7/3/2016

WhyAreInformationTechnologyControlsandAuditImportant?

ITPerformanceImprovement
Management
Security
Networkingand
Telecommunications
SoftwareEngineering
ProjectManagement

WhyAreInformationTechnologyControlsandAudit
Important?

Database

ShareThisArticle
ShareThis

Tweet

FreeSubscriptiontoIT
Today

Poweredby
VerticalResponse

Like

15

Theroleofinformationtechnology(IT)controlandaudithasbecomeacriticalmechanismforensuringtheintegrityofinformation
systems(IS)andthereportingoforganizationfinancestoavoidandhopefullypreventfuturefinancialfiascossuchasEnronand
WorldCom.Globaleconomiesaremoreinterdependentthaneverandgeopoliticalrisksimpacteveryone.Electronicinfrastructure
andcommerceareintegratedinbusinessprocessesaroundtheglobe.TheneedtocontrolandauditIThasneverbeengreater.
Initially,ITauditing(formerlycalledelectronicdataprocessing(EDP),computerinformationsystems(CIS),andISauditing)
evolvedasanextensionoftraditionalauditing.Atthattime,theneedforanITauditfunctioncamefromseveraldirections

EnterEmailAddress:

SignupNow

byFrederickGallegosandSandraSenft

Auditorsrealizedthatcomputershadimpactedtheirabilitytoperformtheattestationfunction.
Corporateandinformationprocessingmanagementrecognizedthatcomputerswerekeyresourcesforcompetinginthe
businessenvironmentandsimilartoothervaluablebusinessresourcewithintheorganization,andtherefore,theneedfor
controlandauditabilityiscritical.
Professionalassociationsandorganizations,andgovernmententitiesrecognizedtheneedforITcontrolandauditability.
TheearlycomponentsofITauditingweredrawnfromseveralareas.First,traditionalauditingcontributesknowledgeofinternal
controlpracticesandtheoverallcontrolphilosophy.AnothercontributorwasISmanagement,whichprovidesmethodologies
necessarytoachievesuccessfuldesignandimplementationofsystems.Thefieldofbehavioralscienceprovidedsuchquestions
andanalysistowhenandwhyISarelikelytofailbecauseofpeopleproblems.Finally,thefieldofcomputersciencecontributes
knowledgeaboutcontrolconcepts,discipline,theory,andtheformalmodelsthatunderliehardwareandsoftwaredesignasa
basisformaintainingdatavalidity,reliability,andintegrity.
ITauditingisanintegralpartoftheauditfunctionbecauseitsupportstheauditor'sjudgmentonthequalityoftheinformation
processedbycomputersystems.Initially,auditorswithITauditskillsareviewedasthetechnologicalresourcefortheauditstaff.
Theauditstaffoftenlookedtothemfortechnicalassistance.Asyouwillseeinthistextbook,therearemanytypesofaudit
needswithinITauditing,suchasorganizationalITaudits(managementcontroloverIT),technicalITaudits(infrastructure,data
centers,datacommunication),applicationITaudit(business/financial/operational),development/implementationITaudits
(specification/requirements,design,development,andpostimplementationphases),andcomplianceITauditsinvolvingnational
orinternationalstandards.TheITauditor'srolehasevolvedtoprovideassurancethatadequateandappropriatecontrolsarein
place.Ofcourse,theresponsibilityforensuringthatadequateinternalcontrolsareinplacerestswiththemanagement.The
audit'sprimaryrole,exceptinareasofmanagementadvisoryservices,istoprovideastatementofassuranceastowhether
adequateandreliableinternalcontrolsareinplaceandareoperatinginanefficientandeffectivemanner.Therefore,whereas
managementistoensure,auditorsaretoassure.
Today,ITauditingisaprofessionwithconduct,aims,andqualitiesthatarecharacterizedbyworldwidetechnicalstandards,an
ethicalsetofrules(InformationSystemsAuditandControlAssociation[ISACA]CodeofEthics),andaprofessionalcertification
program(CertifiedInformationSystemsAuditor[CISA]).Itrequiresspecializedknowledgeandpracticableability,andoftenlong
andintensiveacademicpreparation.Often,whereacademicprogramswereunavailable,significantinhousetrainingand
