
1/29/2012

1

• Main Reference:
  – Hall, James A. 2011. Information Technology Auditing and Assurance, 3rd Edition, Florida, USA: Auerbach Publications
• Suggested Reference:
  – Senft, Sandra; Gallegos, Frederick. 2009. Information Technology Control and Audit. Third edition. Auerbach Publications
  – Davis, Chris. 2007. IT Auditing: using control to protect information assets. McGraw-Hill


• Introduction to IT Audit and Control

• Information Technology Environment: Why Are Controls And Audit Important ?

• Legal Environment and Its Impact on Information Technology

• Audit and Review: Its Role in Information Technology

• Audit Process in an Information Technology Environment


• Organizing the IT Function

– The IT Function must be organized and structured.

– IT Manager must define the role and articulate the value of the IT Function.

– Configuration within a company depends on external and internal organizational factors.

– Sound internal controls are essential to the structural framework.

Designing the IT Function

• Designing the ultimate structure of the IT function is often determined by cultural, political and economic forces inherent in each organization.

• Separate from one another :

– systems development

– computer operations

– computer security


Systems Development

• Staff has access to operating systems, business applications and other key software.

• Systems developers are authorized to create and alter software logic; therefore, they should not be allowed to process information.

• They should not maintain custody of corporate data and business applications.

Computer Operations

• Operation staff are responsible for:

– Entering Data (similar to the internal control concept of ‘authorizing transactions’)

– Processing information (similar to the internal control concept of ‘recording transactions’)

– Disseminating Output (similar to the internal control concept of ‘maintaining custody’)

• Must segregate duties.


Computer Security

• Responsible for the safe-keeping of resources

– includes ensuring that business software applications are secure.

– responsible for the safety (‘custody’) of corporate information, communication networks and physical facilities

• Systems analysts and programmers should not have access to the production library.

IT Organization Function (org chart reconstructed from the slide figure; the letters are the slide's own annotations)

IT Function Manager
  – Systems Development Manager (a)
      • Systems Analysis (a)
      • Computer Programming (b)
      • Quality Control
  – Computer Operations Manager (b)
      • Data Input (a)
      • Information Output (c)
      • Continuity of Operations
      • Database Administration (c)
      • Information Processing (b)
  – Computer Security Manager (c)
      • Software Security
      • Network Security
      • Physical Security
      • Information Security
  – User Services Manager
      • Technical Support
      • User Training
      • Help Desk
      • Application Support


IT Auditors Examination

• IT Auditors Examination of the IT Function

– Auditors should ensure that systems developers and computer operators are segregated.

– It is also advisable for the IT function to form a separate security specialization to maintain custody of software applications and corporate data.

Funding the IT Function

• Must be adequately funded to fulfill strategic objectives.

• Business risk of under-funding:
  – Needs and demands of customers, vendors, employees and other stakeholders will go unfulfilled.
  – Can adversely impact the success of the company.
• Audit risk of under-funding:
  – Heavy workloads can lead to a culture of ‘working around’ the system of internal controls.


Two funding approaches

1. Cost Center Approach

• Submit detailed budget to upper management

• Justify each line item

• Use the IT function scorecard approach

– Operational Performance

– User satisfaction

– adaptability and scalability

– Organizational contribution

Two funding approaches

2. Profit Center Approach

• Submit detailed budget to upper management.

• Charge internal users for services through intra-company billing.

– Positive Outcome: Managers will not be overly demanding of IT services

– Negative Outcome: IT can build excessive expenses into billing rates until the rates exceed costs of outside providers.


Acquiring IT Resources

• IT manager should justify IT Capital projects using a methodological approach.

– Determine the net benefit

• Present value of benefits minus costs

– Use Scorecard approach for non-quantifiable paybacks.

Controlling the IT Function

• The major control categories involved in the IT function are

– Security

– Input

– Processing

– Output

– Databases

– backup and recovery

• Each of these categories is intended to minimize business and audit risk via internal controls.


Security Controls

• Secure the computing infrastructure from internal and external threats.
• A compromise of the infrastructure can result in:
  – business risk
    • network downtime
    • database corruption
  – audit risk
    • material misstatements in accounts due to incomplete or inaccurate data capturing


Physical Security

• Focuses on keeping facilities, computers, communication equipment and other tangible aspects of the computing infrastructure safe from harm.

Physical Security Access Restriction

• Only authorized personnel should be allowed into the facility.

• Visitors should be accompanied by authorized personnel at all times.

• Use at all ingress and egress points:
  – Security guards
  – Keys & locks
  – Card readers
  – Biometric devices
• Penetration points should be adequately secured.


Physical Security Monitor Access

• Monitor who is entering, roaming and leaving the facility.

– Security guards

– Video Cameras

– Penetration alarms

• Review access evidence.

– Signage log, paper or electronic

• Formal review procedures in place.

Physical Security Monitor Access… (table: physical and logical controls by security issue)

Security Issue: Access Controls
  – Physical Controls: Security Guards; Locks & Keys; Biometric Devices
  – Logical Controls: ID and Passwords; Authorization Matrix; Firewalls & Encryption

Security Issue: Monitor Controls
  – Physical Controls: Security Guards; Video Cameras; Penetration Alarms
  – Logical Controls: Access Logs; Supervisory Oversight; Penetration Alarms

Security Issue: Review Controls
  – Physical Controls: Formal Reviews; Signage Logs; Violation Investigations
  – Logical Controls: Formal Reviews; Activity Logs; Violation Investigations

Security Issue: Penetration Tests
  – Physical Controls: Unauthorized attempts to enter IT facilities; attempts to break in through vulnerable points; as an authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight
  – Logical Controls: Unauthorized attempts to enter servers and networks; attempts to override access controls (hacking); as an authorized user, attempts to use unauthorized applications and view unauthorized information


Physical Security Communication & Power Lines

• The IT manager should:

– monitor the primary communication and power lines via cameras and guards

– install secondary (backup) lines in case the primary lines fail.

• Contingency plan must address the possible failure of lines.

Physical Security Off-Site Equipment

• Equipment located in other places needs to be monitored in the same way.

• Effective backup plan must be in place.


Logical Security

• Data and software are known as the ‘logical’ components of the infrastructure:

– Corporate data

– Computer software

• user applications

• network systems

• communication systems

• operating systems

Sample Authorization Matrix (figure): rows are users (User #1, User #2, User #3, each with ID = XXXXX, Password = YYYYY); columns are applications grouped under A/R (Customers, Sales, Receipts) and A/P (Vendors, Purchasing, Payments) plus Information; each cell lists the privileges Add, Edit, Read and Delete, with an x marking the privileges granted to that user.


Logical Security

• Physical controls

– most corporate data and software are located on computers, servers, storage devices

• Computer controlled access, monitor & review systems

Logical Security Points of Entry

• Computer Terminal

– Supply Authorized ID

– Password

• Internet

– Controls are needed at the external access points

– Firewalls

– Track failed attempts to enter system


Logical Security Access and Monitor Systems

• Supervisory Oversight

• Penetration alarms

– Track usage patterns

– Report failed attempts

• Formal review procedure
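The sample authorization matrix, the terminal/Internet points of entry and the access-and-monitor controls above, combined into one added example (not from the slides): an ID/password check against a matrix of Add/Edit/Read/Delete privileges, an activity log, a failed-attempt counter that raises the penetration alarm, and a violation report for the formal review. User names, passwords, applications and the alarm threshold are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

def _h(pw: str) -> str:
    # Demo hash only; a production system would use a slow, salted KDF.
    return hashlib.sha256(b"demo-salt:" + pw.encode()).hexdigest()

# Constructed authorization matrix: user -> (password hash, {application: privileges});
# the privileges are the matrix cells Add, Edit, Read, Delete.
AUTH_MATRIX = {
    "user1": (_h("pw-user1"), {"A/R Customers": {"Add", "Edit", "Read"},
                               "A/R Sales": {"Read"}}),
    "user2": (_h("pw-user2"), {"A/P Vendors": {"Read"},
                               "A/P Payments": {"Add", "Read"}}),
}
ALARM_THRESHOLD = 3   # failed logins before the penetration alarm fires (constructed)

class AccessMonitor:
    """Computer-controlled access, monitor and review: every attempt is
    logged, failures are counted, and violations are reported for review."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.log = []   # activity log for the formal review procedure

    def login(self, user, password):
        """Point of entry: supply an authorized ID and password."""
        entry = AUTH_MATRIX.get(user)
        ok = entry is not None and hmac.compare_digest(entry[0], _h(password))
        self.log.append(("login", user, ok))
        if not ok:
            self.failures[user] += 1
        return ok

    def authorize(self, user, application, action):
        """Check one matrix cell; a denied request is logged as a violation."""
        _hash, privs = AUTH_MATRIX.get(user, (None, {}))
        ok = action in privs.get(application, set())
        self.log.append(("access", user, application, action, ok))
        return ok

    def alarms(self):
        """Penetration alarm report: users at or over the failure threshold."""
        return sorted(u for u, n in self.failures.items() if n >= ALARM_THRESHOLD)

    def violations(self):
        """Unauthorized application use, for the formal review procedure."""
        return [e for e in self.log if e[0] == "access" and not e[-1]]
```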

Information Controls

• Controls need to be in place and working effectively to ensure the integrity and accuracy of vital decision-making information.

• Must Integrate sound backup controls.


Information Controls Input Controls

• The company must have and follow written procedures regarding the proper authorization, approval and input of accounting transactions.

• These are incompatible functions.

– they should be carefully segregated, to the extent possible, and controlled.

Information Controls Input Controls – 3 Scenarios – #1

• A customer purchases goods at a store counter.
  – Authorizing the sale
• A cashier records the sale on the cash register.
  – Approving the sale: balances the register and logs into the register with an ID
• An accounting clerk later processes cash register sales in batches.
  – Inputs the sales transactions into the accounting system in batches
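The segregation the input-control slides describe, as an added example that is not part of the original deck: a check over a constructed role assignment that flags any user holding more than one of the incompatible functions (authorize, approve, input) for the same transaction type, and distinguishes conflicts that are covered by a documented compensating control from those that are not. All names and assignments are constructed.

```python
# The three incompatible input-control functions from the slides.
INCOMPATIBLE = {"authorize", "approve", "input"}

# Constructed assignments: (user, transaction type, function). The first
# three rows are scenario #1: customer authorizes, cashier approves, clerk inputs.
ASSIGNMENTS = [
    ("customer", "sale", "authorize"),
    ("cashier", "sale", "approve"),
    ("clerk", "sale", "input"),
    ("cashier", "refund", "approve"),
    ("cashier", "refund", "input"),        # same person approves and inputs refunds
    ("clerk", "adjustment", "authorize"),
    ("clerk", "adjustment", "input"),      # same person authorizes and inputs adjustments
]

# Constructed: (user, transaction type) pairs where segregation was not possible
# and a compensating control (e.g. supervisory review) is documented.
COMPENSATED = {("cashier", "refund")}

def sod_conflicts(assignments, compensated=frozenset()):
    """Return (user, txn type, functions held, status) for every user who
    holds two or more incompatible functions on the same transaction type."""
    held = {}
    for user, txn, func in assignments:
        if func in INCOMPATIBLE:
            held.setdefault((user, txn), set()).add(func)
    findings = []
    for (user, txn), funcs in sorted(held.items()):
        if len(funcs) > 1:
            status = "compensated" if (user, txn) in compensated else "uncontrolled"
            findings.append((user, txn, sorted(funcs), status))
    return findings
```

An auditor would follow up the "uncontrolled" findings first; "compensated" ones are verified by testing the documented review control.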


Information Controls Input Controls – 3 Scenarios – #2

• Same except cash register automatically records the sale into the accounting system.

Process Controls

• Validating

• Error Handling

• Updating


Database Controls

• Database processing involves simultaneous updating of multiple tables.

• Multiple tables and data items can be instantaneously corrupted when an interruption occurs.

Database Controls Why corruption is so quick

1. Related tables are inexorably linked to one another.

2. Update routines often incorporate one or more of the following processing techniques:

– Multi-tasking -- where the computer executes more than one task [program] at a time

– Multi-processing -- where multiple CPUs simultaneously execute interdependent tasks [programs]

– Multi-threading -- where a computer executes multiple parts of a program [threads] at one time.


Database Controls Roll-back and Recovery

• Databases operate on a transaction principle.

– A logical unit of work is considered a transaction.

– The processing of a transaction takes the database from an initial state to an altered state, to the new initial state.

– Each step must be completed.

– Any failure will result in database corruption.

Database Controls Roll-back and Recovery

• When there is an interruption, the database management system (DBMS) begins to restore.

• There are numerous technical processes depending on the DBMS in use.


Database Controls Roll-back and Recovery – Basic Recovery

• A unique identifier tags each transaction.

• An activity log tracks the transaction as it processes.

• After interruption, the DBMS identifies the transactions in process.

• Roll-back procedure is performed:
  – Uncompleted transactions placed back into queue

• Recovery takes place.
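The basic recovery steps just listed, simulated as an added example (not from the slides or any DBMS): each transaction gets a unique identifier, an activity log records its writes with their before-images, and after an interruption the in-process transactions are identified, rolled back in reverse order and placed back into the queue. The tables, keys and values are constructed.

```python
import uuid

class MiniDB:
    """Tiny in-memory database with the activity log that basic recovery relies on."""
    def __init__(self, tables):
        self.tables = tables   # {table: {key: value}}
        self.log = []          # entries: (txn_id, op, table, key, before, after)
        self.queue = []        # uncompleted transactions placed back into the queue

    def begin(self, work):
        """Tag the transaction with a unique identifier and log its start."""
        txn = uuid.uuid4().hex
        self.log.append((txn, "BEGIN", None, None, None, work))
        return txn

    def write(self, txn, table, key, value):
        """Log the before-image, then apply the change."""
        before = self.tables[table].get(key)
        self.log.append((txn, "WRITE", table, key, before, value))
        self.tables[table][key] = value

    def commit(self, txn):
        self.log.append((txn, "COMMIT", None, None, None, None))

    def recover(self):
        """After an interruption: identify transactions still in process, undo
        their writes in reverse order (roll-back), requeue them, and return
        the ids that were rolled back."""
        committed = {e[0] for e in self.log if e[1] == "COMMIT"}
        started = {e[0] for e in self.log if e[1] == "BEGIN"}
        in_process = started - committed
        for txn, op, table, key, before, _after in reversed(self.log):
            if txn in in_process and op == "WRITE":
                if before is None:
                    self.tables[table].pop(key, None)   # row did not exist before
                else:
                    self.tables[table][key] = before
        for txn, op, _t, _k, _b, work in self.log:
            if txn in in_process and op == "BEGIN":
                self.queue.append(work)
        self.log = [e for e in self.log if e[0] not in in_process]
        return sorted(in_process)

def demo():
    """An A/R sale updates two linked tables; the second sale is interrupted
    after its first write, so its partial update must be rolled back."""
    db = MiniDB({"invoices": {}, "balances": {"cust-1": 100}})
    t1 = db.begin("record sale 42")
    db.write(t1, "invoices", "inv-42", 25)
    db.write(t1, "balances", "cust-1", 125)
    db.commit(t1)
    t2 = db.begin("record sale 43")
    db.write(t2, "invoices", "inv-43", 10)
    # interruption here: balances never updated, no COMMIT logged
    rolled_back = db.recover()
    return db, rolled_back
```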

Database Controls Concurrency Control

• Multiple users attempt to update the same data item simultaneously, or one user is updating while another user is reading the same data item.


Database Controls Concurrency Control

• A common way to prevent concurrency problems is to lock a database object while it is in use and release the object upon completion.

• The DBMS can determine which operation to perform in what order, as it timestamps each transaction when the processing request is initiated.

Database Controls Concurrency Control – Levels of Granularity

• Coarse level – database is locked during updates.

– No one can use the database until update is complete.

• Moderate level – Database locks at tuple (record) level.

– No one else could use the record until update is finished.

• Fine level – Database locks at attribute (field) level.

– Only the field being updated would be locked.


Database Controls Concurrency Control – Levels of Granularity

• Tradeoff:

There is an inverse relationship between the granularity level and system performance.

– A lower level of granular locking equates to slower computer performance.
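The lock-and-release scheme and the three granularity levels above, as an added example that is not part of the slides: a lock manager that timestamps each request and holds locks as paths (database, record, field), so that a request conflicts with any held lock whose path overlaps its own. The two helper scenarios show which level lets two users work on the same record or on different records at the same time. Record and field names are constructed.

```python
import itertools

LEVELS = {"coarse": 1, "moderate": 2, "fine": 3}   # database / record / field

class LockManager:
    """Holds locks as paths; a request conflicts with any held lock whose
    path is a prefix of the requested path or vice versa."""
    def __init__(self, level):
        self.depth = LEVELS[level]
        self.held = {}                      # path -> (owner, timestamp)
        self.clock = itertools.count(1)     # timestamps requests in arrival order

    def _path(self, record, field):
        return ("db", record, field)[: self.depth]

    def acquire(self, owner, record, field):
        """Grant the lock and return True, or return False when another
        owner holds an overlapping lock and this request must wait."""
        ts = next(self.clock)
        want = self._path(record, field)
        for path, (holder, _ts) in self.held.items():
            n = min(len(path), len(want))
            if path[:n] == want[:n] and holder != owner:
                return False
        self.held[want] = (owner, ts)
        return True

    def release(self, owner):
        """Release every lock held by the owner upon completion."""
        self.held = {p: v for p, v in self.held.items() if v[0] != owner}

    def order(self):
        """Owners in the order in which their requests were timestamped."""
        return [o for o, _ in sorted(self.held.values(), key=lambda v: v[1])]

def same_record(level):
    """Two users update different fields of the same customer record."""
    lm = LockManager(level)
    return (lm.acquire("user1", "cust-1", "address"),
            lm.acquire("user2", "cust-1", "credit_limit"))

def different_records(level):
    """Two users update different customer records."""
    lm = LockManager(level)
    return (lm.acquire("user1", "cust-1", "address"),
            lm.acquire("user2", "cust-2", "address"))
```

Only the fine level allows both updates to the same record to proceed; the moderate level already allows updates to different records, which is the tradeoff between concurrency and locking overhead the slide describes.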

Output controls

• Only properly authorized parties can request certain output –

– computer screens

– printed reports

• Such logical access control is accomplished via the ID-password authorization matrix procedure.


Output controls Computer Screens

• Screens need to be physically secure when output is visible.

• Output should be removed when user leaves the terminal.

• Return to the screen should require a password.

Output controls Printed Reports

• Printer rooms need trail of accountability.

– Locks to prevent unauthorized access.

– Logs to sign in anyone entering.

– Logs to sign for reports.

• End user report requests should be password protected.

• Network printers should be placed where unauthorized persons will not have access.


Output controls Printed Reports

• Must have record retention and destruction policies.

– Mandated by regulatory agency.

– Dictated by company policy.

• Permanent reports must be in secured area.

• Temporary reports must be properly destroyed.

Continuity Controls

• Must develop and follow a sound backup strategy to prevent disruption of business activity due to computer failures and disasters.

• Two key considerations: downtime and cost.

• Shorter downtime requirements equate to higher backup costs.


Continuity Controls Backup Controls – Data Backup

• Slow Company

– Can Survive for days without its computer system.

– Would perform full backup each week.

• Medium Company

– Must be back on computers same day.

– Would perform weekly full backups

– Daily incremental backups

Continuity Controls Backup Controls – Data Backup

• Fast Company

– Must be back on computers within hours

– Needs daily full backup

– Hourly incremental backups

• Lightning Company
  – Must be back on computers within minutes
  – Needs real-time backup
  – Simultaneous updating on a remote computer
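The downtime-versus-cost tradeoff of the Data Backup slides, worked through as an added example (not from the slides): from a constructed backup catalog, pick the restore chain (the latest full backup plus every incremental after it) needed at the time of a failure and report how much work is lost. The "medium" schedule (weekly full, daily incremental) and "fast" schedule (daily full, hourly incremental) are constructed to match the slide descriptions; dates are constructed.

```python
from datetime import datetime, timedelta

def catalog(start, end, full_every, incr_every):
    """Generate (timestamp, kind) entries: full backups on a fixed cycle and
    incremental backups in between, up to and including `end`."""
    entries, t = [], start
    while t <= end:
        entries.append((t, "full"))
        s = t + incr_every
        while s < t + full_every and s <= end:
            entries.append((s, "incremental"))
            s += incr_every
        t += full_every
    return entries

def restore_chain(entries, failure):
    """Backups needed to restore after `failure`, and the time between the
    last usable backup and the failure (the work that is lost)."""
    before = [e for e in entries if e[0] <= failure]
    last_full = max(i for i, e in enumerate(before) if e[1] == "full")
    chain = before[last_full:]
    return chain, failure - chain[-1][0]

def scenario(company, failure_hour):
    """Two-week constructed catalog starting Monday 2012-01-02, failure on
    Wednesday 2012-01-11 at failure_hour:30. Returns (backups to restore,
    hours of work lost)."""
    start = datetime(2012, 1, 2)
    end = start + timedelta(days=14)
    sched = {"medium": (timedelta(days=7), timedelta(days=1)),
             "fast": (timedelta(days=1), timedelta(hours=1))}
    full_every, incr_every = sched[company]
    entries = catalog(start, end, full_every, incr_every)
    chain, lost = restore_chain(entries, datetime(2012, 1, 11, failure_hour, 30))
    return len(chain), lost.total_seconds() / 3600
```

The fast schedule loses half an hour of work instead of fifteen and a half, but at the price of more backups per week and a longer chain of incrementals to replay.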


Continuity Controls Storage location & hardware redundancy

Physical Vaulting

• One backup on-site, one off-site

– On site copy is readily accessible if no disaster

– Off-site copy retrievable if disaster

• Strategy involves more time and money

Continuity Controls Storage location & hardware redundancy

Electronic Vaulting

• Send backup data over a communications network (such as the Internet) to an off-site storage medium.

• Send to home of employee.

• Send to another company location.

• Purchase outside service.

• Costs and accessibility are considerations.


Continuity Controls Storage location & hardware redundancy

• Hardware backup is usually needed for component failures:
  – Power supplies
  – Anything with moving parts
• There are 3 common configurations for redundant storage devices:
  – Redundant Array of Independent Disks (RAID)
  – Network Attached Storage (NAS)
  – Server Area Network (SAN)

Continuity Controls Redundant Array of Independent Disks (RAID)

• Disk mirroring
  – Data is simultaneously written to the primary disk and one or more redundant disks.
• Disk striping
  – An array of at least three, but usually five, disks is established.
  – A scheme of parity checks is utilized.
  – If one disk drive in the array fails, the remaining drives can reconstruct the data on the failed drive and continue processing.
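The parity scheme behind disk striping, as an added example (not from the slides): data is striped across four data disks with a fifth parity disk holding the XOR of each stripe, and any single failed drive, data or parity, is rebuilt as the XOR of the survivors. The sample data is constructed, and real controllers stripe at block level and rotate parity across the drives, which this model leaves out.

```python
from functools import reduce

def _xor(values):
    return reduce(lambda x, y: x ^ y, values)

def stripe(data: bytes, data_disks: int = 4):
    """Split data into stripes of one byte per data disk plus one parity
    byte; returns the contents of data_disks + 1 drives."""
    padded = data + b"\x00" * (-len(data) % data_disks)
    disks = [bytearray() for _ in range(data_disks + 1)]
    for i in range(0, len(padded), data_disks):
        chunk = padded[i:i + data_disks]
        for d, byte in enumerate(chunk):
            disks[d].append(byte)
        disks[-1].append(_xor(chunk))        # parity byte for this stripe
    return [bytes(d) for d in disks]

def reconstruct(disks, failed):
    """Rebuild the failed drive (data or parity) from the remaining drives:
    because parity = XOR of all data bytes, any one drive is the XOR of the others."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    rebuilt = bytes(_xor(col) for col in zip(*survivors))
    out = list(disks)
    out[failed] = rebuilt
    return out

def read_back(disks, data_disks=4, length=None):
    """Reassemble the original byte order from the data drives."""
    data = bytes(b for col in zip(*disks[:data_disks]) for b in col)
    return data if length is None else data[:length]
```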


(Figure: RAID Mirroring and Striping. Disk Mirroring (RAID) shows duplicate recording on a single mirrored disk; Disk Striping (RAID) shows duplicate recording on an array of disks.)


Continuity Controls Network Attached Storage (NAS)

• Integrates one or more storage devices (NAS appliances) into the local area network (LAN).

• Comprised of one or more disk drives and an internal controller.

• Employs RAID technology to ensure hardware redundancy.

• Can be shared by multiple users on the network.

• Appliances are relatively affordable and scalable

(Figure: a LAN shared by User #1, User #2, a Printer, a Scanner and the Network Attached Storage (NAS) appliance.)


Continuity Controls Server Area Network (SAN)

• Expands NAS to wide area networks (WAN).
• SAN is a dedicated network.
• SAN can be linked to multiple LANs.
• Multiple SANs can be simultaneously utilized.
• SAN can be expensive and technically complicated.
• Capable of handling very high volumes.
• SAN is a great solution for large companies.
• SAN is designed to be very fault tolerant.

(Figure: a Wide Area Network linking an Input-Output Controller to several Disk Storage units.)


Disaster Recovery Controls

• The first step is to plan for various disaster scenarios:

– a) a single server is damaged

– b) an entire company site is demolished

– c) multiple company locations are simultaneously struck with disaster

– d) the entire company is destroyed?

Disaster Recovery Controls

• IT managers and auditors should plan for what, who, when, where, how, which and why.

– determine what just happened

– specify who to contact, in what order, and what they are expected to do

– when to enact the remainder of the contingency plan


Disaster Recovery Controls

• Where to transfer the lost computer processing load:
  – Plan to shift to one or more alternate company locations.
  – Establish contractual relationships with peer companies in the same industry.
    • Affordable, but your needs may not be a priority.
    • Compatibility problems with operating systems.
  – Establish contractual relationships with third-party providers of alternate computing sites.

Disaster Recovery Controls

• Three levels:
  1. Cold Site: includes building & basic infrastructure.
     • Bring own computing equipment.
     • Establish the necessary infrastructure: telephone service, Internet connections, specialized computer cooling systems (if needed), unique power requirements.
  2. Warm Site: provides basic computer needs, but not the computers.
  3. Hot Site: ready to go! Complete with computers and operating system.


Disaster Recovery Controls

• How is the company going to get the computer hardware, people, software and data to the alternate site?

• Which applications are mission critical?

• Why is one application or set of applications more time sensitive than another?

Disaster Recovery Controls

• All affected parties need to be involved in planning phase.

• The disaster recovery plan is a living document.

• It must be reviewed and updated on a recurrent basis.

• Everyone involved should be initially trained and required to attend periodic refresher sessions.

• Portions of the recovery plan should be tested on an unannounced basis.