ICT Audit Planning
advertisement
1 ICT Auditing Introduction - limitations and purpose This document does NOT seek to provide guidance on how to conduct every type of IT audit assurance activity that may be required in every environment as it is impractical to do so and many other dedicated sources of guidance (which are referenced in this document) can assist in that regard. This document simply aims to provide clarity over the nature and scope of ICT Audit and Assurance activities and to provide links to appropriate information sources about most ICT Risk and Assurance Areas. Content summary The Basics Core ICT Risks Overview of the Four Types of ICT Audit Sets out the fundamental tenants for audit and assurance activities that culminate in the Annual Governance Statement. This section covers the fundamental risks associated with ICT: non-compliance – Data Protection Act, Code of Connection confidentiality – access controls and identity management integrity – accuracy and completeness of records availability – hardware, project or software failures Summary of the four primary types of ICT audit activities: application audits of in house and third party business systems ICT service delivery and management issue audits infrastructure audits – networks, servers and databases CAATS (duplicate payments, gaps in invoice numbers etc) ICT Audit Planning Explains how the ICT audit planning methodology for both annual plans and individual audits helps to establish appropriate “ICT audit plans” that consolidate, enhance and compliment, rather than duplicate or conflict with, existing assurance activity ICT Audit This covers the specific qualifications and skills that Skills and an ICT auditor can possess to provide an indication of Qualifications their knowledge and experience Sources of ICT Auditing List of links to sources of other best practice standards and organisations 2 Information Multiple Examples of ICT Audit Scope and Objectives Business Application Audits ICT Service Delivery and Management Audits Infrastructure Audits CAATS Data Analysis/Interrogations The Basics Internal audit provides an independent assurance on the adequacy of the management control frameworks established to: safeguard and secure assets ensure reliability of records monitor adherence to policy; and promote operational effectiveness. Overall and departmental risk registers and risk management arrangements are evaluated each year as part of the audit needs assessment to help establish the appropriate range of external and internal audit activities required to address the corporate governance and assurance needs. The assurance evaluation activities of internal audit assessments, together with any additional assurance sources such as health and safety activity reports, culminate in the Annual Governance Statement which is signed by the accountable senior governance members and officers. Audit committees take an ever increasing interest in ICT related risks and governance practices due to the ever increasing reliance being placed on ICT solutions. All auditors need to be aware of the scope of ICT within the organisation they work for and how it is structured and managed, as ICT is an essential aspect of the planning and conduct of any audit. Without access to the information that business systems contain, managers and auditors alike will be unable to perform their responsibilities effectively. It is therefore essential that there is clear accountability for assurances over the primary areas of ICT activities and the risks by ensuring that auditors seek to establish effective ICT audit resources and methodologies, such as the use of Computer Assisted Audit Techniques or even the development of continuous audit and assurance solutions. The need to cover IT auditing in the audit plans can be shown in an analogy with an office building (the business application): one can gain a level of assurance that unauthorised individuals can’t gain 3 access to the building because there is a fully working access control system in place (applications’ authentication controls) which are administered and monitored as being in line with effective (management) arrangements and policies. However, without also verifying the adequacy of controls around the ‘goods-in’ entrance and fire exits (database and operating system logical access controls), the process for allowing visitors or contractors access to the building (application change management process), and the alarm systems etc (application intrusion detection systems), you cannot gain full assurance that the building is adequately protected from unauthorised access. Auditing solely at a business process/application level will only provide a partial view of the control environment because weaknesses in the ICT infrastructure can completely undermine controls within ICT applications. For example, a weakness within the database management system supporting an application could easily enable the bypassing of controls over authentication, authorisation, integrity and segregation of duties. Core ICT Risks The key risks in the delivery of ICT solutions, which now encompass almost every aspect of public service delivery from email to payments and management information, are: Non-compliance risks. These include: Data Protection Act – high financial penalties and reputational damage Code of Connection – inability to effectively deliver joined up services Compute Misuse Act – abuse of computer resources for fraudulent gain Confidentiality Identity management, virus detection and access controls help ensure data is adequately secured Integrity Data input, processing, interface and output management monitoring controls ensure the accuracy and completeness of records (eg duplicate payments or CRB checks) Availability Network resilience, backup/restore arrangements and environmental data centre controls help minimise the probability and impacts of ICT service disruptions such as hardware/software failures or deletion by error or intent Overview of the Four Types of ICT Audits ICT audit and assurance activities assess the extent to which the above risks are mitigated and the basic audit control principles are applied to: safeguard and secure assets 4 ensure reliability of records monitor adherence to policy; and promote operational effectiveness. The key risks in the delivery of ICT solutions, which now encompass almost every aspect of public service delivery from email to payments and management information, are non-compliance, confidentiality, integrity and availability. As a result IT audit has to develop and maintain appropriate assurance assessment plans that address these risks in the four primary areas that IT audit covers: business applications, management issues, infrastructure and computer assisted audit tools and techniques: business applications – eg payroll, grants, benefits, AP – these audits cover the software system used to deliver business functionality and testing includes: – roles and responsibilities – access permissions and security – input, output and processing – system interfaces and audit trails – system maintenance; and – backup and recovery ICT service delivery and management – these audits cover the control framework and processes established for the implementation and delivery of IT services and skills associated with good practice and legislative compliance (ie the areas not directly looking at hardware or software): – general computer controls – IT strategy, policies, organisation, governance and responsibilities – project risks – statutory compliance (licensing, data protection and freedom of information) – IT security (Code of Connection) – IT service management arrangements (ITIL); and – data quality and integrity 5 infrastructure – these audits cover the supporting hardware and software generic to the delivery of secure service connectivity (eg anti-virus, operating systems and device configuration settings): – network operating systems – firewalls and device security – Wi-Fi/remote access (SSL/VPN) – server security (eg UNIX/SQL) – virtual servers and network management – laptops and mobile storage devices – public sector networks and G-Clouds. computer assisted audit techniques (CAATs) are IT data interrogation techniques to conduct tests on the accuracy and completeness of data to help perform assurance and compliance audits. (See ISACA Guideline G3 Use of Computerassisted Audit Techniques and the IIA GTAG 16: Data Analysis Technologies and GTAG-3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment). ICT Audit Planning Annual ICT audit plans This section sets out the approach for developing computer audit needs assessments to establish an appropriate ICT audit activity plan. Where annual governance statements state that effective risk management arrangements exist, IT auditors should use the existing corporate and departmental risk registers to determine IT audit activities. Where risk management arrangements are poor or absent IT audit should adopt the Global Technology Audit Guides prepared by the Institute of Internal Audit for Developing the IT Audit Plan (GTAG 11) and for the Management of IT Auditing (GTAG 4). IT audit plans should ensure that gaps in risk assurance coverage are identified and prioritised for attention and plans should always complement, not duplicate, existing assurance activities. For example, if a project office function exists to provide quality and compliance checks for ICT programmes and project risks, IT audit resource should focus on the adequacy of the corporate project 6 management standards and the results of project office activities, lessons learnt, and the effective transition of any residual project risks into the “business as usual” environment. Individual ICT audit