison. Comparison software can be purchased or developed. The software compares the application code and identifies inconsistencies between the two versions. Audit Procedures: Programmed cut-off controls prevent improper cut-off and reduce the risk of transactions being recorded in the wrong period; for example, an embedded calendar table can be used to compare with transaction dates or provide exception reporting of cut-off discrepancies. • Review source codes. • Review outputs. • Cycle processing controls compare pre-established control totals of critical input fields to output totals accumulated by the system. • Review source codes. • Review outputs. Session controls are performed by the application software and designed to emulate a batch procedure. Totals of critical fields by type of transaction are automatically accumulated during a data entry session and held for subsequent comparison with updated balances. • Review source codes. • Review outputs. File footings are software routines embedded into the application software that verify the dollar values and record counts or any other control fields of an application data file. It provides a primary control against inaccurate/incomplete data and a secondary control over APPENDIX B YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 421 421 Audit Program for Application Systems Auditing QUESTIONS unauthorized modification of application data. File footing is a detective control rather than a preventative control. • Develop audit software that performs the same computation. Independent confirmation letter is a control to ensure data accuracy. • Use software developed and maintained by audit to run confirmation letters and send to independent parties for verification. Piece count verification of valuables (i.e., securities) ensures the accuracy of computerized data. • Use audit controlled software to produce count sheets. The assets are verified against the computer records. Automated activity log records all activity within an application system. • Review application software source code. • Review the logs against a list of transactions processed. • Use audit software to verify the accuracy and completeness of the automated application log. Calculation simulation is a control when performed by a user. • Review source codes. • Use audit software to re-compute. • Manually re-compute. On-site and off-site back-up of application data and software. • Define all the data and software that comprise the application. • Verify that copies of this data are created for backup storage for both onsite and off-site. YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 422 422 QUESTIONS • Evaluate the ability to meet the processing requirements of the application with the backup data created. • Verify that required copies of backup data and software are kept at each required location for the proper period of time. Restart and recovery procedures are the steps to reinitiate an application after a failure. For most database applications the restart and recovery is controlled by the database software. Most testing of the procedures is done as part of the installation test. The loss of transactions before processing is completed can be especially serious when data are entered in an interactive mode and in systems that use immediate update processing. • If the restart and recovery procedures were tested during the installation of the application, review the testing performed. • If the application is a database application and the restart and recovery is provided through the database software, they may have been tested as part of the database restart and recovery procedure testing. Review the test results to determine if they satisfy the application test objectives. • If there have been recent occasions to use restart/recovery procedures, review the results and determine the adequacy of the procedures employed. • Conduct independent tests in the test environment. • Determine if shadow file processing is used. This technique involves creating duplicate transaction records that are stored on a different device, or in some cases, at another location for recovery purposes. APPENDIX B YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 423 423 Audit Program for Application Systems Auditing QUESTIONS File level encryption protects data from unauthorized disclosure and modification. It scrambles the data stored on an application file using a pre-determined key. • Execute software utility that will dump a few records of the encrypted file and verify that the printed data is encrypted. • Review the management of encryption keys and encryption terminal definitions. File integrity routines independently verify that only acceptable data is maintained on a computer resident file. Edit criteria can be used as specifications for scanning the file to ensure that program edits have not been circumvented. • Use audit software or other programs that have built-in functions that perform frequency distributions on specified fields. Very high or very low occurrence can indicate potential problems and trigger follow-up. Having current and complete processing documentation helps ensure that operations are conducted in the correct and authorized manner. • Interview employees. • Observe compliance with procedures. • Review documentation. • Review the procedures for updating documentation. Transaction sequence verification ensures that all transactions entered have been processed. • Review output from the production system. • Review source codes. YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 424 424 QUESTIONS • Test transaction sequence verification software. Run-to-run reconciliation ensures that the established control is maintained each time the data file is used for processing. • Use an independent software test. • Review outputs. • If the override capability is provided, determine that the use of this capability is properly restricted and recorded. Controls over system-generated data are incorporated into systems that automatically generate transactions or perform calculations that are not subjected to human review. These controls validate the integrity and reasonableness of automatically generated transactions and reduce the risk of erroneous transactions (e.g., reports of such transactions or data may be produced for post processing authorization, review, and reconciliation). Additional control over system-generated data occurs when there is a system-tosystem interface that includes an automated comparison or reconciliation between the two discrete systems. • Review exception report. • Review source codes. Duplicate transaction testing ensures that the transaction has only been processed once. • Review output from the production system. • Review source code used for verifying processing sequence. • Test transaction sequence verification software. APPENDIX B YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 425 425 Audit Program for Application Systems Auditing QUESTIONS • Review program source code used to identify and reject suspected duplicate transactions. • Conduct an independent test of the application software using copies of the production data and software in a test environment. • Review application edit reports that might highlight possible duplicate transactions. Programmed balancing controls are incorporated into the application software to ensure the accuracy and completeness of file update and report processing. The opening balance is checked against the closing balance from the previous cycle. The opening balance plus transaction processed equals the current closing balance. This control reduces the risks of processing with the wrong file, with incomplete or missing transactions, and loss of file integrity. • Reconstruct account balances. • Review source codes. Override of computer edits involves intervention by the application owner by allowing the user the capability to bypass what under normal conditions would be an error that would prevent processing of the transaction to proceed. • Review the use of override to determine that it is restricted to an authorized user and that an audit trail of its use is properly recorded. Review the access/resource rules that control who can use the override capability. Software modification controls are normally reviewed as part of a system development project or as attention to the application development function. A review of software modification controls YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 426 426 QUESTIONS could be performed as part of a business audit if it is directed at reviewing user involvement in the software modification process. The review could be used to assess user involvement in: • Authorization and approval of software modification requests. • Acceptance testing of software modifications. • Establishment of communications between the user and developers that assures user awareness and involvement in the software modification process. File label checking verifies that the files being used are correct. • Observe procedures. • Review source code. • Perform independent testing. Error reports highlight rejected transactions or errors. • Use test deck containing erroneous transactions • Review outputs. Before/after change imaging. When application update programs change databases or application tables, a report of the before and after image of the