IS-Audit

IS AUDIT
DR. MITIL CHOKSHI
CHOKSHI & CHOKSHI
CHARTERED ACCOUNTANTS
For MIPA
2nd May 2014
Contents
• Introduction
• Guidelines
• Need for controls
• Internal Control Framework
• Security Threats
• Information Systems Risks
• IS Audit Process
Introduction
“The process of collecting and evaluating evidence to determine whether:
• Computer system safeguards assets
• Maintains data integrity, confidentiality and availability
• Allows organizational goals to be achieved
• Determines the efficient use of resources”
Gain understanding of the organisation → Understand risks and evaluate controls → Test controls
Guidelines
ISACA Guidelines
• IS Auditing Standards
• IS Auditing Guidelines
• IS Auditing Procedures
• COBIT (Control Objectives for Information and related Technology)
ISO 27001
Guidelines by the Institute of Internal Auditors
Guidelines
• COSO’s Internal Control – Integrated Framework (the COSO Framework), published by the Committee of Sponsoring Organisations of the Treadway Commission
• COCO (Criteria of Control) Framework, published by the Canadian Institute of Chartered Accountants
COSO Framework
Monitoring Applied to the Internal Control Process
Need for Controls
The Organization must protect itself from:
• Corruption of data and databases.
• Poor decision making due to poor quality of MIS.
• Losses due to abuse of controls.
• Loss of hardware, software and personnel.
• Breaches of privacy.
• Malicious Internet content.
• Authentication and privilege attacks.
Security Threats
Examples (slide images not reproduced):
• Phishing
• Drive-by downloads (unintended software)
• Virus scan
• Trojan horse
• Spoofing
Relationship Between General and Application Controls
The diagram (image not reproduced) shows the application controls of each cycle resting on the General Controls:
• Cash receipts application controls
• Sales application controls
• Payroll application controls
• Other cycle application controls
General controls address the risk of unauthorized change to application software, the risk of system crash, the risk of unauthorized master file update and the risk of unauthorized processing.
Information Systems Risks
Access controls:
• Non-detection of compromised passwords.
• Unauthorized users can access systems.
• Inappropriate access allowing recognised users greater access than necessary.
• Unauthorized changes to data in master files.
• Unauthorized changes to systems or programs.
• Denial of access to systems, DBMSs and servers in the event of a system interruption or disaster.
Information Systems Risks
Controls to mitigate risks arising from unauthorized access:
• Authentication (identification) controls need to be strong.
• Roles and privileges should be granted on a need-to-know basis, and only to authorized users.
• Job scheduling procedures and stored procedures need to be secure.
• An alternate method to identify and register users needs to be tested and made available when needed.
Information Systems Risks
Input Controls
• Unauthorized data received for computer processing.
• Loss of data or duplication of data.
• Automated segregation of duties and access rights.
• Automated authorization approval.
• Incorrect output due to wrong input (GIGO: garbage in, garbage out).
Information Systems Risks
Mitigating risks arising from Input Controls:
• Review access rights that set and amend configurable approval and authorization limits.
• Review accesses with super user rights.
• Maker-checker controls
• Range check
• Completeness check
• Duplicate check
Information Systems Risks
Process Controls
• Wrong validation of data
• Risks arising out of editing procedures
• Incorrect processing of data
• Absence of data file control procedures
Information Systems Risks
Mitigating risks arising from Process Controls:
• Parity checking
• Reasonableness check
• Transaction logs
• Table lookups
• Version usage
• Existence check
• File updating and maintenance authorization
• Key verification
• Sequence check
• Logical relationship check
• Limit check
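The input-control mitigations (maker-checker, range, completeness and duplicate checks) and the process-control mitigations (reasonableness, table lookup, existence, sequence, logical relationship and limit checks) listed above are all automated validations an auditor can re-perform over a transaction batch. The following is an added example written for this page, not code from the slides or from any client system: the record layout, the master data, the limits and the sample batch are constructed assumptions, and `check_batch` returns an exception report keyed by transaction id (with `<batch>` for batch-wide findings).

```python
"""Input- and process-control checks run over a batch of constructed transactions.

Added example, not from the original slides: the record layout, limits, master
data and sample batch below are assumptions made for illustration.
"""
from collections import Counter

# Constructed master data for the existence check and table lookup (assumed).
VALID_ACCOUNTS = {"A100", "A200", "A300"}
VALID_CURRENCIES = {"INR", "USD"}
# Typical monthly amount per account, used by the reasonableness check (assumed).
TYPICAL_AMOUNT = {"A100": 1000.0, "A200": 5000.0, "A300": 100.0}

# Configurable limits that the approval/authorization controls would set (assumed).
AMOUNT_RANGE = (0.01, 1_000_000.00)     # range check bounds
SINGLE_APPROVAL_LIMIT = 50_000.00       # limit check: above this a second approver is required
REQUIRED_FIELDS = ("txn_id", "seq", "account", "amount", "currency", "maker", "checker")


def check_transaction(txn):
    """Record-level checks; returns the list of exceptions for one transaction."""
    issues = []
    missing = [f for f in REQUIRED_FIELDS if txn.get(f) in (None, "")]
    if missing:
        # Completeness check: stop here, the other checks need the missing fields.
        return [f"completeness: missing {', '.join(missing)}"]
    lo, hi = AMOUNT_RANGE
    if not lo <= txn["amount"] <= hi:
        issues.append(f"range: amount {txn['amount']} outside {lo}-{hi}")
    if txn["account"] not in VALID_ACCOUNTS:
        issues.append(f"existence: unknown account {txn['account']}")
    if txn["currency"] not in VALID_CURRENCIES:
        issues.append(f"table lookup: unknown currency {txn['currency']}")
    if txn["maker"] == txn["checker"]:
        issues.append("maker-checker: same user entered and approved the record")
    if txn["amount"] > SINGLE_APPROVAL_LIMIT and not txn.get("second_approver"):
        issues.append(f"limit: amount above {SINGLE_APPROVAL_LIMIT} without second approver")
    typical = TYPICAL_AMOUNT.get(txn["account"])
    if typical is not None and txn["amount"] > 10 * typical:
        issues.append(f"reasonableness: amount exceeds 10x typical ({typical}) for account")
    # Logical relationship check: a reversal must reference the transaction it reverses.
    if txn.get("type") == "reversal" and not txn.get("reverses"):
        issues.append("logical relationship: reversal without reference to original")
    return issues


def check_batch(batch):
    """Batch-level checks (duplicate, sequence) plus the record-level checks.
    Returns {txn_id: [exceptions]}; the key '<batch>' carries batch-wide findings."""
    report = {}
    for pos, txn in enumerate(batch):
        issues = check_transaction(txn)
        if issues:
            key = txn.get("txn_id") or f"<record {pos}>"
            report.setdefault(key, []).extend(issues)
    # Duplicate check on the transaction identifier.
    for tid, n in Counter(t.get("txn_id") for t in batch if t.get("txn_id")).items():
        if n > 1:
            report.setdefault(tid, []).append(f"duplicate: txn_id appears {n} times")
    # Sequence check: sequence numbers must be increasing and contiguous.
    seqs = [t["seq"] for t in batch if isinstance(t.get("seq"), int)]
    expected = list(range(min(seqs), max(seqs) + 1)) if seqs else []
    if seqs != expected:
        report.setdefault("<batch>", []).append(f"sequence: got {seqs}, expected {expected}")
    return report


# Constructed sample batch (not real data); the comments say what each record exercises.
SAMPLE_BATCH = [
    {"txn_id": "T1", "seq": 1, "account": "A100", "amount": 500.0, "currency": "INR",
     "maker": "asha", "checker": "ravi"},                  # clean record
    {"txn_id": "T2", "seq": 2, "account": "A200", "amount": 75_000.0, "currency": "INR",
     "maker": "asha", "checker": "asha"},                  # maker = checker, over limit, unreasonable
    {"txn_id": "T2", "seq": 3, "account": "A999", "amount": -10.0, "currency": "EUR",
     "maker": "ravi", "checker": "asha"},                  # duplicate id, range, existence, lookup
    {"txn_id": "T4", "seq": 5, "account": "A300", "amount": 20.0, "currency": "USD",
     "maker": "ravi"},                                     # incomplete (no checker); gap in sequence
]


def run_sample():
    return check_batch(SAMPLE_BATCH)


if __name__ == "__main__":
    for key, issues in run_sample().items():
        print(key, "->", "; ".join(issues))
```

The same functions serve the input-control test procedures later in the deck (entering invalid and incomplete data): feeding deliberately wrong records through `check_batch` shows whether each control actually rejects them, and the exception report doubles as the auditor's working paper.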
Information Systems Risks
Output Controls
• Non-integrity of output
• Untimely distribution of output
• Availability of output to unauthorized users
• Data processing results are unreliable
Information Systems Risks
Mitigating risks arising from Output Controls:
Checklist for mitigating risk (slide image not reproduced)
Statistics
Issues Involved
Preliminary Steps
- Understanding of the organisational structure to identify the CIO, CISO, etc.
- Understanding of the system architecture.
- Understanding the components of the systems (number of servers, routers, users, desk users, on/offsite users).
- Reviewing the IS Security Policy.
- Performing systems walk-throughs.
- Assessment of the risks and understanding of the related controls.
IS Audit Process
Procedures
Interviews
- Interviews are a useful audit tool to gather information about internal system controls and risks.
- Employees involved in the day-to-day operations of a functional area possess the best knowledge of that area.
- They are in a position to identify the weak internal system controls and risks.
Procedures
Preparation of Checklist & Questionnaire
- A detailed checklist should be prepared after having an understanding of the architecture of the system.
- The checklist should be comprehensive.
Access controls testing- Procedures
• Verifying access rights allotted vis-à-vis organizational policy for
need to know
• Implementation of Password controls
• Process of review of logs of super users, database administrator
• Logs of active users vis-à-vis HR records for exit, leave, etc.
• License control processes
• Virus control procedures
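Two of the procedures above, verifying allotted access rights against the need-to-know policy and matching the active-user list against HR records for exits and leave, are reconciliations that can be scripted once the auditor has the three extracts in hand. The following is an added example written for this page, not code from the slides or from any client system: the role policy, the HR master, the active-account extract and the review date are constructed assumptions, and `review_access` returns the findings an auditor would carry into the working papers.

```python
"""Access-rights review: active accounts vs HR records and vs a need-to-know role policy.

Added example, not from the original slides: the HR record layout, the role policy
and the sample extracts below are assumptions made for illustration.
"""
from datetime import date

# Constructed role policy: the privileges each job role is allowed (assumed).
ROLE_POLICY = {
    "teller":  {"cash_receipts.read", "cash_receipts.post"},
    "payroll": {"payroll.read", "payroll.run"},
    "dba":     {"db.admin"},
}

# Constructed HR master as at the review date (assumed).
HR_RECORDS = {
    "asha":  {"role": "teller",  "status": "active"},
    "ravi":  {"role": "payroll", "status": "exited", "exit_date": date(2014, 3, 31)},
    "meena": {"role": "teller",  "status": "on_leave"},
    "dbadm": {"role": "dba",     "status": "active"},
}

# Constructed extract of enabled system accounts and their privileges (assumed).
ACTIVE_ACCOUNTS = {
    "asha":  {"cash_receipts.read", "cash_receipts.post", "payroll.run"},  # privilege beyond role
    "ravi":  {"payroll.read", "payroll.run"},                              # exited employee
    "meena": {"cash_receipts.read"},                                       # on leave, still enabled
    "guest": {"cash_receipts.read"},                                       # no HR record at all
    "dbadm": {"db.admin"},                                                 # clean
}


def review_access(accounts, hr, policy, review_date):
    """Return a list of (account, finding) tuples, ordered by account name."""
    findings = []
    for acct, privs in sorted(accounts.items()):
        rec = hr.get(acct)
        if rec is None:
            # Active user with no HR record: cannot be tied to an employee.
            findings.append((acct, "no matching HR record"))
            continue
        if rec["status"] == "exited":
            days = (review_date - rec["exit_date"]).days
            findings.append((acct, f"exited employee still active {days} days after exit"))
        elif rec["status"] == "on_leave":
            findings.append((acct, "account enabled while employee on leave"))
        # Need-to-know test: anything outside the role's allowed set is an exception.
        excess = privs - policy.get(rec["role"], set())
        if excess:
            findings.append((acct, f"privileges beyond role '{rec['role']}': {sorted(excess)}"))
    return findings


def run_review():
    # Review date taken as the date of the deck; any date would do.
    return review_access(ACTIVE_ACCOUNTS, HR_RECORDS, ROLE_POLICY, date(2014, 5, 2))


if __name__ == "__main__":
    for acct, finding in run_review():
        print(f"{acct}: {finding}")
```

The review is only as good as the extracts it compares: the HR data must be as at the same date as the account extract, and the role policy must be the one management has actually approved, otherwise the "excess privilege" findings merely measure drift between two undocumented states.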
Access controls testing- Procedures
Vulnerability testing through internal resources
• Internal Security Vulnerability Assessment (ISVA) is a
comprehensive analysis of all of the workstations and servers on
your network.
• The ISVA detects and identifies Trojan horses, hacker tools, DDoS
(Distributed Denial-of-Service) agents, and spyware through
code analysis and signature matching, in much the same way as
anti-virus.
• It also identifies specific vulnerabilities such as configuration
problems in FTP servers, exploits in Microsoft IIS or problems in
NT security policy configuration.
Access controls testing- Procedures
Vulnerability testing through external resources
• One of the most common vulnerability assessment activities for
companies of all sizes is an external penetration testing scan,
typically targeting internet-facing websites.
• Once you set yourself outside of the company, you immediately
are given an untrusted status. The systems and resources
available to you externally are usually very limited.
Input Controls -Procedures
• Verification by entering invalid data
• Verification by entering incomplete data
• Testing Arithmetic Accuracy
Processing Controls -Procedures
Integrated Test Facility (ITF) Approach
Parallel Simulation
Processing Controls -Procedures
Integrated Test Facility (ITF) Approach
• A dummy ITF center is created for the auditors.
• Creation of transactions to test the controls.
• Creation of working papers showing expected results from manually processed information.
• Running of auditor transactions together with actual transactions.
• Comparing the ITF results to the working papers.
Processing Controls -Procedures
Parallel Simulation
• Processing of real client data on an audit program similar to the client’s program.
• Comparison of the results of this processing with the results of the processing done by the client’s program.
Processing Controls -Procedures
Parallel Simulation - Flowchart
The flowchart (image not reproduced) has two lanes:
• Computer Operations: Actual Transactions → Computer Application System → Actual Client Report
• Auditors: Actual Transactions → Auditor’s Simulation Program → Auditor Simulation Report
The auditor compares the Actual Client Report with the Auditor Simulation Report.
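Both processing-control procedures above, the ITF approach and parallel simulation, come down to running the client's program and comparing its output with an independently derived expectation. The following is an added example written for this page, not code from the slides or from any client system: the client application, the interest rule it implements, the ITF dummy entity and the sample transactions are constructed assumptions. The stand-in client program carries a deliberate, labelled truncation defect so that both techniques have something to find.

```python
"""Parallel simulation and ITF comparison for a processing control.

Added example, not from the original slides: the client application, the interest
rule, the ITF dummy entity and the sample transactions are assumptions made for
illustration.
"""

ITF_ENTITY = "ITF-DUMMY"   # prefix of the auditor's dummy entity, processed with real data


def client_application(transactions):
    """Stand-in for the client's program: monthly interest per account.
    Constructed defect for illustration: it truncates to the cent instead of rounding."""
    report = {}
    for t in transactions:
        interest = int(t["balance"] * t["rate"] / 12 * 100) / 100     # truncation (assumed defect)
        report[t["account"]] = round(report.get(t["account"], 0.0) + interest, 2)
    return report


def auditor_simulation(transactions):
    """Auditor's independently written simulation of the documented processing rule."""
    report = {}
    for t in transactions:
        interest = round(t["balance"] * t["rate"] / 12, 2)
        report[t["account"]] = round(report.get(t["account"], 0.0) + interest, 2)
    return report


def compare_reports(client, auditor, tolerance=0.0):
    """Line-by-line comparison; returns [(account, client_value, auditor_value)] for differences
    and for lines present in only one of the two reports."""
    exceptions = []
    for acct in sorted(set(client) | set(auditor)):
        c, a = client.get(acct), auditor.get(acct)
        if c is None or a is None or abs(c - a) > tolerance:
            exceptions.append((acct, c, a))
    return exceptions


def run_itf(transactions, itf_transactions, working_papers):
    """ITF approach: run the auditor's dummy transactions through the client application
    together with the real ones, extract the dummy entity's results, compare them with
    the expected values in the working papers, and strip the dummy lines from the
    production report. Returns (exceptions, cleaned_report)."""
    output = client_application(list(transactions) + list(itf_transactions))
    itf_result = {k: v for k, v in output.items() if k.startswith(ITF_ENTITY)}
    cleaned = {k: v for k, v in output.items() if not k.startswith(ITF_ENTITY)}
    return compare_reports(itf_result, working_papers), cleaned


# Constructed real client data (not actual transactions).
REAL_TRANSACTIONS = [
    {"account": "A100", "balance": 10000.0, "rate": 0.06},   # 50.00 either way
    {"account": "A300", "balance": 5000.0,  "rate": 0.07},   # 29.1666...: truncates to 29.16, rounds to 29.17
]

# Constructed auditor ITF transactions and the working papers with manually computed results.
ITF_TRANSACTIONS = [
    {"account": "ITF-DUMMY-1", "balance": 1200.0, "rate": 0.10},
    {"account": "ITF-DUMMY-2", "balance": 5000.0, "rate": 0.07},
]
WORKING_PAPERS = {"ITF-DUMMY-1": 10.0, "ITF-DUMMY-2": 29.17}


def run_parallel_simulation():
    return compare_reports(client_application(REAL_TRANSACTIONS),
                           auditor_simulation(REAL_TRANSACTIONS))


def run_itf_example():
    return run_itf(REAL_TRANSACTIONS, ITF_TRANSACTIONS, WORKING_PAPERS)


if __name__ == "__main__":
    print("parallel simulation exceptions:", run_parallel_simulation())
    itf_exceptions, production_report = run_itf_example()
    print("ITF exceptions:", itf_exceptions)
    print("production report without ITF lines:", production_report)
```

The two techniques find the same one-cent difference on the same rule but from opposite directions: parallel simulation re-performs the client's real data, so it needs a faithful copy of the processing rule; the ITF approach needs only the auditor's own test transactions and their pre-computed expected results, but it requires that the dummy entity's lines are reliably kept out of the production output, which is what the `cleaned` report is for.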
Application Controls -Procedures
Black Box Testing
• Method of software testing.
• Examines the functionality of an application (e.g. what the software does) without peering into its internal structures or workings.
• Can be applied to virtually every level of software testing: unit, integration, system and acceptance.
• Typically comprises most if not all higher level testing, but can also dominate unit testing as well.
Application Controls -Procedures
White Box Testing
• Also known as clear box testing, glass box testing, transparent box testing, and structural testing.
• Method of testing software that tests the internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing).
• An internal perspective of the system, as well as programming skills, are used to design test cases.
• The tester chooses inputs to exercise paths through the code and determine the appropriate outputs.
Output Controls -Procedures
• Check whether the output contains the key control information necessary to validate the accuracy and completeness of the information in the report, such as the last document reference, period, etc.
• If data has to be transferred from one process to another, verify that no manual intervention is possible and no unauthorized modification to the data can be made.
• Verify physical controls over hardcopy printouts.
Format of IS Audit Report