Lesson 1 – Overview of IT Audit and Internal Control (A Foundation) and Auditing IT Planning and Organization

Part I

Overview: This part examines the foundation of Information Technology (IT) audit and control. This foundation has evolved through the recognition of the need for strong IT controls by professional organizations, business, and government. For the novice IT auditor, it provides a perspective on how far the evolution of IT controls guidance and techniques has come. This section examines the emerging issues in IT auditing today and in the future. It focuses on the legal environment, its impact on information reviews, and the important roles IT auditors will play in examining issues from IT contracts to compliance with Internet laws. Other major areas for IT auditors are the security and privacy of IT. Lastly, we provide an outlook for the information systems (IS) audit profession, a view of the future.

Learning Objectives: After studying this lesson, the student should:
• Understand the relationship between information technology and accounting.
• Understand the information standard in today’s global business environment.
• Understand computer-based system transactions and the laws that govern issues of computer crime, security, and privacy on the Internet.
• Understand privacy on the Information Superhighway.
• Understand the challenges the IT auditor faces today.
• Discuss IT crimes and explain the three main categories of crimes involving computers.
• Summarize the Sarbanes–Oxley Act of 2002 federal financial integrity legislation.
• Describe and discuss the purposes of the Computer and Homeland Security Act and Web Copyright Law.
• Describe and discuss Privacy Legislation and the Federal Government Privacy Act.
• Summarize the Health Insurance Portability and Accountability Act of 1996 and discuss its main purposes and compliance.
• -related crimes affect the auditing profession.
• Describe the types of auditors and their duties, functions, and responsibilities, and the roles of IT auditors.
• Discuss the different auditors’ Standards of Practice and the organizations that have issued standards or guidance to the auditor.
• Discuss the importance of GAAP and GAAS to the IT auditor.
• Learn the audit process for IT and the demands that will be placed on the profession in the future.
• Learn that the important objectives of this function are better control, complete audit trails, and compliance with organizational policies.
• Know the many concerns IT auditors face about the exposure of computer information systems to a multitude of risks.
• Know the concerns that arise from the objectives for the audit process and function.
• Know what IT auditors must prepare for as they move into a world that literally depends on large, heavily integrated computer systems.

Information Technology (IT) Environment: Why Are Controls and Audit Important?

IT Today and Tomorrow

Information technology (IT) is broadly used in all areas of commerce around the world. The developing world of commerce needs a parallel growth of knowledge about IT processes and controls, which is fundamentally significant for every business’s stance on information. How, and at what pace, information is made available to businesses is a primary concern for each of them. To name a few, control-oriented organizations such as the American Institute of Certified Public Accountants (AICPA), the Canadian Institute of Chartered Accountants (CICA), and the Association of Certified Fraud Examiners (ACFE) recognize the importance of further research, study, and development of improved controls for IT processes in businesses.
This is to counter the growing number of cases of white-collar crime, information theft, computer fraud, information abuse, and other information/technology control concerns that are reported ever more frequently by security organizations such as the SANS (SysAdmin, Audit, Network, Security) Institute, the U.S. Government Accountability Office (GAO), the Federal Bureau of Investigation (FBI), the Federal Trade Commission (FTC), the Computer Security Institute (CSI), and Computer Emergency Response Teams (CERT).

In addition, Control Objectives for Information and Related Technology (COBIT) is the most recent addition to the major studies conducted regarding IT controls. It defines a set of generic processes for the management of IT. Its components include:
1. Framework: Organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements.
2. Process descriptions: A reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run, and monitor.
3. Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
4. Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes.
5. Maturity models: Assess maturity and capability per process and help to address gaps.

