
COMPUTER AUDIT & SECURITY

DCCP 2015

INTRODUCTION

1.1 PURPOSE

To give potential computer auditors an overview of the different activities of computer audit and the role of a computer auditor

Since many organizations now require business auditors to have an awareness of computer audit

Increasing difficulty in distinguishing between IT and business areas

Basic principles of computer auditing should be common to all sectors and to most types of hardware and software

1.2 DEFINITION
Computer audit can mean different things to different people. In any
organization, computer audit may mean one of the following:

Auditing systems software

Auditing systems under development

Review of clerical procedures, and

Production of compliance-based audit work

Commonality in audit scopes can be observed but there can also be variation in
the depth of audit undertaken.


1.3 CHANGE
Change is a key feature of many organizations today and continues to be so. It is considered an intrinsic component and has made many changes in different fields possible. Its impact can be observed as follows:

Social, economic and political fields

Led to the creation of new professions

Revolutionized other fields (office work, robotics, manufacturing industries)

Computer audit operates in an environment of constant and rapid change, so computer auditors are continually faced with the prospect of faster, smaller and cheaper IT systems. Alongside this pace of development, IT legislation was also developed in different countries:

Data Protection Act 1984 (UK)

Computer Misuse Act (UK)

(Give an assignment on the most notable rules / laws regarding IT in the Philippines.)

1.4 NATURE OF COMPUTER AUDIT


Although an IT system may achieve the same end result as a manual system, the way in which it does so, and hence the level of security and control required, can differ considerably. There are a number of significant risks associated with the processing of IT systems. It is important, therefore, that high standards of security and control are maintained to minimize the potential impact on the organisation.

Computer fraud and abuse can have a detrimental effect on an organization. Some common instances are the following:

Unauthorized disclosure of confidential information

Unauthorized modification / destruction of software

Unauthorized modification / destruction of data

Unavailability of key IT systems

Theft of IT hardware and software

Use of IT facilities for personal business

When considering computer audit, it should be noted that the basic control objectives and principles do not change. The manner in which those objectives are achieved, however, does change fundamentally. Specifically, there is a need for greater preventative controls rather than a reliance on the more detective and corrective control mechanisms which would usually be found in manual systems. The development of on-line real time systems, where the immediacy of processing can result in millions of pounds being transferred away in a funds transfer system, requires a robust level of security.

1.5 COMPUTER AUDITORS


Computer audit is an integral part of the overall audit activity, and computer auditors are therefore considered part of that same activity. To add value to an organization and deliver an effective service, risk-based computer auditing should also be integrated with it.


Computer auditors are involved in the development phase of a project to:

Give comments prior to an implementation to make a project cost-effective

Improve security and control features

Undertake audit on logical access controls

Computer auditors are expected to:

Provide value added service to a business

Cope with increasingly sophisticated technology

Provide independent and objective assurance as to a level of security

COMPUTER AUDITORS vs. COMPUTER SECURITY SECTION


The role of a computer auditor may overlap with that of a computer security
section and can cause confusion or duplication of work.
Computer Security Section

To assist users in developing security solutions and to administer that security on a day-to-day basis

Computer Auditor

Keep up to date with constant and rapid development in IT (Key Challenge)

1.6 SCOPE


The following are the sections that describe the main areas of computer audit
activity:

Systems under development

Live applications

IT infrastructure

Audit Automation

The extent to which these areas are reviewed and the depth to which they are examined will vary. Key to the performance of audit work is a comprehensive risk based evaluation which should determine the amount of audit resource required and should also assist in determining an assessment of a satisfactory level of security and control.