changed data may be produced. Management can use this report to validate the integrity of the key application tables and databases. • Observe the operation. • Verify changes made to the tables and databases to the report generated by the update program. Data transmission controls cause a proof calculation using a predefined algorithm to be performed on the information APPENDIX B YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 427 427 Audit Program for Application Systems Auditing QUESTIONS included in the transmission. The result of the proof total may be recorded on a header or trailer message segment prior to transmission. The same calculation is then performed when the message is received and the results are compared with information recorded on the header or trailer. If differences are identified, the sender is requested to retransmit the information. • Observe the operation. • Test the application in a test environment. Business System Output Controls: Determine that appropriate output controls are used to ensure accuracy, completeness, timeliness, and proper distribution of data processed. Evaluate the effectiveness of various processing controls in fulfilling their objectives. Review security software access control definitions, logon IDs and associated privileges, authentication methods, access and resource rules, source and shift group definitions, and logical transactional groups for appropriateness. Observe the operation and interview staff to determine that terminals are restricted to authorized personnel by these means: • Terminals are located in supervised and secured areas. • Physical identifiers such as cards or keys are required for terminal operation. Cards and keys are given to authorized personnel only. • Terminals are restricted for authorized functions. YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 428 428 QUESTIONS Online acknowledgment for automated output received. • Review source code for the specific application programs used to provide online acknowledgment. • Observe the operation to verify that online acknowledgment is being used and is working as it was intended. • Test the application in a test environment. Edit to ensure all hard copy output is produced. • Review hard copy output from production process. • Observe distribution of output. Controlled distribution of hard copy output. • Observe manual distribution process. • Review application job control language (JCL) to identify destinations for all outputs that are distributed automatically. Input to output reconciliation controls. • Obtain prior day’s ending balance and add and subtract the current day’s activity to arrive at ending balance. Agree ending balance to output. • Perform input/output analysis by tracing transactions from initiation to the output phase. The approach relies heavily on the analysis of data and information rather than controls. Sensitive computer forms are controlled while in storage and in use. Forms are pre-numbered and usage is accounted for in numerical sequence. • Verify that the current cycle’s beginning number is one higher than the last cycle’s ending number. APPENDIX B YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 429 429 Audit Program for Application Systems Auditing QUESTIONS • Re-compute the number of forms on hand. • Piece count the number of forms on hand. • Observe the operation. The output should contain descriptive headings for dates, numbered pages, and data classifications. • Review output. If an application maintains sensitive data, screen masking controls should be employed. • Review output. • Observe operation. User review of computer outputs. • Observe the reconciliation procedures performed by the users. • Use audit software to re-create the computer-generated transactions that would serve as a basis for verification during the audit. Sensitive data destruction procedures provide for secure disposal of all sensitive outputs. • Walk through the department. • Observe the destruction process. Application Access Controls: Information integrity may be impaired through the transaction processing functions of the application or through direct access to the application’s data files or database. Control over the accurate updating of master file or database records is important. Anyone with direct access to master file modification functions (e.g., database utilities) may be able to circumvent established procedures for YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 430 430 QUESTIONS the initiation, approval, and recording of transactions or access to data and may possibly gain indirect access to assets. Information integrity is dependent on the overall data access control environment, controls internal to the application system, and access to the data. Access security over applications systems can be incorporated into the application or provided by access control software; a database management system or other software may provide some security functions. In addition to application software, there are three common types of systems software used to control access: teleprocessing monitors, access control software, and database management systems (DBMS) software. Evaluate the effectiveness of access control to the application and its data. Audit Procedures: Effective control over access to computer functions and related data is dependent on the use of the application’s security features and/or access control software. A database management system or other software also may provide some security functions. Access controls are designed to enforce the segregation of duties. Review security packages access control definitions, logon IDs and associated privileges, authentication methods, access and resource rules, source and shift group definitions, and logical transactional groups for appropriateness. Observe the operation, interview staff, to determine that terminals are restricted to authorized personnel by these means: • Terminals are located in supervised and secured areas. APPENDIX B YES NO N/A COMMENTS ch38_B_4768 1/8/07 3:33 PM Page 431 431 Audit Program for Application Systems Auditing QUESTIONS • Physical identifiers such as cards or keys are required for terminal operation. Cards and keys are controlled by authorized personnel only. • Terminals are restricted to authorized functions. Review approval forms to determine that access to data, terminals, and application have been approved by data/application owners. Review violation reports to determine that exceptions have been resolved promptly. YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 432 APPENDIX C Logical Access Control Audit Program QUESTIONS The widespread use of communications networks has shown that physical controls provide limited value in protecting the data stored on and processed by the computer. Logical controls restrict access to specific systems to authorized individuals and to the functions each individual can perform on the system. Logical security controls enable the organization to: • Identify individual users of IS data and resources. • Restrict access to specific data or resources. • Produce audit trails of system and user activity. Audit Procedures: Each type of software has an access path. Access paths are those areas or points where access may be gained to the system. When accessing the computer system, a user may pass through one of multiple software levels before obtaining access to the data resources (e.g., data, program libraries, etc.). a) Review all possible access paths to the data resources to determine that the security features in each piece of software are utilized to minimize the vulnerabilities. Pay specific attention to 432 YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 433 433 Logical Access Control Audit Program QUESTIONS “backdoor” methods of accessing data by operators and programmers. b) Interview management and review documentation to determine if integrated access control software is used to streamline security administration and improve security effectiveness. c) Control points are those areas on the software’s access path that may be used to control and protect data resources. An access path schematic identifies the users of the system; the type of device from which they access the system; the software used to access the system; the resources they may access; the system on which these resources reside; and the modes of operation and telecommunications paths. The goal of the access path schematic is to assist in the identification of all the control points that could be used to protect the data stored on the system. Review control points for the application to assess their propriety. d) Identification is the process of distinguishing one user from all others. Authentication is the process of determining whether individuals are who they say they are. Passwords are used to control access to the computer environment. While passwords are widely used for authentication, they are not conclusive identifiers of specific individuals because they may be guessed, copied, overheard, recorded, and played back. If authentication is achieved by use of passwords, review the procedures, observe the operations, and interview user staff to ensure that: • Passwords are controlled by the owner. YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 434 434 QUESTIONS • Passwords are changed periodically; the more