plans As with all audit and assurance activities a “terms of reference” will always need to be agreed in advance of each ICT audit. See the examples section for suggestions on audit scope and objectives. Every effort should be made to avoid any duplication of audit resources and maximise the use of specialist IT audit resources. When general or external audit resources conduct a key business application audit, the IT audit resources should be assigned to evaluate specific ICT risks areas that complement the general audit coverage of “segregation of duties” etc so that the overall assurance opinion can be formed following comprehensive evaluation of the control environment. ICT audit resources are often allocated areas such as evaluation of backup and recovery solutions, system support and database administration (DBA) arrangements and work can also include the use of CAATS data analysis/interrogations to provide the general audit team colleagues with highly focused potential record exception reports to vouch such as potential duplicates or gaps in invoices. All auditors have expertise in risk assessment and internal control, and there is a need for all auditors to have a level of ICT awareness and knowledge. This should cover general ICT controls such as backup and recovery, password access control, data validation controls etc. They should also have the ability to comfortably use ICT in conducting audits, such as word processing and computer assisted audit techniques. Consequently, it is not unreasonable or uncommon to expect a non-ICT auditor to undertake reviews of general ICT and automated controls. These may include application controls around user authentication, authorisation of transactions, system enforced segregation of duties and disaster recovery plans for an application. However, the distinction between ICT and non-ICT auditors arises because the ICT auditor needs sufficient skills to be able to identify and evaluate technical risks associated with the use of ICT and the controls in place to manage those risks. Where appropriate the ICT auditor needs to provide an effective challenge and/or contribution to the existing ICT risk assessments. ICT Audit Skills and Qualifications Generally, ICT auditors are either auditors trained in ICT, or ICT staff trained in auditing. There has been much debate around which is the preferred route/background for an ICT auditor but the 7 essential criterion remains, as with any auditor, that they must have the appropriate skill set to be able to undertake the assignments allocated to them. It is unreasonable to expect anyone to have full expertise in all areas of ICT. The area is too large and constantly changing to make this viable. As such, it is common for ICT auditors to specialise in specific areas of ICT (eg operating systems, or specific databases, or else project implementation assurance). Many organisations, therefore, seek the services of specialist ICT auditors when the nature of assignments dictates and in-house resources are unavailable. For this, the services of a specialist organisation or contractor are commonly used, together with consortium arrangements or partnerships with other organisations. There are specific qualifications that an ICT auditor can possess, which provide an indication of their knowledge and experience. Primarily these are the: Certified Information System Auditor (CISA) qualification operated by the Information Systems Audit and Control Association (ISACA) Certified Information System Security Professional (CISSP) by ISC2 IT Auditing Certificate, which was initiated after the Qualification in Computer Audit (QiCA) was withdrawn in 2010 by the Institute of Internal Auditors UK. The IIA IT Auditing Certificate is aimed at qualified internal auditors (holding PIIA, CMIIA or CIA designations) who wish to gain skills in IT threats and vulnerabilities. As well as demonstrating knowledge through exams, these qualifications also require the candidate to demonstrate their experience before gaining certification and being able to use the QICA, CISSP and CISA designations. For example to obtain the CISA designation an ICT auditor is required to demonstrate five years’ practical experience of the following areas: IT audit process IT governance systems and infrastructure lifecycle management IT service delivery and support protection of information assets business continuity and disaster recovery. 8 Where organisations are too small to justify specific full time ICT audit resources, consideration should be given to: using ICT audit resources of other organisations, including external auditors maximising impact by identifying areas where audit principles may be applied to important ICT areas without the need for an in-depth technical understanding developing staff while minimising the investment in training use of short-term contactors or specialist firms focused upon specific audits that need to be conducted to assess specific technical risks. Sources of ICT Auditing Information Institute of Internal Auditors Global Technology Audit Guidance Series PG GTAG-16: Data Analysis Technologies PG GTAG-15: Information Security Governance PG GTAG-14: Auditing User-developed Applications PG GTAG-13: Fraud Prevention and Detection in an Automated World PG GTAG-12: Auditing IT Projects PG GTAG-11: Developing the IT Audit Plan PG GTAG-10: Business Continuity Management PG GTAG-9: Identity and Access Management PG GTAG-8: Auditing Application Controls PG GTAG-7: Information Technology Outsourcing PG GTAG-6: Managing and Auditing IT Vulnerabilities PG GTAG-5: Managing and Auditing Privacy Risks PG GTAG-4: Management of IT Auditing PG GTAG-3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment PG GTAG-2: Change and Patch Management Controls: Critical for Organizational Success PG GTAG-1: Information Technology Controls ISACA Further guidance can also be obtained from the International Systems Audit and Control Association (ISACA). ISACA is fully dedicated to the promotion and ongoing maintenance of ICT audit and security via its comprehensive Control Objective for Business Objective Information Technology (COBIT) audit and 9 control standards. This seeks to connect other major frameworks, standards and resources, including ITIL, ISO, ISF, OECD, AICPA and NIST, and to integrate other ISACA guidance, including Val IT, Risk IT, the IT Assurance Framework and the Business Model for Information Security (BMIS), into one cohesive and comprehensive picture. IT Governance Institute The IT Governance Institute is a one-stop-shop for everything to do with IT governance. Government Connect This site includes excellent support and guidance on ICT security and policy initiatives including the 2009 Local Government Data Handling Guidelines by Mark Brett of Socitm. Socitm Socitm is the professional Society of IT Management for the public sector. It includes the Socitm TV facility which provides free-to-view video content covering key aspects of technology-enabled improvement and public sector ICT management initiatives. itSMF UK itSMF UK is the IT Service Management Forum, a community for leadership in IT service management. IRMA The Information Risk Management and Assurance Group of the British Computer Society (IRMA) supports and promotes the awareness and use of computer auditing, control and risk management techniques. This includes: phone hacking and data storage compliance top IT management challenges in 2011 practical mobile business intelligence. CIPFA's Computer Audit Guidelines: Fully Revised Sixth Edition 2006 This is an essential key reference publication in this field that is endorsed by the Institute of Internal Auditors. It covers the following IT audit activities: planning IT audit 10 IT audit resources security and control management controls file controls PC controls network controls internet controls e-commerce controls environmental controls business continuity planning data protection reviewing systems project management controls application controls change control post-implementation review management issues IS/IT strategy procurement of IT facilities financial management of IT outsourcing using IT for audit data retrieval other CAATs audit control matrices. CIPFA also produces the following publications: Systems Based Auditing Control Matrices including: Systems Based Auditing Control Matrices: Series 7 (2008) 11 A Guide to Enhanced Systems Based Auditing: The Exeter Approach (2009) A Risk-based Approach to the Audit of Procurement (2010) Systems Based Auditing Control Matrices: Series 8 – IT Governance (2010) Systems Based Auditing Control Matrices: Series 9 – People Management (2011) The Excellent Internal Auditor: A Good Practice Guide to Skills and Competencies (2011). Using the CIPFA Systems Based Auditing Control Matrices – Series 8 IT Governance The purpose of these matrices is to provide tests for use by general and specialist IT auditors, as well as those concerned with IT governance. They are non-sector-specific and so can be used in the public, the private and the third sector. By undertaking these tests, a succinct overview will be obtained of the extent that IT governance standards, etc are being met, and in turn this will enable a gap analysis to be undertaken so that areas for improvement can be clearly identified and reported to senior management and the managing body. Series 8 consists of a Hazard Identification Document (the purpose of which is self-evident) and 18 control matrices. The first control matrix (ITG01 General) covers the overall ‘top-level’ direction and management, and includes the strategic plan, information architecture and technological direction. It is therefore suggested that the ITG01 compliance and assurance tests are undertaken before