professionaldevelopmenthadtobeexpendedbyemployers.Mostaccounting,auditing,andITprofessionalsocietiesbelieve
thatimprovementsinresearchandeducationwilldefinitelyprovideanITauditorwithbettertheoreticalandempiricalknowledge
basetotheITauditfunction.Theyfeelthatemphasisshouldbeplacedoneducationobtainedattheuniversitylevel.
ThebreadthanddepthofknowledgerequiredtoauditITsystemsareextensive.Forexample,ITauditinginvolvesthe
Applicationofriskorientedauditapproaches
Useofcomputerassistedaudittoolsandtechniques
Applicationofstandards(nationalorinternational)suchasISO9000/3andISO17799toimproveandimplementquality
systemsinsoftwaredevelopmentandmeetsecuritystandards
Understandingofbusinessrolesandexpectationsintheauditingofsystemsunderdevelopmentaswellasthepurchase
ofsoftwarepackagingandprojectmanagement
Assessmentofinformationsecurityandprivacyissueswhichcanputtheorganizationatrisk
Examinationandverificationoftheorganization'scompliancewithanyITrelatedlegalissuesthatmayjeopardizeorplace
theorganizationatrisk
Evaluationofcomplexsystemsdevelopmentlifecycles(SDLC)ornewdevelopmenttechniquese.g.,prototyping,end
usercomputing,rapidsystems,orapplicationdevelopment
Reportingtomanagementandperformingafollowupreviewtoensureactionstakenatwork
TheauditingofcomplextechnologiesandcommunicationsprotocolsinvolvestheInternet,intranet,extranet,electronicdata
interchange,clientservers,localandwideareanetworks,datacommunications,telecommunications,wirelesstechnology,and
integratedvoice/data/videosystems.
ITTodayandTomorrow
Highspeedinformationprocessinghasbecomeindispensabletoorganizations'activities.Forexample,ControlObjectivesfor
InformationandRelatedTechnology(CoBiT)emphasizesthispointandsubstantiatestheneedtoresearch,develop,publicize,
andpromoteuptodateinternationallyacceptedITcontrolobjectives.TheprimaryemphasisofCoBiTistoensurethat
informationneededbybusinessesisprovidedbytechnologyandtherequiredassurancequalitiesofinformationarebothmet.
CoBiT,fourthedition,hasevolvedandimprovedinitsguidancetoincorporatetheessentialelementsofstrategicmanagement,
valuedelivery,resourcemanagement,riskmanagement,andperformancemanagement.
Fromaworldwideperspective,ITprocessesneedtobecontrolled.Fromahistoricalstandpoint,muchhasbeenpublishedabout
theneedtodevelopskillsinthisfield.Inits1992discussionpaper,"MinimumSkillLevelsinInformationTechnologyfor
ProfessionalAccountants,"andits1993finalreport,"TheImpactofInformationTechnologyontheAccountancyProfession,"the
InternationalFederationofAccountants(IFAC)acknowledgedtheneedforbetteruniversityleveleducationtoaddressgrowingIT
controlconcernsandissues.Fromthis,ithaspublishedmorerecentguidanceandinformation.TheInstituteofInternalAuditors
(IIA)1992document"ModelCurriculumforInformationSystemsAuditing"wasdevelopedtodefinetheknowledgeandskills
requiredbyinternalauditorstobeproficientintheinformationageofthe1990sandbeyond.TheIIAhasdevelopedandproduced
guidanceforitsmembershipascitedinAppendixIII.Aroundtheworld,reportsofwhitecollarcrime,informationtheft,computer
fraud,informationabuse,andotherinformation/technologycontrolconcernsarebeingheardmorefrequently,thankstosurveys
andreportsbySANS(SysAdmin,Audit,Network,Security)Institute,U.S.GovernmentAccountabilityOffice(GAO),Federal
BureauofInvestigation(FBI),FederalTradeCommission(FTC),ComputerSecurityInstitute(CSI),ComputerEmergency
ResponseTeams(CERT),andothers.Organizationsaremoreinformationdependentandconsciousofthepervasivenatureof
technologyacrossthebusinessenterprise.Theincreasedconnectivityandavailabilityofsystemsandopenenvironmentshave
proventobethelifelinesofmostbusinessentities.ITisusedmoreextensivelyinallareasofcommercearoundtheworld.