sensitive the data or the function, the more frequent the changes. • Password is not displayed when it is entered. • Minimum character length is set for the passwords. • Use of names, words, or old passwords are prohibited. • Users of data and resources are uniquely identified. It is not advisable to use group IDs or passwords. • If authentication is achieved by possession of identification devices such as ID cards, access cards, keys, etc., review the devices and observe the operations to evaluate the effectiveness of this method. • Authentication of individuals by physical or behavioral characteristics is also known as a biometric technology. This is an automated method of verifying or recognizing the identity of a person based on physiological or behavioral characteristics. Biometric devices include fingerprints, retina patterns, hand geometry, speech patterns, and keystroke dynamics. If this authentication method is used, review the devices and observe the operations to evaluate the effectiveness of this means. • Access control software allows the identification and authentication of users, the control of access to information resources, and the recording of security-related events and data. Access control software is important in enforcing the change control process through the APPENDIX C YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 435 435 Logical Access Control Audit Program QUESTIONS segregation of development, testing, and production environments. Many types of software contain features that are designed or may be used to provide security. It is preferable to use access control software to secure the total environment or to complement the features provided by specific software. Access control software provides comprehensive and coordinated security. a) When security software is initially installed, the protected resources, authorized user identifiers, and passwords must be identified or defined to that software. Security profiles may include user or resource passwords used to control access to specific program functions of data files. Review the security tables to determine that they are encrypted. b) Each user can be assigned a scope of access, and each resource, a degree of protection. Resources that should be protected from unauthorized access include: • Application systems program libraries. • System software program libraries. • Data files and databases. • Job execution language statement libraries. • Selected processing functions (modules) of applications programs. • Sensitive utilities that can bypass normal security controls. • Data dictionary files and programs. • Review the access rules for all the resources that should be protected to evaluate their propriety. YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 436 436 QUESTIONS c) Review responses to security violations for propriety. Responses could include termination of processing, forced shutdown of terminals, issuance of warning or error messages, and writing of audit trail records. • The desired audit trail for security violation is selected during implementation. Evaluate the effectiveness of audit trails, such data may include user ID, resource accessed, date, time, terminal location, and specific data modified during the access Review access control software to determine that the following controls are in place: 1. Access to the system is restricted to authorized individuals. 2. Access to the processing functions of application software is controlled in a manner that permits authorized users to gain access only for purposes of performing their assigned duties and precludes unauthorized persons from gaining access. 3. Access rules or profiles are established in a way that restricts departmental employees from performing incompatible functions or functions beyond their responsibility, and also enforces proper separation of duties. 4. Procedures are enforced so that application programmers are prohibited from making unauthorized program changes. 5. User/application programmers are limited to the specific types of data access (e.g., read, update) required to perform their functional responsibilities. 6. Security profiles or tables are protected from unauthorized access and APPENDIX C YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 437 437 Logical Access Control Audit Program QUESTIONS 7. 8. 9. 10. modification. Access to these profiles or tables is restricted to certain access paths. Security tables or profiles are encrypted to restrict unauthorized use. Security profile override capabilities are restricted. Security data and resource access audit trails, including audit trails of the use of the access control software, are protected from unauthorized modification. Modifications or changes to the access control software itself are restricted to the appropriate personnel, and those changes are made according to authorized procedures. Certain types of communications software can restrict access to the telecommunication network and to specific applications located on the network. • Controls limiting access to a network and to sensitive resources are specified in the communications software through an authorized exit routine or table. Access to this exit or table is restricted to the appropriate individuals. • Access to sensitive data and resources in the network is controlled by: • Verifying terminal identifications. • Verifying logons to applications. • Controlling connections between telecommunications systems and terminals. • Restricting an application’s use of network facilities. • Protecting sensitive data during transmission. YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 438 438 QUESTIONS • Automatically disconnecting at the end of a session. • Devices and applications sharing similar security requirements are placed in an isolated network with restricted operational and user access. • Network software is configured, through the use of optional journals, to provide extensive network activity logs. • Tables used to define network options, resources, and operator profiles are protected from unauthorized access and modification. • Operator commands that can shut down network components can be executed only by authorized users. • Dial-in access to the system is closely monitored and protected. • In-house access to communications software is protected, and control over changes to the software are in place. • Precautions are taken to ensure that data are not accessed or modified by an unauthorized user during transmission or while in temporary storage. • Access to telecommunications hardware or facilities that can monitor transmissions is restricted. • Precautions are taken to ensure that data are not accessed or modified by an unauthorized user during transmission or while in temporary storage. Application systems consist of data and programs specifically written to APPENDIX C YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 439 439 Logical Access Control Audit Program QUESTIONS perform a business function. Library management software can be used to store, maintain, and protect source program libraries, job execution language libraries, and in some instances, data files and object program libraries. Library management software packages differ in the type of program libraries they can protect, the levels of security they can provide, and the audit trails they can produce. The libraries must be supported by adequate change control and documentation procedures in order to provide a well-controlled change environment. • The software system may not be effective unless supported by detailed procedures, including formal authorization to transfer programs; verification by user or IS management that all changes are authorized and applied correctly; restricting performance of the change control procedures to a specific change control function; source programs copied to production libraries and recompiled; control over emergency changes; emergency access granted for the purpose of resolving the problems should be immediately revoked after the problem is fixed; and all actions taken during the emergency should be automatically logged. • Library management system maintains an audit trail of all activity against the libraries. One important control function performed by the library management software is the maintenance of a program change log. Information provided includes the program name, version number, specific changes made, maintenance data, and programmer ID. YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 440 440 QUESTIONS • The library management software has a facility that compares two source code program versions and reports any differences. • Access to programs or other items stored by the library management software is limited to certain access paths. • Access to passwords or authorization codes is restricted to authorized individuals and passwords are changed on a routine basis. • Access to library management software is protected, and controls over changes to the software are in place. • Precautions are taken to ensure that the library access definition tables are not modified by an unauthorized user. • Additional procedures are in place to ensure that the correct versions of production programs reside in object program libraries when these libraries are not protected by the library management software. Database management system software (DBMS) is