QUIZ #1:
1. Define yourself as a Computer Auditor (5 points)
2. What would be the importance of Computer Audit in

Social (3)

Economics (3)

Political fields (3)

System Development (3)

System Implementation (3)

3. Preventative Control vs. Detection and Correction Control (5)


4. Differentiate Security and Control; give system citations (5)


SYSTEMS UNDER DEVELOPMENT


The development of a new computer system represents an area of potentially
significant risk to an organisation. New computer systems are developed to
meet a variety of business needs:

Meet new legal requirements

Maintain or enhance profitability

Improve efficiency

Reduce costs

The potential sources of a new IT application are many and varied. A number of factors determine the most appropriate source for a particular organization, such as:

Cost

Time

Constraints & availability

Skilled resource (including human resource)

Options vary but include the following:

A bespoke development by an in-house IT team

A package solution from a software house

A bespoke development by a software house

Joint bespoke development (partnership) by a software house and the in-house IT team

End-user development


Computer audit activity within systems under development is focused on two main areas:
1. The manner in which a new IT application is developed
2. The adequacy of security and control within an IT application
It is important to ensure that new IT applications are developed in a controlled manner so that they perform only those functions that the user requires and that adequate security and control is included. The manner in which a new IT system is developed is generally considered under two main headings:

Project management

The systems development life cycle

PROJECT MANAGEMENT
Project Management is concerned with:

delivering a solution on time

within budget

to an appropriate level of quality

The basic principles of good project management are:

Clearly defined management responsibility

Clear objectives and scope

Effective planning and control

Clear lines of accountability

In spite of the widespread availability of such methodologies and tools, research has shown that the majority of IT projects are not implemented on time, within budget or to the appropriate level of quality.
Typical components in a project management methodology include:
ORGANIZATION

to ensure that management is committed to the project and that issues can be resolved promptly

PLANNING

to ensure that work activities are addressed at an appropriate level of detail

resource requirements are identified and risks are properly evaluated

key to successful project management

a project will be broken down into a number of sub-projects, each with a number of specific stages

CONTROL

ensure that potential problems can be identified

project viability can be continuously monitored

generally consists of financial controls such as budgets and time controls such as milestones


Computer audit involvement in project management is to assess whether:

an effective project team has been set up

comprehensive and sufficiently detailed plans have been prepared

effective mechanisms have been established to continuously monitor project progress


SYSTEMS DEVELOPMENT LIFE CYCLE

concerned with the formal development of an IT application

Aims to ensure the following:


Systems are developed in a controlled manner
Adequately documented
Maintainable in the future
Developed efficiently and securely
Meets user requirements

Stages of a life cycle are consistent with the basic principles of TQM (Total
Quality Management). Typical stages are:
1. Project Initiation/Feasibility Study

to progress an initial idea to a stage where a project can be formally defined

to determine feasibility and cost benefit

2. Analysis and User Requirements

to confirm the project objectives and scope

to identify and classify the required data

to identify and prioritise business requirements

3. Design

to complete a logical and detailed technical design

4. Build (Development)

involves programming and testing the system

5. Implementation

Delivery and installation of the new system

6. Maintenance

Fixes and new updates for the system

Modern methods of IT application development

CASE (Computer Aided Software Engineering)

a working environment consisting of programs and other development tools that enable users to automate the design and implementation of programs and procedures

Texas Instruments

Andersen Consulting

OBJECT ORIENTATION

a program is viewed as a collection of discrete objects

self-contained collections of data structures and routines that interact with other objects

C++, Java

PROTOTYPING

systems are developed on-screen interactively

development technique to create a throwaway version of a product

RAPID APPLICATION DEVELOPMENT (RAD)

end to end development life cycle

based upon the premise that 80% of the solution can be achieved in 20%
of the time it would take to develop 100%


QUIZ #2:
1. This factor refers to the skills and technical abilities of people involved in
a project
2. Stage of a project to determine cost benefit
3. Component of project management that should be committed to a certain
project
4. Concerned with formal application development
5. A key to successful project / project management
6. For organizations, the development of new IT applications is considered
as a _________
7. A Throw-away development technique
8. Stage where Logical and Technical aspects of a project should be
completed
9. When those who will use the system are also the ones who develop it, this is called
____________
10. Component of project management where potential problems should be identified
11. A tool for project progress monitoring
12-14. Factors of new IT application development
15. End to end development cycle
16. Stage where feasibility study should be performed
17-19. Concerns of project management
