6. Auditing of Information Systems

6.1 Controls and Audit

- A control is a system that prevents, detects or corrects unlawful events. Various controls are adopted as per requirement and, accordingly, their audit becomes necessary.

6.1.1 Need for Audit of Information Systems

- The factors influencing an organisation toward controls and audit of computers, and the impact of the information systems audit function on organisations, are as follows:
  - Organisational Costs of Data Loss – Data is a critical resource of an organisation for its present and future processes and for its ability to adapt and survive in a changing environment.
  - Cost of Incorrect Decision Making – High-level decisions taken by managers require accurate data to produce quality decision rules.
  - Costs of Computer Abuse – Unauthorised access to computer systems, malware, unauthorised physical access to computer facilities and unauthorised copies of sensitive data can lead to the destruction of assets.
  - Value of Computer Hardware, Software and Personnel – These are critical resources of an organisation and have a credible impact on its infrastructure and business competitiveness.
  - High Costs of Computer Error – In a computerised environment, a data error during entry or processing can cause great damage.
  - Maintenance of Privacy – Today, data collected in a business process also contains private information about individuals, and there is a fear that privacy has eroded beyond acceptable levels.
  - Controlled Evolution of Computer Use – The use of technology and the reliability of complex computer systems cannot be guaranteed, and the consequences of using unreliable systems can be destructive.
  - Information Systems Auditing – It is the process of attesting objectives (those of the external auditor) that focus on asset safeguarding and data integrity, and management objectives (those of the internal auditor) that include both effectiveness and efficiency.
- This enables organisations to better achieve four major objectives, as follows:

i) Asset Safeguarding Objectives – The information system assets (hardware, software, data, information, etc.) must be protected by a system of internal controls from unauthorised access.
ii) Data Integrity Objectives – Data integrity is a fundamental attribute of IS auditing. It is also important from the business perspective of the decision maker, competition and the market environment.
iii) System Effectiveness Objectives – The effectiveness of a system is evaluated by auditing the characteristics and objectives of the system against business and user requirements.
iv) System Efficiency Objectives – To optimise the use of the various information system resources (machine time, peripherals, system software and labour) along with the impact on its computing environment.

6.1.2 Effect of Computers on Audit

- To cope with the use of new technology in an enterprise, the auditor should be competent to provide an independent evaluation as to whether the business process activities are recorded and reported according to established standards or criteria.
- Two basic functions are examined for these changes: i) changes to evidence collection; and ii) changes to evidence evaluation.

1) Changes to Evidence Collection

- Without an audit trail, the auditor may have extreme difficulty in gathering sufficient and appropriate audit evidence to validate the figures in the client's accounts.
- Evidence collection and understanding the reliability of controls involve issues such as:

i) Data retention and storage – A client's storage capabilities may restrict the amount of historical data that can be retained "on-line" and readily accessible to the auditor. If the client has insufficient data retention capacity, the auditor may not be able to review a whole reporting period's transactions on the computer system.
ii) Absence of input documents – Transaction data may be entered into the computer directly without supporting documentation, e.g. input of telephone orders into a telesales system.
iii) Non-availability of audit trail – The absence of an audit trail makes the auditor's job very difficult and may call for an audit approach that seeks other sources of evidence to provide assurance that the computer input has been correctly processed and output.
iv) Lack of availability of printed output – The results of transaction processing may not produce output in hard-copy form, i.e. a printed record.
v) Audit evidence – Certain transactions may be generated automatically by the computer system. For example, a fixed asset system may automatically calculate depreciation on assets.
vi) Legal issues – The use of EDI and electronic trading over the Internet can create problems with contracts, e.g. when is the contract made, where is it made, what are its terms and who are the parties to the contract.

2) Changes to Evidence Evaluation

- Evaluation of the audit trail and evidence traces the consequences of control strengths and weaknesses throughout the system.

i) System generated transactions – Financial systems may have the ability to initiate, approve and record financial transactions.
ii) Automated transaction processing systems – These can cause the auditor problems. Automated transaction generation systems are frequently used in 'just in time' inventory and stock control systems: when a stock level falls below a certain number, the system automatically generates a purchase order and sends it to the supplier.
iii) Systemic error – Computers are designed to carry out processing on a consistent basis. Given the same inputs and programming, they invariably produce the same output. This consistency can be viewed in both a positive and a negative manner.
6.1.3 Responsibility for Controls

- Management is responsible for establishing and maintaining controls to achieve the objectives of effective and efficient operations and reliable information systems.
- Management should consistently apply internal control to meet each of the internal control objectives and to assess internal control effectiveness.
- The number of management levels depends on the company's size and organisation structure, but generally there are three such levels: senior, middle and supervisory.
- Senior management is responsible for strategic planning and objectives, thus setting the course in the lines of business that the company will pursue.
- Middle management develops the tactical plans, activities and functions that accomplish the strategic objectives.
- Supervisory management oversees and controls the daily activities and functions of the tactical plan.

6.2 The IS Audit

- The IS audit of an information system environment may include one or both of the following:
  - Assessment of internal controls within the IS environment to assure the validity, reliability and security of information and information systems.
  - Assessment of the efficiency and effectiveness of the IS environment.
- The IS audit process evaluates the adequacy of internal controls with regard to both specific computer programs and the data processing environment as a whole.

6.2.1 Skill Set of IS Auditor

- The set of skills generally expected of an IS auditor includes:
  - Sound knowledge of business operations, practices and compliance requirements;
  - The requisite professional technical qualifications and certifications;
  - A good understanding of information risks and controls;
  - Knowledge of IT strategies, policy and procedural controls;
  - Ability to understand technical and manual controls relating to business continuity; and
  - Good knowledge of professional standards and best practices of IT controls and security.
6.2.2 Functions of IS Auditor

- The IS auditor is often the assessor of business risk, as it relates to the use of IT, for management.
- The auditor can check the technicalities well enough to understand the risk, make a sound assessment and present risk-oriented advice to management.
- IS auditors review risks relating to IT systems and processes; some of them are:
  - Inadequate information security controls (e.g. missing or out-of-date antivirus controls, open ports, open systems without passwords or with weak passwords, etc.)
  - Inefficient use of resources, or poor governance (e.g. huge spending on unnecessary IT projects like printing resources, storage devices, high-powered servers and workstations, etc.)
  - Ineffective IT strategies, policies and practices (including a lack of policy for the use of Information and Communication Technology (ICT) resources, Internet usage policies, security practices, etc.)
  - IT-related frauds (including phishing, hacking, etc.)

6.2.3 Categories of Information Systems Audits

- Information systems audits have been categorised into five types:

i) Systems and Application – An audit to verify that systems and applications are appropriate, efficient and adequately controlled to ensure valid, reliable, timely and secure input, processing and output.
ii) Information Processing Facilities – An audit to verify that the processing facility is controlled to ensure timely, accurate and efficient processing of applications under normal and potentially disruptive conditions.
iii) Systems Development – An audit to verify that the systems under development meet the objectives of the organisation and are developed in accordance with generally accepted standards for system development.
iv) Management of IT and Enterprise Architecture – An audit to verify that IT management has developed an organisational structure and procedures to ensure a controlled and efficient environment for information processing.
v) Telecommunications, Intranets and Extranets – An audit to verify that controls are in place on the client (end-point device), the server and the network connecting the clients and servers.

6.2.4 Steps in Information System Audit

- Different audit organisations go about IS auditing in different ways, and individual auditors have their own favourite ways of working.
- However, the work can be categorised into six stages, as follows:

i) Scoping and pre-audit survey – Auditors determine the main areas of focus and any areas that are explicitly out of scope, based on the scope definitions agreed with management. Information sources at this stage include background reading and web browsing, previous audit reports, pre-audit interviews, observations and, sometimes, subjective impressions that simply deserve further investigation.
ii) Planning and preparation – The scope is broken down into greater levels of detail, usually involving the generation of an audit work plan or risk-control matrix.
iii) Fieldwork – Gathering evidence by interviewing staff and managers, reviewing documents, observing processes, etc.
iv) Analysis – This step involves sorting out, reviewing and trying to make sense of all the evidence gathered earlier. SWOT or PEST techniques can be used for the analysis.
v) Reporting – Reporting to management is done after the evidence gathered has been analysed.
vi) Closure – Closure involves preparing notes for future audits and following up with management to complete the actions they promised after previous audits.

6.2.5 Audit Standards and Best Practices

- IS auditors need guidance and a yardstick to measure the 3 Es (Economy, Efficiency and Effectiveness) of a system.
- The objective is to determine how to achieve implementation of the IS auditing standards, use professional judgement in their application and be prepared to justify any conflict.
- The auditor needs guidance on how:
  - information systems should be assessed so that audits can be planned effectively and efficiently;
  - to focus effort on high-risk areas; and
  - to assess the severity of any errors or weaknesses found during the IS audit process.
- Several well-known organisations have provided practical and useful information on IS audit, as follows:

i) ISACA (Information Systems Audit and Control Association) – ISACA is a global leader in information governance, control, security and audit. ISACA developed the following to assist the IS auditor while carrying out an IS audit:
  - IS auditing standards: ISACA has issued 16 auditing standards, which define the mandatory requirements for IS auditing and reporting.
  - IS auditing guidelines: ISACA has issued 39 auditing guidelines, which provide guidance in applying the IS auditing standards.
  - IS auditing procedures: ISACA has issued 11 IS auditing procedures, which provide examples of the procedures an IS auditor needs to follow while conducting an IS audit in compliance with the IS auditing standards.
  - COBIT (Control Objectives for Information and Related Technology): a framework containing good business practices relating to information technology.
ii) ISO 27001 – ISO 27001 is the international best-practice and certification standard for an Information Security Management System (ISMS). An ISMS is a systematic approach to managing information security in an IS environment; it encompasses people and processes. ISO 27001 defines how to organise information security in any kind of organisation, profit or non-profit, private or state-owned, small or large. It also enables an organisation to get certified, i.e. an independent certification body confirms that information security has been implemented in the organisation. Many Indian IT companies have taken this certification, including INFOSYS, TCS and WIPRO.
iii) Internal Audit Standards – The IIA (The Institute of Internal Auditors) is an international professional association that provides dynamic leadership for the global profession of internal auditing. The IIA issued the Global Technology Audit Guide (GTAG). GTAG gives the management of an organisation guidance on information technology management, control and security, and gives IS auditors guidance on various information-technology-associated risks and recommended practices.
iv) Standards on Internal Audit issued by ICAI – The standards issued by The Institute of Chartered Accountants of India (ICAI) highlight the process to be adopted by the internal auditor in specific situations.
v) ITIL – The Information Technology Infrastructure Library (ITIL) is a set of practices for IT Service Management (ITSM) that focuses on aligning IT services with the needs of the business. ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITIL describes procedures, tasks and checklists that are not organisation-specific and are used by an organisation to establish a minimum level of competency.

6.3 Performing IS Audit

- An IS auditor uses the equivalent concepts of materiality (in financial audits) and significance (in performance audits) to plan both effective and efficient audit procedures.
- The underlying principle is that the auditor is not required to spend resources on items that would not affect the judgement or conduct of a reasonable user of the audit report.
- The various steps are as follows:

1) Basic Plan

- Planning is one of the primary and important phases of an information system audit; it ensures that the audit is performed in an effective manner.
- Hence, for the audit effort to be successful, a good audit plan is a critical success factor. The objective of audit planning is to optimise the use of audit resources.
- Adequate planning of the audit work helps to ensure that appropriate attention is devoted to the important areas of the audit.
- Planning also assists in the proper assignment of work to assistants and in the coordination of work done by other auditors and experts.
- Important points are as follows:
  - The extent of planning varies with the size of the entity, the complexity of the audit and the auditor's experience with the entity and knowledge of the business.
  - Obtaining knowledge of the business is an important part of planning the work. It assists in identifying events, transactions and practices that may have a material effect on the financial statements.
  - The auditor may discuss elements of the overall audit plan and certain audit procedures with the entity's audit committee, management and staff to improve the effectiveness and efficiency of the audit and to coordinate audit procedures with the entity's personnel. The overall audit plan and the audit programme, however, remain the auditor's responsibility.
  - The auditor should develop and document an overall audit plan describing the expected scope and conduct of the audit.
  - The audit should be guided by an overall audit plan and an underlying audit programme and methodology. Audit planning is a continuous activity that goes on throughout the entire audit cycle, so the auditor is expected to modify the audit plan as circumstances warrant.
  - Documentation of the audit plan is also a critical requirement. All changes to the audit plan should follow a change management procedure, and every change should be recorded with the reason for the change.

2) Preliminary Review

- The preliminary review of the audit environment enables the auditor to gain an understanding of the business, technology and control environment and to gain clarity on the objectives and scope of the audit.
- The following are some of the critical factors that should be considered by an IS auditor as part of the preliminary review.
i) Knowledge of the Business – Related aspects are as follows:
  - General economic factors and industry conditions affecting the entity's business;
  - Nature of the business, its products and services;
  - General exposure to business;
  - Its clientele, vendors and, most importantly, strategic business partners/associates to whom critical processes have been outsourced;
  - Level of competence of top management and IT management; and
  - Finally, the set-up and organisation of the IT department.
ii) Understanding the Technology – A good understanding of the technology environment and related control issues could include consideration of the following:
  - Analysis of business processes and the level of automation;
  - Assessing the extent of the enterprise's dependence on information technology;
  - Understanding the technology architecture, which could be quite diverse, such as a distributed, a centralised or a hybrid architecture;
  - Studying network diagrams to understand physical and logical network connectivity;
  - Understanding the extended enterprise architecture, wherein the organisation's systems connect seamlessly with other stakeholders such as vendors (SCM), customers (CRM), employees (ERM) and the government;
  - Knowledge of various technologies and their advantages and limitations, which is a critical competence requirement for the auditor; and
  - Finally, studying information technology policies, standards, guidelines and procedures.
iii) Understanding Internal Control Systems – To gain an understanding of internal controls, emphasis is placed on compliance and substantive testing.
iv) Legal Considerations and Audit Standards – Related points are as follows:
  - The auditor should carefully evaluate the legal as well as the statutory implications for his/her audit work.
  - The information systems audit work could be required as part of a statutory requirement, in which case the auditor should take into consideration the related stipulations, regulations and guidelines for the conduct of the audit.
  - The statutes or regulatory framework may impose stipulations regarding the minimum set of control objectives to be achieved by the subject organisation.
  - The IS auditor should also consider the audit standards applicable to his/her conduct and performance of the audit work. Non-compliance with the mandatory audit standards would result in a violation of the code of professional ethics.
v) Risk Assessment and Materiality –
  - Risk assessment is the process of identifying risks, assessing them and recommending controls to reduce them to an acceptable level, considering both the probability and the impact of occurrence.
  - Risk assessment allows the auditor to determine the scope of the audit and to assess the level of audit risk and error risk.
  - Additionally, risk assessment aids in planning decisions such as:
    - the nature, extent and timing of audit procedures;
    - the areas or business functions to be audited; and
    - the amount of time and resources to be allocated to an audit.
  - The steps followed in a risk-based approach to making an audit plan are as follows:
    i) Inventory the information systems in use in the organisation and categorise them.
    ii) Determine which of the systems impact critical functions or assets, such as money, materials, customers and decision making, and how close to real time they operate.
    iii) Assess what risks affect these systems and the severity of their impact on the business.
    iv) Based on the above assessment, decide the audit priority, resources, schedule and frequency.
  - At this stage, the auditor needs to:
    - assess the expected inherent, control and detection risk and identify significant audit areas;
    - set materiality levels for audit purposes;
    - assess the possibility of potential vulnerabilities, including experience of past periods or fraud.
- Risks are categorised as follows:

i) Inherent Risk –
  - Inherent risk is the susceptibility of information resources, or resources controlled by the information system, to material theft, destruction, disclosure, unauthorised modification or other impairment, assuming that there are no related internal controls.
  - Inherent risk is the measure of the auditor's assessment that there may or may not be material vulnerabilities or gaps in the audit subject exposing it to high risk, before considering the effectiveness of internal controls.
  - If the auditor concludes that there is a high likelihood of risk exposure, ignoring internal controls, the auditor would conclude that the inherent risk is high.
  - Internal controls are ignored in setting inherent risk because they are considered separately in the audit risk model as control risk.
ii) Control Risk –
  - Control risk is the risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system.
  - Control risk is a measure of the auditor's assessment of the likelihood that a risk exceeding a tolerable level will not be prevented or detected by the client's internal control system.
  - This assessment includes an assessment of whether the client's internal controls are effective for preventing or detecting gaps, and the auditor's intention to make that assessment at a level below the maximum (100 percent) as part of the audit plan.
iii) Detection Risk –
  - Detection risk is the risk that the IT auditor's substantive procedures will not detect an error which could be material, individually or in combination with other errors.
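The risk-based planning steps (inventory and categorise the systems, judge which touch critical functions and how close to real time they run, assess risk severity, set priority and frequency) and the inherent/control/detection risk categories above, worked through in Python as an added example; this is not code from the chapter. The system inventory, the scoring weights, the frequency thresholds and the 5 percent acceptable audit risk are constructed assumptions, and planned_detection_risk applies the standard audit risk model (audit risk = inherent risk x control risk x detection risk), which the chapter refers to by name but does not spell out.

```python
"""Risk-based IS audit planning.  Added example, not from the chapter: the inventory,
scoring weights, frequency thresholds and 5 % acceptable audit risk are assumptions."""
from dataclasses import dataclass

# Critical functions or assets named in step ii of the risk-based approach.
CRITICAL_FUNCTIONS = frozenset({"money", "materials", "customers", "decision making"})


@dataclass(frozen=True)
class InfoSystem:
    name: str
    category: str             # step i: e.g. "financial", "operational", "support"
    functions: frozenset      # critical functions the system touches
    real_time: bool           # how close to real time it operates
    inherent_risk: float      # 0..1, assessed ignoring internal controls
    control_risk: float       # 0..1, likelihood controls fail to prevent or detect


def impact_score(system):
    """Step ii: impact grows with the critical functions touched; real-time systems get
    an extra weight (assumed +0.25) because errors reach the business immediately."""
    score = len(system.functions & CRITICAL_FUNCTIONS) / len(CRITICAL_FUNCTIONS)
    if system.real_time:
        score += 0.25
    return min(score, 1.0)


def risk_exposure(system):
    """Step iii: severity of impact weighted by inherent and control risk (assumed scoring)."""
    return impact_score(system) * system.inherent_risk * system.control_risk


def audit_frequency(exposure):
    """Step iv: assumed thresholds that turn exposure into an audit cycle."""
    if exposure >= 0.3:
        return "quarterly"
    if exposure >= 0.1:
        return "annual"
    return "every three years"


def planned_detection_risk(inherent_risk, control_risk, acceptable_audit_risk=0.05):
    """Audit risk model AR = IR x CR x DR (standard model; the chapter names it but does
    not spell it out).  Returns the detection risk the auditor can accept; a low value
    means more extensive substantive procedures are needed in that area."""
    product = inherent_risk * control_risk
    if product == 0:
        return 1.0            # nothing to detect: any detection risk is tolerable
    return min(1.0, acceptable_audit_risk / product)


def build_audit_plan(systems):
    """Rank the inventory by exposure and attach frequency and allowable detection risk."""
    plan = []
    for s in systems:
        exposure = risk_exposure(s)
        plan.append({
            "system": s.name,
            "category": s.category,
            "exposure": round(exposure, 3),
            "frequency": audit_frequency(exposure),
            "max_detection_risk": round(planned_detection_risk(s.inherent_risk, s.control_risk), 3),
        })
    return sorted(plan, key=lambda row: row["exposure"], reverse=True)


# Constructed inventory (step i); the risk figures are the auditor's assessed values, 0..1.
CONSTRUCTED_INVENTORY = [
    InfoSystem("General ledger", "financial", frozenset({"money", "decision making"}), False, 0.8, 0.5),
    InfoSystem("Online payments gateway", "financial", frozenset({"money", "customers"}), True, 0.9, 0.6),
    InfoSystem("JIT inventory control", "operational", frozenset({"materials"}), True, 0.6, 0.4),
    InfoSystem("HR intranet", "support", frozenset(), False, 0.3, 0.3),
]

if __name__ == "__main__":
    for row in build_audit_plan(CONSTRUCTED_INVENTORY):
        print(row)
```

The ranking puts the real-time payments gateway first even though the general ledger has comparable inherent risk, because impact and control risk both enter the score; and the allowable detection risk for the ledger (0.125) is far below that of the HR intranet (about 0.56), which is the model's way of saying the ledger needs more substantive testing.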
  - For example, the detection risk associated with identifying breaches of security in an application system is ordinarily high, because logs for the whole period of the audit are not available at the time of the audit.
  - The detection risk associated with the lack of a disaster recovery plan is ordinarily low, since its existence is easily verified.

6.4 IS Audit and Audit Evidence

- According to SA 230, audit documentation refers to the record of audit procedures performed, relevant audit evidence obtained and the conclusions the auditor reached. The objects of an auditor's working papers are to record and demonstrate the audit work from one year to another.
- Evidence is also necessary for the following purposes:
  - as a means of controlling current audit work;
  - as evidence of audit work performed;
  - as schedules supporting or additional items in the accounts; and
  - as information about the business being audited, including its recent history.

6.4.1 Inherent Limitations of Audit

- To be able to prepare a proper report, the auditor needs documented evidence. The problem is that documents may not be available in physical form.
- The following are actions the auditor needs to take to address this problem:
  - Use of special audit techniques, referred to as Computer Assisted Audit Techniques, for documenting evidence.
  - Audit timing can be planned so that the auditor is able to validate transactions as they occur in the system.
  - The auditor shall form his/her opinion based on the above processes.
- As per SA 200, "Overall Objectives of an Independent Auditor and Conduct of an Audit in Accordance with Standards of Auditing", any opinion formed by the auditor is subject to the inherent limitations of an audit, which include:
  - the nature of financial reporting;
  - the nature of audit procedures;
  - the need for the audit to be conducted within a reasonable period of time and at a reasonable cost;
  - the matter of difficulty, time or cost involved is not in itself a valid basis for the auditor to omit an audit procedure for which there is no alternative, or to be satisfied with audit evidence that is less than persuasive;
  - fraud, particularly fraud involving senior management or collusion;
  - the existence and completeness of related party relationships and transactions;
  - the occurrence of non-compliance with laws and regulations; and
  - future events or conditions that may cause an entity to cease to continue as a going concern.

6.4.2 Provisions relating to Digital Evidence

- As per the Indian Evidence Act, 1872, "evidence" means and includes:
  i) all statements which the Court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry; such statements are called oral evidence;
  ii) all documents produced for the inspection of the Court; such documents are called documentary evidence.
- Documentary evidence also includes 'electronic records'. The Information Technology Act, 2000 provides legal recognition of electronic records and electronic signatures.

6.4.3 Concurrent or Continuous Audit

- Real-time recording needs real-time auditing to provide continuous assurance about the quality of the data; that is continuous auditing.
- Continuous auditing enables auditors to significantly reduce, and perhaps eliminate, the time between the occurrence of the client's events and the auditor's assurance services thereon.
- Continuous auditing enables auditors to shift their focus from the traditional "transaction" audit to the "system and operations" audit.
- Continuous auditing techniques use two bases for collecting audit evidence: one is the use of embedded modules in the system to collect, process and print audit evidence, and the other is special audit records used to store the audit evidence collected.
- Advantages of Continuous Auditing – Continuous auditing has a number of potential benefits, including:
  - reducing the cost of the basic audit assignment by enabling auditors to test a larger sample (up to 100 percent) of the client's transactions and to examine data faster and more efficiently than the manual testing required when auditing around the computer;
  - reducing the amount of time and cost auditors traditionally spend on manual examination of transactions;
  - increasing the quality of audits by allowing auditors to focus more on understanding a client's business and industry and its internal control structure; and
  - specifying transaction selection criteria to choose transactions and perform both tests of controls and substantive tests throughout the year on an ongoing basis.
- Some of the advantages of continuous audit techniques are given below:

i) Timely, Comprehensive and Detailed Auditing – Evidence is available in a more timely and comprehensive manner. The entire processing can be evaluated and analysed rather than examining the inputs and outputs only.
ii) Surprise Test Capability – As evidence is collected from the system itself by continuous audit techniques, auditors can gather evidence without the systems staff and application system users being aware that evidence is being collected. This brings in the advantages of a surprise test.
iii) Information to Systems Staff on Meeting of Objectives – Continuous audit techniques provide information to systems staff regarding the test vehicle to be used in evaluating whether an application system meets the objectives of asset safeguarding, data integrity, effectiveness and efficiency.
iv) Training for New Users – Using ITFs, new users can submit data to the application system and obtain feedback on any mistakes they make via the system's error reports.
- The following are some of the disadvantages of the use of continuous audit systems:
  - Auditors should be able to obtain the resources required from the organisation to support the development, implementation, operation and maintenance of continuous audit techniques.
  - Continuous audit techniques are more likely to be used if auditors are involved in the development work associated with a new application system.
  - Auditors need the knowledge and experience of working with computer systems to be able to use continuous audit techniques effectively and efficiently.
  - Continuous auditing techniques are more likely to be used where the audit trail is less visible and the costs of errors and irregularities are high.
  - Continuous audit techniques are unlikely to be effective unless they are implemented in an application system that is relatively stable.

- Types of Audit Tools:

i) Snapshots –
  - Tracing a transaction in a computerised system can be performed with the help of snapshots or extended records.
  - The snapshot software is built into the system at those points where material processing occurs; it takes images of the flow of any transaction as it moves through the application.
  - These images can be utilised to assess the authenticity, accuracy and completeness of the processing carried out on the transaction.
  - The main areas to dwell upon while implementing such a system are locating the snapshot points based on the materiality of transactions, deciding when the snapshot will be captured, and designing and implementing the reporting system so that it presents the data in a meaningful way.
ii) Integrated Test Facility (ITF) –
  - The ITF technique involves the creation of a dummy entity in the application system files and the processing of audit test data against that entity as a means of verifying processing authenticity, accuracy and completeness. This test data is included with the normal production data used as input to the application system.
  - In such cases the auditor has to decide the method to be used to enter test data and the methodology for removing the effects of the ITF transactions.
  - Methods of Entering Test Data –
    - The transactions to be tested have to be tagged. The application system has to be programmed to recognise the tagged transactions and have them invoke two updates: one to the application system master file record and one to the ITF dummy entity.
    - Tagging live transactions as ITF transactions has the advantages of ease of use and of testing with transactions representative of normal system processing. However, the use of live data could mean that the limiting conditions within the system are not tested.
    - The auditors may also use specially prepared test data. Test transactions are entered along with the production input into the application system. In this approach the test data is likely to achieve more complete coverage of the execution paths in the application system under test. However, preparation of test data can be time-consuming and costly.
  - Methods of Removing the Effects of ITF Transactions –
    - The presence of ITF transactions within an application system affects the output results obtained, so the effects of these transactions have to be removed.
    - The application system may be programmed to recognise ITF transactions and to ignore them in any processing that might affect users.
    - Another method is to remove the effects of ITF transactions by submitting additional inputs that reverse their effects.
    - Another, less used, approach is to submit trivial entries so that the effects of the ITF transactions on the output are minimal. The effects of the transactions are not really removed.
iii) System Control Audit Review File (SCARF) –
  - The SCARF technique involves embedding audit software modules within a host application system to provide continuous monitoring of the system's transactions.
The information collected is written onto a special audit file, the SCARF master file. Auditors examine the information contained on this file to see if some aspect of the application system needs follow-up.
• In many ways, the SCARF technique is like the snapshot technique along with other data collection capabilities.
• Auditors might use SCARF to collect the following types of information:

Application System Errors –
• SCARF audit routines provide an independent check on the quality of system processing: whether there are any design and programming errors, as well as errors that could creep into the system when it is modified and maintained.

Policy and Procedural Variances –
• SCARF audit routines can be used to check when variations from the organization’s policies, procedures and standards have occurred.

System Exception –
• SCARF can be used to monitor different types of application system exceptions. For example, salespersons might be given some leeway in the prices they charge to customers.

Statistical Sample –
• SCARF provides a convenient way of collecting all the sample information together on one file and using analytical review tools thereon.

Snapshots and Extended Records –
• Snapshots and extended records can be written into the SCARF file and printed when required.

Profiling Data –
• Auditors can use embedded audit routines to collect data to build a profile of system users. Deviations from these profiles indicate that there may be errors or irregularities.

Performance Measurement –
• Auditors can use embedded routines to collect data that is useful for measuring or improving the performance of an application system.

iv). Continuous and Intermittent Simulation (CIS) –
• This is a variation of the SCARF continuous audit technique. This technique can be used to trap exceptions whenever the application system uses a database management system.
• During application system processing, CIS executes in the following way:
• The database management system reads an application system transaction. It is passed to CIS. CIS then determines whether it wants to examine the transaction further. If yes, the next steps are performed; otherwise it waits to receive further data from the database management system.
• CIS replicates or simulates the application system processing.
• Every update to the database that arises from processing the selected transaction will be checked by CIS to determine whether discrepancies exist between the results it produces and those the application system produces.
• Exceptions identified by CIS are written to an exception log file.
• The advantage of CIS is that it does not require modifications to the application system and yet provides an online auditing capability.

v). Audit Hooks –
• These are audit routines that flag suspicious transactions. When audit hooks are employed, auditors can be informed of questionable transactions as soon as they occur. This approach of real-time notification displays a message on the auditor’s terminal.
• For example, internal auditors at an insurance company determined that their policyholder system was vulnerable to fraud every time a policyholder changed his or her name or address and then subsequently withdrew funds from the policy. They devised a system of audit hooks to tag records with a name or address change. The internal audit department then investigates these tagged records to detect fraud.

6.4.4 Audit Trail
• Audit trails are logs that can be designed to record activity at the system, application, and user level. When properly implemented, audit trails provide an important detective control to help accomplish security policy objectives.
• Audit trail controls attempt to ensure that a chronological record of all events that have occurred in a system is maintained.
This record is needed to answer queries, fulfil statutory requirements, detect the consequences of error and allow system monitoring and tuning.

Audit Trail Objectives – Audit trails can be used to support security objectives in three ways:

i). Detecting Unauthorized Access –
• The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls.
• A real-time audit trail can also be used to report on changes in system performance that may indicate infestation by a virus or worm.
• After-the-fact detection logs can be stored electronically and reviewed periodically or as needed. When properly designed, they can be used to determine if unauthorized access was accomplished, or attempted and failed.

ii). Reconstructing Events –
• Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals, or application processing errors.
• Knowledge of the conditions that existed at the time of a system failure can be used to assign responsibility and to avoid similar situations in the future.
• Audit trail analysis also plays an important role in accounting control.

iii). Personal Accountability –
• Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a preventive control that can be used to influence behavior.
• Individuals are likely to violate an organization’s security policy if they know that their actions are not recorded in an audit log.

Implementing an Audit Trail –
• The information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application error, abuse of authority or unauthorized access by outside intruders.
• Logs also provide valuable evidence for assessing both the adequacy of the controls in place and the need for additional controls. Audit logs can generate data in overwhelming detail.
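The audit hook from the insurance example above and the after-the-fact review of a stored audit trail, as an added Python example that is not from the study material; the trail record format, the event names, the 30-day window and the log lines are constructed assumptions.

```python
"""Audit hooks and audit-trail review for the insurance example: a real-time
hook tags withdrawals that follow a name or address change on the same
policy, and an after-the-fact review of the stored trail reports failed
sign-on attempts. Added example, not from the study material; the record
format, event names, 30-day window and log lines are constructed."""
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)                   # assumed look-back period
TRIGGERS = {"NAME_CHANGE", "ADDRESS_CHANGE"}  # events that arm the hook


def parse(line):
    """Constructed trail format: timestamp|user|event|policy|outcome."""
    ts, user, event, policy, outcome = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "policy": policy, "outcome": outcome, "tagged": False}


class AuditHook:
    """Called by the application for each transaction as it is logged."""

    def __init__(self):
        self.last_change = {}    # policy -> (time, event) of latest change
        self.notifications = []  # messages for the auditor's terminal

    def on_event(self, rec):
        if rec["event"] in TRIGGERS:
            self.last_change[rec["policy"]] = (rec["ts"], rec["event"])
        elif rec["event"] == "WITHDRAWAL":
            change = self.last_change.get(rec["policy"])
            if change and rec["ts"] - change[0] <= WINDOW:
                rec["tagged"] = True
                days = (rec["ts"] - change[0]).days
                self.notifications.append(
                    f"{rec['ts'].date()} policy {rec['policy']}: withdrawal by "
                    f"{rec['user']} {days} days after {change[1]}")
        return rec


def failed_signon_review(records, threshold=3):
    """After-the-fact detection: users whose failed sign-ons reach the
    threshold (access attempted and failed), read from the stored trail."""
    counts = {}
    for r in records:
        if r["event"] == "SIGN_ON" and r["outcome"] == "FAIL":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed audit trail lines (chronological), not real data.
SAMPLE_TRAIL = """\
2024-03-01T09:00:00|clerk1|SIGN_ON|-|OK
2024-03-01T09:05:00|clerk1|ADDRESS_CHANGE|P-1001|OK
2024-03-02T10:00:00|clerk2|WITHDRAWAL|P-2002|OK
2024-03-03T08:00:00|guest|SIGN_ON|-|FAIL
2024-03-03T08:01:00|guest|SIGN_ON|-|FAIL
2024-03-03T08:02:00|guest|SIGN_ON|-|FAIL
2024-03-15T14:20:00|clerk1|WITHDRAWAL|P-1001|OK
2024-06-01T11:00:00|clerk3|NAME_CHANGE|P-3003|OK
2024-08-01T11:00:00|clerk3|WITHDRAWAL|P-3003|OK
"""


def run_sample():
    """Feed the trail through the hook as the application would, in order."""
    hook = AuditHook()
    records = [hook.on_event(parse(line)) for line in SAMPLE_TRAIL.splitlines()]
    return hook, records


if __name__ == "__main__":
    hook, records = run_sample()
    print("\n".join(hook.notifications))
    print(failed_signon_review(records))
```

The P-3003 withdrawal is not tagged because it falls 61 days after the change, outside the assumed window; only P-1001 is flagged.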
6.5 Audit and Evaluation Techniques for Physical and Environmental Controls
• We shall concentrate mainly on physical, logical and environmental controls. Auditing of these controls is discussed as follows:

6.5.1 Role of IS Auditor in Physical Access Controls
• Auditing physical access requires the auditor to review the physical access risks and controls to form an opinion on the effectiveness of the physical access controls.
• This involves the following:

i). Risk Assessment –
• The auditor must satisfy him/herself that the risk assessment procedure adequately covers periodic and timely assessment of all assets, physical access threats, vulnerabilities of safeguards and the exposures therefrom.

ii). Controls Assessment –
• The auditor, based on the risk profile, evaluates whether the physical access controls are in place and adequate to protect the IS assets against the risks.

iii). Review of Documents –
• It requires examination of relevant documentation such as the security policy and procedures, premises plans, building plans, inventory list and cabling diagrams.

6.5.2 Audit of Environmental Controls
Related aspects are given as follows:

Role of Auditor in Environmental Controls –
• Audit of environmental controls should form a critical part of every IS audit plan.
• The IS auditor should satisfy him/herself not only of the effectiveness of the various technical controls but also of the overall controls safeguarding the business against environmental risks.
• Some of the critical audit considerations that an IS auditor should take into account while conducting his/her audit are given below:

i). Audit Planning and Assessment – As part of risk assessment:
• The risk profile should include the different kinds of environmental risks that the organization is exposed to. These should comprise both natural and man-made threats. The profile should be periodically reviewed to ensure it is updated with newer risks that may arise.
• The controls assessment must ascertain that controls safeguarding the organization against all acceptable risks, including probable ones, are in place.
• The security policy of the organization should be reviewed to assess the policies and procedures that safeguard the organization against environmental risks.
• Building plans and wiring plans need to be reviewed to determine the appropriateness of the location of the IPF, its surroundings, power and cable wiring, etc.
• The IS auditor should interview relevant personnel to satisfy him/herself about employees’ awareness of environmental threats and controls.
• Administrative procedures such as preventive maintenance plans and their implementation, incident reporting and handling procedures, and inspection and testing plans and procedures need to be reviewed.

ii). Audit of Environmental Controls –
Audit of environmental controls requires the IS auditor to conduct physical inspections and observe practices. The auditor should verify:
• The IPF (Infrastructure Planning and Facilities) and the construction with regard to the type of materials used for construction;
• The presence of water and smoke detectors, the power supply arrangements to such devices, and the testing logs;
• The location of fire extinguishers and firefighting equipment, and the refilling dates of the extinguishers;
• Emergency procedures, evacuation plans and the marking of fire exits. There should be a half-yearly fire drill to test preparedness;
• Documents for compliance with legal and regulatory requirements with regard to fire safety equipment, external inspection certificates and shortcomings pointed out by other inspectors/auditors;
• Power sources, and conduct tests to assure the quality of power and the effectiveness of the power conditioning equipment and generators;
• Environmental control equipment such as air-conditioning, dehumidifiers, heaters and ionizers;
• Complaint and maintenance logs, to assess whether MTBF and MTTR are within acceptable levels; and
• Identify undesired activities such as smoking, consumption of eatables etc.

iii). Documentation –
• As part of the audit procedures, the IS auditor should also document all findings.
• The working papers could include audit assessments, audit plans, audit procedures, questionnaires, interview sheets, inspection charts etc.

6.6 Application Controls and their Audit Trails
An overview of the Application Controls and their categories is as follows –

| S.No | Controls | Scope |
|---|---|---|
| 1 | Boundary Controls | Establish the interface between the user of the system and the system itself. The system must ensure that it has an authentic user. Users are allowed to use resources only in restricted ways. |
| 2 | Input Controls | Responsible for bringing both the data and the instructions into the information system. Input controls cover validation and error detection of data input into the system. |
| 3 | Communication Controls | Responsible for controls over physical components, communication line errors, flows and links, topological controls, channel access controls, controls over subversive attack, internetworking controls, communication architecture controls, audit trail controls, and existence controls. |
| 4 | Processing Controls | Responsible for computing, sorting, classifying and summarizing data. They maintain the chronology of events from the time data is received from the input or communication subsystems to the time data is stored in the database or output as results. |
| 5 | Output Controls | Provide functions that determine the data content available to users, the data format, the timeliness of data and how data is prepared and routed to users. |
| 6 | Database Controls | Responsible for providing functions to define, create, modify, delete and read data in an information system. They maintain a procedural data set of rules for performing operations on the data to help a manager take decisions. |

6.6.1 Audit Trail Controls
• Two types of audit trails should exist in each subsystem:
i). An Accounting Audit Trail, to maintain a record of events within the subsystem; and
ii). An Operations Audit Trail, to maintain a record of the resource consumption associated with each event in the subsystem.

6.6.2 Boundary Controls
• This maintains the chronology of events that occur when a user attempts to gain access to and employ system resources.

Accounting Audit Trail
• Identity of the would-be user of the system;
• Authentication information supplied;
• Resources requested;
• Action privileges requested;
• Terminal identifier;
• Start and finish time;
• Number of sign-on attempts;
• Resources provided/denied; and
• Action privileges allowed/denied.

Operations Audit Trail
• Resource usage from log-on to log-out time.
• Log of resource consumption.

6.6.3 Input Controls
• This maintains the chronology of events from the time data and instructions are captured and entered into an application system until the time they are deemed valid and passed on to other subsystems within the application system.

Accounting Audit Trail
• The identity of the person (organization) who was the source of the data;
• The identity of the person (organization) who entered the data into the system;
• The time and date when the data was captured;
• The identifier of the physical device used to enter the data into the system;
• The account or record to be updated by the transaction;
• The standing data to be updated by the transaction;
• The details of the transaction; and
• The number of the physical or logical batch to which the transaction belongs.
Operations Audit Trail
• Time to key in a source document or an instrument at a terminal;
• Number of read errors made by an optical scanning device;
• Number of keying errors identified during verification;
• Frequency with which an instruction in a command language is used; and
• Time taken to invoke an instruction using a light pen versus a mouse.

6.6.4 Communication Controls
• This maintains a chronology of the events from the time a sender dispatches a message to the time a receiver obtains the message.

Accounting Audit Trail
• Unique identifier of the source/sink node;
• Unique identifier of each node in the network that the message traverses;
• Unique identifier of the person or process authorizing dispatch of the message;
• Time and date at which the message was dispatched;
• Time and date at which the message was received by the sink node;
• Time and date at which each node in the network was traversed by the message;
• Message sequence number; and
• The image of the message received at each node traversed in the network.

Operations Audit Trail
• Number of messages that have traversed each link and each node;
• Queue lengths at each node;
• Number of errors occurring on each link or at each node;
• Number of retransmissions that have occurred across each link;
• Log of errors to identify locations and patterns of errors;
• Log of system restarts; and
• Message transit times between nodes and at nodes.

6.6.5 Processing Controls
• The audit trail maintains the chronology of events from the time data is received from the input or communication subsystem to the time data is dispatched to the database, communication, or output subsystems.

Accounting Audit Trail
• To trace and replicate the processing performed on a data item.
• Triggered transactions to monitor input data entry, intermediate results and output data values.
Operations Audit Trail
• A comprehensive log of hardware consumption – CPU time used, secondary storage space used, and communication facilities used.
• A comprehensive log of software consumption – compilers used, subroutine libraries used, file management facilities used, and communication software used.

6.6.6 Database Controls
• The audit trail maintains the chronology of events that occur either to the database definition or to the database itself.

Accounting Audit Trail
• To attach a unique time stamp to all transactions;
• To attach before-images and after-images of the data item on which a transaction is applied to the audit trail; and
• Any modifications or corrections to audit trail transactions accommodating the changes that occur within an application system.

Operations Audit Trail
• To maintain a chronology of resource consumption events that affect the database definition or the database.

6.6.7 Output Controls
• The audit trail maintains the chronology of events that occur from the time the content of the output is determined until the time users complete their disposal of the output because it no longer should be retained.

Accounting Audit Trail
• What output was presented to users;
• Who received the output;
• When the output was received; and
• What actions were taken with the output.

Operations Audit Trail
• To maintain the record of resources consumed – graphs, images, report pages, printing time and display rate to produce the various outputs.

6.7 Audit of Application Security Controls
• The objective of an audit of application security controls is to establish whether the application security controls are operating effectively to protect the confidentiality, integrity and availability of information.

6.7.1 Approach to Application Security Audit
• Application security audit is looked at from the usage perspective. A layered approach is used, based on the functions and approach of each layer.
• The layered approach is based on the activities being undertaken at the various levels of management. The approach is in line with the management structure, which follows a top-down approach.
• For this, auditors need to have a clear understanding of the following:
• The business process for which the application has been designed;
• The source of data input to and output from the application;
• The various interfaces of the application under audit with other applications;
• The various methods that may be used to log in to the application, other than the normal user IDs and passwords that are being used, including the design used for such controls;
• The roles, descriptions, user profiles and groups that can be created in the application; and
• The policy of the organization for user access and the supporting standards.

6.7.2 Understanding the Layers and Related Audit Issues
In this section, various aspects relating to each aforementioned layer have been discussed.

1) Operational Layer –
• The Operational Layer is the basic layer, where user access decisions are generally put in place.
• The operational layer audit issues include:

i). User Accounts and Access Rights –
• This includes defining unique user accounts and providing them access rights appropriate to their roles and responsibilities.
• The auditor needs to always ensure the use of unique user IDs, and these need to be traceable to the individual for whom they were created. In case guest IDs are used, a test of the same should also be there. Vendor accounts and third-party accounts should be reviewed.

ii). Password Controls –
• In general, password strength, password minimum length, password age, password non-repetition and automated lockout after three attempts should be set as a minimum.
• The auditor needs to check whether there are applications where the password controls are weak.

iii).
Segregation of Duties –
• Segregation of duties is a basic internal control that prevents or detects errors and irregularities by assigning responsibility for initiating and recording transactions and for custody of assets to separate individuals.
• Examples to illustrate:
• The record keeper of an asset must not be the asset keeper.
• The cashier who creates a cash voucher must not have the right to authorize payments.
• The maker must not be the checker.
• The auditor needs to check that there is no violation of the above principle. Any violation may have serious repercussions.

2) Tactical Layer –
• The Tactical Layer is the management layer, which includes supporting functions such as security administration, IT risk management and patch management.
• At the tactical layer, security administration is put in place and includes:
• Timely updates to user profiles, such as creating, deleting and changing user accounts. The auditor needs to check that any change to user rights is a formal process including approval from the manager of the employee.

IT Risk Management –
• This is another important function performed at this layer; it includes the following activities:
• Assessing risk over key application controls;
• Conducting a regular security awareness programme for application users;
• Enabling application users to perform a self-assessment/complete a compliance checklist questionnaire to gauge the users’ understanding of application security;
• Reviewing application patches before deployment and regularly monitoring critical application logs;
• Monitoring peripheral security in terms of updating antivirus software;
• An auditor should understand the risk associated with each application and obtain a report on the periodic risk assessment of the application or the self-assessment reports on the application.

Interface Security –
• This relates to an application interfaced with another application in the organization. An auditor needs to understand the data flow to and from the application.
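The operational-layer checks above (unique and traceable user IDs, vendor and third-party accounts, password controls, segregation of duties), as an added Python example that is not taken from the study material; the privilege names, the user-access extract and every threshold except the three-attempt lockout are assumptions.

```python
"""Operational-layer checks over an application's user-access extract:
traceable user IDs, vendor/third-party accounts, password parameters and
segregation-of-duties conflicts from the examples above. Added example, not
from the study material; privilege names, the extract and every threshold
except the three-attempt lockout are assumed."""

# Privilege pairs one user must not hold together (from the examples above).
SOD_CONFLICTS = [
    ("MAKER", "CHECKER"),
    ("CREATE_CASH_VOUCHER", "AUTHORIZE_PAYMENT"),
    ("ASSET_RECORD_KEEPER", "ASSET_CUSTODIAN"),
]

# Policy minimums: lockout after three attempts is from the text; the rest
# are assumed values for illustration.
POLICY_MIN = {"min_length": 8, "max_age_days": 90,
              "history": 5, "lockout_attempts": 3}
STRONGER_IF_LARGER = {"min_length", "history"}  # the others: smaller is stronger

# Constructed extract: user id -> (owner identifier or None, privileges).
USERS = {
    "jdoe": ("E1001", {"MAKER"}),
    "asmith": ("E1002", {"CHECKER"}),
    "rkumar": ("E1003", {"MAKER", "CHECKER"}),
    "cashier2": ("E1007", {"CREATE_CASH_VOUCHER", "AUTHORIZE_PAYMENT"}),
    "guest": (None, {"READ_REPORTS"}),
    "acme_svc": ("VENDOR-ACME", {"MAKER"}),
}

# Constructed application password settings to be audited.
APP_PASSWORD_CONFIG = {"min_length": 6, "max_age_days": 90,
                       "history": 0, "lockout_attempts": 5}


def sod_violations(users):
    """Users holding both halves of a conflicting privilege pair."""
    found = []
    for uid, (_, privs) in users.items():
        for a, b in SOD_CONFLICTS:
            if a in privs and b in privs:
                found.append((uid, a, b))
    return found


def untraceable_ids(users):
    """IDs with no individual owner (guest or shared accounts)."""
    return sorted(uid for uid, (owner, _) in users.items() if owner is None)


def third_party_ids(users):
    """Vendor and third-party accounts, which must be reviewed separately."""
    return sorted(uid for uid, (owner, _) in users.items()
                  if owner and owner.startswith("VENDOR-"))


def password_gaps(config, minimum=POLICY_MIN):
    """Settings weaker than the policy minimum, as {key: (have, want)}."""
    gaps = {}
    for key, want in minimum.items():
        have = config.get(key)
        if have is None:
            gaps[key] = (None, want)
        elif key in STRONGER_IF_LARGER and have < want:
            gaps[key] = (have, want)
        elif key not in STRONGER_IF_LARGER and have > want:
            gaps[key] = (have, want)
    return gaps


if __name__ == "__main__":
    print("SoD violations:", sod_violations(USERS))
    print("Untraceable IDs:", untraceable_ids(USERS))
    print("Third-party IDs:", third_party_ids(USERS))
    print("Password gaps:", password_gaps(APP_PASSWORD_CONFIG))
```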
Audit Logging and Monitoring –
• Regular monitoring of the audit logs is required. The same is not possible for all transactions, so it must be done on an exception reporting basis.

3) Strategic Layer –
• The Strategic Layer is the layer used by top management.
• It includes the overall information security governance, security awareness, the supporting information security policies and standards, and an overarching application security perspective.
• At this layer, top management takes action in the form of drawing up the security policy, security training, security guidelines and reporting.
• A comprehensive information security programme, fully supported by top management and communicated well to the organization, is of vital importance to succeed in information security.
• The security policy should be supported and supplemented by detailed standards and guidelines.
• One of the key responsibilities of the IT risk management function is to promote ongoing security awareness among the organization’s users.
• The auditor needs to check whether all the aforementioned guidelines have been properly framed and whether they are capable of achieving the business objectives sought from the application under audit.
