What to Audit & Why

Derek J. Oliver
Ravenswood Consultants Ltd
Why me?
- 20+ years in IS Audit & Security
- Former Head of UK Internal Audit, FDC
- Certified Information Systems Auditor
- Certified Information Security Manager
- Certified Fraud Examiner
- Fellow of the British Computer Society
- Fellow of the Institution of Analysts & Programmers
- Past President, ISACA, London Chapter
Programme
- The Failsafe Approach
  - Essential Audits
  - “Nobody ever got the sack . . . . .”
- The Real Life Approach
  - Risk-based auditing
    - What could go wrong?
    - Would it matter if it did?
    - What can we do about it?
WHO CARES?
The Failsafe Approach: nobody ever got the sack for scheduling these audits.
The Annual Audit Plan #1: Transaction Processing
- Trace key transactions through the process, from document receipt to final print
- Input Controls
  - Validation; credibility etc.
- Processing Controls
  - Run-to-run totals; checkpointing etc.
- Output Controls
  - System balancing; report distribution etc.
The Annual Audit Plan #2: Logical Security
- Access Control
  - Hierarchic restrictions
  - Access to Source Code
  - Access to Production Systems
  - Access to Operating Systems
  - Access to Utilities
The Annual Audit Plan #3: Change Management
- Access to Source Code
- Development Libraries
- Testing
- Quality Assurance
- Transfer to Production
- Implementation Control
- Division of Duties
The Annual Audit Plan #4: Physical Security
Justification: Risk Based Audit Planning!
- #1: Is the computer system working? Are all the controls working?
- #2: Is essential data secure? Are programs secure?
  (But what if confidentiality is not a business risk in your organization?)
- #3: Can unknown changes be made to programs? Are all changes properly tested & authorized?
  (But this only needs to be done once, because systems cannot change themselves. Do you need sophisticated change management?)
- #4: Can strangers or unauthorised people disrupt your systems?
  (Probably a likely annual audit.)
But how do you know what’s important to your business?
The “Real Life” Approach: Risk Based Auditing, or Meeting the Business Needs!
The Risk-Based Approach
- MUST address BUSINESS risk; no other risk is relevant
- For every audit, you should ask: “How will this audit help my company to achieve its stated business objectives?”
- If you can’t answer this, then . . . . why are you conducting the audit?
It’s the old, old question . . . . .
Why did the Auditor cross the road?
Because according to the audit file, that’s what they did three years ago!
Why is RISK important?
- Business must take risks!
- Business must live with risks!
- Business must understand risks!
- Business must control risks!
BUSINESS!
How can RISK be identified?
Work backwards . . . . . .
- What could happen to the business?
  - Fail to comply with legislation
  - Lose business to competitors
  - Lose customer / public confidence
- How could it happen?
- Are there controls to prevent it happening?
- Are there controls to minimise the effect?
- What do we need to know?
Core Businesses and Critical Support Units
An inventory of core businesses should be made:
- Has this been done?
- What are they?
- Why are they core?
When these have been established, we can further analyze the situation.
Core Businesses and Critical Support Units
What constitutes a core business operation for an organization?
a. Revenue
b. Net income
c. Cash flow
Core Businesses and Critical Support Units
- What constitutes a critical business unit within core business?
  - What criteria would you use?
  - Would you make any classifications by type?
    - Productive Operations
    - Support Operations
  - How would you define them?
    - Function
    - Product line
    - Department
Core Businesses and Critical Support Units
- What is the importance of making these determinations?
- What critical computer application systems support these operations or departments?
  - What is the importance of knowing this?
  - Are they in a state of transition?
Why analyse RISK?
- Enable risks to be compared, using a standard approach!
- Enable risks to be addressed by an appropriate parameter:
  - By the most serious effect
  - By the easiest / cheapest / quickest to control
  - According to business objectives / strategy
- Enable a business decision on risk strategy
What is RISK Strategy?
- Linking risk to business objectives
- Balancing cost of control against potential loss, e.g. Disaster Recovery
Managing & Controlling RISK
1. Identify the THREATS
2. Assess the level of RISK
3. Establish the EXPOSURE
4. Design & Implement CONTROL
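As an added worked example, not taken from these slides or from Ravenswood Consultants’ material, the following Python script carries the four steps above (identify threats, assess risk, establish exposure, design control) through to the cost-of-control balance from the previous slide and the two ranking parameters from “Why analyse RISK?” (most serious effect, cheapest control). Every threat name, likelihood, impact figure, control cost and reduction factor is constructed for illustration; the scoring model (exposure as likelihood times impact, a control justified when it costs less than the loss it avoids) is a common quantitative approach and is an assumption here, not a formula stated on the slides.

```python
"""Risk-based audit prioritisation, worked through in code.
All figures below are constructed for illustration only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float   # step 2: expected occurrences per year (assumed)
    impact: float       # loss per occurrence, in currency units (assumed)

    @property
    def exposure(self) -> float:
        """Step 3: annualised expected loss = likelihood x impact."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # cost of running the control for a year (assumed)
    reduction: float    # fraction of the exposure it removes, 0..1 (assumed)


def residual_exposure(threat: Threat, control: Control) -> float:
    """Step 4: the exposure left once the control is in place, i.e. the
    risk the business is choosing to live with."""
    if not 0.0 <= control.reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    return threat.exposure * (1.0 - control.reduction)


def net_benefit(threat: Threat, control: Control) -> float:
    """Loss avoided by the control minus what the control costs to run."""
    avoided = threat.exposure - residual_exposure(threat, control)
    return avoided - control.annual_cost


def is_justified(threat: Threat, control: Control) -> bool:
    """Cost-of-control balance: worth implementing only if the control
    costs less than the loss it prevents."""
    return net_benefit(threat, control) > 0.0


def rank_by_effect(threats):
    """Address risks by the most serious effect: largest exposure first."""
    return sorted(threats, key=lambda t: t.exposure, reverse=True)


def rank_by_cheapest_control(pairs):
    """Address risks by the cheapest justified control first; pairs whose
    control is not justified are left out of the ranking."""
    justified = [(t, c) for t, c in pairs if is_justified(t, c)]
    return sorted(justified, key=lambda tc: tc[1].annual_cost)


# Step 1: a constructed threat inventory, one per audit area on the deck,
# paired with a candidate control (also constructed).
SAMPLE_THREATS = [
    Threat("Fraud through weak division of duties", 0.5, 200_000.0),
    Threat("Unauthorised program change reaches production", 2.0, 15_000.0),
    Threat("Data-centre outage disrupts processing", 0.1, 800_000.0),
]
SAMPLE_CONTROLS = [
    Control("Balancing controls & management checks", 20_000.0, 0.80),
    Control("Change management with QA sign-off", 25_000.0, 0.90),
    Control("Stand-by disaster recovery site", 90_000.0, 0.95),
]
SAMPLE_PAIRS = list(zip(SAMPLE_THREATS, SAMPLE_CONTROLS))


def audit_plan(pairs):
    """One row per threat: exposure, residual exposure and the decision."""
    return [
        {
            "threat": threat.name,
            "exposure": threat.exposure,
            "control": control.name,
            "residual": residual_exposure(threat, control),
            "justified": is_justified(threat, control),
        }
        for threat, control in pairs
    ]


if __name__ == "__main__":
    for row in audit_plan(SAMPLE_PAIRS):
        verdict = "implement" if row["justified"] else "accept residual risk"
        print(f"{row['threat']:<48} exposure={row['exposure']:>10,.0f} "
              f"residual={row['residual']:>9,.0f}  {verdict}")
```

Run as a script it prints one line per threat; in the constructed figures the fraud and change-management controls pay for themselves while the disaster recovery site costs more than the loss it would avoid, so that residual exposure is the risk the business is living with, which is exactly the decision the deck says must be made on business grounds rather than by the auditor.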
Managing Risk
- PREVENTION: Remove the THREAT
- DETERRENCE: Minimise the RISK
- DETECTION: Minimise the EXPOSURE
Managing Risk?
Nothing new: consider the Caveman . . . ?
What about the Romans . . . !
Not forgetting the Merchant Navy . . . . !
Preventive Control
- Early Man feared attack from animals, so lived in a cave; most armies fought with the protection of armour.
- We may identify confidentiality as a risk, so implement strict logical access control.
Deterrent Control
- The Romans feared insurgence, so maintained a big, well-trained army.
- We may identify information theft as a risk, so log all user online activity.
Detective Control
- Ships were sinking through being overloaded, so the Plimsoll Line was introduced.
- We may identify fraud as a risk, and implement balancing controls & management checks.
Risk - Summary
- RISK must be Managed
- RISK must be Controlled
- RISK must be Understood
- CONTROL must reflect BUSINESS needs
- CONTROL must be appropriate
- CONTROL must be reasonable
So, the WHY is likely to be: what represents RISK to the BUSINESS
- Losing Money
  - Theft
  - Fraud
- Losing Market Share
- Losing Customers
- Losing out to Competition
- Failing to achieve objectives
- Failing to achieve growth
That’s the why, but HOW?
- Loss of Money:
  - Poor management controls = opportunity?
  - Poor logical security = fraud? abuse?
  - Poor physical security = theft? vandalism?
  - Incorrect data processing = disappearing money?
  - Late or over-budget projects = disappearing money!!!
- Loss of Information:
  - Poor logical security = espionage? legislation?
  - Poor management controls = legislation?
  - Poor physical security = errors? fraud?
  - Poor availability = lost or corrupted data?
Resulting in . . . apart from the obvious
- Lost money = lost cash flow = poor performance = lost market share = shareholder concern
- Released data = public humiliation = lost confidence = lost market share = shareholder concern
- Lost/bad data = lost business = lost money = lost market share = shareholder concern
Then, to get to the audit plan: WHERE can this go wrong?
- #1 Transaction Control
- #2 Logical Security
- #3 Change Management & QA
- #4 Physical Security
- #5 Project Management
- #6 Disruption
Which gives us our Annual Audit Plan . . .
1. Transaction Processing Management
2. Logical Security
3. Change Management
4. Physical Security
5. Project Management & QA
6. Disaster Recovery Planning
So let’s start to reach the conclusion
The Audit Plan must be based on:
- ‘What could go wrong?’
- ‘What would be the effect if it did?’
- ‘How could it happen?’
- ‘Can we prevent it by removing the risk?’
- ‘Can we minimise the effect by control?’
- ‘What risk are we living with?’
And of course, we now have
Is about Risk Management
- Identify the inherent risk
- Quantify the risk
- Control the risk
- Assess the residual risk
- Evaluate controls
- Regularly assess & report residual risk
Conclusion
When considering how to manage Risk . . . . it’s the BUSINESS NEEDS that count!
What to Audit & Why?
Questions?
Derek J. Oliver CISA, CFE
Ravenswood Consultants Limited