used to control, organize, and manipulate data, provide multiple ways to access data in a database, and manage integrated data that cross operational, functional, and organizational boundaries within an organization. Data dictionary (DD) software provides a method for documenting elements of a database and may also provide a method of securing data in a database management system. DD software interfaces closely with the DBMS. The ability to add or update the DD should be controlled to APPENDIX C YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 441 441 Logical Access Control Audit Program QUESTIONS ensure the integrity of the documentation. All updates to the DD should produce an audit trail so that an automated record of all changes and a means of recovery from disruptions can be maintained. Determine that: • Access to data files is restricted at the logical data view, field, or field value level. Field level security pertains to the sensitive nature of the fields (salary). Field value level security pertains to the contents of a field. • Access to the DD is controlled by using security profiles and passwords within the DD software. The DD may use the DBMS to store the information in a database format. Therefore, the database must be secured using the various access control facilities build into the DBMS software. • Because the storage medium for the DD contents is a database, the same audit trail features that are in place for application databases should also exist for the DD. • Inquiry and update capabilities from application program functions, interfacing DBMS or DD facilities, and DBMS utilities are limited to appropriate personnel. Security functions implemented in the DBMS and DD may only be effective when access to the database is made through the DBMS or DD. • Access to DBMS software is protected and controls over changes to the software are in place. YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 442 442 QUESTIONS • Procedures for maintaining security profiles in the DD and security tables in the DBMS are adequate to prevent unauthorized access to sensitive information. There are two main types of utility software. The first type is used in the system development process to improve productivity, such as program development aids and on-line editors. The second type is used to assist in the management of the operation of the computer system, such as performance monitors, job schedulers, and disk management systems. Utility software may have privileged access capabilities at all times, some of the time, or never. Privileged access allows programs or users to perform functions that may bypass normal security. Determine that: • Access to specific utility files or functions is restricted. Different utilities provide various types of protection. Some utilities establish authorization levels for each protected file or function and check each user’s authorization level before allowing access. Other utilities use passwords to prevent unauthorized access. • Utility software generates an audit trail of use and activity. Some utilities provide detailed audit trails of activity against protected datasets, libraries, and other resources. These audit trails provide information such as user ID, date and time of access, resource accessed, and the type of access. These audit trails also serve as a record of events, including security violations and unauthorized accesses. APPENDIX C YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 443 443 Logical Access Control Audit Program QUESTIONS • Precautions are taken to ensure that library manipulation utilities, such as delete and copy, are protected from unauthorized use. • Precautions are taken to ensure that only authorized personnel have access to applications running under the control of the utility. • Precautions are taken to ensure that only authorized users have access to utilities that can update production libraries and library members. Certain utilities should not be maintained in the production environment. • Audit trails produced by utilities are carefully reviewed to identify possible security violations. Operating systems are a series of programs that manage computer resources and serve as an interface between application software and system hardware. These programs manage and control the execution of application programs and provide the services these programs require. Such services may include job scheduling, disk and tape management, job accounting, program compiling, testing, and debugging. Determine that: • The use of exits is controlled. Operating system software may be customized by the use of exits to alter its processing. Exits allow insertion of programs of code to perform additional functions. • System programmers’ activities are closely monitored. YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 444 444 QUESTIONS • System programmers select, install, and maintain systems software. They are highly skilled and have extraordinary access to the most sensitive elements of the computer system. • Operating systems use passwords and user IDs to prevent unauthorized users from gaining access to operating system functions and utilities. Many times these passwords and IDs are defined in a system table or dataset that is activated when the system is generated. • Passwords and user IDs are kept confidential. Unauthorized users who can gain access to the system can make unauthorized modifications to systems resources. • Access to operating system software is restricted and controls over changes to the software are in place. • Systems and data security administrators are carefully selected and monitored. They have the authority to modify system functions, including systems generation procedures and user profiles. • Access to operating system utilities is restricted. Operating systems provide many utilities that can be used to make unauthorized modifications to systems services and resources. • Systems generations and reinitializations are monitored because unauthorized generation can result in invalid systems processing. • The use of all optional systems software products, such as on-line editors and TP monitors, is restricted to appropriate authorized individuals. APPENDIX C YES NO N/A COMMENTS ch39_C_4768 1/8/07 3:34 PM Page 445 445 Logical Access Control Audit Program QUESTIONS • Audit trails are reviewed on a regular basis to determine if any unauthorized access attempts or modifications were made. YES NO N/A COMMENTS ch40_D_4768 1/8/07 3:35 PM Page 446 APPENDIX D Audit Program for Auditing UNIX/Linux Environments QUESTIONS Preliminary Steps: • Obtain a description/overview of the UNIX system configuration. • Obtain a listing of the various systems supported by the UNIX environment. • Obtain a map of the physical network to include: file servers, bridges, routers, gateways, concentrators/hubs, and modems. • Obtain design specifications for the system(s) security. • Obtain an overview of password management logic. • Obtain a job description of the system administrator. Procedures: • Review design specifications for system security. • Determine if access is controlled through UNIX password administration facilities or through application(s) user access tables or a combination or both. 446 YES NO N/A COMMENTS ch40_D_4768 1/8/07 3:35 PM Page 447 447 Audit Program for Auditing UNIX/LINUX Environments QUESTIONS • Check if documentation procedures exist or are planned for security administration. • Review procedures for password administration. • Review existing security guidelines • Users • Groups • Functions Physical Security: • Check the adequacy of physical security for each of the network components, especially file servers. • Are unused network connectors disabled or physically secured? • Is physical access to network components such as cables, routers, taps, repeaters, and terminators adequately restricted? • Are proper procedures in place for the administration of configuration changes to the network’s physical structure? Systems Administration: • Has a system administrator been designated for the UNIX/Linux environment? • Is the system administrator supported by a backup person? • Does the system administrator have a separate account for normal uses that does not require root access? • Are adequate procedures used for administering: YES NO N/A COMMENTS ch40_D_4768 1/8/07 3:35 PM Page 448 448 QUESTIONS • Managing user logins • Managing menu selections • File backup and restoration for systems and individual user’s files • Monitoring of system activity • System shutdown • Has appropriate administrative responsibility also been assigned to the following activities? • Hardware and software installation and maintenance • Administration of the password file • Maintenance of user’s login scripts • Assignment of group, owner, and public rights to directories and files • Using the UNIX set command, identify and evaluate system variables for appropriateness • Is access to the root ID and password appropriately restricted? Account Security: • Are account IDs and permissions properly authorized? • Do procedures exist for the assignment and maintenance of account passwords? • Are obvious password choices prevented by the system? • Determine by examining the system password file: • If there are active users without a password. • If there are users with no password expiration. APPENDIX D YES NO N/A