any of the other matrices. However, this is not essential – if a particular area gives concern or is considered high risk, then the tests contained in the relevant matrix can be undertaken before ITG01. A notable difference in this series is that the Internal Control Questionnaires have been dispensed with (as they were considered superfluous), and that as well as Compliance Test Papers (CTPs), there are also now Assurance Test Papers (ATPs). The latter were introduced by the authors, Exeter City Council’s internal auditors, as part of the Enhanced Systems Based Auditing (ESBA) and Enterprise Risk Management Auditing (ERMA) approach they devised to further incorporate best practice risk management techniques, particularly those of COSO. COSO is the abbreviation of the Committee of Sponsoring organizations of the Treadway Commission, of which the Institute of Internal Auditors is one of the five sponsors. In September 2004 COSO published the Enterprise Risk Management – Integrated 12 Framework. One of its key messages is that it is essential for good corporate governance and effective enterprise risk management that when organisations, for example: establish policies, standards, rules and procedures allocate roles and responsibilities, they actually tell the target audience about them, provide them with training where appropriate, and regularly remind them. The ATPs therefore serve as a means of assessing how well, or otherwise, the organisation has (for example) made its employees aware of what they are and what they are not allowed to do, and thereby identifying weaknesses that can be addressed, thus avoiding potential management problems. It is suggested that, once the various IT governance control matrices have been tested, for future audits only selective testing is undertaken rather than all of the CTPs and ATPs. Selective testing should only be undertaken for high risk areas (based upon risk assessments) or vulnerabilities, and for those areas where the results of previous testing were far from satisfactory. It should also be borne in mind that if the result of the ATP testing was satisfactory, and there have been no new staff appointments, there is no need to retest. The matrices cover: general – strategy, information architecture and technological direction infrastructure change management configuration management system security physical and environmental management service level management operations management service desk, incident and problem management service continuity management cost management data management performance and capacity management 13 procure IT resources project management acquire, implement and maintain application software management of third party services education and training of IT users. Legislation and standards Freedom of Information Act 2000 Data Protection Act 1998 Computer Misuse Act 1990 and the 2008 Amendments Copyright, Design and Patents Act 1988 Digital Economy Act 2010 BISO 27001: Information Security Management System ISO 20000, the ITIL based international IT Service Management Standard ISO 25999, the Business Continuity Standard ISO 27033, IT Network Security Standard ISO 38500 The IT Corporate Governance Standard. Supporting guidance and organisations Cloud Security Alliance Centre for Internet Security Department for Business Enterprise and Regulatory Reform information security pages Federal Financial Institution Examination Council (FFIEC) IT Audit Office Guides Federation Against Software Theft (FAST) www.best-management-practice.com Information Commissioner’s Office ISO:27000 Information (Department for Business Enterprise and Regulatory Reform) 14 IT Governance and Audit Guidance 2012 Multiple Examples of ICT Audit Scope and Objectives The following sections of this document address some of the key areas for the IT auditor to consider, together with a brief summary of the main risks associated with the selected area and controls that should exist to help reduce the organisation’s exposure to the identified risks. Business Application Audits The work of the auditor as regards information systems that have an ICT base has traditionally been broken down into three main areas of controls that were identified in the CIPFA Statement on Computer Audit published in the early 1980s. These are: systems procedural controls administrative and organisational controls controls over the use of resources. This analysis holds good today for all information systems irrespective of whether they are manual or ICT based. The three areas are covered in the following sections. Reference should be made to: CIPFA's Computer Audit Guidelines - Fully Revised Sixth Edition for a more detailed analysis of control objectives and desirable controls the IIA GTAG-8: Auditing Application Controls. Objectives and risks This area of control is concerned with accuracy and security. The advantages afforded an organisation by information systems and technology are unlikely to be fully realised if data is inaccurately processed or not processed at all. Organisations are also under a duty imposed by the Data Protection Act 1998 to ensure that all personal data held on computers is kept secure. However, public access has been increased as part of the Freedom of Information Act 2000. Auditors will have to be satisfied that access controls meet the potentially conflicting requirement of these Acts and of compliance requirements such as the PCCDSS for online payment processing. The objective of auditing this area is to assess the controls in place to help ensure: 15 system access is restricted to appropriately authorised individuals system inputs/data captured is processed and validated as planned and that any unexpected data is thoroughly investigated before being processed all data is authorised and processed correctly in accordance with the appropriate standards and procedures (eg the Payment Card Industry Data Security Standard (PCI DSS) and Data Protection Act) all outputs are as anticipated and passed to the appropriate individuals in a timely manner sufficient electronic audit trails are produced. Information processing: systems procedural controls The auditor should review systems to ensure that the following areas are covered: user identification and authentication (see IIA GTAG-9: Identity and Access Management and the ISACA Guide G38 on Access Controls) user account management user privileges configuration management event and activity logging and monitoring communications, email, and remote access security malicious code protection, including viruses, worms, and trojans software change management, including patching (see GTAG2: Change and Patch Management Controls: Critical for Organizational Success) firewalls/vulnerability management – antivirus patching and gateway protection (see GTAG-6: Managing and Auditing IT Vulnerabilities) data encryption backup and recovery incident and vulnerability detection and response (see GTAG15: Information Security Governance) 16 collaboration with management to specify the technical metrics to be reported to management accuracy of data input proper processing of data reasonableness and completeness of outputs adequacy of audit trail (see GTAG-3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment). Input controls Controls should be built into the system to help ensure that data input is genuine, complete and accurate. While data is normally input into a system by keyboard, all methods of data entry should be reviewed. This could include the electronic submission of data via removable media such as CD-ROMs and memory sticks, as well as through interfaces, including electronic data interchange (EDI). Data input should be by authorised persons whose access to the system is adequately restricted from unauthorised access. Data input should be subject to appropriate restrictions and validation. Data submitted for batch processing should have controls to ensure input is authorised, and where possible each batch should have control totals to ensure completeness. Incomplete or erroneous batches can then be rejected or held in suspense until corrected. Controls should also exist to prevent duplication of input. Where data enters a system from an interface, controls should exist to help ensure the integrity of the data between leaving its source to entering the receiving system. This may include reconciliation controls such as record counts, hash totals and control totals. Suitable processes and procedures should also exist to manage any data completeness or integrity issues encountered. Processing controls Processing controls within a computer system should ensure that the correct data and program files are used, that all data is processed in a secure manner, accounted for and written to the appropriate file, and that data conforms to predetermined standards or falls within specified parameter values. When the data is processed, the auditor should be satisfied that only the latest authorised version of the program is run. Many applications are now run as suites of programs controlled through the operating software. Procedures should be in place to ensure that the latest version is being used, and the auditor should be satisfied that appropriate controls are in place. The correct data files should be accessed both by ensuring that naming conventions are always 17 used and, ideally, by the renaming or deleting of processed data files within the process itself. Input logs should be kept and be available for audit. All processing should be performed in such a way that only authorised users of the data can have access to the data files and programs used, although it may be necessary for technical or development staff to have access if program errors occur. In such circumstances, clearly