http://www.ittoday.info/Articles/IT_Controls_and_Audit.htm

1/5

7/3/2016

WhyAreInformationTechnologyControlsandAuditImportant?
Owingtotherapiddiffusionofcomputertechnologiesandtheeaseofinformationaccessibility,knowledgeableandwelleducated
ITauditorsareneededtoensurethateffectiveITcontrolsareinplacetomaintaindataintegrityandmanageaccessto
information.Globally,privateindustry,professionalassociations,andorganizationssuchasInternationalFederationof
InformationProcessing(IFIP),AssociationforComputingMachinery(ACM),AssociationofInformationTechnology
Professionals(AITP),InformationSystemsSecurityAssociation(ISSA),andothershaverecognizedtheneedformoreresearch
andguidanceasidentifiedinAppendixIII.ControlorientedorganizationssuchastheAmericanInstituteofCertifiedPublic
Accountants(AICPA),theCanadianInstituteofCharteredAccountants(CICA),IIA,AssociationofCertifiedFraudExaminers
(ACFE),andothershaveissuedguidanceandinstructionsandsupportedstudies/researchinthisarea.Since1996,The
ColloquiumforInformationSystemsSecurityEducators(CISSE)hasbeenaleadingproponentforimplementingthecourseof
Instructionininformationsecurity(InfoSec)andInformationAssuranceineducationTheneedforimprovedcontroloverIThas
beenadvancedovertheyearsinearlierandcontinuingstudiesbytheAICPA'sCommitteeofSponsoringOrganizationsofthe
TreadwayCommission(COSO),InternationalOrganizationforStandardization(ISO)issuanceofISO9000andISO17799and
followonamendments,OECD's"GuidelinesfortheSecurityofISbytheOrganizationforEconomicCooperationand
Development(OECD),"IIA's"SystemsAuditabilityandControl(SAS)Report,"andtheU.S.President'sCouncilonIntegrityand
EfficiencyinComputerAuditTrainingCurriculum.ThemostrecentadditiontothesemajorstudiesistheaforementionedCoBiT
research.Essentially,technologyhasimpactedthreesignificantareasofthebusinessenvironment:
Ithasimpactedwhatcanbedoneinbusinessintermsofinformationandasabusinessenabler.Ithasincreasedthe
abilitytocapture,store,analyze,andprocesstremendousamountsofdataandinformation,whichhasincreasedthe
empowermentofthebusinessdecisionmaker.Technologyhasalsobecomeaprimaryenablertovariousproductionand
serviceprocesses.Ithasbecomeacriticalcomponenttobusinessprocesses.Thereisaresidualeffectinthatthe
increaseduseoftechnologyhasresultedinincreasedbudgets,increasedsuccessesandfailures,andincreased
awarenessoftheneedforcontrol.
Technologyhassignificantlyimpactedthecontrolprocess.Althoughcontrolobjectiveshavegenerallyremainedconstant,
exceptforsomethataretechnologyspecific,technologyhasalteredthewayinwhichsystemsshouldbecontrolled.
Safeguardingassets,asacontrolobjective,remainsthesamewhetheritisdonemanuallyorisautomated.However,the
mannerbywhichthecontrolobjectiveismetiscertainlyimpacted.
Technologyhasimpactedtheauditingprofessionintermsofhowauditsareperformed(informationcaptureandanalysis,
controlconcerns)andtheknowledgerequiredtodrawconclusionsregardingoperationalorsystemeffectiveness,
efficiencyandintegrity,andreportingintegrity.Initially,theimpactwasfocusedondealingwithachangedprocessing
environment.Astheneedforauditorswithspecializedtechnologyskillsgrew,sodidtheITauditingprofession.
InformationIntegrity,Reliability,andValidity:ImportanceinToday'sGlobalBusinessEnvironment
Organizationstodayoperateinadynamicglobalmultienterpriseenvironmentwithteamorientedcollaborationandplacevery
stringentrequirementsonthetelecommunicationsnetwork.Thedesignofsuchsystemsiscomplexandmanagementcanbe
verydifficult.Organizationsarecriticallydependentonthetimelyflowofaccurateinformation.Agoodwaytoviewhowstringent