COMMENTS ch40_D_4768 1/8/07 3:35 PM Page 449 449 Audit Program for Auditing UNIX/LINUX Environments QUESTIONS • If there are users defined as root (UID of zero)? • If there are users with the same user ID (UIC)? • With the exception of root, are all default system logins disabled? Individual users may be grouped into group IDs, for the purpose of accessing specific files, directories, or devices. • Identify if those groups can assume (i.e., SU) the capabilities of the root account, and if so, should they be able to do so. • Determine who monitors profiles for currency. • Examine files that indicate system assigned user controls. Are indicated entries in line with current assignments? There is seldom a good reason for logging in as root. • Determine if the root ID has been changed to accommodate only a SU command so that the root ID could not login or remote login or teleprocess. • Examine the file containing the system-wide profile for all users. Check: • Are users whose session is inactive logged off after a reasonable period of time? • Are all users listed in the group genuine users and is the group ID unique and correctly formed? Note that the individual user’s profile overrides these parameters. YES NO N/A COMMENTS ch40_D_4768 1/8/07 3:35 PM Page 450 450 QUESTIONS File Level Security: • Is access to system files properly restricted? • Are sensitive or critical data files correctly identified and protected against unauthorized access? • Ensure the root path does not contain the current directory. Under normal circumstances in all users, PATH should not include the current directory. If it is essential, it must be placed last on the path. • Individual users’ home directories must not be readable by world or group. Check that these are properly restricted. • Review critical/sensitive files that have set user ID (SUID) or set group ID (SGID) to ensure the settings are proper. Device Security: • Evaluate devices to ensure they are not world-writable with the exception of the [/dev/tty*] devices. • Review the settings for /dev/mem and /dev/kmem to ensure they are not readable to ordinary users. Backup and Recovery: • Is there a documented backup and recovery plan? • Have systems been classified as to their criticality? • Is there appropriate off-site storage of backup and recovery files? APPENDIX D YES NO N/A COMMENTS ch40_D_4768 1/8/07 3:35 PM Page 451 451 Audit Program for Auditing UNIX/LINUX Environments QUESTIONS • Have recovery plans been tested periodically? • Do they work? UNIX Networks–Terminal Security: A root ID can only login to a secure terminal. The console should be the only terminal to which the root ID (if it is used) can login directly. • Review the terminal definition table to ensure that only the console is labeled as secure. • Review the /etc/inittab file to verify what terminals and modems are attached to the server. • Review logoff and timeout procedures for terminals. Are they appropriate? UNIX Networks–Trusted Hosts: The /etc/hosts.equiv file lists trusted hosts. Remote users who log in with rlogin or issue commands with rsh are granted access with no password requirement if they are coming from a system listed in this file and have an account on the local system with the same login name. Only local hosts should be known to this file. • Review the systems file used to identify remote users or systems that are permitted to login (rlogin) or remotely execute [rsh] commands without being prompted for a password. User entries in the .rhost file permit remote users of a same name to remotely login without being challenged by the systems’ restrictions (on remote logins). YES NO N/A COMMENTS ch40_D_4768 1/8/07 3:35 PM Page 452 452 QUESTIONS • Review the user home directories for a [.rhost] file to ensure its use is properly restricted. • Ensure the version of SENDMAIL program does not support the wiz, debug, and kill commands; all should return error messages, which should take the form of “500 Command Unrecognized.” UNIX Networks-UUCP Security: • Are UUCP and default passwords changed at installation? Passwords associated with the UUCP subsystem must be aged on a manual basis. • Are these passwords changed periodically? • Review the adequacy of protection given to UUCP communication files and programs for adequacy. UNIX Networks–FTP: A server that allows anonymous FTP allows anyone to connect to the server using the login “.anonymous,” and transfer files from a restricted directory. This login allows users who do not have an account on the machine to have restricted access in order to transfer files from a specific directory. If FTP is being utilized: • Is the home directory owned by ftp protected from update by all users? The directory ftp/bin should be owned by the super user and write protected from everyone. This directory will contain the ls program. APPENDIX D YES NO N/A COMMENTS ch40_D_4768 1/8/07 3:35 PM Page 453 453 Audit Program for Auditing UNIX/LINUX Environments QUESTIONS The ftp/etc directory should be owned by the super user and write protected from everyone. This directory contains the password and group files. The password fields should be changed to asterisks (*). A directory ftp/pub, owned by ftp and worldwritable, will be available for users to place files that are to be accessible via anonymous ftp. Note that by making this directory world-writable people who are not known are allowed to place files on the system. YES NO N/A COMMENTS ch41_E_4768 1/8/07 3:36 PM Page 454 APPENDIX E Audit Program for Auditing Windows XP/2000 Environments QUESTIONS Layout and Connectivity of the Network In order to form a proper audit opinion on the standard of network management, it is essential to document the types and location of all network components. • Locate all the PCs, peripherals, and other network components in use by the network, and establish: • The completeness and accuracy of the hardware inventory • The completeness and accuracy of the software inventory • The physical location of each PC, printer, cable box, bridge, or router • For each machine in the network, establish and document its purpose in the network, identifying: • Servers • Primary domain controllers • Backup domain controllers • Workstations • Determine which servers and workstations are used for: • Development and testing • End-user production purposes • Both Examine the network topology and cabling plan. 454 YES NO N/A COMMENTS ch41_E_4768 1/8/07 3:36 PM Page 455 455 Audit Program for Auditing Windows XP/2000 Environments QUESTIONS • Is one available? • Is it up-to-date? • Does it clearly identify: • Cabling routes • Types of cable in use (twisted pair, ethernet, token ring, etc.) Determine the nature of the network protocols used in the network, for example: NetBEUI TCP/IP IPX Other • Are cabling runs, terminators, cable jointing boxes and other points of access to the network secure against: • Interference? • Accidental or malicious damage? • Are the network components examined regularly to detect signs of gradual deterioration, wear and tear, etc.? System Administration: Because of the design of the Windows security and management system, a very high degree of responsibility rests with the system administrator, who has total control of the operating system and all its resources. • Obtain a detailed job description for the system administrator. • Does it clearly describe his/her responsibilities and duties? • If the organization has scaled up from (say) a single network to multiple domains, is the job description still appropriate? • Has the administrator defined a set of procedures for setting up new users? YES NO N/A COMMENTS ch41_E_4768 1/8/07 3:36 PM Page 456 456 QUESTIONS • Is it in accordance with the organization’s IT security policy (if one exists)? • Have the security principles been communicated to all users before they are set up as users of the system? • Has the administrator restricted users to the smallest possible amount of privilege they need to carry out their duties? • Have users been organized into sensible and well-structured groups for control and management purposes? • Identify the persons who are required to have administration privileges on the network. Are they in control of: • A single server • A single domain • Multiple domains • For each machine or domain controller, establish the following: • That a limited number of users have been designated as having administrator privileges • That the administrator account has been renamed • That the administrators use an alternative account name with lower privileges for day-to-day activities • Ensure that the Guest account is properly controlled, and cannot be used with a blank password. • On sensitive systems, ensure that there is no access for groups such as Everyone and Guest. • Determine if, where a Windows workgroup or domain is being used as a gateway to another system (e.g., a Novell Netware network), permission has been obtained for the connection to be set up and maintained. APPENDIX E YES NO N/A COMMENTS ch41_E_4768 1/8/07 3:36 PM Page 457 457 Audit Program for Auditing Windows XP/2000 Environments QUESTIONS Network Capacity Planning: Does the network meet the needs of the users and has it sufficient capacity for expansion in the future? • Examine the network capacity plan, if available. Does it cover: • Disk storage usage and future requirements? Printing volumes and speeds? • Processor