defined procedures should be laid down and files and programs should be kept secure at all times. Output controls All programs should be properly documented and a list of any expected output from a process kept in the ICT control section of the organisation (usually within the ICT department). The actual output from the system should always be checked against that list for completeness and reasonableness. Confidentiality is as vital with output as it is with input and only authorised officers of the appropriate user department should be allowed to receive the output of the system. A separate person from the one receiving the output should validate control total data. User departments should also be made aware of the need to dispose of sensitive output appropriately, in order not to contravene the Data Protection Act 1998. Audit trail As a fundamental of good governance and accountability for system processing arrangements it is the responsibility of management to establish and maintain system and procedure logs to record all input, including changes to data, to establish who did what and when they did it. This is known as a management audit trail. For example, if a fraudulent payment was initiated by online input at a particular terminal, the log should show who initiated the payment and who authorised it. Such controls are crucially dependent on strong controls over accountability arrangements for the creation of user accounts and the means of authenticating user identity (eg strong passwords and identification. In this way computer audit is no different from any other form of audit in that the system should ensure that all actions are sufficiently documented. Logs should be stored off-site, as should any manual control records. Management should also ensure that discrete logins are used, which identify users. Sharing logins or leaving a PC logged on should be discouraged. 18 As with all data sets management must determine and automate appropriate timescales for the retention of audit logs, as they take up storage space and data protection regulations may be breached if logs contain personal data and are kept for longer than necessary. Management should also ensure that system and user passwords are changed frequently to protect access and help ensure security of data. System controls should also be reviewed by management and audit to ensure that there is an appropriate division of duties. Information processing: administrative and organisational controls This area of control concerns the way in which departments are organised. In small departments it is more difficult to establish and apply adequate segregation of duties control principles. However, as a minimum detective system activity alert and reporting controls should exist to act as a deterrent against potential misuse of access rights. In addition, controls in this area can also include other centrally managed controls such as those in place to act as safeguards against infection by computer viruses. Objectives and risks The auditor should appraise departmental organisation and procedures to establish that: there are documented standards of operation for all aspects of the work of the department access to and retention of data/information, whether in the form of computerised or manual records, is limited to authorised personnel only and to comply with the requirements of the Data Protection Act 1998 adequate physical safeguards exist for the continued operation of computers logical safeguards exist to comply with appropriate standards to preserve software and data from corruption and viral infection (eg the Payment Card Industry Data Security Standard (PCI DSS)). For risks, see the Data entry section below. Key control areas Key control areas may include: clearly documented procedure and operation manuals. For ICT based systems these would include systems techniques, program specification and programming standards, testing techniques and documentation standards. For both ICT based 19 and manual systems the auditor should expect up to date user manuals and procedure notes to be maintained control of access to data, through mechanisms within the operating system in the case of ICT based systems, and by physical security measures for manual systems management of appropriate arrangements for dealing with disasters, including procedures for taking backups of data and storing them securely security of installations against potential catastrophe. The auditor should look for controls designed to prevent or mitigate the risk of disasters and those designed to minimise the effects of a loss of the installation, eg membership of disaster consortia and storage of key data at remote sites. For data stored in manual systems, sprinkler installations may be considered more appropriate protection from theft of PCs, especially laptops. In particular information contained within PCs and laptops may need to be protected from unauthorised access by methods such as encryption protection of software and data from corruption by means of virus checkers, protocols for the transfer of information between PCs, and firewalls between internet connections and live systems. In addition, data can be protected from loss through hacking via the use of vulnerability management, for example adoption of Intrusion Detection System (IDS) or Intrusion Protection System (IPS). Information processing: use of resources ICT resources are particularly valuable and auditors need to be aware that spare capacity inevitably exists on all computer environments. This is because they are purchased in anticipation of the future system capacity requirements that are in the process of being developed. The auditor should take steps to ensure that appropriate key performance indicators exist to demonstrate the efficient use of ICT resources as advocated by ITIL, the best practice IT Service Management Framework, and ISO 38500 the ICT Governance Standard. Applying risk management techniques, including disaster recovery and business continuity planning, can highlight the key areas of concern and ensure that controls are in place to help reduce exposure to risk. See GTAG-10: Business Continuity Management. 20 Objectives and risks The auditor should appraise the organisation’s procedures to ensure that: resources are not used for unauthorised purposes resource requirements are clearly established and the most efficient use is made of existing resources the costs of maintaining systems are regularly reported to both the managers of the central computer department and user department managers. For risks, see the Data Capture and Data Entry section below. Key control areas Key control areas may include: the adequate recording and monitoring of all use of ICT regular reviews of calculations of resource requirements to establish that they are adequately monitored documented standards and procedures exist which help ensure that effective and efficient data processing requirements are defined and monitored for achievement management review of the work done by individuals on a regular basis regular reporting of the true cost of systems to all levels of management accurate and prompt recharging where appropriate. ICT Service Delivery and Management Audits ICT strategy Objectives and risks The primary objective of the ICT strategic plan is to set out, in a clear and concise manner, the way in which ICT will be used within the organisation to effectively enable the achievement of the wider business objectives. A clear strategic plan is required covering the development, maintenance and enhancement of information systems. Ideally these will be encompassed within an ICT strategy that: 21 aligns with the organisation’s statement of aims and objectives, business plans, corporate plans or mission statement sets out the risk management and governance assurance frameworks and standards in use for the effective management of IT resources and mitigation of known vulnerabilities, threats and risks reviews and considers existing information systems to ensure they best serve the organisation in times of change, and continue to integrate to other (new) systems sets out the control around the development design and transition of new information systems into the organisation; and is reviewed and updated on a regular basis. Therefore, failure to have an up to date ICT strategy that is aligned with the current corporate plans could prevent corporate aims and objectives from being met, or being met in the most efficient and effective manner. See also the ICT Strategy section for further information. Key control areas The key control is the existence of a clearly stated ICT strategy. The auditor should investigate the strategy to establish that: the strategy includes a written statement setting out clearly and unambiguously what senior management have approved, together with when the strategy was formally issued and authorised senior management have been briefed and received sufficient training in information systems and technology to be capable of authorising the strategy in an informed manner there will be regular reviews to take account of new developments in both information requirements and technology the strategy takes a comprehensive and forward-looking approach. In this area more than any other, it is vital that not only current technology and thinking is reflected in the document but also that potential developments in technology and future information requirements are considered alternative ways of providing an information systems service have been considered during the drawing up of the strategy, ranging from non-ICT solutions to facilities management by external contractors 22 IT strategy monitoring compliance responsibility is clearly assigned