1/29/2012
Main Reference:
– Hall, James A. 2011. Information Technology Auditing and Assurance, 3rd Edition, Florida, USA: Auerbach Publications
Suggested References:
– Senft, Sandra; Gallegos, Frederick. 2009. Information Technology Control and Audit, Third Edition. Auerbach Publications
– Davis, Chris. 2007. IT Auditing: Using Controls to Protect Information Assets. McGraw-Hill

• Introduction to IT Audit and Control
• Information Technology Environment: Why Are Controls and Audit Important?
• Legal Environment and Its Impact on Information Technology
• Audit and Review: Its Role in Information Technology
• Audit Process in an Information Technology Environment

Organizing the IT Function
• The IT Function must be organized and structured.
• The IT Manager must define the role and articulate the value of the IT Function.
• The configuration within a company depends on external and internal organizational factors.
• Sound internal controls are essential to the structural framework.

Designing the IT Function
• The ultimate structure of the IT function is often determined by cultural, political and economic forces inherent in each organization.
• Keep separate from one another:
– systems development
– computer operations
– computer security

Systems Development
• Staff has access to operating systems, business applications and other key software.
• Systems developers are authorized to create and alter software logic; therefore, they should not be allowed to process information.
• They should not maintain custody of corporate data and business applications.
Computer Operations
• Operations staff are responsible for:
– Entering data (similar to the internal control concept of 'authorizing transactions')
– Processing information (similar to the internal control concept of 'recording transactions')
– Disseminating output (similar to the internal control concept of 'maintaining custody')
• Must segregate duties.

Computer Security
• Responsible for the safe-keeping of resources
– includes ensuring that business software applications are secure
– responsible for the safety ('custody') of corporate information, communication networks and physical facilities
• Systems analysts and programmers should not have access to the production library.

[Figure: IT Organization Function chart. The IT Function Manager oversees the Systems Development Manager, the Computer Operations Manager, the Computer Security Manager and the User Services Manager. Units shown, with the slide's letter tags: Systems Analysis (a), Computer Programming (b), Technical Support, Application Support, Data Input (a), Information Processing (b), Information Output (c), Database Administration (c), Software Security, Information Security, Network Security, Continuity of Operations, Physical Security, User Training, Help Desk, Quality Control.]

IT Auditors' Examination of the IT Function
• Auditors should ensure that systems developers and computer operators are segregated.
• It is also advisable for the IT function to form a separate security specialization to maintain custody of software applications and corporate data.

Funding the IT Function
• Must be adequately funded to fulfill strategic objectives.
• Business risk of under-funding:
– Needs and demands of customers, vendors, employees and other stakeholders will go unfulfilled.
– Can adversely impact the success of the company.
• Audit risk of under-funding:
– Heavy workloads can lead to a culture of 'working around' the system of internal controls.

Two funding approaches
1. Cost Center Approach
• Submit a detailed budget to upper management.
• Justify each line item.
• Use the IT function scorecard approach:
– Operational performance
– User satisfaction
– Adaptability and scalability
– Organizational contribution
2. Profit Center Approach
• Submit a detailed budget to upper management.
• Charge internal users for services through intracompany billing.
– Positive outcome: managers will not be overly demanding of IT services.
– Negative outcome: IT can build excessive expenses into billing rates until the rates exceed the costs of outside providers.

Acquiring IT Resources
• The IT manager should justify IT capital projects using a methodological approach.
– Determine the net benefit
• Present value of benefits minus costs
– Use the scorecard approach for non-quantifiable paybacks.

Controlling the IT Function
• The major control categories involved in the IT function are:
– Security
– Input
– Processing
– Output
– Databases
– Backup and recovery
• Each of these categories is intended to minimize business and audit risk via internal controls.

Security Controls
• Secure the computing infrastructure from internal and external threats.
• A compromise of the infrastructure can result in:
– business risk
• network downtime
• database corruption
– audit risk
• material misstatements in accounts due to incomplete or inaccurate data capture

Physical Security
• Focuses on keeping facilities, computers, communication equipment and other tangible aspects of the computing infrastructure safe from harm.

Physical Security – Access Restriction
• Only authorized personnel should be allowed into the facility.
• Visitors should be accompanied by authorized personnel at all times.
• Use at all ingress and egress points:
– Security guards
– Card readers
– Keys & locks
– Biometric devices
• Penetration points should be adequately secured.

Physical Security – Monitor Access
• Monitor who is entering, roaming and leaving the facility.
– Security guards
– Video cameras
– Penetration alarms
• Review access evidence.
– Signage log, paper or electronic
• Formal review procedures in place.

Physical Security – Monitor Access (continued): security issues and the physical and logical controls that address them
Access Controls
– Physical security issue: unauthorized attempts to enter IT facilities
– Physical controls: security guards; locks & keys; biometric devices
– Logical security issue: unauthorized attempts to enter servers and networks
– Logical controls: IDs and passwords; authorization matrix; firewalls & encryption
Monitor Controls
– Physical security issue: attempts to break in through vulnerable points
– Physical controls: security guards; video cameras; penetration alarms
– Logical security issue: attempts to override access controls (hacking)
– Logical controls: access logs; supervisory oversight; penetration alarms
Review Controls
– Physical security issue: as an authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight
– Physical controls: formal reviews; signage logs; violation investigations
– Logical security issue: as an authorized user, attempts to use unauthorized applications and view unauthorized information
– Logical controls: formal reviews; activity logs; violation investigations; penetration tests

Physical Security – Communication & Power Lines
• The IT manager should:
– monitor the primary communication and power lines via cameras and guards
– install secondary (backup) lines in case the primary lines fail.
• The contingency plan must address the possible failure of lines.

Physical Security – Off-Site Equipment
• Equipment located in other places needs to be monitored in the same way.
• An effective backup plan must be in place.
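The Systems Development, Computer Operations, Computer Security and IT Auditors' Examination slides above all turn on one test: no single person may hold duties from two of the three functions. The following Python is an added example, not from the slides or Hall's text, of the check an auditor would run over a role extract from an access-management system. The role names, the function each role is assigned to and the sample users are constructed for the example.

```python
"""Segregation-of-duties (SoD) check over IT role assignments.

Added example, not from the slides or Hall's text. It encodes the slides'
rule that systems development, computer operations and computer security
must be kept separate; the role names, the function each role belongs to
and the sample user assignments are all constructed for the example.
"""
from itertools import combinations

# Constructed mapping: which IT function each role belongs to.
FUNCTION_OF_ROLE = {
    "systems_analysis": "systems_development",
    "computer_programming": "systems_development",
    "production_library_write": "computer_operations",
    "data_input": "computer_operations",
    "information_processing": "computer_operations",
    "information_output": "computer_operations",
    "database_administration": "computer_security",
    "software_security": "computer_security",
    "network_security": "computer_security",
}

# The three functions are pairwise incompatible for a single person.
INCOMPATIBLE_FUNCTIONS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "computer_security"}),
    frozenset({"computer_operations", "computer_security"}),
}


def sod_violations(assignments):
    """Return {user: [(role_a, role_b), ...]} for every conflicting role pair.

    assignments maps a user id to the roles that user holds. A role that is
    not in FUNCTION_OF_ROLE raises KeyError so that an unmapped role cannot
    silently pass the check.
    """
    findings = {}
    for user, roles in assignments.items():
        roles = sorted(set(roles))
        unknown = [r for r in roles if r not in FUNCTION_OF_ROLE]
        if unknown:
            raise KeyError(f"{user}: unmapped roles {unknown}")
        conflicts = [
            (a, b)
            for a, b in combinations(roles, 2)
            if frozenset({FUNCTION_OF_ROLE[a], FUNCTION_OF_ROLE[b]}) in INCOMPATIBLE_FUNCTIONS
        ]
        if conflicts:
            findings[user] = conflicts
    return findings


# Constructed sample extract from an access-management system.
SAMPLE_ASSIGNMENTS = {
    "alice": ["systems_analysis", "computer_programming"],          # developer only: acceptable
    "bob": ["data_input", "information_processing"],                # operations only: acceptable
    "carol": ["computer_programming", "production_library_write"],  # developer who can change production
    "dave": ["database_administration", "data_input"],              # data custodian who also enters data
}

if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        for role_a, role_b in pairs:
            print(f"SoD violation: {user} holds both {role_a} and {role_b}")
```

The check deliberately refuses unmapped roles rather than ignoring them: in a real extract, a role nobody classified is exactly the one that lets a developer reach the production library unnoticed.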
Logical Security
• Data and software are known as the 'logical' components of the infrastructure:
– Corporate data
– Computer software
• user applications
• network systems
• communication systems
• operating systems

[Figure: Sample Authorization Matrix. Rows: User #1, User #2, User #3, each with ID = XXXXX and Password = YYYYY. Columns: information (Customers, Vendors) and applications (A/R, A/P, Sales, Purchasing, Receipts, Payments), each subdivided into Add / Edit / Read / Delete privilege cells; an 'x' in a cell grants that privilege to that user.]

Logical Security
• Physical controls
– most corporate data and software are located on computers, servers and storage devices
• Computer-controlled access, monitor & review systems

Logical Security – Points of Entry
• Computer terminal
– Supply authorized ID
– Password
• Internet
– Controls need to cover external access points
– Firewalls
– Track failed attempts to enter the system

Logical Security – Access and Monitor Systems
• Supervisory oversight
• Penetration alarms
– Track usage patterns
– Report failed attempts
• Formal review procedure

Information Controls
• Controls need to be in place and working effectively to ensure the integrity and accuracy of vital decision-making information.
• Must integrate sound backup controls.

Information Controls – Input Controls
• The company must have and follow written procedures regarding the proper authorization, approval and input of accounting transactions.
• These are incompatible functions.
– They should be carefully segregated, to the extent possible, and controlled.

Information Controls – Input Controls – 3 Scenarios – #1
• A customer purchases goods at a store counter.
– Authorizing the sale
• A cashier records the sale on the cash register.
– Approving the sale; balances the register; logs into the register with ID
• An accounting clerk later processes cash register sales in batches.
– Inputs sales transactions into the accounting system in batches

Information Controls – Input Controls – 3 Scenarios – #2
• Same, except the cash register automatically records the sale into the accounting system.

Process Controls
• Validating
• Error handling
• Updating

Database Controls
• Database processing involves simultaneous updating of multiple tables.
• Multiple tables and data items can be instantaneously corrupted when an interruption occurs.

Database Controls – Why corruption is so quick
1. Related tables are inextricably linked to one another.
2. Update routines often incorporate one or more of the following processing techniques:
– Multi-tasking – where the computer executes more than one task [program] at a time
– Multi-processing – where multiple CPUs simultaneously execute interdependent tasks [programs]
– Multi-threading – where a computer executes multiple parts of a program [threads] at one time

Database Controls – Roll-back and Recovery
• Databases operate on a transaction principle.
– A logical unit of work is considered a transaction.
– The processing of a transaction takes the database from an initial state to an altered state, to the new initial state.
– Each step must be completed.
– Any failure will result in database corruption.

Database Controls – Roll-back and Recovery
• When there is an interruption, the database management system (DBMS) begins to restore.
• There are numerous technical processes, depending on the DBMS in use.

Database Controls – Roll-back and Recovery – Basic Recovery
• A unique identifier tags each transaction.
• An activity log tracks the transaction as it processes.
• After an interruption, the DBMS identifies the transactions in process.
• A roll-back procedure is performed:
– Uncompleted transactions are placed back into the queue.
• Recovery takes place.

Database Controls – Concurrency Control
• Multiple users attempt to update the same data item simultaneously.
or when
• One user is updating while another user is reading the same data item.

Database Controls – Concurrency Control
• A common way to prevent concurrency problems is to lock a database object while it is in use and release the object upon completion.
• The DBMS can determine which operation to perform in what order, as it timestamps each transaction when the processing request is initiated.

Database Controls – Concurrency Control – Levels of Granularity
• Coarse level – the database is locked during updates.
– No one can use the database until the update is complete.
• Moderate level – the database locks at the tuple (record) level.
– No one else can use the record until the update is finished.
• Fine level – the database locks at the attribute (field) level.
– Only the field being updated is locked.

Database Controls – Concurrency Control – Levels of Granularity
• Tradeoff: there is an inverse relationship between the granularity level and system performance.
– A lower level of granular locking equates to slower computer performance.

Output Controls
• Only properly authorized parties can request certain output:
– computer screens
– printed reports
• Such logical access control is accomplished via the ID-password authorization matrix procedure.

Output Controls – Computer Screens
• Screens need to be physically secure when output is visible.
• Output should be removed when the user leaves the terminal.
• Returning to the screen should require a password.

Output Controls – Printed Reports
• Printer rooms need a trail of accountability.
– Locks to prevent unauthorized access.
– Logs to sign in anyone entering.
– Logs to sign for reports.
• End-user report requests should be password protected.
• Network printers should be placed where unauthorized persons will not have access.

Output Controls – Printed Reports
• Must have record retention and destruction policies.
– Mandated by regulatory agency.
– Dictated by company policy.
• Permanent reports must be kept in a secured area.
• Temporary reports must be properly destroyed.

Continuity Controls
• Must develop and follow a sound backup strategy to prevent disruption of business activity due to computer failures and disasters.
• Two key considerations: downtime and cost.
• Shorter downtime requirements equate to higher backup costs.

Continuity Controls – Backup Controls – Data Backup
• Slow Company
– Can survive for days without its computer system.
– Would perform a full backup each week.
• Medium Company
– Must be back on computers the same day.
– Would perform weekly full backups
– Daily incremental backups

Continuity Controls – Backup Controls – Data Backup
• Fast Company
– Must be back on computers within hours
– Needs daily full backups
– Hourly incremental backups
• Lightning Company
– Must be back on computers within minutes
– Needs real-time backup
– Simultaneous updating on a remote computer

Continuity Controls – Storage Location & Hardware Redundancy – Physical Vaulting
• One backup on-site, one off-site
– The on-site copy is readily accessible if there is no disaster
– The off-site copy is retrievable if there is a disaster
• The strategy involves more time and money

Continuity Controls – Storage Location & Hardware Redundancy – Electronic Vaulting
• Send backup data over a communications network (such as the Internet) to an off-site storage medium.
• Send to the home of an employee.
• Send to another company location.
• Purchase an outside service.
• Costs and accessibility are considerations.
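The Logical Security slides introduce the ID-password authorization matrix, and the Output Controls slides rely on the same matrix to decide who may request a screen or a report; the Access and Monitor Systems slide adds that failed attempts must be tracked for the formal review. The following Python is an added example, not from the slides or Hall's text, that puts those three pieces together: a matrix of Add/Edit/Read/Delete privileges per user and application, an authenticated request against it, and an activity log from which the denied requests can be pulled for review. The users, applications, passwords and the PBKDF2 hashing of stored passwords are constructed for the example.

```python
"""ID-password authorization matrix with an activity log.

Added example, not from the slides or Hall's text. Users, applications,
privileges and passwords are constructed; the password hashing uses the
standard library's PBKDF2 so that the stored matrix never holds plaintext.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PRIVILEGES = ("Add", "Edit", "Read", "Delete")
_ITERATIONS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


class AuthorizationMatrix:
    def __init__(self):
        self._credentials = {}  # user_id -> (salt, password hash)
        self._grants = {}       # user_id -> {application: set of privileges}
        self.activity_log = []  # one entry per request, allowed or not
        # Dummy credential so an unknown ID costs the same work as a bad password.
        dummy_salt = os.urandom(16)
        self._dummy = (dummy_salt, _hash_password(os.urandom(8).hex(), dummy_salt))

    def add_user(self, user_id, password, grants):
        for app, privs in grants.items():
            unknown = set(privs) - set(PRIVILEGES)
            if unknown:
                raise ValueError(f"{app}: unknown privileges {sorted(unknown)}")
        salt = os.urandom(16)
        self._credentials[user_id] = (salt, _hash_password(password, salt))
        self._grants[user_id] = {app: set(privs) for app, privs in grants.items()}

    def request(self, user_id, password, application, privilege):
        """Authenticate, then consult the matrix; log the decision either way."""
        salt, stored = self._credentials.get(user_id, self._dummy)
        password_ok = hmac.compare_digest(stored, _hash_password(password, salt))
        if user_id not in self._credentials:
            reason = "unknown id"
        elif not password_ok:
            reason = "bad password"
        elif privilege not in self._grants[user_id].get(application, set()):
            reason = "not authorized"
        else:
            reason = "ok"
        self.activity_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "application": application,
            "privilege": privilege, "allowed": reason == "ok", "reason": reason,
        })
        return reason == "ok"

    def failed_attempts(self, user_id=None):
        """Entries for the formal review: every denied request, optionally for one user."""
        return [e for e in self.activity_log
                if not e["allowed"] and (user_id is None or e["user"] == user_id)]


def build_sample_matrix():
    """Constructed matrix in the shape of the slides' sample (users x applications x privileges)."""
    m = AuthorizationMatrix()
    m.add_user("user1", "pw-one", {"Sales": ["Add", "Edit", "Read"], "A/R": ["Read"]})
    m.add_user("user2", "pw-two", {"Purchasing": PRIVILEGES, "Payments": ["Read"]})
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    matrix.request("user1", "pw-one", "Sales", "Read")      # allowed
    matrix.request("user1", "pw-one", "Sales", "Delete")    # denied: not in the matrix
    matrix.request("user2", "guess", "Purchasing", "Read")  # denied: bad password
    matrix.request("user9", "pw", "Payments", "Read")       # denied: unknown id
    for entry in matrix.failed_attempts():
        print(f"{entry['time']} {entry['user']} {entry['application']}/{entry['privilege']}: {entry['reason']}")
```

Every request is logged, not only the failures, so the review can also confirm that granted access was actually used as expected; the password check always runs, even for an unknown ID, so the response time does not reveal which IDs exist.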
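The Roll-back and Recovery and Concurrency Control slides describe two mechanisms in the abstract: a transaction either completes every step or is rolled back to the initial state, and the DBMS locks an object while one user updates it. The following Python is an added example, not from the slides or Hall's text, that shows both with the sqlite3 module that ships with Python. A two-table sale that fails on its second statement leaves both tables as they were, a second writer is refused while the first holds the lock, and a reader during an uncommitted update still sees the committed value. SQLite locks the whole database file, which is the slides' coarse level of granularity; the tables and rows are constructed.

```python
"""Transaction roll-back and lock-based concurrency control, shown with sqlite3.

Added example, not from the slides or Hall's text. SQLite is used because it
ships with Python; its lock covers the whole database file, i.e. the slides'
coarse level of granularity. Tables and rows are constructed.
"""
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, balance INTEGER NOT NULL);
CREATE TABLE sales(id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL,
                   amount INTEGER NOT NULL CHECK (amount > 0));
INSERT INTO customers VALUES (1, 'Acme', 100);
"""


def connect(path, timeout=0.2):
    # isolation_level=None: no implicit BEGIN, so the code below issues its own.
    return sqlite3.connect(path, isolation_level=None, timeout=timeout)


def balance(con, customer_id):
    return con.execute("SELECT balance FROM customers WHERE id = ?", (customer_id,)).fetchall()[0][0]


def post_sale(con, customer_id, amount):
    """One logical unit of work across two tables: all of it commits or none of it does."""
    con.execute("BEGIN IMMEDIATE")  # take the write lock at the start of the transaction
    try:
        con.execute("UPDATE customers SET balance = balance + ? WHERE id = ?", (amount, customer_id))
        con.execute("INSERT INTO sales(customer_id, amount) VALUES (?, ?)", (customer_id, amount))
        con.execute("COMMIT")
        return True
    except sqlite3.Error:
        con.execute("ROLLBACK")     # the UPDATE above is undone: back to the initial state
        return False


def second_writer_blocked(path):
    """While one connection holds the write lock, a second writer is refused."""
    writer, other = connect(path), connect(path)
    writer.execute("BEGIN IMMEDIATE")
    try:
        other.execute("BEGIN IMMEDIATE")   # waits up to `timeout`, then raises "database is locked"
        other.execute("ROLLBACK")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        writer.execute("ROLLBACK")
        writer.close()
        other.close()


def reader_view(path):
    """A reader during an uncommitted update sees the old value; after COMMIT, the new one."""
    writer, reader = connect(path), connect(path)
    writer.execute("BEGIN IMMEDIATE")
    writer.execute("UPDATE customers SET balance = balance + 50 WHERE id = 1")
    during = balance(reader, 1)
    reader.close()
    writer.execute("COMMIT")
    writer.close()
    after_con = connect(path)
    after = balance(after_con, 1)
    after_con.close()
    return during, after


def run_demo():
    """Build a throwaway database, exercise the controls and return what was observed."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = connect(path)
        con.executescript(SCHEMA)
        results = {
            "good_sale": post_sale(con, 1, 50),   # both tables updated, committed
            "bad_sale": post_sale(con, 1, -5),    # UPDATE ran, INSERT failed its CHECK, rolled back
        }
        results["balance"] = balance(con, 1)                                            # 150, not 145
        results["sales_rows"] = con.execute("SELECT COUNT(*) FROM sales").fetchall()[0][0]  # 1
        con.close()
        results["second_writer_blocked"] = second_writer_blocked(path)
        results["read_during_update"], results["read_after_commit"] = reader_view(path)
        return results
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The failing sale is the case the slides warn about: the balance had already been changed when the second statement failed, and only the ROLLBACK keeps the two tables consistent with each other.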
Continuity Controls – Storage Location & Hardware Redundancy
• Hardware backup is usually needed for component failures:
– Power supplies
– Anything with moving parts
• There are 3 common configurations for redundant storage devices:
– Redundant Array of Independent Disks (RAID)
– Network Attached Storage (NAS)
– Server Area Network (SAN)

Continuity Controls – Redundant Array of Independent Disks (RAID)
• Disk mirroring
– Data is simultaneously written to the primary disk and one or more redundant disks
• Disk striping
– An array of at least three, but usually five, disks is established
– A scheme of parity checks is utilized
– If one disk drive in the array fails, the remaining drives can reconstruct the data on the failed drive and continue processing

[Figure: RAID Mirroring and Striping. Disk Mirroring (RAID): duplicate recording on a single mirrored disk. Disk Striping (RAID): duplicate recording on an array of disks.]

Continuity Controls – Network Attached Storage (NAS)
• Integrates one or more storage devices (NAS appliances) into the local area network (LAN).
• Comprised of one or more disk drives and an internal controller.
• Employs RAID technology to ensure hardware redundancy.
• Can be shared by multiple users on the network.
• Appliances are relatively affordable and scalable.

[Figure: Network Attached Storage (NAS) on a LAN shared by a printer, a scanner, User #1 and User #2.]

Continuity Controls – Server Area Network (SAN)
• Expands NAS to wide area networks (WANs).
• A SAN is a dedicated network.
• A SAN can be linked to multiple LANs.
• Multiple SANs can be simultaneously utilized.
• A SAN can be expensive and technically complicated.
• Capable of handling very high volumes.
• A SAN is a great solution for large companies.
• A SAN is designed to be very fault tolerant.
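The RAID slide states that with a parity scheme the remaining drives can reconstruct the data on a failed drive. The following Python is an added example, not from the slides or Hall's text, that makes the arithmetic visible: data is striped over five disks with one XOR parity block per stripe, the parity position rotating from stripe to stripe (the RAID 5 layout), one disk is discarded, and its contents are rebuilt from the other four. The block size, the in-memory "disks" and the sample data are constructed for the example.

```python
"""Disk striping with a rotating XOR parity block (RAID 5 style) and rebuild of a failed disk.

Added example, not from the slides or Hall's text. Blocks are tiny bytes objects
and the "disks" are Python lists so the arithmetic is visible; the sample data
is constructed.
"""
BLOCK = 4  # bytes per block; small so that a stripe set fits on screen


def xor_blocks(blocks):
    """Bitwise XOR of equal-length byte blocks: the parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe(data, n_disks):
    """Lay data out over n_disks: each stripe holds n_disks-1 data blocks plus one parity
    block, and the parity position rotates per stripe so no single disk is the bottleneck."""
    if n_disks < 3:
        raise ValueError("parity striping needs at least three disks")
    per_stripe = n_disks - 1
    padded = data + b"\x00" * (-len(data) % (BLOCK * per_stripe))
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    disks = [[] for _ in range(n_disks)]
    for s, start in enumerate(range(0, len(blocks), per_stripe)):
        chunk = blocks[start:start + per_stripe]
        parity_disk = s % n_disks
        data_iter = iter(chunk)
        for d in range(n_disks):
            disks[d].append(xor_blocks(chunk) if d == parity_disk else next(data_iter))
    return disks


def rebuild(disks, failed):
    """Reconstruct the failed disk: in every stripe the missing block is the XOR of the
    surviving ones, whether the missing block held data or parity."""
    survivors = [d for d in range(len(disks)) if d != failed]
    n_stripes = len(disks[survivors[0]])
    return [xor_blocks([disks[d][s] for d in survivors]) for s in range(n_stripes)]


def read_all(disks, length):
    """Reassemble the original byte stream, skipping the parity block of each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def demo(data=b"General ledger batch 0042", n_disks=5, failed=2):
    """Stripe the data, lose one disk, rebuild it and read everything back."""
    disks = stripe(data, n_disks)
    original = disks[failed]
    disks[failed] = None            # simulate the drive failure
    disks[failed] = rebuild(disks, failed)
    return disks[failed] == original, read_all(disks, len(data))


if __name__ == "__main__":
    rebuilt_ok, recovered = demo()
    print("rebuilt disk matches:", rebuilt_ok)
    print("recovered data:", recovered)
```

A single parity block recovers exactly one failed disk per stripe; if a second disk fails before the rebuild finishes, the XOR no longer has enough terms and the data is lost, which is why mirroring or a second parity block is used where that window matters.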
[Figure: Server Area Network. A wide area network connected through an input-output controller to four disk storage units.]

Disaster Recovery Controls
• The first step is to plan for various disaster scenarios:
– a) a single server is damaged
– b) an entire company site is demolished
– c) multiple company locations are simultaneously struck by disaster
– d) the entire company is destroyed?

Disaster Recovery Controls
• IT managers and auditors should plan for what, who, when, where, how, which and why.
– determine what just happened
– specify who to contact, in what order, and what they are expected to do
– when to enact the remainder of the contingency plan

Disaster Recovery Controls
• where to transfer the lost computer processing load
– Plan to shift to one or more alternate company locations
– Establish contractual relationships with peer companies in the same industry
• Affordable, but the company's needs may not be a priority for the peer
• Compatibility problems with operating systems
– Establish contractual relationships with third-party providers of alternate computing sites

Disaster Recovery Controls
• Three levels:
1. Cold Site: includes building & basic infrastructure
• bring own computing equipment
• establish the necessary infrastructure
– telephone service, Internet connections
– specialized computer cooling systems (if needed)
– unique power requirements
2. Warm Site: provides basic computer needs
• Not the computers
3. Hot Site: ready to go!
• Complete with computers
• Operating system

Disaster Recovery Controls
• How is the company going to get the computer hardware, people, software and data to the alternate site?
• Which applications are mission critical?
• Why is one application or set of applications more time sensitive than another?

Disaster Recovery Controls
• All affected parties need to be involved in the planning phase.
• The disaster recovery plan is a living document.
• It must be reviewed and updated on a recurrent basis.
• Everyone involved should be initially trained and required to attend periodic refresher sessions.
• Portions of the recovery plan should be tested on an unannounced basis.