utilization on workstations and servers load balancing between servers • The capacity of the network transmission media • Is there evidence of regular management review of the above areas? • Is the network management and control mechanism appropriate and adequate for: • A network of workstations sharing resources • A domain-based network with a single domain controller • A domain-based network with multiple backup domain controllers • A network of domains, each with its own controller • A network of domains with trust relationships • Ensure that the administrator keeps the network capacity under review • Seek evidence that the Performance Monitoring tools are being utilized to collect information about loadings on processor, disk, and network. • Will the Performance Monitor provide an administrative alert whenever the monitored parameters go outside their predefined acceptable limits? YES NO N/A COMMENTS ch41_E_4768 1/8/07 3:36 PM Page 458 458 QUESTIONS Password and Logon Controls: An adequate standard of password and logon controls is the first line of defense against unauthorized use of Windows facilities. • Does the initial logon message box ask users to press Ctrl-Alt-Delete to log on to the system? • Is there a legal notice displayed to users as they log in to the system? • Are all users required to log on with their own unique user ID and password? • Examine the Account Policy menu system in User Manager to determine if appropriate choices have been made for the configurable password restrictions. • Examine the Account Policy as regards user lockout in the event of users failing to provide a valid logon. • Does the system allow unlimited attempts (not desirable)? • Lock out after a certain number of bad attempts and is the number reasonable? • Is the lockout duration set to a time period, or • Is the lockout permanent unless the account is restored by the system administrator? • Has the system been set to ensure that users must log on before being allowed to change their passwords? • For users accessing the network via the Remote Access Service (RAS), is the Account Policy set to forcibly disconnect their session in the event of permitted logon hours expiring? • Examine the User Rights and for each user, establish who can: APPENDIX E YES NO N/A COMMENTS ch41_E_4768 1/8/07 3:36 PM Page 459 459 Audit Program for Auditing Windows XP/2000 Environments QUESTIONS • Use sensitive system functions • Take ownership of other users’ resources • Use administrative programs and functions • Check the contents of the system login script to ensure that its contents are appropriate. Group Management: • List the built-in groups available on the workstation or server to determine: • Which users are assigned to each group? • Are the appropriate users assigned to each group, according to their responsibilities and duties? • Has the appropriate set of user rights been assigned to group members? • Examine any global groups that may have been created. Establish: • The names of the users who comprise the groups • If the users are from multiple domains, does the composition of the group reflect the overall range of responsibilities applicable to the people comprising it? • Identify users who belong to more than one group. • Is the additional privilege granted by membership of other groups consistent with: • The user’s duties? • The organization’s security policy? YES NO N/A COMMENTS ch41_E_4768 1/8/07 3:36 PM Page 460 460 QUESTIONS Maintaining the Security of File Systems: The directory structure is the key to effective file system management. • Establish the numbers and types of partition on each machine’s hard disk. • Establish the type of file system that has been set up on each disk. • For each file system found, establish whether it is a FAT file system, an HPFS file system, or an NTFS file system. • Ensure that, where possible, all partitions holding significant quantities of application and system data are of the NTFS type. • Check the permissions over sensitive applications or system directories containing important configuration and system files. • Check which groups have the ability to modify or otherwise manipulate the contents of these directories. • Examine the arrangements for sharing of directories among workstations, clusters, or from servers. • Are shared directories appropriate to the data sharing needs? • Is there a policy of minimum necessary access applied in directory shares? • Are share names properly documented and commented in their dialog boxes? • Have access-level passwords been set up for share names? Auditing and Event Logging: • Look for evidence that auditing for specific sensitive system objects has been set: APPENDIX E YES NO N/A COMMENTS ch41_E_4768 1/8/07 3:36 PM Page 461 461 Audit Program for Auditing Windows XP/2000 Environments QUESTIONS • Detection of unauthorized access to files and directories. • Detection of authorized changes to critical system files or directories. Examine the arrangements for the audit of use of the Remote Access System (RAS). • Check for detection of an appropriate set of the following events: • User connection • User disconnection • Inactivity timeout for user • User failed to authenticate • User failed to provide login authentication in time • Disconnection due to network error during login attempt • Check the settings of the Event Log Settings for size and recording options: • Has the log file size been set to an appropriate capacity to hold a typical period’s activity? • Can the oldest log entries be overwritten at any time if the log files become full, or is a time period set (e.g., seven days)? • Check that the administrator conducts a security check efficiently and frequently. Backup and Housekeeping: • Determine the adequacy of the arrangements for: • Taking security copies of main data files • Copying and securing the registry files YES NO N/A COMMENTS ch41_E_4768 1/8/07 3:36 PM Page 462 462 QUESTIONS • Keeping copies of critical configuration files (including system and personal logon profiles) • Ensuring that the configuration details of servers and domain controllers are secured • Ensuring that emergency startup diskettes are kept upto-date for all servers and controllers. APPENDIX E YES NO N/A COMMENTS ch42_IND_4768 1/8/07 3:37 PM Page 463 Index Abuse, 36, 86, 182, 222, 285, 301, 302, 329, 341, 375, 379 Acceptance testing, 235, 244 Accident, 12, 81–83, 198, 285, 290, 312, 330, 350, 351, 360 Accountability, 64, 69, 174, 183, 195 Accounting association, 49 controls, 112 data, 87, 99 entries, 87 principles, 71 records, 299 standards, 84 unacceptable, 77, 232 Access constraints, 255 controls, 52, 63, 87, 181, 198, 279, 300, 305, 314, 320, 325 control feature, 390 control lists, 282, 387, 400 control logs, 199 control software, 310 database, 211 effectiveness, 410 inadequate, 77, 83 logical, 53, 83, 310 physical, 332–334 procedures, 245 role-based, 283 software, 410 standards, 283 unauthorized, 21 Accuracy auditing, 175 and completeness, 9, 11, 21, 22, 58, 65, 77, 99, 173, 177, 207, 263, 272, 281, 258, 272, 281 ethics, 182 sample, 119, 270 Administration centralized, 20 coordination, 21 data, 210 database, 13, 21 emergency, 316 release and versions, 289 security, 211, 297, 317 systems, 211 ACF2, 314, 316 Air conditioning, 330, 334 Analytical approach, 160 evidence, 40, 109 review, 275 steps, 91 ANSI, 374 Application, 85 audits, 97, appendix b audit tools, 107 authority levels, 99 controls, 21, 57, 65, 66, 73, 105, 191, 264–275 failures, 362 functional capability, 314 integrity, 312 463 ch42_IND_4768 1/8/07 3:37 PM Page 464 464 Application (cont.) interface, 360 of knowledge, 151 portfolio, 279 programs, 8 recovery, 340, 345 reviews, 100, 102 software, 12, 64, 80, 130, 251 software security, 86, 298 systems, 8, 13, 64, 210, 216, 246 Approval audit, 92, 101 audit program, 111 board, 153 by legal counsel, 400 certification, 328 design, 235 project, 234 run schedules, 286 supervisory, 111 technical review, 233 Assets, 12, 31 access to, 81, 211, 350 at risk, 290, 322, 324, 341 classification, 52 control over, 230 examination of, 94 insurance, 352 inventory of, 222 liquidity of, 84 loss of, 77 register, 170, 267, 280 safeguarding, 50, 60, 192 security of, 51, 297–309 under control, 85, 87 Audit application tools, 107 charter, 24, 30, 31 committee, 31, 32, 38, 70, 74, 76, 144, 186 compliance, 104, 369 evidence, 39, 40, 109, 111, 112, 116, 131, 275 management, 98 operational, 106, 123, 199, 222, 292 planning, 77, 88, 93 225 Index procedures, 93, 104, 111, 114, 115, 130, 175, 176, 225, 274 program, 40, 78, 91–94, 105, 109–111, 128, 274, 275, 312, 315, 361, 372 report, 77, 92, 95, 96, 110, 131, 134–143, 250, 283, 305, 370 scope, 111 software, 107, 119, 128, 129–133, 225, 271, 273, 283, 313, 366 standards, 29, 31 steps, 86 techniques, 39, 89, 102, 103, 115, 128, 129, 133, 163, 224, 371 testing, 84, 94, 95, 116, 117 tools, 107, 128, 131, 225, 270, 282, 313, 371, 381 trail, 20, 54, 61, 64, 68, 89, 233, 234 270, 273, 283, 167, 360, 361, 362, 369 Authorization, 51, 54, 65, 86, 198, 271, 314, 360, 377 change, 223, 234, 246, 301 checks, 19 levels, 213 payments, 117 procedures, 301 requests, 197 transactions, 41, 61, 213 user, 63, 199, 247 work, 313 Backup, 186, 289, 330 adequate, 12, 62 appropriate, 211 copies, 155, 290 forensic, 399, 402, 403 lost, 187 media, 285 not taken, 198 production of, 284 recovery, 155, 212, 285 