and operated. ICT asset management The ICT asset management function is the primary point of accountability for the life-cycle management of information technology assets throughout the organisation. Included in this responsibility are development and maintenance of policies, standards, processes, systems and measurements that enable the organisation to manage the IT asset portfolio with respect to risk, cost, control, IT governance, compliance eg ISO:38500 and business performance objectives as established by the business. Audit should be aware of the difference between tangible and nontangible assets in terms of IFRS and that IFRS also affects hardware bought by a supplier for an organisation’s IT service, which may need to be recognised as an asset. ICT business continuity/disaster recovery plan The more the business relies on its IT systems, the more it needs to consider how unexpected disruptions might affect the business. These disruptions could come in many forms, from fire and floods to theft or malicious attacks on systems, such as viruses or hacking. The main benefit from business continuity planning is to improve a business’s ability to react to such disruptions. It describes how the business will restart its operations in order to meet its businesscritical requirements. The main risk the auditor should consider is the risk exposure of IT failure and the business impact that this may have. Key areas for the auditor to consider are: is an IT business continuity plan in place does the plan meet standards eg BS25999 (business continuity) or BS25777 (IT continuity) has the IT plan been communicated to appropriate staff has the IT business continuity plan developed in line and in conjunction with other businesses/departments are the systems ranked in terms of business critical has the plan been tested; and has the plan been updated as a result of the test. 23 ICT procurement and disposals Objectives and risks ICT procurement generally involves the procurement of hardware, software and ICT related services. Specific ICT considerations include: hardware – has future demand been taken into account when determining the specifications of the hardware being purchased? Has consideration been given to associated costs and procurement implications such as ongoing support, backup and recovery arrangements, peripherals etc? software – generally an organisation will not own the software purchased, and it should have a valid a licence to use the software. There are many different types of software licence arrangement such as per user, concurrent usage, site or enterprise agreements. It is important that the organisation obtains the most appropriate licence for its purposes. Software support agreements are also a consideration. It may be appropriate to insist that the supplier lodge a copy of the source code with a trusted third party so that another developer can support the system in the event of the supplier’s business failing ICT related services – see the following paragraphs and the Outsourcing section below for some important considerations when procuring ICT services, which are covered in GTAG 7 Information Technology Outsourcing of the series of IIA Global Technology Audit Guides ICT disposals – organisations and their employees have a responsibility under several EU Directives, including Data Protection directives, the Landfill Directive, the Waste Electronic & Electrical Equipment Directive (WEEE) and the Hazardous Waste Directive, to ensure that final disposal of all waste electronic and electrical equipment is responsible and traceable. In order to meet this obligation, it is the responsibility of an organisation to follow the procedures when purchasing electronic equipment and when disposing of such items. All ICT equipment containing data should be securely erased and/or destroyed beyond recovery. Further general details on procurement can be found in the Procurement information stream. The primary objective of ICT procurement is to ensure that the procurement of computer hardware, software and ICT services is aligned with the ICT strategy and takes place in accordance with the 24 organisation’s procurement rules and EU tendering legislation. Therefore ICT procurement should: align with ICT strategies and policies (including capital/revenue budget provision) be authorised following an objective assessment of alternative solutions be based upon a clear specification of requirements of what is needed appraise alternative suppliers and alternative products within an invitation to tender (ITT) process include the installation of the product and testing prior to handover note the use of “vanilla” off the shelf solutions rather than bespoke IT makes any software upgrading straightforward involve both pre- and post-implementation reviews. Weaknesses within this area can result in the procurement of hardware and software solutions that are ineffective and inefficient in meeting the organisation’s aims and objectives. This can be due to incorrect specifications or lack of interoperability with other areas of ICT. Failure to follow procurement policy standards can also result in poor value for money and non-compliance with legislation. Key control areas The key control is that appropriate procurement arrangements are in place, and followed. As part of this, this auditor should ensure that: ICT facilities management or cloud hosting services and hardware procured are fit for purpose, specifically in terms of its specification, strategic fit within the ICT strategy, and ongoing support and maintenance, with best prices being obtained software procured meets the business need, is aligned with the ICT strategy, appropriately licensed for the organisation, adequately supported, and best prices are obtained any movements to external provision of the services accord with the ICT strategy any arrangements made with third parties for the delivery of ICT services are adequately specified and contain sufficient safeguards for the organisation the organisation is obtaining value for money 25 post-implementation support and security are in place best value is being obtained and can be demonstrated there is a formal contract with the supplier that includes elements such as: – performance monitoring is in place, with action taken where the contract requirements are not being met (this also includes service levels agreements – SLAs) – security, backup and data retrieval procedures have been tested and operate with minimal disruption – there is both formal and informal communications with the supplier, and that problems are rectified – managers are proactively reviewing current practices in line with the best practice ITIL framework and looking to provide enhanced performance either during the outsourcing or when the contract is renegotiated – there are appropriate insurance and exit strategy termination arrangements in place – there is a clearly agreed tariff for system upgrades and support; and – there is a right of access for internal audit to the systems operated or provided by third parties. ICT outsourcing Objectives and risks Outsourcing of the whole ICT function is rare but increasing and most organisations have some degree of outsourcing. Auditors are, however, familiar with auditing procurement in general and third party work in particular, and the same general principles can be applied. The primary objective of auditing within this area is to ensure that appropriate actions have been identified and implemented to reduce the organisation’s exposure to risk. Failure to adequately control risks within this area can have a significant negative operational impact on the organisation. See GTAG 7 Information Technology Outsourcing of the series of IIA Global Technology Audit Guides. 26 Key control areas The auditor should appraise the quality and standard of an outsourced ICT function, or part of it, by ensuring that: a management framework is in place and performance is monitored against contract requirements, with action taken when the supplier fails to meet contract requirements there is a formal contract with the supplier, drawn up in accordance with the organisation’s contract procedures, that includes areas such as: – service levels and incentives – supplier personnel – data protection, privacy and intellectual property – price protections – management of subcontractors – ownership of existing and new assets – conflicts among different legal systems – contingency management and change planning – notice of adverse material impacts – right to audit – termination. there is both formal and informal communications with the supplier, and that problems are rectified security arrangements are tested to ensure adequate backup and retrieval of the organisation’s data, and that disruption to the organisation is minimised there is daily, and local where necessary, support (possibly including out of hours) to ensure that disruption to the organisation is minimised managers are reviewing current practices proactively and looking to provide enhanced performance either during the outsourcing or when the contract is renegotiated there are appropriate insurance arrangements in place comparisons are made with other organisations/providers, to ensure that costs and service provision are comparable; and 27 the supplier agrees to comply with the organisation’s security policy. Information systems architecture An information systems architecture is a formal definition of the business processes and rules, systems structure, technical framework, and product technologies for a business or organisational information system. Information systems are complex artefacts, and therefore they have to be developed very carefully. There are five main elements: 1. business architecture – business processes and the object classes that play a role considered from the perspective of the information system 2. functional architecture – the logical decomposition of the system into (logical) components and the assignment of processes and object classes to these components 3. software architecture – software components that realize the functional architecture, eg the database management system, the workflow engine and the connectivity software (middleware) 4. network architecture – a computer and communications network together with their operating systems 5. data architecture – the organisational model for business data storage and integration. Some benefits of information systems architecture are: business processes are streamlined systems information complexity is reduced enterprise-wide integration is enabled through data sharing and consolidation rapid evolution to new technologies is enabled. The auditor should be expected to cover risks relating to: ISA not aligned with business objectives inappropriate data storage utilisation of data maintenance costs data disposal. 