thenetworkrequirementsareistoanalyzethemintermsofthequalityofthetelecommunicationsservice.Perhaps,two
examplesoftheworld'sdependencyonITcomeasaresultoftworeportedeventsinthepastwhereITfailureimpactedworld
commerceandcommunications.In1998,anAT&Tmajorswitchfailedduetotwosoftwareerrorsandaproceduralerror,causing
communicationsatthatswitchtobecomeoverloadedandmakingcustomersusingcreditcardsunabletoaccesstheirfundsfor
18hours.Inanother1998event,acommunicationsatellitewentintoanuncontrollablerotationcausingpagercommunication
systemsworldwidetobe"useless,"andthosecompaniesusingthistechnologyforEaccounttransactionandverificationwere
unabletoprocesscreditcardinformationfor24hours,thuscausingtheircustomerstopaycashfortheirtransactions.The
disruptionofthepagingservicescausedsevereimpacttoservicesprovidedbybothprivateandgovernmentalorganizationsthat
dependedonthiscommunication.Eventoday,thesetypesofeventsarerepeatedoverandoveragainwhereorganizations
dependentontechnologyencounterfailureanddisruptiontoservicesandbusiness.InAugust2003,thenortheastquadrantand
partofCanadawerestillrecoveringfromamassivepoweroutagetotheareathatshutdownATMsandallelectricalservices
(elevators,phoneservice,streetsignals,subways,etc.).
Mosttelecommunicationexpertsbelievethenetworkmustbeabletoreachanyoneanywhereintheworldandbecapableof
supportingthesharingofawiderangeofinformation,fromsimplevoice,data,andtextmessagestocooperativetransactions
requiringtheinformationupdatingofavarietyofdatabases.Thechiefexecutiveofficer(CEO)andchiefinformationofficer(CIO)
wanttomeetorexceedtheirbusinessobjectivesandattainmaximumprofitabilitythroughanextremelyhighdegreeof
availability,fastresponsetime,extremereliability,andaveryhighlevelofsecurity.
ThismeansthattheproductsforwhichITprovidesconsumerfeedbackwillalsobeofhighquality,richininformationcontent,
andcomepackagedwithavarietyofusefulservicestomeetthechangingbusinessconditionsandcompetition.Flexible
manufacturingandimprovementprogramssuchasJustInTime(JIT)andLeanManufacturing,andTotalQualityManagement
(TQM)willenablelowcostproduction.Flexiblemanufacturingwillpermitproductstobeproducedeconomicallyinarbitrarylot
sizesthroughmodularizationoftheproductionprocess.
Theunpredictabilityofcustomerneedsandtheshortnessofproductlifecycleswillcausethemixofproductioncapabilitiesand
underlyingresourcesrequiredbytheorganizationtochangeconstantly.Organizationsmustbecapableofassemblingits
capabilitiesandresourcesquickly,therebybringingaproducttomarketswiftly.Toachievethehighdegreeoforganizational
flexibilityandvaluechaincoordinationnecessaryforquickmarketresponse,excellentproductquality,andlowcost,the
organizationwillemployanetwork,teamoriented,distributeddecisionmakingorganizationalapproachratherthanamore
traditionalhierarchical,verticallyintegrated,commandandcontrolapproach.
Organizationswillpossessadynamicnetworkorganizationsynthesizingthebestavailabledesign,production,supply,and
distributioncapabilitiesandresourcesfromenterprisesaroundtheworldandlinkingthemandthecustomerstogether.Amulti
enterprisenaturewillenableorganizationstorespondtocompetitiveopportunitiesquicklyandwiththerequisitescale,while,at
thesametime,enablingindividualnetworkparticipant'scostandrisktobereduced.Thenetworkwillbedynamicbecause
participantidentitiesandrelationshipswillchangeascapabilitiesandresourcesrequiredchange.Theglobalscopeofthenetwork
willenableorganizationstocapitalizeonworldwidemarketopportunities.Workwillbeperformedbymultidisciplinary,multi