reconciliation, 86 retention, 346 security, 391 skills, 215 ch42_IND_4768 1/8/07 3:37 PM Page 465 Index taking, 209 theft of, 331 Batch processing, 9, 10, 67, 68, 311, 344, 361 Binary, 4, 5, 227, 229 Bits, 5, 10 Budget, 110, 139, 149, 150, 154, 157, 162, 232, 243, 250, 261 Business exposure, 35, 78 interruption, 66, 77, 232, 351, 360 objectives, 26, 29, 48, 50, 51, 84, 89, 90, 104, 158, 175, 188, 192, 200, 243, 262, 275, 290, 346, 370, 389 process reengineering, 167, 227 risk, 27, 29, 35, 38 unclear objectives, 230, 247 Cadbury, 70, 188 Capacity planning, 162, 289, 291 Carbon dioxide, 334 Card, 332 credit, 178, 405, 406 identity, 332 laser, 319 locks, 332 punched, 6, 7, 9 smart, 311, 319 Catastrophe, 232, 248 Certification authority, 178, 328 Chain of custody, 401, 403 Change control, 196–199, 227, 245, 320, 365, 396 Chart bar, 126, 127 organization, 93, 287 PERT, 126, 154 Gantt, 126, 154 Check authorization, 19 background, 214 edt, 86 format, 23 lists, 142, 185, 391 points, 19, 20, 321 redundancy, 306 465 security, 317, 321 sums, 399 uniqueness, 23 CISA, 47, 49 CISM, 49 COBIT, 32, 48, 57, 74, 147, 155, 185, 188, 189, 191, 192, 193, 200, 202, 279, 282 COBOL, 131, 228 CoCo, 8, 57, 188, 194, 195 Code access, 315, 406 authentication, 306, 364 combined, 70, 74 cromme, 70 interpretive, 229 object, 155, 229 of conduct, 182, 183, 215 of ethics, 49, 70, appendix a the fact is, 222 source, 133, 155, 198, 229 source review, 272 steganography, 308 symbolic, 228 unauthorized, 398 Collusion, 79, 81, 193 Committee audit, 31, 38, 70, 74, 76, 144, 186 Cadbury, 70 change control, 197, 199 compliance, 70 ISACA, 47 nomination, 70 non-executive, 76 of sponsoring organizations, 42, 50, 57, 186 remuneration, 70 standards, 163 steering, 174 technical, 201 Communications, 5, 10, 210 audit, 136 auditing, 108 data, 102 poor, 232, 239 recovery, 345 ch42_IND_4768 1/8/07 3:37 PM Page 466 466 Communications (cont.) security 301, 302, 305, 306, 321, 326, 340 simplex/duplex, 10 skills, 101 synchronous/asynchronous, 10 technical infrastructure, 279 Compatibility, 345, 389 Compiler, 229 Compliance, audits, 97, 104, 369 committees, 70 controls 192, 237, 286 testing, 35, 77, 109, 112, 116 with policies, plans, 60, 67, 99 with ISO, 202 with legislative changes, 219 with section 404, 74, 186 with security policies, 322 with the law, 37, 50, 177, 192, 194, 199 with the standards, 29, 32, 46, 49 Computer crime, 7, 397, 398, 406 Concurrency control, 11, 211 Confidence level, 115, 119 Contingency plan, 54, 99, 161, 290, 291, 336, 342, 362, 371 Continuous audit, 237, 282, 283, 288, 369 Control access, 87, 211, 300, 305, 320, 332, 334, 410 activity, 76 application, 57, 65, 66, 73, 105, 191, 264, 410 compensating, 62, 65 corrective, 61, 182, 330, 341 detective, 61, 142, 182, 325, 369 general, 73, 410 preventative, 61, 210, 212, 213, 300, 326, 339, 348 strategies, 26, 27, 36 Conversion, 69, 130, 209, 229, 231, 242, 244, 248, 256, 259, 263, 358 COSO, 32, 36, 49, 50, 57, 71, 73, 74, 186, 188, 192, 193, 194 Costing, 292 Index CPM, 126 CPU, 4, 316 Damage, 80–83, 179, 285, 299, 312, 330, 334, 335, 349, 350, 352, 360, 393 Data dictionary/ directory systems, 18 Data structures, 13, 14, 211, 212, 216 hierarchical, 14, 15, 377 relational model, 14, 16, 23, 166 Database, 3, 12–23, 156, 166, 173, 175, 179, 211, 234, 279, 382 access, 282 administrator, 18, 211 auditing, 20 creation, 241 documentation, 20 intrusion detection, 329 management system, 410 operational controls, 21 packages, 376 recovery, 18 server, 325 top secret, 317 DBMS, 3 auditing, 20 checkpoints, 19 defined, 13 packages, 18 DD/DS, 13, 18, 21, 222 Default, 256, 282, 312, 316, 317, 319, 324, 353, 390 DES, 303 Destruction, 133, 186, 281, 297, 330, 360, 406 accidental, 82, 351 assets, 77 confidential scrap, 156 data, 285 deliberate, 342 malicious, 351 media, 333 message, 303 total, 334 Detective controls, 61, 142, 182, 325, 369 ch42_IND_4768 1/8/07 3:37 PM Page 467 Index Deviation, 147, 202, 288 from the mean, 118, 119 standard, 118, 119 Diagnostic, 394 Digital agents, 282 certificates, 321, 327, 328, 367 evidence, 403 signals, 6 signatures, 181, 321, 327, 328, 366 to analogue, 210 watermarks, 307 Disaster, 19, 53, 86, 285, 290, 299, 340–352 recovery, 12, 61, 155, 289, 298, 337, 339 Distribution functionality, 326 key, 364 list, 139, 142 normal, 114 output, 68, 155, 156, 180, 186, 209, 270, 285 pipelines, 357 statistical, 118, 121, 122 systems, 289 Documentation, 18, 20, 21, 40, 91, 107, 233–235, 244, 374, 301, 367, 371, 395, 403 adequate, 69, 288 change, 197 poor, 231 procedures, 203 review, 144, 163 standards, 111 systems, 111, 153, 235 Dump, 273, 288 Duties division of, 62, 82, 213 segregation of, 51, 60, 62, 63, 68, 77, 82, 86, 156, 164, 211, 212, 270, 285–287, 301, 313, 325 End-user systems, 65 Encryption, 11, 142, 180, 302, 326, 364 467 Enterprise risk management (ERM), 36 Environmental, 69 controls, 335 security, 52, 53, 330, 336 Edit check, 86 Efficiency and effectiveness, 27, 28, 46, 59, 199 access controls, 410 audit, 116, 346 business, 242 COBIT control, 21, 34, 35, 39, 62, 72, 73, 89, 90, 94, 104, 134, 141, 176, 189, 193, 195, 225, 237, 271, 282, 336, 341, 353 370, 372 corporate governance, 186 degrees of, 150 development process, 150 directors, 70 intervention, 220 IS, 98, 99, 103, 170 mitigation, 84 monitoring, 51 operations, 60, 96, 194, 200, 287 project, 155, 244 password management, 87 RACF, 316 risk management, 44, 76, 78 systems, 170, 267 testing, 263, 347 Electronic funds transfer, 166, 351, 357, 364, 372 E-commerce, 37, 165, 179, 236, 328, 357–373, 394, 405 E-mail, 142, 307, 404, 406 Error human, 77, 86, 285 logs, 68, 270 messages, 381, 386 rates, 117, 120, 224 Espionage, 406 Ethics business, 69, 181 code of, 24, 30, 43, 44, 46, 47, 49, Appendix a impact of, 182 ch42_IND_4768 1/8/07 3:37 PM Page 468 468 Exception report, 61, 68, 132, 270 Excessive, 313, 318 costs, 77, 170, 232 Exposure, 33, 79, 104, 310, 352, 399, 406 business, 35, 78 computer, 80 drafts, 46 financial, 84 net, 362 operational, 285 risk, 62, 75, 79, 80, 83, 300, 341 systems development, 232 Feasibility, 152, 153, 157, 197, 234, 242, 259–263 Fidelity insurance, 214 Findings, 94, 95, 139–141 audit, 39, 140, 143 development of, 93, 94 reporting, 102, 134, 144 reviewing, 135 significance of, 87 Fire, 86, 187, 285, 301 Firewall, 211, 282, 307, 312, 321, 322, 324, 326, 327, 329, 350, 359, 391, 394, 400 Flood, 86, 285, 330, 340 Flowchart, 107, 225 Follow-up, 20, 41, 77, 96, 104, 111, 134, 135, 143, 144, 160, 195, 233, 399 FORTRAN, 228 Fraud, 212, 229, 232, 298, 326, 349 audits, 91, 104, 137 cyber, 177 detection, 33, 41 e-commerce, 359 embezzlement, 77 financial, 70, 350 investigating, 397–406 IS, 82 management, 81 reporting, 183 user, 81 Index Gantt Charts, 126, 154 Generalized audit software (GAS), 107, 128, 129, 133, 225, 271, 273, 283, 313, 372 Generator data, 107, 225, 271 program, 131 standby, 335, 345 Governance corporate, 28, 57, 69–74, 174, 215, 339, 352 general, 24, 44, 239, 290 IS/IT, 36, 69, 145, 177, 184–192 Groups, 282 audit, 100–106 characteristics extremists, 178 of characters, 10, 303 permissions membership, 314 user, 315, 390 work, 386 Hacker, 12, 83, 350, 360, 376, 378, 381, 382, 393, 394, 395, 396, 400, 405 Hacking, 342, 360, 393, 396, 398, HALON, 334 Header, 9, 363 History, 214, 220, 374, 385 Hot site, 340 Housekeeping, 155, 186, 187, 209, 284, 389 Human, 136, 333–336, 341 controls, 62, 66 decision, 61 discretion, 62, 66 element, 12, 281 error, 77, 86, 285 intervention, 61 judgment, 193 resources, 12, 147, 154, 158, 164, 190, 195, 217, 223, 227 Humidity, 335 ch42_IND_4768 1/8/07 3:37 PM Page 469 469 Index Identification, 18, 98, 171, 237, 274, 281, 300, 326 control points, 372 data sources, 244 dependencies, 78, 148 problem, 256 risk, 38, 50, 76, 332, 341 sender, 304, 306 systems and vendors, 252 user, 301, 319, 323, 332, 377, 379 Identity theft, 178, 368, 405, 406 IIA, 24, 37 code of ethics 43 development and practice aids, 46 standards, 43, 44, 116 website, 47 Impact analysis, 159, 290 Independence, 160 audit, 33, 41, 249 data, 13, 122 organization, 103 Inquiry, 11, 68, 109, 128, 131, 270 Inspection, 161, 284 Insurance, 95, 130, 298, 349–353 coverage, 38, 299 fidelity, 214 self, 299 Instruction, 4, 6, 111, 193, 227, 228 operating, 288 run, 8 Intrusion detection, 279, 321, 325, 329, 400, 401 Integrated test facility (ITF), 132, 273, 369 Integrity, 77, 181 auditing, 346 competence and, 63 data, 22, 58, 132, 299, 360, 367, 377 encryption, 302, 306 ethics, 44, 45, 50, 181, 183, 195 of information, 67, 199, 207, 269, 300, 322 of messages, 142 of programs, 68, 270 of source documents, 209 of systems, 208, 312, 362, 389 of transactions, 367 reliability, 59 recovery, 316 security, 297 Intelligence, 164, 229 Interpreter, 229, 377, 385 Internet, 11, 83, 166, 177, 178, 180, 211, 236, 240, 303, 327, 328, 342, 352, 375, 376, 379, 394, 396, 397, 398, 404 Interview, 26, 39, 40, 90, 94, 107, 109, 111, 120, 163, 371, 402 IPF, 155, 208, 209 ITIL, 32, 188, 193, 194, 279, 281, 288 ISACA, 24 code of ethics, 30, 43, 47, 49, Appendix a standards, 29, 30, 43, 47 website, 48 ISO, 32, 51, 53, 153, 154, 163, 188, 193, 196, 201, 202, 221, 222, 279 ISO/OSI, 363 Jargon, 4–9 Job control, 8, 288 Job description, 93, 287 Journal, 19, 20 Key activities, 25, 26, 90 encryption, 364 management, 289, 321 performance areas, 27, 90 performance indicators, 27, 90, 159, 185, 199 public, 303–306, 328, 