CAACM’s 7th Annual
General Meeting &
Conference
David Hall
President
Institute of Internal Auditors, Jamaica
July 29, 2013
“Demystifying IT Audit Issues and
Jargon for More Effective Reporting
and Issues Resolution.”
Agenda
1. IT Jargon
2. What is Information Technology Audit
3. Categories of IT Audit
4. Wireless Network
5. Mobile network
6. System Interface
7. Data Management
8. Segregation of Duties
9. Administrative Access
10. What is IT Governance
11. What should IT Governance Deliver
12. Questions for Executive Management & CEO
13. Questions for the Board
IT (Information Technology) Jargon – What Is It?
APPLE – IT IS NOT A FRUIT
IT IS an American company famous for developing the
Macintosh computer and the iPod MP3 player.
APPLICATION – IT IS NOT AN APPLICATION FORM
IT IS a program used to perform a specific task, e.g. a word processor,
or the Microsoft suite of products.
BACKUP – IT IS NOT A CAR BACKING UP
IT IS a secondary copy of important documents and data
kept as insurance against loss due to a hardware failure or
accidental deletion.
ADSL - Asymmetric Digital Subscriber Line.
Technology that allows rapid transmission of data over a telephone
line. ADSL provides a convenient method of accessing the Internet
at broadband speeds without the need for a cable connection.
Unlike dial-up, ADSL allows you to make phone calls whilst online.
BIT – IT IS NOT SOMETHING IN A HORSE'S MOUTH
The smallest element of computer data. A bit is a number equal to 1 or 0.
The number is represented in digital electronics by a switch that is either
on or off. Larger numbers can be stored as groups of several bits.
A group of eight bits is known as a byte.
BLUETOOTH – IT IS NOT A DECAYING TOOTH
IT IS a short-range wireless technology used to transfer data between mobile
phones, computers and other devices.
BOOT – COMPUTER START-UP
BUG – IT IS NOT A CREEPY INSECT
It is a mistake in the design of a computer program that prevents it from
working correctly. The term originates from a malfunction in one of the
earliest computers which was caused by a moth.
Debugging – The process of finding and correcting bugs in a computer program.
COOKIE – IT IS NOT A CHOCOLATE CHIP
A small file created by a browser to store information about a web site.
Cookies are typically used to identify previous visitors to the site, remember
their user names and passwords, and customize the site to suit their preferences.
It is usually safe to delete all the cookies on your computer.
THE "MAC" – IT IS NOT A HAMBURGER
IT IS A COMPUTER.
FIREWALL - IT IS NOT A WALL ON FIRE
A program or device that limits access to a computer from an
external network for security reasons. A computer connected to the
Internet without a firewall is more vulnerable to hackers.
A MOUSE – IS NOT THAT ANNOYING RODENT
A device that controls a pointer on
the screen and allows objects to be
manipulated by clicking or dragging
them.
PHISHING
A form of Internet fraud that involves
tricking people into revealing confidential
information (e.g. credit card details, user
names, passwords etc.) by means of a
fake e-mail that appears to come from a
well-known, legitimate organisation (e.g. a
bank).
PORT
WORM
A self-replicating program that spreads from one
computer to another, usually causing damage
and compromising security in the process.
They are purposefully written by vandals to cause
as much disruption as possible, or by hackers to
compromise the security of a computer.
IIA Research Foundation
ZIP
A type of compression commonly applied to text-based files.
A file that has been compressed in Zip format must be extracted
(i.e. decompressed) before it can be opened.
CLOUD
There's a good chance you've already used some form of
cloud computing.
If you have an e-mail account with a Web-based e-mail
service like Hotmail, Yahoo! Mail or Gmail, then you've had
some experience with cloud computing.
Instead of running an e-mail program on your computer, you
log in to a Web e-mail account remotely.
The software and storage for your account do not exist on
your computer; they are on the service's computer cloud.
Software as a service (SaaS)
Cloud-based applications—or software as a service (SaaS)—run
on distant computers “in the cloud” that are owned and operated
by others and that connect to users’ computers via the Internet
and, usually, a web browser
Platform as a service (PaaS)
Platform as a service provides a cloud-based environment with
everything required to support the complete lifecycle of building
and delivering web-based (cloud) applications—without the cost
and complexity of buying and managing the underlying hardware,
software, provisioning and hosting
What is an Information Technology Audit ?
An information technology audit, or information systems
audit, is an examination of the management controls within
an Information technology (IT) infrastructure.
The evaluation of obtained evidence determines if the
information systems are safeguarding assets, maintaining data
integrity, and operating effectively to achieve the
organization's goals or objectives.
These reviews may be performed in conjunction with a
financial statement audit, internal audit, or other forms.
Further Definition: An information technology audit is an
examination of the checks and balances, or controls, within an
information technology (IT) group.
An IT audit collects and evaluates "evidence" of an
organization's information systems, practices, and operations.
The evaluation of this evidence determines if the information
systems are safeguarding the information assets, maintaining
data integrity, and operating effectively and efficiently to
achieve the organization's business goals or objectives.
The IT audit aims to evaluate the following:
1. Availability - Will the organization's computer systems be
available for the business at all times when required?
2. Security and Confidentiality - Will the information in the
systems be disclosed only to authorized users?
3. Integrity - Will the information provided by the system
always be accurate, reliable, and timely?
The audit aims to assess the risks to the company's most valuable
asset (its information) and to establish methods of minimizing
those risks.
Five (5) Categories of IT Audits
(1) Systems and Applications: An audit to verify that systems and
applications are appropriate, are efficient, and are adequately
controlled to ensure valid, reliable, timely, and secure input,
processing, and output at all levels of a system's activity.
(2) Information Processing Facilities: An audit to verify that the
processing facility is controlled to ensure timely, accurate, and
efficient processing of applications under normal and potentially
disruptive conditions.
(3) Systems Development: An audit to verify that the systems
under development meet the objectives of the organization, and
to ensure that the systems are developed in accordance with
generally accepted standards for systems development.
(4) Management of IT and Enterprise Architecture: An audit to
verify that IT management has developed an organizational
structure and procedures to ensure a controlled and efficient
environment for information processing.
(5) Client/Server, Telecommunications, Intranets, and
Extranets: An audit to verify that telecommunications controls
are in place on the client (computer receiving services),
server, and on the network connecting the clients and servers.
I. Wireless Networks
Wireless networks are proliferating throughout organizations,
because they are useful and can support business objectives
directly.
However, they are also easy to set up (as any person who
has set up a home wireless network can likely attest to) and
provide a potential entry point into the corporate
network.
CAEs should be concerned both with the security of wireless
networks that are authorized by the organization and with
rogue wireless networks that users have established without
authorization.
I. Wireless Network Risks
• Intrusion – Wireless networks may allow unauthorized entry
into the corporate network.
• Eavesdropping – Wireless networks may allow
unauthorized personnel to access confidential information
that is transmitted across wireless networks.
• Hijacking – An unauthorized user may hijack the session of
an authorized user connected to a wireless network and use
that session to access the corporate network.
• Radio Frequency (RF) Management – The wireless network
may send transmissions into unwanted areas, which may
have other impacts.
For example, hospitals may have equipment that reacts
poorly to radio wave transmissions and therefore should not
be exposed to wireless networks.
I. Recommendations for Wireless Networks
Perform a thorough wireless network audit that includes the following
two components:
1. The IT function should assess the existence and location
of all approved and non-approved networks across all
locations.
This will entail an IT auditor physically going through
business unit locations with an antenna, trying to detect
the presence of wireless devices.
2. At a minimum, the IT auditor should obtain and review
a listing of all wireless networks approved by the
organization.
Corporate policies and procedures should be
established for wireless networks and should provide
guidelines for securing and controlling these networks,
including the use of data encryption and authentication
to the wireless network.
The IT auditor should review the configuration of the
known wireless networks to ensure compliance with
developed policies and procedures.
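The two audit components above produce two lists that the auditor has to reconcile: what the walk-through with an antenna detected, and what the organization says it has approved. The script below is an added example (it is not from the presentation or from the IIA) of that reconciliation, flagging unapproved access points, approved ones whose configuration has drifted from the baseline, any network running a mode the policy forbids, and approved networks the survey never saw. All SSIDs, BSSIDs, locations and the policy values are constructed sample data, and the field names are assumptions.

```python
"""Rogue wireless network and configuration-compliance check.

Added example, not from the presentation: it reconciles a site survey
(the walk-through with an antenna) against the approved wireless
inventory and the corporate wireless policy.  Every SSID, BSSID,
location and policy value here is constructed sample data.
"""
from dataclasses import dataclass

# Constructed policy: security modes that fail the "data encryption and
# authentication" requirement of the corporate wireless standard.
WEAK_SECURITY = {"Open", "WEP"}


@dataclass(frozen=True)
class WirelessNetwork:
    ssid: str
    bssid: str      # access point hardware address (constructed values)
    security: str   # e.g. "Open", "WEP", "WPA2-PSK", "WPA2-Enterprise"
    location: str   # site where the network was approved or detected


# Constructed: the approved-network listing obtained from the IT function,
# keyed by BSSID so each physical access point has one baseline.
APPROVED = {
    "00:11:22:33:44:01": WirelessNetwork("CORP-WIFI", "00:11:22:33:44:01", "WPA2-Enterprise", "HQ-Floor1"),
    "00:11:22:33:44:02": WirelessNetwork("CORP-WIFI", "00:11:22:33:44:02", "WPA2-Enterprise", "HQ-Floor2"),
    "00:11:22:33:44:03": WirelessNetwork("CORP-GUEST", "00:11:22:33:44:03", "WPA2-PSK", "HQ-Lobby"),
    "00:11:22:33:44:04": WirelessNetwork("CORP-WIFI", "00:11:22:33:44:04", "WPA2-Enterprise", "Branch-MoBay"),
}

# Constructed: what the survey actually detected across the locations.
SURVEY = [
    WirelessNetwork("CORP-WIFI", "00:11:22:33:44:01", "WPA2-Enterprise", "HQ-Floor1"),
    WirelessNetwork("CORP-WIFI", "00:11:22:33:44:02", "WPA2-PSK", "HQ-Floor2"),     # drifted from baseline
    WirelessNetwork("CORP-GUEST", "00:11:22:33:44:03", "WPA2-PSK", "HQ-Lobby"),
    WirelessNetwork("CORP-WIFI", "AA:BB:CC:DD:EE:01", "Open", "Branch-Kingston"),   # unapproved, corporate SSID
    WirelessNetwork("Printer-Setup", "AA:BB:CC:DD:EE:02", "WEP", "HQ-Floor3"),      # unapproved
]


def audit_wireless(survey, approved, weak_security=WEAK_SECURITY):
    """Compare detected networks with the approved listing and the policy.

    Returns a dict of BSSID lists:
      rogue         - detected but not in the approved listing
      impersonating - rogue APs broadcasting an approved SSID
      drift         - approved APs whose SSID/security differ from baseline
      weak          - any detected AP using a mode the policy forbids
      not_seen      - approved APs the survey did not detect (inventory
                      stale, or a location missed on the walk-through)
    """
    findings = {"rogue": [], "impersonating": [], "drift": [], "weak": []}
    approved_ssids = {net.ssid for net in approved.values()}
    seen = set()
    for net in survey:
        seen.add(net.bssid)
        baseline = approved.get(net.bssid)
        if baseline is None:
            findings["rogue"].append(net.bssid)
            if net.ssid in approved_ssids:
                findings["impersonating"].append(net.bssid)
        elif (net.ssid, net.security) != (baseline.ssid, baseline.security):
            findings["drift"].append(net.bssid)
        if net.security in weak_security:
            findings["weak"].append(net.bssid)
    findings["not_seen"] = sorted(set(approved) - seen)
    return findings


def report(findings):
    """Render the findings as plain lines for the working papers."""
    lines = []
    for category, bssids in findings.items():
        lines.append(f"{category:13s}: {', '.join(bssids) if bssids else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_wireless(SURVEY, APPROVED)))
```

Keying the baseline by BSSID rather than SSID is deliberate: an unapproved access point can broadcast the corporate SSID, and matching on name alone would hide it. The `not_seen` list is as useful as the rogue list, since it shows where the approved inventory and the physical estate have diverged.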
II. Mobile Devices
Most organizations have recognized the value of wireless
devices such as Blackberrys, Personal Digital Assistants
(PDAs) or smart phones.
However, not all organizations have grasped the risk of
using these devices.
II. Mobile Device Risks
If the device is not configured in a secure fashion, the
confidentiality of the data it holds may be impacted if the device is
lost or stolen.
The transmission of data to the device itself may not be
secure, potentially compromising the confidentiality or
integrity of that data.
Furthermore, these devices may allow remote access into
corporate networks.
Consider, for example, a beverage distribution company
that equips route drivers with wireless devices that are
used to book inventory transactions as they deliver product
to each customer.
II. Recommendations for Mobile Devices
The IT auditor should review mobile device management.
At a minimum, consideration should be given to:
• Provisioning – The process for a user to procure a
device.
• Standardization – Are devices standardized?
• Security Configuration – What policies and procedures
have been established for defining security baselines for
devices?
• Data Transmission – How is data transmission controlled?
• Access Into Corporate Networks – Do devices provide
access into the corporate network? If so, how is that
controlled?
• Lost or Stolen Devices – How would the company identify
lost or stolen devices and terminate service to them?
• Interface Software – If these devices initiate business
transactions, how is that information interfaced into the
corporate applications?
III. Interfaces
Complex IT environments often require complex interfaces to
integrate their critical business applications.
These interfaces may be enabled with middleware
technology, which acts as a central point of communication and
coordination for interfaces.
Interfaces are also difficult to classify.
They are similar in function to an infrastructure, or supporting
technology, yet they are software applications that may
actually process transactions.
III. Interface Risks
Interfaces, and middleware in particular, are a critical link
in the end-to-end processing of transactions. At a
minimum, they move data from one system to another.
Interfaces may also pose a single point of failure to the
organization. Consider Company XYZ, which is running
an ERP system for financial consolidation.
The distributed business units all maintain interfaces
from a variety of disparate systems up to the central
corporate system of the company.
There are approximately 200 of these interfaces, all
running through a single middleware server and
application.
If that middleware server suddenly stopped functioning, it
would have a substantial impact on the operations of the
company.
III. Recommendations for Interfaces
The CAE should ensure the IT risk assessment and audit
universe considers interfaces and middleware. Specific items
that should be considered are:
• Use of Software to Manage Interfaces – Does the software
transform data or merely move it from place to place?
• Interface IDs – The interface software will probably need
access into the systems to/from which it is moving data. How
is this access managed? Are generic IDs used? What access
are these IDs granted, and who has access to use these
IDs?
• Interface Directories – Are all data moved through a
single interface directory? Who has access to that directory?
How is it secured and controlled?
If so, does the directory also contain data used in wire
transfers or outbound electronic payments? How is the clerk
restricted from these data sets?
• Interface Types – What types of interfaces are used?
Are they real-time or batch-oriented? What transactions
do they support? Do they initiate the processing of
other transactions (e.g. interfaced sales orders initiating
the shipment of goods)?
IV. Data Management
Organizations are automating more and more business
processes and functions. At the same time, the cost of
data storage is becoming cheaper and cheaper.
These issues have led to the proliferation of large
corporate data storage solutions.
As organizations begin to manage these large repositories
of data, many issues emerge.
IIA Professional Practices Framework
IV. Data Management Risks
Failure to manage data repositories, or storage area
networks, may result in the loss of critical business data
availability.
Organizations must ensure that the integrity of these storage
solutions is maintained adequately. New management and
maintenance technologies must be deployed, and new
management processes must be defined.
Moreover, the growth in data storage also coincides with the
promulgation of many new laws, statutes, and regulations
regarding the management of data.
IV. Data Management Recommendations
Perform a thorough data management review. At a minimum,
consideration should be given to:
• Data Classification – Has the organization gone through a
data classification exercise? What types of data categories
have been established, and what were the criteria for
organizing data into those categories?
• Data Ownership – Has the organization formally assigned
ownership of data to specific data owners? Have the
responsibilities of these data owners been documented?
• Data Retention – Has a data retention strategy been
developed?
V. Privacy
Data privacy and consumer rights are highly visible topics
today. A large number of data privacy laws with which large
companies must comply have been promulgated.
For example, a large organization that does business in
Europe and North America is subject to the EU Privacy
Directive on Data Protection, Canada's Personal
Information Protection and Electronic Documents Act of
2000, and any number of U.S. state-level regulations.
If an organization wants to put up a Web site that provides
games or media that children might access, they need to
be aware of child-protection data privacy laws as well.
V. Privacy Risks
Failure to comply with certain privacy laws could result in
fines and/or criminal prosecution. In addition, there could be
a significant impact to brand equity.
V. Recommendations for Privacy
Perform a privacy audit. At a minimum, the organization
should consider:
• What Privacy Laws Apply to the Organization – Has
the organization identified all the various laws, regulations,
and statutes with which it must comply?
• Responsibility for Privacy – Has a chief privacy
officer role been created?
VI. Segregation of Duties
As organizations integrate their environments into larger,
more complex applications, segregation of duties is less a
function of job role and more a function of what
transactions the user can perform in the system.
Consequently, appropriate segregation of duties is largely
dependent on application level security.
Application level security is becoming increasingly complex
and requires a greater level of expertise to administer.
VI. Segregation of Duty Risks
Inadequate segregation of duties could expose the organization to theft, fraud,
or unauthorized use of information resources.
VI. Recommendations for Segregation of Duties
Perform a segregation of duties audit, which should include:
• Understanding How Segregation of Duties is Being
Managed and Controlled – What processes, people, and
tools are used to support the management of segregation of
duties?
• Defining Conflicts – Has the organization developed a
comprehensive listing of all job functions that are deemed
to be incompatible?
• Determining Specific Deficiencies – Has the
organization used the list of conflicts to identify either
specific security roles, or specific individuals who have been
granted access that presents a violation of segregation of
duties?
VII. Administrative Access
Systems administration personnel are generally granted
high levels of access to IT resources. This is explained
away because they are presumed to be administrators
who need this access to perform their job.
VII. Recommendations for Administrative Access
In every environment, administrative access is required to
operate the systems. However, the IT audit function
should help ensure that systems administrators only have
access to data and functions required to perform job
responsibilities.
The IT auditor should also consider:
• Splitting the access to perform a function so that two
people are needed to perform the function.
• Reviewing generic IDs that are shared by more than
one user.
• Limiting access to administrative functions to a small
number of persons.
• Periodic independent reviews of audit trails.
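The segregation of duties audit (section VI) and the administrative access review (section VII) work from the same raw material: the application's roles, the user-to-role assignments, and the list of people behind each user ID. The script below is an added example, not from the presentation or from the IIA, that carries both reviews through on constructed data: it applies a conflict list to find roles that are incompatible by design and users who accumulate a conflict across roles, then lists generic IDs shared by more than one person and counts the natural persons who can reach administrative functions. Every job function, role, user ID, person name and threshold is constructed sample data, and the function names are assumptions.

```python
"""Segregation-of-duties and administrative-access review.

Added example, not from the presentation: it applies the organisation's
list of incompatible job functions to extracted role and user data, then
reviews shared (generic) IDs and the size of the administrator population.
All functions, roles, users, names and thresholds are constructed sample data.
"""

# Constructed conflict list: pairs of job functions deemed incompatible.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "post_journal"}),
    frozenset({"maintain_user_access", "approve_payment"}),
}

# Constructed: application security roles and the transactions each grants.
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"enter_journal"},
    "GL_SUPERVISOR": {"post_journal"},
    "SUPER_USER": {"create_vendor", "approve_payment", "enter_journal",
                   "post_journal", "maintain_user_access"},
    "SYSADMIN": {"maintain_user_access"},
}

# Constructed: user-ID to role assignments as extracted from the application.
USER_ROLES = {
    "jdoe": {"AP_CLERK"},
    "asmith": {"AP_CLERK", "AP_MANAGER"},   # conflict arises across two roles
    "mbrown": {"GL_ACCOUNTANT"},
    "batch_fin": {"SUPER_USER"},            # generic ID holding a conflicting role
    "root_ops": {"SYSADMIN"},
}

# Constructed: the natural persons known to use each ID (from the ID inventory).
ID_USERS = {
    "jdoe": ["J. Doe"],
    "asmith": ["A. Smith"],
    "mbrown": ["M. Brown"],
    "batch_fin": ["M. Brown", "P. Lee", "K. Chen"],  # shared generic ID
    "root_ops": ["P. Lee", "K. Chen"],               # shared administrative ID
}

# Constructed policy: which functions count as administrative, and how many
# distinct persons may hold them.
ADMIN_FUNCTIONS = {"maintain_user_access"}
MAX_ADMIN_PERSONS = 2


def functions_of(user, user_roles=USER_ROLES, roles=ROLES):
    """All transactions a user ID can perform through its assigned roles."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= roles.get(role, set())
    return funcs


def conflicts_in(funcs, conflicts=CONFLICTS):
    """Incompatible pairs fully contained in a set of functions, sorted."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= funcs)


def role_conflicts(roles=ROLES, conflicts=CONFLICTS):
    """Roles that on their own grant an incompatible pair (a design defect)."""
    out = {}
    for role, funcs in roles.items():
        hits = conflicts_in(funcs, conflicts)
        if hits:
            out[role] = hits
    return out


def user_conflicts(user_roles=USER_ROLES, roles=ROLES, conflicts=CONFLICTS):
    """User IDs whose combined roles grant an incompatible pair."""
    out = {}
    for user in user_roles:
        hits = conflicts_in(functions_of(user, user_roles, roles), conflicts)
        if hits:
            out[user] = hits
    return out


def shared_ids(id_users=ID_USERS):
    """Generic IDs used by more than one person: no individual accountability."""
    return sorted(uid for uid, people in id_users.items() if len(people) > 1)


def admin_review(user_roles=USER_ROLES, roles=ROLES, id_users=ID_USERS,
                 admin_functions=ADMIN_FUNCTIONS, limit=MAX_ADMIN_PERSONS):
    """Admin-capable IDs, the distinct persons behind them, and whether the
    number of persons exceeds the policy limit."""
    admin_ids = sorted(u for u in user_roles
                       if functions_of(u, user_roles, roles) & admin_functions)
    persons = sorted({p for uid in admin_ids for p in id_users.get(uid, [uid])})
    return {"admin_ids": admin_ids, "persons": persons,
            "exceeds_limit": len(persons) > limit}


if __name__ == "__main__":
    print("Roles with built-in conflicts:", role_conflicts())
    print("Users with conflicting access:", user_conflicts())
    print("Shared IDs:", shared_ids())
    print("Administrative access:", admin_review())
```

Two points the constructed data is built to show: `asmith` has no conflicting role, only a conflicting combination of roles, which is why the review has to expand each user to the full set of transactions before applying the conflict list; and the administrator population looks acceptable when counted by user ID (two IDs) but not when counted by person (three people behind shared IDs), which is why the generic-ID review and the administrator headcount belong together.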
WHAT IS IT GOVERNANCE ?
IT governance has been defined by the Information
Systems Audit & Control Association ( ISACA ) as:
…the responsibility of executives and the board of directors.
It consists of the leadership, organizational structures and
processes that ensure that the enterprise’s IT sustains and
extends the organisation’s strategies and objectives.
The term ‘governance’ is derived from the Latin word
gubernare, which means to direct or to steer.
ISACA – Information Systems Audit & Control Association
WWW.ISACA.ORG
COBIT FRAMEWORK
- 4 Domains
- 32 processes
WHAT IS IT GOVERNANCE? (continued)
IT governance primarily determines:
(i) how IT decisions are made,
(ii) who makes the decisions,
(iii) who is held accountable, and
(iv) how the results of decisions are measured and
monitored.
What Should IT Governance Deliver?
IT governance can thus be pictured as focusing primarily
on the following five areas:
• Strategic alignment – Alignment of IT strategy and
business strategy.
• Value delivery – Creating new value for the enterprise
through IT, maintaining and increasing value derived
from existing IT investments, and eliminating IT
initiatives and assets that are not creating sufficient
value for the enterprise.
• Risk management – Addressing IT-related risks. IT risk
is the business risk associated with the use, ownership,
operation, involvement, influence and adoption of IT
within an enterprise.
• Resource management – Ensuring that the right
capabilities are in place to execute the strategic plan and
sufficient, appropriate and effective resources are
provided.
• Performance measurement – Tracking the achievement
of the objectives of the enterprise's IT-related services
and solutions and compliance with specific external
requirements.
Questions for Executive Management & the CEO
1. Is it clear what IT is doing?
2. How often do IT projects fail to deliver what they
promised?
3. Are end users satisfied with the quality of the IT service?
4. Are sufficient IT resources and infrastructure available to
meet required enterprise strategic objectives?
5. How well are IT outsourcing agreements being managed?
6. How is the value delivered by IT being measured?
Questions for the Board
1. Does the Board assess the criticality of IT, whether
on a project or operational basis?
2. Is the Board aware of IT risk exposures and their
containment? Is IT on the Board's agenda?
3. Does the Board ascertain that management has put
processes and practices in place to ensure that IT
delivers value to the business?
4. Does the Board work with the executives to define
and monitor high level IT performance?
5. Does the Board ensure that IT investments represent
a balance of risk and benefits and that budgets are
acceptable?
THANK YOU
David A. Hall
President
Institute of Internal Auditors, Jamaica
Telephone: (876) 997-1040
E-mail: davidyasmin@aol.com