The Colloquium for Information Systems Security Educators (CISSE) has been a leading proponent of implementing courses of instruction in information security (InfoSec) and information assurance in education since 1996. Due to the fast spread of computer technologies and the ease of information accessibility, knowledgeable and trained IT auditors are needed to ensure that effective IT controls are comprehensively in place to preserve data integrity and manage access to information.
Information Integrity, Reliability, and Validity: Importance in Today’s Global Business Environment

Historical events show that organizations are critically reliant on the accuracy and availability of information. Information that is supported by facts and communicated in a timely manner is an essential mechanism a business needs in its day-to-day operation. It serves as the basis and foundation of trust between the entity and its stakeholders. Business dependency on information technology was evident in 1998, when a major AT&T switch failed in its software and procedural processes for 18 hours, preventing customers from accessing their funds. A second event involved a communications satellite that went into an uncontrollable rotation, rendering pager communication systems around the world “useless”; companies using this kind of technology for e-account transactions were unable to process their information for 24 hours and ended up paying by cash.

Moreover, a deeper understanding of information standards will pave the way for efficient, effective, fair, and just sharing of data among businesses, to wit:
a. Integrity – completeness, honesty, and fairness of information.
b. Reliability – the extent to which information yields the same results on repeated trials.
c. Validity – the state of being well-grounded, just, and relevant.

Information of this kind will be distributed to and accessed by its users through global area networks. Information technology continues to play a major role in this situation. However, stringent control and reasonable dissemination of the related data should be considered in the coming years to prevent data privacy violations, system errors, and Internet-crime-related cases that may befall the developing business environment.
E-Commerce and Electronic Funds Transfer

In the developing world today, transactions among businesses and customers have undeniably grown larger than ever before. Payments are frequently made through cash, checks, or online banking. The financial system has become more advanced, integrated, and sophisticated, supported by an e-transaction platform known as Electronic Funds Transfer (EFT).

Electronic Funds Transfer (EFT) is a system for transferring money from one bank to another without using paper money. The funds may flow within a single institution or across multiple institutions. It has become broadly known and is initiated via mobile phones, personal computers, Internet networks, and improved cryptography. In short, the transaction involves no direct engagement or intervention of bank staff. It began to play its role in the industry in the 19th century, when funds transfer was already a usual part of commercial transactions, and eventually became accessible and comprehensive through computer-based electronic money transfers. It is known by a number of names across countries and payment systems, e.g., “electronic check” or “e-check” in the United States, “bank transfer” or “bank payment” in the United Kingdom, and “giro transfer” in several European countries.

Generally, the main advantage of EFT is time. Another benefit is immediate payment, which brings up-to-date cash flow. It provides a real-time e-receipt and proof of the transactions being engaged in. Users of this platform are generally satisfied with the results and convenience it provides for the commerce world and for society as well.

Federal Security Legislation

The IT auditor should recognize that the U.S. federal government has passed a number of laws to deal with issues of computer crime and the security and privacy of IS.
Private industry has in the past been reluctant to implement these laws because of the fear of the negative impact they could have on a company's current and future earnings and its public image. Examples of past laws in place are as follows.

Computer Fraud and Abuse Act of 1986

The Computer Fraud and Abuse Act of 1986 makes it a crime for anyone to access without authorization a computer or computer system used by a financial institution, a US government agency, or any organization or individual involved in interstate or foreign commerce or communication. In addition to criminalizing many forms of computer hacking, intrusion, or actions that exceed authorized use, the law also addresses computer espionage, computer trespassing, committing fraud using a computer, and causing or threatening to cause damage to a computer. Although the law focuses on behavior by outsiders against an organization or its computing infrastructure, it highlights the need for organizations to establish effective security controls and to monitor their own environments, both to protect against outside attacks and to ensure that none of their own computing resources are used in ways that would violate the law. The Computer Fraud and Abuse Act has been amended several times by subsequent legislation, increasing the number and types of actions considered crimes under the law and broadening the definition of computers subject to its provisions. Because the statutory definition of “protected computer” includes any computing device used in interstate or international communication, the law can be interpreted to include mobile equipment such as cellular phones or other devices capable of Internet connectivity.