enterpriseteams,whichwillworkconcurrentlyand,toreduceproductiontime,begrantedsignificantdecisionmakingauthority.
Teammemberswillbeabletoworkcollaborativelyregardlessoflocationandtimezone.Openness,cooperativeness,andtrust
willcharacterizetherelationshipsamongtheorganizationsinthenetworkandtheirpersonnel.
Asidefromreach,range,andserviceresponsiveness,thenetworkmustbehighlyinterconnectivesothatpeople,organizations,
andmachinescancommunicateatanytime,regardlessoflocation.Also,thenetworkmustbeveryflexiblebecausethe
organizationisconstantlychanging.Finally,thenetworkmustbecosteffectivebecauselowcostisoneoftheingredientsinthe
masscustomizationstrategy.Inaddition,acontrolstructure,whichprovidesassurancesofintegrity,reliability,andvalidity,must
bedesigned,developed,andimplemented.
Sohowcanthisbeaccomplished?Theabilitytoreachanyoneanywhereintheworldrequiresglobalareanetworks.Clearly,the
Internetandglobalcarrierserviceswillbecrucial.Also,becausetheintendedreceiverneednotbeintheofficeorevenathome,
wirelessnetworkswillplayamajorpart.Thiswillbetrueonpremise,suchaswiththeuseofwirelessprivatebranchexchanges
(PBXs)orlocalareanetworks(LANs),andoffpremise,withtheuseofcellularnetworks,globalsatellitenetworkssuchas
Iridium,andPersonalCommunicationsNetworks.Tosupportthesharingofawiderangeofvoice,data,andvideoinformation,
bandwidthondemandwillberequiredallthewaytothedesktopaswellasthemobileterminal.Also,variouscollaborative
serviceplatformssuchasLotusNoteswillbenecessary.Finally,perfectservicewillhavetobedesignedintothenetwork.
Speedcanbeachievedthroughbroadbandnetworking:locallyviafastEthernet,gigabit,andAsynchronousTransferMode(ATM)
LANs,andoverawideareaviaswitchedmultimegabitdataservices(SMDS)andATMservices,andreliabilitythroughquality
hardware/softwareandprovenwiredandwirelesssolutionswherepossible.
ControlandAudit:AGlobalConcern
TheeventsofSeptember11,2001,andthecollapseoftrustinthefinancialreportsofprivateindustry(Enron,WorldCom,etc.)
havecausedmuchreflectionandselfassessmentwithinthebusinessworld.Theevolutionoftheeconomicsocietyparallelsthe
evolutionofexchangemechanismsbecauseadvancementinthelatterallowsthefacilitationoftheformer.Societystartedwith
theprimitiveuseofthebartersystem.Inthisway,individualswerebothconsumersandproducersbecausetheybroughtto
marketthatcommoditywhichtheyhadinexcessandexchangeditdirectlyforacommodityforwhichtheywereinneed.Simply,
societyexercisedanexchangeofgoodsforgoods.Owingtoitsnumerousinefficienciesandsocieties'demandsto
accommodatefortheincreasedpopulation,production,communication,andtradingareas,thissystemwassoonreplacedbya
modifiedbarterexchangemechanism.Inthemodifiedbarterexchangesystem,acommonmediumofexchangewasagreed
upon.Thisallowedthetimeandeffortexpendedintryingtofindatradingpartnerwiththeneedforone'sproducttobereduced.In
theearlystagesofeconomicdevelopment,preciousmetalssuchasgoldandsilvergainedwidespreadacceptanceasexchange
media.Preciousmetalscharacterizedacceptability,durability,portability,anddivisibility,butitgraduallyplayedtheroleof
money.Thus,whenemergingcentralgovernmentsbeganmintingorcoinageofthesemetalstobeginthemoneybased
exchangesystem,itsmonetaryrolewasevenmorestrengthened.
Aseconomiesbecamemorecommercialinnature,theinfluentialmercantileclassshapedthenewsociety.Theneedsofthe
mercantilists,whichincludedthepromotionofexchangeandaccumulationofcapital,ledtothedevelopmentofmoney
warehousesthatservedasdepositoriesforthesafekeepingoffunds.Areceiptwouldbeissuedforthosewhoopenedadeposit