28 Systems development Objectives and risks ICT is one of the fastest developing areas of most organisations. This is partially fuelled by the ever improving speed and capacity of computers, and the continual stream of similarly enhanced programs and operating systems. Therefore, the auditor needs to ensure that developments are managed and are in line with the strategic plan. See the IIA GTAG-12: Auditing IT Projects. There are a number of different ways in which new systems can be obtained, including bespoke developments, off-the-shelf systems, and customised solutions. Each brings with it a different set of risks and challenges. The organisation must take the most appropriate route to develop a new system, taking into account factors such as requirements, cost, time to develop, inherent risk of the solution and ongoing support and maintenance. In addition the organisation needs to ensure that sufficient resources, especially suitably trained personnel, are on hand to enable strategies and plans to be carried out. The key risks of inadequate control within this area include the development and implementation of procedures and/or systems that do not meet organisational or user requirement. At best this will lead to inefficient use of resources and it could also adversely affect the operation of the organisation. However, most organisations now use and apply project management techniques, for example PRINCE 2, to ensure systems developed is managed and implemented to the correct standard. Key control areas To ensure that exposure to risk is minimised during the development of procedures and systems, the auditor should establish that: off-the-shelf solutions adequately meet the organisation’s requirements, with compromise only on those requirements where this is deemed acceptable ongoing support and maintenance is available once the system is operational, with an appropriate level of knowledge and expertise being retained. This is especially true for tailored or customised solutions and where external resources are used in any development developments are following appropriate project management and system development lifecycle methodologies 29 only systems included in the approved information systems strategy and/or development plan are being developed and they are supported by appropriately approved business cases that clearly set out the justification for change and measurable business benefits developments are programmed in an organised and prioritised manner to make optimum use of available resources the programming of systems development work ensures that only authorised projects are being developed there is adequate user involvement and representation at all stages of the development of systems system specifications are clearly documented so that development staff are aware of the requirements of users and that systems are not over-specified with facilities that will not be used (ie essential developments should be considered and actioned before desirable ones). As an example, in purchasing mobile phones would one that simply makes and receives calls be sufficient or is a more technically advanced phone required with a sophisticated operating system allowing ‘push’ email, diary synchronisation, internet access, java applications etc? the auditor’s views are sought on the controls to be incorporated into any system all developments are adequately tested including system and user documentation systems are reviewed once they are in place to establish that they meet the objectives originally envisaged users are trained at an appropriate time to make the best possible use of the system and retain the knowledge once they need to use the system there is a method of costing and recharging or where appropriate. Infrastructure Audits Networks and communication Objectives and risks Networks are key for information flow and communication, linking users and computers in different locations across the globe. Networks can be regarded as the technological infrastructure that facilitates communication between users and systems. Therefore, managers and auditors need to understand the use and impact of 30 networks within the organisation, including those such as the internet, to enable them to ensure they meet the needs of the organisation and are properly managed and secure. Protecting networks is a complex task, requiring a clear understanding of business needs and the nature of the organisation’s systems that use networks, as well as a sound technical understanding of network technologies and controls. This is an important area for the auditor as weaknesses can adversely impact upon many areas of the organisation. When auditing networks, the auditor should consider the following objectives: a network strategy exists and standards and policies are in place to support its delivery connections and access to the network are approved and secure unauthorised access to data transmitted over the network is minimised management commission independent penetration testing whenever external links are changed the risk and impacts of network failure are minimised. For risks, see the Data Capture and Data Entry section below. Key control areas Key controls areas for the auditor to focus on in this area include ensuring that: a strategy exists for the continued effective, efficient and secure use of network facilities responsibilities for the management and operation of the network is clearly defined network users and administrators are trained appropriately technical standards and configuration information are clearly documented network activity is monitored for security breaches and to ensure performance is optimised commercial and service arrangements for the network are fully documented, supported, monitored, and agreed by all parties all relevant procedures are clearly documented 31 only authorised users and devices are able to make network connections and the network is monitored for unauthorised connections encryption is used to help prevent unauthorised access to data transmitted over the network data and programs are safeguarded from loss, misuse, theft, damage, and accidental or deliberate corruption or denial of service attacks hardware and communication media are protected against damage, malfunction and misuse arrangements exist for the maintenance and insurance of hardware, communications infrastructure, network management software and consequential loss recovery and business continuity arrangements exist in the event of failure of communication lines or network components. G-Cloud solutions to prevent staff violating corporate policy Objectives and risks On 27 October 2011, the government published four strategies covering G-Cloud, end user devices, ICT capability and greening government ICT. These provide the environment and approaches to radically transform the ICT landscape to create a more productive, flexible workforce that delivers digital public services in a much more cost effective way. The government strategy aims to “deliver better public services for less cost”. This is because the government views ICT as the enabler to release savings and increase public sector productivity to reduce the structural deficit and continue to fund front-line services. The government ICT strategy will enable the building of a common infrastructure underpinned by a set of common standards and government will work to accelerate the strategy as part of its drive to cut down costs and improve current capabilities. Specifically the strategy will build on the ICT moratorium, project review and contract renegotiations which have allowed the government to appraise and take control of spending and ensure that projects demonstrate value for money and effectiveness. It will further underline the government’s commitment to increasing governance and transparency. In preparation for the G-Cloud the compliance and assurance requirements for the ICT Code of Connection (Co-Co) Security Standards of the Government Secure eXtranet will be increasingly 32 important to protect sensitive enterprise data, intellectual property and financial information security. In a perfect world, all employees would take the guiding security principles to heart and carefully abide by all policies and procedures. Instead of a perfect world, we are living in a threat-conscious one in which hacking attempts and breaches are daily news items – and those are just the ones that are successful. Other attempts are thwarted before any damage occurs, thanks to companies that enforce good security policies – ones that align with business realities and the need to protect sensitive enterprise data. Employees present the biggest risk to the cloud security challenges. Employees will violate the security policy either by error or intent for any of the following reasons: they don’t understand the risk or think the threats are far less severe than they are told they don’t care about the risk they are rushed and feel abiding by security policies is too time consuming security policies impede their ability to perform their duties they think IT can stop outside threats and will cover for any security policy violations. Key control areas A May 2010 study by the Aberdeen Group indicated that organisations using cloud-delivered security (see Cloud Security Alliance) saw a significant improvement in malware incidents, website compromises, data loss and exposure, security related downtime and audit deficiencies. Adopting the cloud risk mitigation policies below helps to ensure that its data is adequately protected. Deliver security protocols. This enables the enterprise to control and ensure that security measures like password protocols, firewalls and security patches are current and adhered to, rather than leaving the decision making to sometimes-fickle employees. Enable deletion of data from endpoint devices in the event that they are lost or stolen. Deliver news items regarding the latest security threats. Keeping employees abreast of security breaches, phishing attempts and trick email ploys will help heighten their awareness about the issue. 