Computer Security Act of 1987

The Computer Security Act of 1987 was a United States federal law enacted in response to congressional concerns and public awareness of computer security-related issues, and to disputes over the control of unclassified information.
It was intended to improve the security and privacy of sensitive information in federal computer systems and to establish minimally acceptable security practices for such systems. It required the creation of computer security plans and appropriate training of system users or owners where the systems would display, process, or store sensitive information.

Privacy on the Information Superhighway

The term “Information Superhighway” is attributed to former US Vice President Al Gore. He used the term to describe a communications network akin to a highway system. The system would allow everyone to be connected to everyone else, have a universal standard, and minimize bottlenecks. One major concern on the information superhighway is privacy. “Forging e-mail is notoriously easy,” said Gary Jackson, the director of academic computing at the Massachusetts Institute of Technology. Messages can be manipulated so that they look as if someone else sent them, which makes verifying the origin of a message difficult. There is also a potential for the unauthorized opening of electronic mail; this would be considered misuse of Internet facilities. On the other hand, activities between two consenting adults are usually private and harmless.

Anyone who uses the Internet or puts any document out on the Internet needs to be concerned with copyright law and intellectual property protection. “All works of expression have at least one thing in common: they are protected by copyright as soon as they are created and fixed in a tangible medium.” Copyright law grants authors intellectual property rights and certain exclusive rights to their works for a limited time. This applies to Usenet postings and e-mail messages as well. Both are original works of authorship fixed in a tangible medium of expression. There are two doctrines which will probably allow some copying of Usenet postings and e-mail messages: fair use and implied license.
Fair use may be appropriate if the copying was not of a commercial nature, the posting or message was not an artistic or dramatic work, only a short quotation was copied, and there was little or no impact on any market for the posting or e-mail message. With e-mail messages, one must also be concerned with other laws such as defamation, invasion of privacy, and trade secrecy when the contents of a private e-mail message are revealed. Others support the idea of an implied license; they argue that anyone who posts their ideas to Usenet “is granting an implied license for others to similarly copy or quote that posting, too.” There has been little litigation testing these theories in court, since most postings are not registered with the Copyright Office. In order for the defendant to win, he/she must show actual damages. These cases do not usually result in any actual damages, and therefore it becomes too expensive to sue for negligible damages. However, a copyright only protects an author’s original expression and not the “ideas, system or factual information that is conveyed in the copyrighted work.” It also does not apply to U.S. Government works. Works of the U.S. Government cannot be copyrighted and are considered public domain, thus becoming available to be freely used by anyone for any purpose.

Security, Privacy, and Audit

The computer is changing the world. Business operations are also changing, sometimes very rapidly, because of the continuing rapid improvement of technology. Events such as September 11, 2001, and financial upheavals from corporate scandals such as Enron and Global Crossing have resulted in increased awareness. Yes, IT controls are very important. Today, people shop from home through networks. People use "numbers" or accounts to buy what they want via shopping computers. These "numbers" are "digital money," the modern currency of the world. Digital money will bring us benefits as well as problems.
One major benefit of digital money is its increased efficiency. However, it will also create another problem for us. "Security" is perhaps the biggest factor for individuals interested in making online purchases using digital money. It must also be remembered that vigilance needs to be maintained over those who use the Internet for illegal activities, including those who now use it for scams, crime, and covert activities that could potentially cause loss of life and harm to others. IT control and security are everyone's business.

Most people fear giving their credit card numbers, phone numbers, or other personal information to strangers. They are afraid that people will be able to use these to retrieve their private or other valuable information without their consent. With identity theft and fraud on the rise, much care is needed in the protection, security, and control of such information. Security, indeed, is the biggest risk in using digital money on the Internet. Besides the problem of security, privacy is a significant factor in some electronic payment systems. To encourage people to use digital money, these electronic payment systems should ensure that personal and unrelated information is not unnecessarily disclosed.

For the IT auditor, the need for audit, security, and control will be critical in the areas of IT and will be the challenge of this millennium. There are many challenges ahead; everyone must work together to design, implement, and safeguard the integration of these technologies in the workplace.