http://www.ittoday.info/Articles/IT_Controls_and_Audit.htm

2/5

7/3/2016

WhyAreInformationTechnologyControlsandAuditImportant?
account,anduponpresentationofthereceipt,thewarehousewouldreturnthespecifiedamounttothedepositor.These
warehousesrepresentedanelementarybankingsystembecause,likebanksoftoday,theycollectedfeestocovertheircostsas
wellasearnedprofitsfortheirowners.Soonthewarehousesbeganissuingbillsofexchangeortheirowndraftsbecauseofthe
ideathatnotalldepositorswouldwithdrawtheirfundsatthesametime.Thiscreatedthefractionalreservebankingsystemin
whichbanksusedthedepositsnotonlytobackupthereceiptsthattheyissuedbutalsotoextendcredit.
Thecoin,currency,anddemanddepositpaymentmechanismflourishedformanydecadesbecauseofitsconvenience,safety,
efficiency,andwidespreadacceptancebythepublic.However,anothermajorchangeisnowathandforpaymentmechanisms:
electronicfundstransfers(EFTs).
ECommerceandElectronicFundsTransfer
Electroniccommerce(Ecommerce)andEFTopenthenextchapterforpaymentsystems.Theyhavebeenaroundsincethe
1960s.Thebankingindustryisconsideredtobeoneoftheforerunnersintheuseofcomputers.Theindustrystartedwith
mechanizingbookkeepingandaccountingtasks,automatingtransactionflows,implementingmagneticinkcharacterrecognition
(MICR)technology,andfinally,utilizingonlineterminalstoupdatedepositor'saccountandrecordreceiptordisbursementof
cash.TheadvancementofbothcomputerandcommunicationtechnologieshasspurredthephenomenalgrowthofEFTsystems
inthepast20years.Asmoreconsumersbecomefamiliarandtrustelectronicfinancialtransactions,EFTswillcontinuetobe
morewidelyused.Today,EFTshavealreadygonebeyondthebankingindustryandcanbeseeninalmostallretail
establishmentssuchassupermarkets,clothingstores,gasstations,andevenamusementparks.EFTsallowtheconvenienceof
payingforgoodsandserviceswithouthavingtousechecksorcurrency.Intoday'ssocietyofevermorecomputerliterate
individuals,atransitionisbeingwitnessedfromthetraditionalcashandchecksystemtoelectronicpaymentsystems.
FutureofElectronicPaymentSystems
TheincreasedusedoftheInternethasbroughtwithitanewformofexchange:virtualcommerce.Thecashlesssocietythat
futuristshavelongforecastisfinallyathand,anditwillreplacetoday'spapermoney,checks,andevencreditcards.Virtual
commerceinvolvesanewworldofelectroniccash(Ecash).Virtualtransactionsworkverymuchlikephysicalcashbutwithout
thephysicalsymbols.
AlthoughtheuseofEcashhasitspositiveaspectssuchasmoreconvenience,flexibility,speed,costsavings,andgreater
privacythanusingcreditcardsorchecksontheInternet,italsohasnegativeramifications.UncontrolledgrowthofEcash
systemscouldthreatenbankandgovernmentcontrolledpaymentsystems,whichwouldfuelthegrowthofconfusingand
inefficientsystems.Also,currenttechnologyhasnotyetdeemedEcashtobemoresecurethanbankmoneybecausemoney
storedinapersonalcomputer(PC)couldbelostforeverifthesystemcrashes.Inaddition,Ecashcouldpermitcriminalactivity
suchasmoneylaunderingandtaxevasiontohidebehindcyberdollars.CounterfeiterscouldalsodesigntheirownmintsofE
cashthatwouldbedifficulttodifferentiatefromrealmoney.Finally,criminalssuchascomputerhackerscouldinstantaneously
pilferthewealthofthousandsofelectronicconsumers.
Therefore,manycompanieshavebeencompelledtodevelopelectronicpaymentsystemsthatwillsolvetheseconsumer
concerns.In2000,itrepresentedabout40percentoftheonlinepopulation.Thisgrewto63percentby2006.Thereisadefinite
needforthesecurityandprivacyofpaymentsmadeovertheInternet,asmillionsoftransactionsoccurdailyandwillbe
increasingatarapidpaceinthefuture.WiththisincreaseofEcommerce,thelikelihoodoffraudincreasesaswell.Ecommerce
dependsonsecurityandprivacybecause,withoutthem,neitherconsumersnorbusinesseswouldhaveanadequatelevelof
comfortindigitaltransmissionoftransactionandpersonaldata.Inthenewlyrevolutionizedeconomy,itisanecessityfor
companiestoconductbusinessonlineandreachouttocustomersthroughtheInternet.TheprimaryareasofconcernwithE
commerceareconfidentiality,integrity,nonrepudiation,andauthentication.Theseareasareaddressedthroughseveralways
suchasencryption,cryptography,andtheuseofthirdparties.

