Information Technology Audit

1/29/2012
• Main Reference:
– Hall, James A. 2011. Information Technology Auditing and Assurance, 3rd Edition. Florida, USA: Auerbach Publications
• Suggested References:
– Senft, Sandra; Gallegos, Frederick. 2009. Information Technology Control and Audit, Third Edition. Auerbach Publications
– Davis, Chris. 2007. IT Auditing: Using Controls to Protect Information Assets. McGraw-Hill
• Introduction to IT Audit and Control
• Information Technology Environment: Why Are Controls and Audit Important?
• Legal Environment and Its Impact on Information Technology
• Audit and Review: Its Role in Information Technology
• Audit Process in an Information Technology Environment
• Organizing the IT Function
– The IT function must be organized and structured.
– The IT manager must define the role and articulate the value of the IT function.
– Configuration within a company depends on external and internal organizational factors.
– Sound internal controls are essential to the structural framework.
Designing the IT Function
• The ultimate structure of the IT function is often determined by cultural, political and economic forces inherent in each organization.
• Keep separate from one another:
– systems development
– computer operations
– computer security
Systems Development
• Staff have access to operating systems, business applications and other key software.
• Systems developers are authorized to create and alter software logic; therefore, they should not be allowed to process information.
• They should not maintain custody of corporate data and business applications.
Computer Operations
• Operations staff are responsible for:
– Entering data (similar to the internal control concept of 'authorizing transactions')
– Processing information (similar to the internal control concept of 'recording transactions')
– Disseminating output (similar to the internal control concept of 'maintaining custody')
• These duties must be segregated.
Computer Security
• Responsible for the safe-keeping of resources
– includes ensuring that business software applications are secure.
– responsible for the safety ('custody') of corporate information, communication networks and physical facilities
• Systems analysts and programmers should not have access to the production library.
IT Organization Function (org chart)
• IT Function Manager, with four managers reporting: Systems Development Manager (a), Computer Operations Manager (b), Computer Security Manager (c) and User Services Manager.
• Units shown on the chart: Systems Analysis (a), Computer Programming (b), Database Administration (c); Data Input (a), Information Processing (b), Information Output (c); Software Security, Information Security, Network Security, Physical Security; Technical Support, Application Support, User Training, Help Desk; also Quality Control and Continuity of Operations.
IT Auditors Examination
• IT auditors' examination of the IT function
– Auditors should ensure that systems developers and computer operators are segregated.
– It is also advisable for the IT function to form a separate security specialization to maintain custody of software applications and corporate data.
Funding the IT Function
• Must be adequately funded to fulfill strategic objectives.
• Business risk of under-funding:
– Needs and demands of customers, vendors, employees and other stakeholders will go unfulfilled.
– Can adversely impact the success of the company.
• Audit risk of under-funding:
– Heavy workloads can lead to a culture of 'working around' the system of internal controls.
Two funding approaches
1. Cost Center Approach
• Submit a detailed budget to upper management
• Justify each line item
• Use the IT function scorecard approach
– Operational performance
– User satisfaction
– Adaptability and scalability
– Organizational contribution
Two funding approaches
2. Profit Center Approach
• Submit a detailed budget to upper management.
• Charge internal users for services through intracompany billing.
– Positive outcome: managers will not be overly demanding of IT services.
– Negative outcome: IT can build excessive expenses into billing rates until the rates exceed the costs of outside providers.
Acquiring IT Resources
• The IT manager should justify IT capital projects using a methodological approach.
– Determine the net benefit
• Present value of benefits minus costs
– Use the scorecard approach for non-quantifiable paybacks.
Controlling the IT Function
• The major control categories involved in the IT function are:
– Security
– Input
– Processing
– Output
– Databases
– Backup and recovery
• Each of these categories is intended to minimize business and audit risk via internal controls.
Security Controls
• Secure the computing infrastructure from internal and external threats.
• A compromise of the infrastructure can result in:
– business risk
• network downtime
• database corruption
– audit risk
• material misstatements in accounts due to incomplete or inaccurate data capture
Physical Security
• Focuses on keeping facilities, computers, communication equipment and other tangible aspects of the computing infrastructure safe from harm.
Physical Security
Access Restriction
• Only authorized personnel should be allowed into the facility.
• Visitors should be accompanied by authorized personnel at all times.
• Use at all ingress and egress points:
– Security guards
– Card readers
– Keys & locks
– Biometric devices
• Penetration points should be adequately secured.
Physical Security
Monitor Access
• Monitor who is entering, roaming and leaving the facility.
– Security guards
– Video cameras
– Penetration alarms
• Review access evidence.
– Signage log, paper or electronic
• Formal review procedures in place.
Physical Security
Monitor Access (continued)

Security Issue:
• Physical: unauthorized attempts to enter IT facilities; attempts to break in through vulnerable points; as an authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight.
• Logical: unauthorized attempts to enter servers and networks; attempts to override access controls (hacking); as an authorized user, attempts to use unauthorized applications and view unauthorized information.

                  | Physical Controls                                      | Logical Controls
Access Controls   | Security guards; locks & keys; biometric devices       | ID and passwords; authorization matrix; firewalls & encryption
Monitor Controls  | Security guards; video cameras; penetration alarms     | Access logs; supervisory oversight; penetration alarms
Review Controls   | Formal reviews; signage logs; violation investigations | Formal reviews; activity logs; violation investigations
Penetration Tests |                                                        |
Physical Security
Communication & Power Lines
• The IT manager should:
– monitor the primary communication and power lines via cameras and guards
– install secondary (backup) lines in case the primary lines fail.
• The contingency plan must address the possible failure of lines.
Physical Security
Off-Site Equipment
• Equipment located in other places needs to be monitored in the same way.
• An effective backup plan must be in place.
Logical Security
• Data and software are known as the 'logical' components of the infrastructure:
– Corporate data
– Computer software
• user applications
• network systems
• communication systems
• operating systems
Sample Authorization Matrix (figure)
• One matrix per user: User #1 [ID = XXXXX, Password = YYYYY], User #2 [ID = XXXXX, Password = YYYYY], User #3 [ID = XXXXX, Password = YYYYY]
• Row labels, grouped under Information and Applications: Customers, Vendors, Purchasing, Receipts, Payments, A/R, A/P, Sales
• Columns for each row: Add, Edit, Read, Delete; an 'x' in a cell marks a granted permission.
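The authorization matrix above and the auditor's segregation-of-duties check (systems developers versus operators; authorizing versus recording versus custody) can both be expressed as data and tested mechanically. The following is an added example, not code from the slides or the referenced textbooks: the users, resources, grants and the two conflict rules in SOD_CONFLICTS are constructed sample data, and the default-deny lookup is the check an auditor would expect the access-control procedure to make.

```python
"""Authorization-matrix lookup with a segregation-of-duties review.

Added example, not part of the lecture slides. Users, resources and grants
are constructed sample data; the conflict rules are assumptions modelled on
the slides' separation of authorizing, recording and custody.
"""
from dataclasses import dataclass, field

ACTIONS = ("Add", "Edit", "Read", "Delete")   # the matrix's four columns


@dataclass
class Matrix:
    # grants[user][resource] -> set of allowed actions
    grants: dict = field(default_factory=dict)

    def grant(self, user, resource, *actions):
        for a in actions:
            if a not in ACTIONS:
                raise ValueError(f"unknown action {a!r}")
        self.grants.setdefault(user, {}).setdefault(resource, set()).update(actions)

    def is_allowed(self, user, resource, action):
        # Default deny: an unknown user, resource or action gets no access.
        return action in self.grants.get(user, {}).get(resource, set())


# Constructed sample matrix (each 'x' on the slide becomes one entry here).
SAMPLE = Matrix()
SAMPLE.grant("user1", "Customers", "Add", "Edit", "Read")
SAMPLE.grant("user1", "A/R", "Read")
SAMPLE.grant("user2", "Vendors", "Read")
SAMPLE.grant("user2", "Purchasing", "Add", "Read")
SAMPLE.grant("user2", "Payments", "Add", "Read")
SAMPLE.grant("user3", "Sales", "Read")

# Assumed SoD rules: pairs of (resource, action) one person should not hold
# together, because the first authorizes what the second records or pays.
SOD_CONFLICTS = [
    (("Purchasing", "Add"), ("Payments", "Add")),
    (("Customers", "Add"), ("A/R", "Edit")),
]


def sod_violations(matrix, rules=SOD_CONFLICTS):
    """List (user, grant1, grant2) for every user holding both halves of a rule."""
    found = []
    for user, res_map in matrix.grants.items():
        for (r1, a1), (r2, a2) in rules:
            if a1 in res_map.get(r1, set()) and a2 in res_map.get(r2, set()):
                found.append((user, (r1, a1), (r2, a2)))
    return found


if __name__ == "__main__":
    print("user1 may edit Customers:", SAMPLE.is_allowed("user1", "Customers", "Edit"))
    print("SoD violations:", sod_violations(SAMPLE))
```

The review function is the audit step: it reads the same matrix the access-control procedure enforces, so a grant that creates an incompatible combination is reported from the data itself rather than from interviews.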
Logical Security
• Physical controls
– most corporate data and software are located on computers, servers and storage devices
• Computer-controlled access, monitor & review systems
Logical Security
Points of Entry
• Computer terminal
– Supply an authorized ID
– Password
• Internet
– Controls need to govern external access points
– Firewalls
– Track failed attempts to enter the system
Logical Security
Access and Monitor Systems
• Supervisory oversight
• Penetration alarms
– Track usage patterns
– Report failed attempts
• Formal review procedure
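The two penetration-alarm duties on this slide and the previous one, tracking usage patterns and reporting failed attempts to enter the system, come down to reading the access log. The block below is an added example, not from the slides: the log lines and their format are constructed, and the alarm rule (five failures from one source within ten minutes) is an assumed threshold that a real review procedure would set for itself.

```python
"""Failed-attempt alarm and per-user failure summary over an access log.

Added example, not from the slides. The log lines, the line format and the
threshold (5 failures within 10 minutes from one source) are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines: timestamp, result, user id, source address.
LOG = """\
2012-01-29 08:00:05 FAIL  uid=clerk7  src=10.0.0.15
2012-01-29 08:00:09 FAIL  uid=clerk7  src=10.0.0.15
2012-01-29 08:00:14 FAIL  uid=clerk7  src=10.0.0.15
2012-01-29 08:00:20 FAIL  uid=admin   src=10.0.0.15
2012-01-29 08:00:27 FAIL  uid=admin   src=10.0.0.15
2012-01-29 08:01:00 OK    uid=clerk2  src=10.0.0.21
2012-01-29 08:30:00 FAIL  uid=clerk2  src=10.0.0.21
2012-01-29 09:15:00 FAIL  uid=clerk2  src=10.0.0.21
"""


def parse(line):
    """Split one constructed log line into (timestamp, result, user, source)."""
    date, time, result, uid, src = line.split()
    return (datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            result, uid.split("=", 1)[1], src.split("=", 1)[1])


def failed_attempt_alarms(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (source, first_failure, last_failure, users) per source over the threshold."""
    recent = defaultdict(deque)      # src -> failure timestamps inside the window
    users = defaultdict(set)         # src -> user ids tried from that source
    alarms, fired = [], set()
    for line in log_text.splitlines():
        ts, result, uid, src = parse(line)
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(uid)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in fired:
            fired.add(src)                # one alarm per source, not one per line
            alarms.append((src, q[0], ts, sorted(users[src])))
    return alarms


def failures_by_user(log_text):
    """Usage-pattern summary for the formal review: failed attempts per user id."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, result, uid, _ = parse(line)
        if result == "FAIL":
            counts[uid] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, first, last, who in failed_attempt_alarms(LOG):
        print(f"ALARM {src}: {len(who)} user ids tried between {first:%H:%M:%S} and {last:%H:%M:%S}")
    print(failures_by_user(LOG))
```

The sliding window is what separates a burst (the first five lines, which fire the alarm) from the occasional mistyped password at 08:30 and 09:15, which only shows up in the per-user summary for the reviewer.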
Information Controls
• Controls need to be in place and working effectively to ensure the integrity and accuracy of vital decision-making information.
• Must integrate sound backup controls.
Information Controls
Input Controls
• The company must have and follow written procedures regarding the proper authorization, approval and input of accounting transactions.
• Authorization, approval and input are incompatible functions.
– They should be carefully segregated, to the extent possible, and controlled.
Information Controls
Input Controls – 3 Scenarios – #1
• A customer purchases goods at a store counter.
– Authorizing the sale
• A cashier records the sale on the cash register.
– Approving the sale; balances the register; logs into the register with an ID
• An accounting clerk later processes cash register sales in batches.
– Inputs sales transactions into the accounting system in batches
Information Controls
Input Controls – 3 Scenarios – #2
• Same as #1, except the cash register automatically records the sale into the accounting system.
Process Controls
• Validating
• Error handling
• Updating
Database Controls
• Database processing involves simultaneous updating of multiple tables.
• Multiple tables and data items can be instantaneously corrupted when an interruption occurs.
Database Controls
Why corruption is so quick
1. Related tables are inexorably linked to one another.
2. Update routines often incorporate one or more of the following processing techniques:
– Multi-tasking -- where the computer executes more than one task [program] at a time
– Multi-processing -- where multiple CPUs simultaneously execute interdependent tasks [programs]
– Multi-threading -- where a computer executes multiple parts of a program [threads] at one time
Database Controls
Roll-back and Recovery
• Databases operate on a transaction principle.
– A logical unit of work is considered a transaction.
– The processing of a transaction takes the database from an initial state to an altered state, and then to the new initial state.
– Each step must be completed.
– Any failure will result in database corruption.
Database Controls
Roll-back and Recovery
• When there is an interruption, the database management system (DBMS) begins to restore.
• There are numerous technical processes, depending on the DBMS in use.
Database Controls
Roll-back and Recovery – Basic Recovery
• A unique identifier tags each transaction.
• An activity log tracks the transaction as it processes.
• After an interruption, the DBMS identifies the transactions in process.
• A roll-back procedure is performed:
– Uncompleted transactions are placed back into the queue
• Recovery takes place.
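The basic recovery sequence on this slide (unique transaction identifier, activity log, identify transactions in process, roll back, re-queue) is shown end to end in the added example below. It is not code from the slides or any real DBMS: the two-table database, the two transactions, the log record layout and the point at which the interruption strikes are all constructed so that the second transaction is caught half done.

```python
"""Transaction log, roll-back and re-queue after an interruption.

Added example, not from the slides. The tables, the transactions, the log
record format and the interruption point are constructed.
"""
import itertools


class MiniDB:
    def __init__(self):
        self.tables = {"orders": {}, "stock": {}}
        self.log = []                      # activity log: ordered records
        self._ids = itertools.count(1)     # unique transaction identifiers

    def begin(self):
        tid = next(self._ids)
        self.log.append(("BEGIN", tid))
        return tid

    def update(self, tid, table, key, value):
        # Record the old value before changing the table so the change is undoable.
        old = self.tables[table].get(key)
        self.log.append(("UPDATE", tid, table, key, old, value))
        self.tables[table][key] = value

    def commit(self, tid):
        self.log.append(("COMMIT", tid))


def in_process(log):
    """Transactions that began but never committed (what the DBMS looks for after a crash)."""
    begun = {rec[1] for rec in log if rec[0] == "BEGIN"}
    done = {rec[1] for rec in log if rec[0] == "COMMIT"}
    return begun - done


def roll_back(db):
    """Undo the updates of uncompleted transactions, newest first, and return the re-queue."""
    incomplete = in_process(db.log)
    for rec in reversed(db.log):
        if rec[0] == "UPDATE" and rec[1] in incomplete:
            _, _, table, key, old, _ = rec
            if old is None:
                db.tables[table].pop(key, None)   # the row did not exist before
            else:
                db.tables[table][key] = old
    db.log = [rec for rec in db.log if rec[1] not in incomplete]
    return sorted(incomplete)   # transactions placed back into the queue


def simulate_interruption():
    """Run one complete sale, then a second sale interrupted between its two table updates."""
    db = MiniDB()
    t1 = db.begin()
    db.update(t1, "orders", "o100", {"item": "widget", "qty": 5})
    db.update(t1, "stock", "widget", 95)
    db.commit(t1)
    t2 = db.begin()
    db.update(t2, "orders", "o101", {"item": "gadget", "qty": 2})
    # <-- interruption: the matching stock decrement for 'gadget' never happens
    before = {t: dict(rows) for t, rows in db.tables.items()}   # the corrupted state
    requeue = roll_back(db)
    return db, requeue, before


if __name__ == "__main__":
    db, requeue, before = simulate_interruption()
    print("orders before roll-back:", sorted(before["orders"]))
    print("orders after roll-back: ", sorted(db.tables["orders"]))
    print("re-queued transactions: ", requeue)
```

The snapshot taken at the interruption is the "instantaneously corrupted" state the earlier slide warns about: an order row exists with no matching stock movement. Undoing in reverse log order restores the last consistent state, and the returned queue is what gets re-run once recovery completes.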
Database Controls
Concurrency Control
• Concurrency problems arise when multiple users attempt to update the same data item simultaneously,
or when
• one user is updating while another user is reading the same data item.
Database Controls
Concurrency Control
• A common way to prevent concurrency problems is to lock a database object while it is in use and release the object upon completion.
• The DBMS can determine which operation to perform in what order, as it timestamps each transaction when the processing request is initiated.
Database Controls
Concurrency Control – Levels of Granularity
• Coarse level – the database is locked during updates.
– No one can use the database until the update is complete.
• Moderate level – the database locks at the tuple (record) level.
– No one else can use the record until the update is finished.
• Fine level – the database locks at the attribute (field) level.
– Only the field being updated is locked.
Database Controls
Concurrency Control – Levels of Granularity
• Tradeoff: there is an inverse relationship between the granularity level and system performance.
– A lower (finer) level of granular locking equates to slower computer performance.
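The three granularity levels and their tradeoff can be made concrete by replaying the same timestamped requests against a lock manager at each level. The block below is an added example, not from the slides: the five-request workload is constructed, and the cost model (every distinct lock the manager must track counts as one unit of overhead, and a request whose object is already locked must wait) is an assumption that stands in for real lock-table work.

```python
"""Lock granularity trade-off: waiting requests versus lock-management work.

Added example, not from the slides. The workload and the cost model are
constructed assumptions; the replay assumes a burst in which every earlier
request still holds its lock when the next one arrives.
"""
from collections import namedtuple

Request = namedtuple("Request", "ts user table record field")

# Constructed workload: timestamped update requests as the DBMS would queue them.
WORKLOAD = [
    Request(1, "alice", "customers", 10, "balance"),
    Request(2, "bob",   "customers", 10, "address"),   # same record, different field
    Request(3, "carol", "customers", 11, "balance"),   # same table, different record
    Request(4, "dave",  "vendors",   7,  "terms"),     # different table
    Request(5, "erin",  "customers", 10, "balance"),   # same field as alice
]


def lock_key(req, level):
    """Name of the object locked for this request at the chosen granularity."""
    if level == "coarse":      # whole database
        return ("db",)
    if level == "moderate":    # tuple / record
        return (req.table, req.record)
    if level == "fine":        # attribute / field
        return (req.table, req.record, req.field)
    raise ValueError(level)


def run(workload, level):
    """Replay requests in timestamp order.

    Returns (waits, locks_managed): requests blocked by a lock already held, and
    the number of distinct lock entries the manager had to maintain.
    """
    held = set()
    waits = 0
    for req in sorted(workload, key=lambda r: r.ts):   # timestamp decides the order
        key = lock_key(req, level)
        if key in held:
            waits += 1          # object in use by an earlier request -> must wait
        else:
            held.add(key)
    return waits, len(held)


def compare(workload=WORKLOAD):
    """waits and lock entries for each granularity level."""
    return {level: run(workload, level) for level in ("coarse", "moderate", "fine")}


if __name__ == "__main__":
    for level, (waits, locks) in compare().items():
        print(f"{level:9s} waits={waits} locks_managed={locks}")
```

Reading the two numbers together is the point of the slide: moving from coarse to fine cuts the waiting requests from four to one, but the lock manager goes from tracking one entry to tracking four, and that bookkeeping is the performance cost paid for the extra concurrency.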
Output controls
• Only properly authorized parties can request certain output:
– computer screens
– printed reports
• Such logical access control is accomplished via the ID-password authorization matrix procedure.
Output controls
Computer Screens
• Screens need to be physically secure when output is visible.
• Output should be removed when the user leaves the terminal.
• Returning to the screen should require a password.
Output controls
Printed Reports
• Printer rooms need a trail of accountability.
– Locks to prevent unauthorized access.
– Logs to sign in anyone entering.
– Logs to sign for reports.
• End-user report requests should be password protected.
• Network printers should be placed where unauthorized persons will not have access.
Output controls
Printed Reports
• Must have record retention and destruction policies.
– Mandated by regulatory agencies.
– Dictated by company policy.
• Permanent reports must be kept in a secured area.
• Temporary reports must be properly destroyed.
Continuity Controls
• Must develop and follow a sound backup strategy to prevent disruption of business activity due to computer failures and disasters.
• Two key considerations: downtime and cost.
• Shorter downtime requirements equate to higher backup costs.
Continuity Controls
Backup Controls – Data Backup
• Slow company
– Can survive for days without its computer system.
– Would perform a full backup each week.
• Medium company
– Must be back on computers the same day.
– Would perform weekly full backups
– Daily incremental backups
Continuity Controls
Backup Controls – Data Backup
• Fast company
– Must be back on computers within hours
– Needs daily full backups
– Hourly incremental backups
• Lightning company
– Must be back on computers within minutes
– Needs real-time backup
– Simultaneous updating on a remote computer
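The four company tiers trade downtime against cost, and both sides of that trade can be computed from the schedules the slides give. The block below is an added example, not from the slides: it encodes the four schedules in hours, assumes backups run at hour 0 and every interval after, and uses the number of backup jobs per week as a stand-in for cost; the failure time in the usage is constructed.

```python
"""Restore chain, data-loss window and weekly backup load for the four tiers.

Added example, not from the slides. The tier table encodes the slides'
schedules; the hour-based model, the assumption that backups start at hour 0,
and the failure time used for illustration are constructed.
"""
from dataclasses import dataclass
from typing import Optional

HOUR, DAY, WEEK = 1, 24, 24 * 7


@dataclass(frozen=True)
class Tier:
    name: str
    full_every: int                    # hours between full backups
    incremental_every: Optional[int]   # hours between incrementals, None if none
    realtime: bool = False             # continuous update of a remote copy


TIERS = {
    "slow":      Tier("slow", WEEK, None),
    "medium":    Tier("medium", WEEK, DAY),
    "fast":      Tier("fast", DAY, HOUR),
    "lightning": Tier("lightning", DAY, HOUR, realtime=True),
}


def restore_plan(tier, failure_hour):
    """Backups needed to rebuild the system after a failure at `failure_hour`.

    Returns (full_taken_at, [incremental hours], data_loss_hours): restore the
    last full, replay every incremental since it, and everything newer is lost
    unless the tier replicates in real time.
    """
    last_full = (failure_hour // tier.full_every) * tier.full_every
    incrementals = []
    if tier.incremental_every:
        t = last_full + tier.incremental_every
        while t <= failure_hour:
            incrementals.append(t)
            t += tier.incremental_every
    newest = incrementals[-1] if incrementals else last_full
    loss = 0 if tier.realtime else failure_hour - newest
    return last_full, incrementals, loss


def worst_case_loss(tier):
    """Longest possible data-loss window: just under one backup interval."""
    if tier.realtime:
        return 0
    return tier.incremental_every or tier.full_every


def jobs_per_week(tier):
    """(full, incremental) backup jobs per week; the cost side of the tradeoff."""
    fulls = WEEK // tier.full_every
    incrs = (WEEK // tier.incremental_every - fulls) if tier.incremental_every else 0
    return fulls, incrs


if __name__ == "__main__":
    for name, tier in TIERS.items():
        full, incr, loss = restore_plan(tier, failure_hour=100)   # constructed failure time
        print(f"{name:9s} restore: full@{full}h + {len(incr)} incrementals, "
              f"loss {loss}h (worst {worst_case_loss(tier)}h), jobs/week {jobs_per_week(tier)}")
```

Lining up the worst-case loss column (168 h, 24 h, 1 h, 0 h) against the jobs-per-week column (1, 7, 168, 168 plus continuous replication) is the slide's "shorter downtime requirements equate to higher backup costs" in numbers.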
Continuity Controls
Storage location & hardware redundancy
Physical Vaulting
• One backup on-site, one off-site
– The on-site copy is readily accessible if there is no disaster
– The off-site copy is retrievable if there is a disaster
• This strategy involves more time and money
Continuity Controls
Storage location & hardware redundancy
Electronic Vaulting
• Send backup data over a communications network (such as the Internet) to an off-site storage medium.
• Send to the home of an employee.
• Send to another company location.
• Purchase an outside service.
• Costs and accessibility are considerations.
Continuity Controls
Storage location & hardware redundancy
• Hardware backup is usually needed for component failures:
– Power supplies
– Anything with moving parts
• There are 3 common configurations for redundant storage devices:
– Redundant Array of Independent Disks (RAID)
– Network Attached Storage (NAS)
– Server Area Network (SAN)
Continuity Controls
Redundant Array of Independent Disks (RAID)
• Disk mirroring
– Data is simultaneously written to the primary disk and one or more redundant disks
• Disk striping
– An array of at least three, but usually five, disks is established
– A scheme of parity checks is utilized
– If one disk drive in the array fails, the remaining drives can reconstruct the data on the failed drive and continue processing
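The striping bullet says the remaining drives can reconstruct a failed drive through parity; the added example below shows the mechanism on a five-disk array using XOR parity. It is not code from the slides and not a faithful layout of any particular RAID level (it keeps parity on one fixed disk, whereas real striped-with-parity arrays rotate it): the array size, chunk size and the data written are constructed.

```python
"""Striping with XOR parity and reconstruction of a failed drive.

Added example, not from the slides. The five-disk array, chunk size and data
are constructed; parity lives on the last disk for simplicity.
"""


def xor_bytes(blocks):
    """Bitwise XOR of equal-length byte strings: the parity computation."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, v in enumerate(b):
            out[i] ^= v
    return bytes(out)


def stripe(data, ndisks, chunk):
    """Spread data over ndisks-1 data disks; the last disk holds each stripe's parity.

    Returns a list of disks, each a list of chunks (one chunk per stripe).
    """
    data_disks = ndisks - 1
    padded = data + b"\x00" * (-len(data) % (chunk * data_disks))   # fill the last stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(0, len(padded), chunk * data_disks):
        chunks = [padded[s + i * chunk: s + (i + 1) * chunk] for i in range(data_disks)]
        for d, c in enumerate(chunks):
            disks[d].append(c)
        disks[-1].append(xor_bytes(chunks))    # parity = XOR of the stripe's data chunks
    return disks


def rebuild(disks, failed):
    """Reconstruct every chunk of the failed drive from the surviving drives.

    XOR of all other chunks in a stripe (data and parity) equals the missing one.
    """
    nstripes = len(disks[(failed + 1) % len(disks)])
    rebuilt = []
    for s in range(nstripes):
        others = [disks[d][s] for d in range(len(disks)) if d != failed]
        rebuilt.append(xor_bytes(others))
    return rebuilt


def read_all(disks, length):
    """Reassemble the original data from the data disks (drops the padding)."""
    data_disks = len(disks) - 1
    out = b"".join(disks[d][s] for s in range(len(disks[0])) for d in range(data_disks))
    return out[:length]


def demo():
    """Lose one data disk, rebuild it, and confirm nothing was lost."""
    data = b"ledger entries for the audit period 2012-01"   # constructed
    disks = stripe(data, ndisks=5, chunk=4)
    lost = disks[2]
    disks[2] = None                      # simulate the drive failure
    disks[2] = rebuild(disks, 2)         # survivors reconstruct it
    return disks[2] == lost and read_all(disks, len(data)) == data


if __name__ == "__main__":
    print("rebuild after single-disk failure succeeded:", demo())
```

Because any one chunk in a stripe is the XOR of the others, the same rebuild routine works whether the failed disk held data or parity, which is why a single failure can be survived while processing continues; a second failure in the same stripe before the rebuild finishes cannot.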
RAID Mirroring and Striping (figure)
• Disk mirroring (RAID): duplicate recording on a single mirrored disk
• Disk striping (RAID): duplicate recording on an array of disks
Continuity Controls
Network Attached Storage (NAS)
• Integrates one or more storage devices (NAS appliances) into the local area network (LAN).
• Comprised of one or more disk drives and an internal controller.
• Employs RAID technology to ensure hardware redundancy.
• Can be shared by multiple users on the network.
• Appliances are relatively affordable and scalable.
[Figure: LAN connecting Printer, Scanner, User #1, User #2 and the Network Attached Storage (NAS)]
Continuity Controls
Server Area Network (SAN)
• Expands NAS to wide area networks (WAN).
• A SAN is a dedicated network.
• A SAN can be linked to multiple LANs.
• Multiple SANs can be simultaneously utilized.
• A SAN can be expensive and technically complicated.
• Capable of handling very high volumes.
• A SAN is a great solution for large companies.
• A SAN is designed to be very fault tolerant.
[Figure: SAN reached over a Wide Area Network through an Input-Output Controller serving four Disk Storage units]
Disaster Recovery Controls
• The first step is to plan for various disaster scenarios:
– a) a single server is damaged
– b) an entire company site is demolished
– c) multiple company locations are simultaneously struck by disaster
– d) the entire company is destroyed?
Disaster Recovery Controls
• IT managers and auditors should plan for what, who, when, where, how, which and why.
– What: determine what just happened
– Who: specify who to contact, in what order, and what they are expected to do
– When: when to enact the remainder of the contingency plan
Disaster Recovery Controls
• Where: where to transfer the lost computer processing load
– Plan to shift to one or more alternate company locations
– Establish contractual relationships with peer companies in the same industry
• Affordable, but your needs may not be their priority.
• Compatibility problems with operating systems
– Establish contractual relationships with third-party providers of alternate computing sites.
Disaster Recovery Controls
• Three levels:
1. Cold site: includes building & basic infrastructure
• bring own computing equipment
• establish the necessary infrastructure
– telephone service, Internet connections
– specialized computer cooling systems (if needed)
– unique power requirements
2. Warm site: provides basic computer needs
• but not the computers
3. Hot site: ready to go!
• complete with computers
• operating system
Disaster Recovery Controls
• How: how is the company going to get the computer hardware, people, software and data to the alternate site?
• Which: which applications are mission critical?
• Why: why is one application or set of applications more time sensitive than another?
Disaster Recovery Controls
• All affected parties need to be involved in the planning phase.
• The disaster recovery plan is a living document.
• It must be reviewed and updated on a recurrent basis.
• Everyone involved should be initially trained and required to attend periodic refresher sessions.
• Portions of the recovery plan should be tested on an unannounced basis.