33 Provide layered authorisation. This lets the company control server access depending on who is trying to use it: customers, employees or managers. For example, customers may need to access servers to buy products, while financial managers will need to access the firm’s internal financial data. Use the cloud to route all network requests such as email and server access through a centralised, protected connection such as message labs that stays up to date with the latest security protocols. This way any threats are blocked before they get to the network. Once there, they are extremely difficult and expensive to eradicate. Deliver new applications to employees and managers via the cloud. This ensures they use business, accounting, word processing and other solutions that include the same updated security protocols used throughout the network. Provide social networking solutions via the cloud to leverage the growing popularity of social networking while at the same time ensuring applications adhere to corporate security protocols. Taking steps towards the above controls in advance of the G-Cloud requirements being mandated can help proactively protect enterprise data from the known and burgeoning threats while still fulfilling the needs of employees, managers, business partners and customers. Voice communication networks Objectives and risks The voice network is also an important communication channel for organisations. Traditionally this facility was provided via a private branch exchange (PBX), which is a telephone system owned and operated by an organisation to switch calls between users within the organisation and the telephone network. More recently organisations are moving to voice over internet protocol (VoIP) technology for their voice communications. This technology routes voice conversations over the internet or through an internal internet protocol (IP) based network alongside data communications. Key risks associated with voice networks include theft of service, denial of service, unauthorised disclosure of information, data modification, unauthorised access, and traffic analysis. When auditing voice communication networks, the auditor should consider the following objectives: 34 the telecommunications organisation is effectively structured and has sufficient policies, strategies, resources and training monthly usage is reviewed and challenged by management for controlling costs telecommunications assets and facilities are effectively managed physical security controls are in place for the telecommunications facilities logical and system security controls are in place to protect the system from abuse controls are in place for making changes to configurations, software and users controls are in place to protect the system when problems are detected emergency and business continuity procedures are in place and reliable adequate controls are in place to ensure the system meets business requirements. For risks, see the Data Capture and Data Entry section below. Key control areas Key control areas for the auditor to focus on in this area include ensuring that: call patterns, capacity and errors are monitored network class of service is used to manage user profiles and restrict numbers that can be dialled and the times of day when calls can be made equipment is physically secured long distance calls are protected call forwarding and dial through are restricted remote maintenance is protected changes follow formal change control procedures. 35 Monitoring Objectives and risks Management need to be confident that the organisation’s information systems are working efficiently and effectively and that information systems strategies and development plans are produced. This should help to ensure that any potential problems are identified and rectified at the earliest opportunity to minimise disruption, and that the organisation’s changing needs are identified and plans put in place to reflect those changing requirements. Weaknesses within this area can lead to problems with ICT not being identified in a timely manner, not being anticipated sufficiently early enough to be avoided, or ICT not meeting changing business needs, and thereby being unable to support business requirements. For risks, see the Data Capture and Data Entry section below. Key control areas Key controls areas for the auditor to focus on in this area include ensuring that: policies and plans are reviewed on a regular basis information systems are adequately reviewed by management regular reviews take place of performance against the information systems strategy and development plan and reporting to senior management regular management reviews of systems usage and storage capacity take place. Security of Electronic Data Objectives and risks A good background to data security, including relevant legislation, can be found within the ICT Security section. The coverage here is not designed to give a detailed understanding of data security, but rather an overview of the subject and the risk areas for consideration. This overview will look at a number of risks to the security of electronic data (although a number of these risks are equally applicable to non-electronic data). It will then look at possible controls to mitigate these risks. See GTAG-15: Information Security Governance and the seventh principle of the Data Protection Act. 36 It must be borne in mind that developments in IT move at a great pace and therefore the list of risks and controls may not be comprehensive, however, the categories of risk will remain appropriate and with a little application and understanding the auditor can determine if the controls in place are appropriate. Data capture Risks The wrong data is collected, for example through poor form design or ambiguous questions. Data is captured by inappropriate methods, for example could barcodes and barcode readers be used as more accurate data capture methods than manual data input? The organisation collects data which it is not entitled to, for example personal data is collected for a use for which is not covered within a data protection registration. Potential controls Ensure all appropriate stakeholders are involved in developing and reviewing the requirements of new systems and ensure post-implementation reviews of “new systems”/“system changes” (to ascertain views of system users) are carried out. See GTAG-2: Change and Patch Management Controls: Critical for Organizational Success. There should be a mechanism for all “new systems”/“systems changes” to be reported to the data protection officer. Positive confirmation is needed that data protection issues have been assessed. Data entry Risks Data is entered into the system incorrectly. Key data is not entered into the system. Data entered is unreasonable, for example the age of a child at school is greater than that which could be possible. Data is duplicated. Data is missing or not entered. Data entry processes are unavailable. 37 Potential controls Validation and verification routines are embedded within the system to detect data entry errors. Key fields are made mandatory and require an entry in order to progress with data entry. Wherever possible, the data entered is restricted to predefined values, usually by the use of selection lists. Data is derived using other data where possible. For example, addresses are automatically derived from just entering a post code and house number, or an age is generated automatically from a date of birth. Exception reports are produced and subject to review to ensure data entry errors are resolved. Continuity plans are in place covering data entry mechanisms. User access management Risks Data can be accessed by unauthorised individuals. An inappropriate level of access is allowed to applications and files. Remote access to applications and data is not secure. Potential controls Access to applications, where appropriate, is via a menu and/or appropriate levels of user password and identification. Appropriate levels of passwords and user identity controls are used to grant and to limit, as appropriate, access to various levels of information by various classes of user or individual users. Firewall network protection programs including virus detection software are used. Software is used to regulate the use of the internet, possibly with a dial back procedure for external log-on. Encrypted data transfer is used. 38 Equipment security Risks Inappropriate access is granted to the hardware where data is stored. Equipment including data is removed off site. Potential controls Appropriate levels of physical access security, appropriate operating procedures/performance monitoring for equipment, and appropriate recovery and restart procedures are maintained. Storage of data Risks Data is inappropriately stored (eg stored off site; stored locally on PC hard disks or memory sticks). Data is not properly backed up. Data retention does not comply with the Data Protection Act 1998. Data is not stored in compliance with information governance policy. Potential controls The hard disk is disabled and dumb terminals are used with USB ports disabled or restricted to authorised users and encrypted devices. Reviews of compliance with the data security policy are carried out. Data encryption is used. Backup policy and procedures are in place, including backup copies subject to appropriate security (off site backup). Backup integrity checks are carried out (regular testing of the ability to restore data from backups). Backups for servers are automated. 