Auditing General and Application Controls


IT AUDIT MANUAL

For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognize the benefits of information technology and use it to drive their stakeholders' value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on IT.

The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance.

What is IT governance?

IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization’s strategies and objectives.

Furthermore, IT governance integrates and institutionalizes good practices to ensure that the enterprise's IT supports the business objectives. IT governance thus enables the enterprise to take full advantage of its information, thereby maximizing benefits, capitalizing on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT.

Organizations should satisfy the quality and security requirements for their information, as for all assets. Management should also optimize the use of available IT resources, including applications, information, infrastructure and people. To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide.

About Control Framework

Control Framework provides good practices across a domain and presents activities in a manageable and logical structure. Control Framework good practices represent the consensus of experts. They are strongly focused on control and less on execution. These practices will help optimize IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.


For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. A control framework contributes to these needs by:

Making a link to the business requirements

Organizing IT activities into a generally accepted process model

Identifying the major IT resources to be leveraged

Defining the management control objectives to be considered

The business orientation control framework consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

In summary, to provide the information that the enterprise needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

Management needs control objectives that define the ultimate goal of implementing policies, procedures, practices and organizational structures designed to provide reasonable assurance that:

Business objectives are achieved.

Undesired events are prevented or detected and corrected.

In complex environments, management is continuously searching for condensed and timely information to make difficult decisions on risk and control quickly and successfully.

Control framework supports IT governance to ensure that:

IT is aligned with the business

IT enables the business and maximizes benefits

IT resources are used responsibly

IT risks are managed appropriately

Performance measurement is essential for IT governance. It includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Many surveys have identified that the lack of transparency of IT's cost, value and risks is one of the most important drivers for IT governance. While the other focus areas contribute, transparency is primarily achieved through performance measurement.


IT Governance Focus Areas:

Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.

Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.

Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.

Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities into the organization.

Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery.

These IT governance focus areas describe the topics that executive management needs to address to govern IT within their enterprises. Operational management uses processes to organise and manage ongoing IT activities. Control Framework provides a generic process model that represents all the processes normally found in IT functions, providing a common reference model understandable to operational IT and business managers. The control framework process model has been mapped to the IT governance focus areas, providing a bridge between what operational managers need to execute and what executives wish to govern.

To achieve effective governance, executives expect controls to be implemented by operational managers within a defined control framework for all IT processes. IT control objectives are organized by IT process; therefore, the framework provides a clear link among IT governance requirements, IT processes and IT controls.

The benefits of implementing control framework over IT include:


Better alignment, based on a business focus

A view, understandable to management, of what IT does

Clear ownership and responsibilities, based on process orientation

General acceptability with third parties and regulators

Shared understanding amongst all stakeholders, based on a common language

Need for a Control Framework for IT Governance

Why

Increasingly, top management is realizing the significant impact that information can have on the success of the enterprise. Management expects heightened understanding of the way information technology (IT) is operated and the likelihood of its being leveraged successfully for competitive advantage. In particular, top management needs to know if information is being managed by the enterprise so that it is:

Likely to achieve its objectives

Resilient enough to learn and adapt

Judiciously managing the risks it faces

Appropriately recognizing opportunities and acting upon them

Successful enterprises understand the risks and exploit the benefits of IT, and find ways to deal with:

Aligning IT strategy with the business strategy

Cascading IT strategy and goals down into the enterprise

Providing organizational structures that facilitate the implementation of strategy and goals

Creating constructive relationships and effective communications between the business and IT, and with external partners

Measuring IT's performance

Enterprises cannot deliver effectively against these business and governance requirements without adopting and implementing a governance and control framework for IT to:

Make a link to the business requirements

Make performance against these requirements transparent

Organize its activities into a generally accepted process model


Identify the major resources to be leveraged

Define the management control objectives to be considered

Furthermore, governance and control frameworks are becoming a part of IT management best practice and are an enabler for establishing IT governance and complying with continually increasing regulatory requirements.

IT best practices have become significant due to a number of factors:

Business managers and boards demanding a better return from IT investments, i.e., that IT delivers what the business needs to enhance stakeholder value

Concern over the generally increasing level of IT expenditure

The need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting and in specific sectors.

The selection of service providers and the management of service outsourcing and acquisition

Increasingly complex IT-related risks such as network security

IT governance initiatives that include adoption of control frameworks and best practices to help monitor and improve critical IT activities to increase business value and reduce business risk

The need to optimize costs by following, where possible, standardized rather than specially developed approaches

The growing maturity and consequent acceptance of well-regarded frameworks such as COBIT, ITIL, ISO 17799, ISO 9001, CMM and PRINCE2

The need for enterprises to assess how they are performing against generally accepted standards and against their peers.

What

To meet the previous requirements, a framework for IT governance and control should meet the following general specifications:

Provide a business focus to enable alignment between business and IT objectives.

Establish a process orientation to define the scope and extent of coverage, with a defined structure enabling easy navigation of content.

Be generally acceptable by being consistent with accepted IT best practices and standards and independent of specific technologies.


Supply a common language with a set of terms and definitions that are generally understandable by all stakeholders.

Help meet regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and external auditors.

Control Framework’s Information Criteria:

To satisfy business objectives, information needs to conform to certain control criteria. Based on the broader quality, fiduciary and security requirements, seven distinct, though overlapping, information criteria are defined as follows:

Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.

Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.

Confidentiality concerns the protection of sensitive information from unauthorized disclosure.

Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.

Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Compliance deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria, as well as internal policies.

Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.


BUSINESS GOALS AND IT GOALS

While information criteria provide a generic method for defining the business requirements, defining a set of generic business and IT goals provides a business-related and more refined basis for establishing business requirements and developing the metrics that allow measurement against these goals. Every enterprise uses IT to enable business initiatives and these can be represented as business goals for IT.

If IT is to successfully deliver services to support the enterprise's strategy, there should be clear ownership and direction of the requirements by the business, and a clear understanding of what needs to be delivered by IT and how.

IT Resources

The IT resources can be defined as follows:

Applications are the automated user systems and manual procedures that process the information.

Information is the data in all their forms input, processed and output by the information systems, in whatever form is used by the business.

Infrastructure is the technology and facilities (hardware, operating systems, database management systems, networking, multimedia, etc., and the environment that houses and supports them) that enable the processing of the applications.

People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

IT Audit Basics

The IS Audit Process

Information systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance. It has been defined as the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.


The purpose of IS audit is to review and provide feedback, assurances and suggestions.

The concerns an IS audit addresses can be grouped under three broad heads:

1. Availability: Will the information systems on which the business is heavily dependent be available for the business at all times when required? Are the systems well protected against all types of losses and disasters?

2. Confidentiality: Will the information in the systems be disclosed only to those who have a need to see and use it and not to anyone else?

3. Integrity: Will the information provided by the systems always be accurate, reliable and timely? What ensures that no unauthorized modification can be made to the data or the software in the systems?

Elements of IS Audit

An information system is not just a computer. Information systems are complex and have many components that piece together to make a business solution. Assurances about an information system can be obtained only if all the components are evaluated and secured. The major elements of IS audit can be broadly classified as follows:

1. Physical and environmental review: This includes physical security, power supply, air conditioning, humidity control and other environmental factors.

2. System administration review: This includes security review of the operating systems, database management systems, all system administration procedures and compliance.

3. Application software review: The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures.

Additionally, a review of the system development lifecycle should be completed.

4. Network security review: Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.

5. Business continuity review: This includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity plan.

6. Data integrity review: The purpose of this is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).

All these elements need to be addressed to present to management a clear assessment of the system.

It is important to understand that each audit may consist of these elements in varying measures; some audits may scrutinize only one of these elements or drop some of them. While it is necessary to do all of them, it is not mandatory to do all of them in one assignment. The skill sets required for each of these are different. The results of each audit need to be seen in relation to the others. This will enable the auditor and management to get the total view of the issues and problems. This overview is critical.

Risk-based Approach

Every organization uses a number of information systems. There may be different applications for different functions and activities and there may be a number of computer installations at different geographical locations.

The auditor is faced with the questions of what to audit, when and how frequently. The answer to this is to adopt a risk-based approach.

While there are risks inherent to information systems, these risks impact different systems in different ways.

The steps that can be followed for a risk-based approach to making an audit plan are:

1. Inventory the information systems in use in the organization and categorize them.

2. Determine which of the systems impact critical functions or assets, such as money, materials, customers, decision making, and how close to real time they operate.

3. Assess what risks affect these systems and the severity of impact on the business.

4. Rank the systems based on the above assessment and decide the audit priority, resources, schedule and frequency.

The auditor then can draw up a yearly audit plan that lists the audits that will be performed during the year, as per a schedule, as well as the resources required.
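The four steps above can be carried through as a simple scoring exercise. The following is an added example, not part of the manual: the asset weights, threat factors, frequency thresholds and the four systems in the inventory are constructed for illustration, and an organization would substitute its own scales.

```python
# Added example, not from the manual: a risk-scored audit plan built from an
# inventory of systems.  Asset weights, threat factors, frequency thresholds and
# the systems themselves are constructed for illustration.

# Step 2: weight for each critical function or asset a system touches (constructed)
ASSET_WEIGHTS = {"money": 5, "customers": 4, "materials": 3, "decision_making": 2}

# Step 3: factors that raise the likelihood that a risk materialises (constructed)
THREAT_FACTORS = {"internet_facing": 2, "high_change_rate": 1, "third_party_hosted": 1}

# Step 1: constructed inventory, categorised by site and by what the system touches
SYSTEMS = [
    {"name": "Core banking", "site": "HQ", "assets": {"money", "customers"},
     "real_time": True, "threats": {"internet_facing", "high_change_rate"}},
    {"name": "Payroll", "site": "HQ", "assets": {"money"},
     "real_time": False, "threats": {"third_party_hosted"}},
    {"name": "Inventory", "site": "Plant-2", "assets": {"materials"},
     "real_time": True, "threats": set()},
    {"name": "BI reporting", "site": "HQ", "assets": {"decision_making"},
     "real_time": False, "threats": {"high_change_rate"}},
]


def impact_score(system):
    """Severity of impact: sum of asset weights, doubled for real-time systems
    because there is no window to catch errors before they take effect."""
    base = sum(ASSET_WEIGHTS[a] for a in system["assets"])
    return base * (2 if system["real_time"] else 1)


def likelihood_score(system):
    """Baseline likelihood of 1 plus the constructed threat factors present."""
    return 1 + sum(THREAT_FACTORS[t] for t in system["threats"])


def risk_score(system):
    return impact_score(system) * likelihood_score(system)


def audit_frequency(score):
    """Step 4: map the risk score to an audit cycle (thresholds are constructed)."""
    if score >= 30:
        return "quarterly"
    if score >= 10:
        return "annual"
    return "biennial"


def audit_plan(systems=SYSTEMS):
    """Rank systems by risk and return (name, score, frequency), highest risk first."""
    ranked = sorted(systems, key=risk_score, reverse=True)
    return [(s["name"], risk_score(s), audit_frequency(risk_score(s))) for s in ranked]


if __name__ == "__main__":
    for name, score, freq in audit_plan():
        print(f"{name:<14} risk={score:>3}  audit {freq}")
```

The output of `audit_plan()` is the ranked list the yearly plan is drawn from; the real-time multiplier and threat factors are where an auditor encodes the judgement the manual describes in steps 2 and 3.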

IT Audit's Role and Management Role:

The IT auditor and IT management must review existing standards and ensure compliance with national information infrastructures.

Auditing the processing environment is divided into two parts. The first and most technical part of the audit is the evaluation of the operating environment, with major software packages (e.g., the operating and security systems) representing the general or environmental controls in the automated processing environment. This part usually is audited by the IS audit specialist. The second part of the processing environment is the automated application, which is audited by the general auditor who possesses some computer skills.

The role of the IS auditor can be examined through the process of IT governance and the existing standards of professional practice for this profession. IT governance is an organizational involvement in the management and review of the use of IT in attaining the goals and objectives set by the organization.

Reasons for implementing an IT governance program include:

Increasing dependence on information and the systems that deliver the information

Increasing vulnerabilities and a wide spectrum of threats

Scale and cost of current and future investments in information and information systems

Potential for technologies to dramatically change organizations and business practices, create new opportunities and reduce costs.


Auditing General and Application Controls

Auditing General Controls

A general controls review attempts to gain an overall impression of the controls that are present in the environment surrounding the information systems. These include the organizational and administrative structure of the IS function, the existence of policies and procedures for the day-to-day operations, availability of staff and their skills and the overall control environment. It is important for the IS auditor to obtain an understanding of these as they are the foundation on which other controls reside.

A general controls review would also include the infrastructure and environmental controls.

Physical access control is another important area for review. Today, in a highly networked world, logical access to computer systems is virtually universal, yet there is still a necessity to control physical access too.

Application Software Audit Methodology

The information systems audit of application software should mainly cover the following areas:

Adherence to business rules in the flow and accuracy in processing

Validations of various data inputs

Logical access control and authorization

Exception handling and logging

The steps to be performed in carrying out an application software review are as follows:

Study and review of documentation relating to the application. However, the IS auditor may find situations in real life where documentation is not available or is not updated.

In such cases, the auditor should obtain technical information about the design and architecture of the system through interviews.

Study key functions of the software at work by observing and interacting with operating personnel during work. This gives an opportunity to see how processes actually flow and also observe associated manual activities that could act as complementary controls.


Run through the various menus, features and options to identify processes and options for conformance to business rules and practices. (Studying the documentation before this can significantly hasten the activity.) To illustrate with an example, it is a well accepted rule in financial accounting that once an accounting transaction has been keyed in and confirmed on the system to update the ledgers it should not be edited or modified. The correct method would be to pass a fresh reversal transaction to correct errors, if any. However, if the IS auditor observes that there is an option in the software to "edit/modify transactions," this would be noted as a control deficiency for correction.

This kind of run-through can be done more effectively if a development/test system is made available to the IS auditor. In the absence of such a facility, the auditor can only watch the system being run by the system administrator and make notes. The auditor is advised not to do any testing on a production system, as this could adversely affect a "live" system.

Validate every input to the system against the applicable criteria. Such validations go a long way in eliminating errors and ensuring data integrity. Apart from simple validations for numeric, character and date fields, all inputs should be validated with range checks, permissible values, etc. Validation checks that are built on application-specific logic can act as powerful controls, not only for ensuring data accuracy but also for preventing undesirable data manipulations. The IS auditor can check validations by actually testing them out in the development/test system. Alternatively, looking at the database definitions, the associated triggers and stored procedures would be the way for a technically savvy IS auditor to review the validations.
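The kinds of check listed above, in the form an auditor would exercise against a test system, as an added example that is not from the manual. The invoice-entry rule set, the open accounting period (the application-specific rule) and the three sample records are constructed; the rejected records show which failures each check catches.

```python
# Added example, not from the manual: field-level validation of the kind an IS
# auditor would exercise in a development/test system.  The invoice-entry rule
# set, the open accounting period and the sample records are constructed.
from datetime import date

# Constructed rules for a hypothetical invoice-entry screen.
# "type" covers the simple numeric/character/date checks; "min"/"max" are range
# checks; "allowed" lists permissible values; "length" is a fixed-format check.
RULES = {
    "invoice_no":  {"type": str, "length": 8},
    "amount":      {"type": (int, float), "min": 0.01, "max": 1_000_000.00},
    "currency":    {"type": str, "allowed": {"USD", "EUR", "GBP"}},
    "post_date":   {"type": date},
    "cost_centre": {"type": str, "allowed": {"CC100", "CC200", "CC300"}},
}

# Application-specific rule: postings are accepted only into the open period.
OPEN_PERIOD = (date(2024, 3, 1), date(2024, 3, 31))


def validate_record(rec, rules=RULES, open_period=OPEN_PERIOD):
    """Return the list of validation failures for one input record (empty = valid)."""
    errors = []
    for field, rule in rules.items():
        if field not in rec:
            errors.append(f"{field}: missing")
            continue
        value = rec[field]
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{field}: wrong data type")
            continue                     # further checks assume the right type
        if "min" in rule and value < rule["min"]:
            errors.append(f"{field}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{field}: above maximum {rule['max']}")
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{field}: '{value}' is not a permitted value")
        if "length" in rule and len(value) != rule["length"]:
            errors.append(f"{field}: must be exactly {rule['length']} characters")
    # Application-specific logic beyond the simple field checks
    post = rec.get("post_date")
    if isinstance(post, date) and not (open_period[0] <= post <= open_period[1]):
        errors.append("post_date: outside the open accounting period")
    return errors


# Constructed test inputs: one clean record and two that should be rejected.
SAMPLE_INPUTS = [
    {"invoice_no": "INV00001", "amount": 250.00, "currency": "EUR",
     "post_date": date(2024, 3, 15), "cost_centre": "CC100"},
    {"invoice_no": "INV00002", "amount": -40.00, "currency": "JPY",
     "post_date": date(2024, 4, 2), "cost_centre": "CC100"},
    {"invoice_no": "INV3", "amount": "100", "currency": "USD",
     "post_date": date(2024, 3, 10)},
]


def run_validation(records=SAMPLE_INPUTS):
    """Map each record's invoice number to its validation failures."""
    return {rec["invoice_no"]: validate_record(rec) for rec in records}


if __name__ == "__main__":
    for inv, errs in run_validation().items():
        print(inv, "OK" if not errs else errs)
```

An auditor testing a real application would feed records like `SAMPLE_INPUTS` through the entry screen and confirm each is accepted or rejected as the rule set predicts; where the rules live in the database as constraints, triggers or stored procedures, the same table of expected outcomes is the checklist for reviewing those definitions.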

Verify access control in application software. This consists of two aspects: the inherent design of the access control module, and the nature of access granted to various users and its maintenance. Every application has a number of modules/options/menus that cater to the different functionality provided by the software. Different users will need access to various features based on their responsibilities and job descriptions. All access should be strictly based on the need to know and do. The design of the access control module may be of varied types. Most software would check a combination of user ID and password before allowing access.

Access may be controlled for each module, menu option, each screen or controlled through objects. Often the matrix of users versus the options/actions becomes too large and complex to maintain; hence it is normal to define certain roles for different classes of employees, group them together and assign them similar access. The IS auditor should review the design of the access control module, keeping in mind the criticality of the functions/actions possible in the software, and evaluate whether the design provides the level of control and granularity to selectively and strictly allow access as per the job requirements of all the users. Having done this, the auditor should proceed to verify whether all existing users have appropriate access as evidenced by their job descriptions and whether access to certain critical activities is allowed only to select personnel duly authorized. It also is necessary to verify who has administrator/superuser rights and how such rights are used/controlled. Ideally no one in the IT/development group should have any access to the production data. All actions on the data by the superuser should be logged and verified by the data owners regularly.
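The user-versus-role review described above, as an added example that is not from the manual. The roles, menu options, job entitlements, the list of personnel authorised for the critical activity and the six users are all constructed; the review reports access beyond the job description, unauthorised use of a critical option, superuser rights, and IT/development staff with production access.

```python
# Added example, not from the manual: reviewing a role-based access matrix the
# way the paragraph above describes.  Roles, menu options, job entitlements,
# the authorised list for critical activities and the users are all constructed.

# Design of the access control module: which menu options each role may use.
ROLE_PERMISSIONS = {
    "AP_CLERK":      {"invoice.enter", "invoice.view"},
    "AP_SUPERVISOR": {"invoice.view", "invoice.approve", "payment.release"},
    "AUDITOR":       {"invoice.view", "audit.log.view"},
    "SYSADMIN":      {"*"},          # superuser: every option in the system
}
ALL_OPTIONS = set().union(*(p for p in ROLE_PERMISSIONS.values() if "*" not in p))

# What each job description entitles a person to do ("need to know and do").
JOB_ENTITLEMENTS = {
    "AP clerk":       {"invoice.enter", "invoice.view"},
    "AP supervisor":  {"invoice.view", "invoice.approve", "payment.release"},
    "Developer":      set(),         # IT/development staff: no production access
    "Internal audit": {"invoice.view", "audit.log.view"},
}

# Critical activities and the personnel duly authorised to perform them.
CRITICAL_OPTIONS = {"payment.release"}
AUTHORISED_FOR_CRITICAL = {"u003"}

# Constructed user list: (user id, department, job title, roles assigned)
USERS = [
    ("u001", "Finance", "AP clerk",       {"AP_CLERK"}),
    ("u002", "Finance", "AP clerk",       {"AP_CLERK", "AP_SUPERVISOR"}),
    ("u003", "Finance", "AP supervisor",  {"AP_SUPERVISOR"}),
    ("u004", "IT",      "Developer",      {"AP_CLERK"}),
    ("u005", "IT",      "Developer",      {"SYSADMIN"}),
    ("u006", "Audit",   "Internal audit", {"AUDITOR"}),
]


def effective_access(roles):
    """Expand a user's roles into the set of options they can actually reach."""
    options = set()
    for role in roles:
        perms = ROLE_PERMISSIONS[role]
        options |= ALL_OPTIONS if "*" in perms else perms
    return options


def review_access(users=USERS):
    """Return (user id, finding, detail) tuples for every control exception."""
    findings = []
    for uid, dept, title, roles in users:
        granted = effective_access(roles)
        excess = granted - JOB_ENTITLEMENTS[title]
        if excess:
            findings.append((uid, "access beyond job description", sorted(excess)))
        critical = granted & CRITICAL_OPTIONS
        if critical and uid not in AUTHORISED_FOR_CRITICAL:
            findings.append((uid, "critical activity without authorisation", sorted(critical)))
        if "SYSADMIN" in roles:
            findings.append((uid, "superuser rights held", sorted(roles)))
        if dept == "IT" and granted:
            findings.append((uid, "IT/development staff with production access", sorted(granted)))
    return findings


if __name__ == "__main__":
    for uid, finding, detail in review_access():
        print(f"{uid}: {finding} -> {detail}")
```

In practice the three inputs come from different owners: the role design from the application team, the user list from the access administration records, and the entitlements from HR job descriptions; comparing them independently is what turns a user list into audit evidence.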

Verify how errors and exceptions are handled. In many activities software provides options and ways to reverse transactions, correct errors, allow transactions under special circumstances, etc. Each one of these is special to the business and based on the rules and procedures defined by the organization for these. The IS auditor needs to see how the software handles these. Are these circumstances properly authorized in the software? Does it capture the user id and time stamp for all transactions to provide suitable trails? Are the exceptions and critical activities like updates to global parameters logged for independent review later?
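The transaction controls from the run-through step (no editing of a confirmed transaction, correction by reversal) and the trail requirements in the paragraph above (user ID and timestamp on every action, logging of exceptions and of global parameter changes) in one small ledger, as an added example that is not from the manual. The accounts, users, parameter and amounts are constructed; the `modify` method stands in for the "edit/modify transactions" option the manual flags and shows it refused and logged.

```python
# Added example, not from the manual: a small ledger showing the controls the
# manual describes: a confirmed transaction cannot be edited, errors are fixed
# by a reversal entry, every action carries a user id and timestamp, and changes
# to global parameters are logged for independent review.  The accounts, users
# and values are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)          # frozen: a posted transaction is immutable
class Transaction:
    txn_id: int
    account: str
    amount: float
    user: str
    posted_at: datetime
    reverses: Optional[int] = None   # id of the transaction this one reverses


class Ledger:
    def __init__(self):
        self._txns = {}
        self.trail = []                      # audit trail, append-only
        self.params = {"vat_rate": 0.20}     # constructed global parameter
        self._next_id = 1

    def _now(self):
        return datetime.now(timezone.utc)

    def _log(self, user, action, detail):
        self.trail.append({"ts": self._now(), "user": user,
                           "action": action, "detail": detail})

    def post(self, user, account, amount, reverses=None):
        txn = Transaction(self._next_id, account, amount, user, self._now(), reverses)
        self._txns[txn.txn_id] = txn
        self._next_id += 1
        self._log(user, "POST", f"txn {txn.txn_id} {account} {amount:+.2f}")
        return txn.txn_id

    def modify(self, user, txn_id, **changes):
        """The 'edit/modify transactions' option the manual flags: refused, and
        the attempt itself is written to the trail."""
        self._log(user, "REJECTED_EDIT", f"txn {txn_id} {changes}")
        raise PermissionError("confirmed transactions cannot be edited; post a reversal")

    def reverse(self, user, txn_id):
        """Correct an error with a fresh, opposite-signed transaction."""
        orig = self._txns[txn_id]
        rev_id = self.post(user, orig.account, -orig.amount, reverses=txn_id)
        self._log(user, "REVERSE", f"txn {rev_id} reverses txn {txn_id}")
        return rev_id

    def set_param(self, user, name, value):
        """Global parameter updates are a critical activity: always logged."""
        old = self.params.get(name)
        self.params[name] = value
        self._log(user, "PARAM_CHANGE", f"{name}: {old} -> {value}")

    def balance(self, account):
        return round(sum(t.amount for t in self._txns.values()
                         if t.account == account), 2)


def demo():
    """Constructed scenario: a keying error corrected the right way."""
    ledger = Ledger()
    t1 = ledger.post("clerk1", "4000-Sales", 1200.00)   # should have been 1000.00
    try:
        ledger.modify("clerk1", t1, amount=1000.00)      # refused
    except PermissionError:
        pass
    ledger.reverse("clerk1", t1)
    ledger.post("clerk1", "4000-Sales", 1000.00)
    ledger.set_param("admin1", "vat_rate", 0.25)
    return ledger


if __name__ == "__main__":
    led = demo()
    print("balance:", led.balance("4000-Sales"))
    for entry in led.trail:
        print(entry["ts"].isoformat(), entry["user"], entry["action"], entry["detail"])
```

Reading `led.trail` after `demo()` answers the three questions the manual poses: the rejected edit and the reversal are both visible, every entry names the user and time, and the parameter change sits in the same trail where a data owner reviewing it later will see it.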

Correct any weaknesses found at the end of an application review that could lead to errors or compromises in security. These would need to be corrected by changes in design and/or some recoding. While this would be addressed by the IT department, the user or owner of the application from the functional area would want to know if any of these weaknesses have been exploited by anyone and whether there have been any losses. To answer this question the IS auditor should download all the data for the period in question and run a series of comprehensive tests using audit software to determine whether any error or fraud actually occurred.

Evaluate the environment under which the application runs. The audit of the application software alone is not enough. Generally, it is prudent to conduct a security review of the operating system and the database in which the application runs while doing an application review.


All critical applications used in an organization need to be subjected to detailed review by an IS auditor. This is one of the most important aspects of IS audit for a business. The job of application review becomes more complex as the application becomes larger and more integrated.

While auditing complex applications, it is always good to start with a generic industry-based template of an audit work program and slowly customize the work program to the specific situation as the audit progresses.