367 King, 57, 70, 182, 187, 188, KPAs, 27, 90 KPIs, 27, 90, 159, 185, 199 Labels, 68, 270, 400 Language job control, 8, 288 ch42_IND_4768 1/8/07 3:37 PM Page 470 470 Language (cont.) programming, 8, 128, 131, 216, 228, 229, 378 LANs, 5, 11, 55, 340, 387 Laptop, 55, 331, 350 Laser cards, 390 disks, 5 Layout, file, 130, 153, 242 record, 243 report, 92 wrong, 274 Leader, 91, 167, 168, 209 Leadership, 33, 75, 150, 175, 184 Level authority, 31 control, 21, 58, 94, 141 Liability, 351, 357, 360, 362 Liaison, 85, 101, 243, 289 Libel, 178, 351 Librarian data, 209 packages, 314 tape, 285 Limitations, 129, 153, 193, 386 Linear programming, 125 Local area networks, 5, 11, 55, 340, 387 Log files, 312, 325, 381, 404 Logic, 243, 272–274 Logical access, 53, 83, 86, 97, 179, 305, 326, 328 data structures, 211 design, 251 security, 65, 99, 108, 297, 301, 310, 313, 336 threats, 86, 350 views, 13, 18 Loss assets, 60 confidentiality, 59, 81, 83, 322 data, 331 Magnetic media, 7, 285, 333, 403 Maintenance cost of, 246, 257 Index systems, 246, 257, 320 Malware, 300, 312, 322, 325, 351, 353 Management abdication, 232 control, 24, 53, 57, 96, 185, 199, 233 defined, 25 database, 3, 8, 12, 13, 166, 211, 410 executive, 28, 38, 75, 81, 134, 174, 175, 184, 189, 200, 299 of information, 24, 36, 98, 147, 224 of risk, 36, 76 override, 79, 193 process, 25, 28, 48, 79, 164 review and approval, 233 structures, 25 Mandatory audit activities, 85 changes, 245 controls, 52, 66, 71, 193 standards, 43, 44, 46, 47, 53, 366, 408 Market, 37, 57, 58, 152, 161, 167, 168, 171, 236, 239, 240, 271, 351, 358, 386 Marketing, 58, 170, 172, 217, 220, 240, 267 Master file, 87 Materiality, 33, 40, 85 Micro auditing, 132 computer, 5, 367 computer-based software, 65, 128, 132, 236 film/fiche, 7, 333 soft, 375, 385–391 wave, 6, 10, 311 Motivation, 160, 167 Multidrop, 11 Multiplex, 6, 210 Needs business, 20, 26, 262, 274, 280, 371, 379 customer, 27, 155 establishing, 25, 26 organizational, 25, 30, 58, 185, 188, 189, 191, 251 ch42_IND_4768 1/8/07 3:37 PM Page 471 Index user, 7, 65, 157, 197, 209, 221, 230, 311 Network analysts, 8 monitoring, 399, 404, 405 performance, 12 types, 11 NIST, 53–56 Non-executive, 70, 74, 76 Non-parametric, 119, 122 Objectives audit, 29, 88, 93, 116, 135, 271, 361 control, 3, 9, 10, 32, 48, 59–69, 73, 77, 81, 84, 89–94, 104, 111, 143, 175, 188–194, 199, 268, 269, 282, 297, 322, 370 performance, 25, 27, 134 sdlc control, 233 Observation, 39, 94, 95, 109, 124, 163, 286, 332, 368, 371 Omissions, 135, 177, 351 On-line, 9, 10, 67, 68, 128, 131, 270, 314, 324, 344, 360, 369, 375, 406 Operating Systems, 7, 12, 64, 155, 264, 310–312, 401, 410 auditing, 97 patches, 322, 324 release levels, 293 security, 324 system software, 80, 210, 279 Operators, 8, 209, 229, 283–288, 310, 320 Organization chart, 93, 287 Output controls, 155, 264, 270 distribution, 68, 155, 270 Outsourcing, 31, 95, 147, 148, 160, 161, 173, 236, 238, 239, 258, 351, 353 Overhead, 37, 291, 292, 381, 390 Override controls, 410 management, 79, 82, 193 Parallel running, 244 simulation, 133, 273 471 Parameters, 8, 97, 130, 266, 288, 311 312, 387 Password, 61, 87, 213, 284, 305, 312, 314, 318, 319, 324, 326, 327, 369, 378–384 Patch, 246, 255, 257, 281, 322, 324 Payroll, 64, 130, 161, 266, 268, 374, 390 Performance objectives, 25–27, 90 Peripheral Defenses, 321, 332, 333 Peripheral devices, 4, 208, 285, 345, 375 Personnel controls, 53, 286 practices, 214, 287 procedures, 77, 81, 82 security, 52, 86, 298 Phishing, 178, 406 Physical access, 97, 179, 305, 313, 328, 331, 332, 334 Physical damage, 330, 352 Physical security, 65, 86, 285, 298, 301, 314, 330, 332, 336, 389 Planning audit, 29, 76, 77, 88–97, 98, 103, 107, 111, 225, 370 capacity, 162, 289, 291 contingency, 54, 99, 161, 362 continuity, 52, 162, 290, 291 conversion, 235 disaster recovery, 339–348 enterprise resource (ERP), 219 information systems, 207–217 implementation, 243 project, 148–154, 233, 243, 261 recovery, 12 sampling, 116 strategic, 37, 101, 108, 164–176, 280 tools, 126 Policy corporate, 396 framework, 181 insurance, 349–351 manual, 93 quality, 202 security, 52, 53, 211, 308, 361, 388, 391 ch42_IND_4768 1/8/07 3:37 PM Page 472 472 Post-implementation, 69, 233, 242, 245, 256, 270 Precision, 119 Preliminary survey, 93, 94, 110, 139, 370 Privacy, 21, 49, 177, 179, 182, 188, 218, 297, 319, 326, 394, 417 breach of, 351 legislation, 18, 179, 350, 359 loss of, 359 rights, 398, 401 Procedures access control, 245 administration, 316, 317 audit, 48, 93, 104, 111–115, 130, 175, 176, 225, 274 audit evidence, 40, 109 authorization, 301 backup, 345 change control, 199, 227 control, 40, 65, 67, 79, 81, 87, 92, 103, 198, 237, 264, 345 monitoring, 51, 193 operating, 62, 271 personnel, 77, 81, 82, 287 recovery, 19, 197, 212, 288 review, 52 validation, 19 Project control, 149, 150, 227, 261 management, 73, 111, 125, 147, 149– 151, 194, 227, 233, 249, 261, 262 Protocol, 11, 211, 283, 291, 324, 353, 376, 379, 380, 390, 395 Quality assurance, 43, 110, 147, 245 audit, 108 function, 69, 270 procedures, 87 responsibility, 211, 254 reviews, 32 standards, 202 strategies, 262 system, 197 Quantitative attributes, 84 methods, 122 Index tools, 154 Questionnaires, 107, 371 RACF, 314–316 Reasonableness, 68, 110, 122, 270, 292 Recognition, 6, 18, 43, 183, 319 Recommendations, audit, 38, 143 Reconciliation, 67, 86, 213, 269, 301 Redundancy, 12, 306, 345 Reengineering, 106, 107, 158, 166, 167, 168, 207, 227, 240 Reliability, 173, 194, 199, 281, 291, 366, 371, 410 Report audit, 92–96, 110, 134–144, 250, 283 exception, 61, 68, 132, 270 production, 10, 93, 95 Reruns, 287 Restricted Access, 68, 270 Retention customer, 160 for auditability, 369 record, 298, 366 risk, 353 staff, 214, 215, 239 Revenues, 80, 167, 224, 343 Review management, 233 post-implementation, 69, 233, 242, 245, 270 security, 282 systems, 99, 202, 257 Risk, 7 assessment, 26, 37, 51, 76, 83, 88, 192, 207, 249, 322, 341, 361, 362 factors, 75, 84, 86, 362 management, 27, 29, 32, 36 Role audit, 22, 28, 259, 261, 263 audit charter, 24 audit committee, 32 Rotation of staff, 103 RPG, 131 Safeguarding of assets, 50, 60, 192 Sampling, 273 attribute, 120 ch42_IND_4768 1/8/07 3:37 PM Page 473 Index error, 113 judgmental, 113 monetary unit, 117 risk, 114, 116, 129 statistical, 109, 111, 112 variable, 117, 120 Sarbanes Oxley (SOX), 73, 74, 186, 187, 188, 192, 237, 282, 463 Scanning, 67, 138, 269, 319, 332 SCARF, 133, 283 Schedule review, 233 Scope audit, 22, 43, 88–93, 111 and objectives, 138, 139, 150, 243 of computer security, 298 of work, 99 project, 150, 154 Scorecard, Balanced, 147, 157, 159–163, 174, 200, 221 Security logical, 65, 99, 297, 301, 310, 336 physical, 65, 86, 285, 298, 301, 314, 330, 332, 336, 389 policy, 52, 53, 211, 308, 361, 388, 391 review, 282 Segregation of duties, 51, 60, 62, 63, 77, 82, 86, 156, 211, 212, 285, 286, 287, 301, 313, 325, 389 Simulation Monte Carlo, 127 parallel, 133, 273 Skills required, 129, 260 Software application, 190, 216, 251, 280, 288, 312 audit, 107, 130, 132, 225 customized audit, 128, 130 generalized audit, 119, 129, 133, 271, 273, 283, 313, 372 specialized audit, 225, 271, 313 systems, 64, 80, 100, 102, 253, 271, 340, 346, 394, 410 Source-code review, 133, 272 Spyware, 52, 391, 405 Staff hiring policies, 233 Statistics, 123, 286, 327 473 Steganography, 307, 308 Substantial testing, 77, 109, 115 Supervision, 64, 71, 77, 105, 198, 209, 288, 403 Surveillance, 400, 406 Suspense accounts, 87 Systems analysis, 102, 161, 207, 219, 215, 230, 248, 260 Supply chain, 239, 240, 358 Technical controls, 53, 353 Tests audit, 91, 94, 110, 130, 271 user acceptance, 244 Timeliness, 21, 173, 175, 264, 303, 365, 366, 372 Top Secret, 314, 317 Transaction authenticity, 11 authorization, 41, 61, 63, 82, 213, 301 control concerns, 299 control objectives, 67, 269 controls, 286 data analysis, 237 e-commerce, 357–371 effect of, 19 input, 9 fraudulent, 398 interception, 178 internet, 328 lost, 19 processing systems, 169, 218, 266 recovery 19–20 risks, 84–87 sampling, 112–114 test techniques, 128, 132, 237, 273, 283 Transmission, 10, 11, 211, 357, 361, 368 Uncertainty, 33, 75, 114, 115, 127, 149, 164, 168 Under control, 62, 85 Uninterruptible power, 335, 345, 400 UNIX, 374–384 User authentication, 63, 301, 302, 314, 318, 319322 ch42_IND_4768 1/8/07 3:37 PM Page 474 474 Utility programs, 19, 107, 225, 271, 314, 377 Validity, 113, 263, 268, 365, 368, 404 Value-added, 11, 167, 175, 220, 376 Value chain, 220, 221 Values, 50, 85, 117–124, 169, 183, 184, 195, 306 VANs, 11 Variable, 122, 123 cost, 292 dependent, 124 independent, 124 sampling, 117, 120 Index system, 266 Verifying, 151, 401 Virus, 52, 237, 300, 325, 351, 353, 360, 398 Vital records retention, 298 Web based, 239, 321 site, 300, 401, 419 tools, 359, 380 Windows, auditing, 385–392 Wireless, 322, 353, 391, 406 Working papers, 107, 225
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.6 Linearized : Yes XMP Toolkit : 3.1-702 Modify Date : 2007:08:09 02:25:19+04:00 Create Date : 2007:08:07 20:54:11+04:00 Metadata Date : 2007:08:09 02:25:19+04:00 Creator Tool : QuarkXPress(tm) 6.5 Format : application/pdf Title : Document ID : uuid:f2473511-cc78-4770-a5bb-634608049a68 Instance ID : uuid:89364250-08e3-4214-a411-8312d9fb14e5 Producer : Acrobat Distiller 7.0.5 for Macintosh Has XFA : No Page Count : 511 Page Layout : SinglePage Creator : QuarkXPress(tm) 6.5EXIF Metadata provided by EXIF.tools