39 Communication of data Risks The data is intercepted and corrupted. Data is lost or corrupted during transfer. Potential controls Data encryption is used. Control totals are used. Network software has inbuilt completeness and integrity checks. Dedicated communication lines are used. Inappropriate disclosure of data Risks The organisation fails to comply with the Data Protection Act 1998. The organisation fails to comply with Caldicott requirements within the NHS. Reputational damage is caused by disclosure of sensitive data. The organisation is sued for loss suffered by an individual due to inappropriate disclosure. Potential controls Reviews of compliance with the data security policy are carried out. Payments/transactions data Payment being made or received over the internet is becoming increasingly common within the public sector, and therefore, security on payments is the primary security risk with electronic transactions. The organisation must comply with payment card security standards where credit or debit card payments are accepted. Three of the best known options for the encryption and security of personal and card details are: Public Key Software Infrastructure (PKI) Secure Electronic Transaction (SET) 40 Secure Socket Layer (SSL). In addition, the government has initiated the set up of the Public Services Network (PSN) to create a “network of networks” for the public sector from the existing commercial network providers in compliance with the Government Connect Secure Extranet (GCSX) requirements. This is a secure, private, wide area network (WAN) which enables secure interactions between connected local authorities and other GSi connected organisations. GCSX is connected to the Government Secure Intranet (GSi), thus enabling secure interactions between local authorities and central government departments and national bodies. It also provides secure access from connected local authorities to many other secure networks such as the NHS. There are many benefits to local authorities from achieving the standard, uniform and high level security Code of Connection (CoCo), including compliance with the Data Protection Act and with both central government policy and the local government data handling guidelines. GCSX now provides a foundation upon which to build shared services and secure multi-agency joint working programmes. Data quality, security and sharing Information in both electronic and paper formats is vital to the operation of an organisation’s business activities and the volume of information held is increasing rapidly. Before sharing personal data, the following should be considered to ensure the risk of loss or unauthorised access is minimised: the sharing is lawful and necessary the recipient is verified the proposed method of sharing the personal data is appropriate and secure ie encrypted remote access to data is via a secure link such as a such as a virtual private network connection a risk assessment is carried out and documented before sharing any data either electronically or otherwise. Further information on this subject can be found in the Data Security and Transfer section. CAATS Data Analysis/Interrogations Computer Assisted Audit Techniques (CAATs) are data interrogation techniques that are increasingly used by auditors to help perform 41 assurance and compliance audits by testing the accuracy and completeness of data. See ISACA Guideline G3 Use of Computerassisted Audit Techniques, IIA GTAG 16: Data Analysis Technologies and GTAG-3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment. It is the volume of records examined via CAATs that makes an enormous difference in audit reports and this volume of testing adds real value to the quality of the assurance opinion provided. For example, which looks better in an audit report: “Audit tested 50 transactions and noted one transaction that was processed incorrectly” or “Audit used CAATS to test every payment made last year and found X exception records amounting to £n in value”. The value of CAATs driven audit reviews is limited by the quality of the business application data saved in files and the extent to which data is stored in accordance with a systematic pattern. Much data is not documented in a specific structure or else the saved data is poorly classified and contains deficiencies that make it integrity suspect. So, for now CAATs can complement audit activities in certain audits but can’t be used at all in some while in others the value of the audit opinion can be challenged unless CAATs have been used. “CAATs” can refer to any computer program used to improve the audit process. Generally, however, the term is used to refer to any data extraction and analysis software. This would include programs such as spreadsheets (eg Excel), databases (eg Access), statistical analysis (eg SAS), business intelligence (eg Crystal Reports and Business Objects), etc. There are, however, companies that have developed dedicated data analytic software specifically for auditors. Benefits of audit software include the following. The software is independent of the system being audited and will use a read-only copy of the file to avoid any corruption of an organisation’s data. Many audit-specific routines are used such as sampling. Many provide documentation of each test performed in the software that can be used as documentation in the auditor’s work papers. Automation of multiple tests is possible including: – data queries – data stratification 42 – sample extractions – missing sequence identification – statistical analysis – calculations – duplicate inquires – pivot tables and cross tabulation. Some advantages of using specialist computer audit software tools, rather than standard PC software reporting tools such as SQL query, MS Access and MS Excel, are: ability to scrutinise huge data volumes in a fraction of the time ability to help identify erroneous or exceptional items eg duplicate payments user friendly maintains a log of the tests undertaken ability to develop and run macros and automated test scripts. Some disadvantages of using software are: cost of software staff training learning development and retention obtaining access to data understanding the data obtained. ACL and IDEA dominate the proprietary market for CAATs but the open source alternative solution Picalo (www.picalo.org) represents a valid zero cost alternative. The Picalo software, which reads any Open DataBase Connectivity (ODBC) source files and any open source Python programming data, was designed with fraud detection in mind so while it does not include sampling it does include Benford's law and calculated columns. Picalo scripts are written in Python so sampling can easily be added and the documentation is very good. CAATs provide auditors with fraud detection tools that can identify unexpected or unexplained patterns in data that may indicate fraud. Whether the CAATs are simple or complex, data analysis provides many benefits in the prevention and detection of fraud. 43 CAATs form the basis of the annual National Fraud Initiative (NFI), which was initiated in the London boroughs by the Audit Commission and the London Audit Group, and now covers the national data matching and analysis of both public and private sector records. The NAO may take the NFI activities when the Audit Commission is decommissioned. CAATs can also provide audit and management with a continuous monitoring and assurance capability to implement an ongoing process for acquiring, analysing, and reporting on business data to identify and respond to operational business risks. See the IIA GTAG 16: Data Analysis Technologies and GTAG-3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment. CAATs links www.caats.ca/default.php?file=acl www.acl.com/products/ccm.aspx www.caseware.com/about-us/news-reviews/idea-script-is-asimple-way-to-automate-testing-for-continuous-controlsmonitoring Conclusion on the use of CAATs CAATs data analysis is a complex area that can provide real value in assessing the level of controls being applied but it is always necessary to understand the organisational policies and procedures and how they impact on the specific area under review. Data integrity and security is likely to be an audit consideration in a number of individual audit reviews and specialists may be required in order to undertake more detailed work in certain areas of data analysis, as they are in other technical ICT audit areas such as data security, network security, server security, intrusion detection systems, firewalls, routers and the cloud.