Inaddition,thecreditcardindustryhasbeenmotivatedtofindsecuretechnologyforEcommerce.TheNationalInstituteof
StandardsandTechnology(NIST)hasdonesomeextensiveworkinthisareaunderitsInformationTechnologyLaboratory,
devotinganemphasistoSmartCardStandardsandResearchathttp://smartcard.nist.gov.Organizationsliketheseareonlya
fractionofthemassiveexperimentsthatwilltransformthewaypeoplethinkaboutmoney.Thisisaworldwidecommerce
movement,andnotjustaU.S.movement.Ecashisthenextinevitablepaymentsystemforanincreasinglywiredworld.
Economichistoryhasonceagainreachedanothercrossroads.Justasthemercantileclasstransformedthemoneyexchange
systemtooneofmoneywarehouses,Ecommerce(tradeontheInternet)willbearevolutionaryopportunityforglobalsocietyto
transformtoday'straditionalsystemofexchangeintoasystemofelectronicpayments.Thus,theneedforauditability,security,
andcontrolofIThasbecomeaworldwideissue.
LegalIssuesImpactingIT
ThefinancialscandalsinvolvingEnronandArthurAndersenLLP,andothersgeneratedademandforthenewlegislationto
prevent,detect,andcorrectsuchaberrations.Inadditiontothis,theadvancementsinnetworkenvironmentstechnologieshave
resultedinbringingtotheforefrontissuesofsecurityandprivacythatwereonceonlyofinteresttothelegalandtechnicalexpert
butwhichtodayaretopicsthataffectvirtuallyeveryuseroftheinformationsuperhighway.TheInternethasgrownexponentially
fromasimplelinkageofarelativefewgovernmentandeducationalcomputerstoacomplexworldwidenetworkthatisutilizedby
almosteveryonefromtheterroristwhohascomputerskillstothenoviceuserandeveryoneinbetween.Commonusesforthe
Internetincludeeverythingfrommarketing,sales,andentertainmentpurposestoemail,research,commerce,andvirtuallyany
othertypeofinformationsharing.
Unfortunately,aswithanybreakthroughintechnology,advancementshavealsogivenrisetovariousnewproblemsthatmustbe
addressed,suchassecurityandprivacy.TheseproblemsareoftenbeingbroughttotheattentionofITauditandcontrol
specialistsduetotheirimpactonpublicandprivateorganizations.Currentlegislationandgovernmentplanswilleffecttheonline
communityand,alongwiththegovernment'sroleinthenetworkedsociety,willhavealastingimpactinfuturebusiness
practices.
FederalFinancialIntegrityLegislation
TheEnronArthurAndersenLLPfinancialscandalcontinuestoplaguetoday'sfinancialmarketasthetrustoftheconsumer,the
investor,andthegovernmenttoallowtheindustrytoselfregulatehaveallbeenviolated.TheSarbanesOxleyActof2002willbe
avividreminderoftheimportanceofdueprofessionalcare.TheSarbanesOxleyActprohibitsallregisteredpublicaccounting
firmsfromprovidingauditclients,contemporaneouslywiththeaudit,certainnonauditservicesincludinginternalaudit
outsourcing,financialinformationsystemdesignandimplementationservices,andexpertservices.Thesescopeofservice
restrictionsgobeyondexistingSecurityandExchangeCommission(SEC)independenceregulations.Allotherservices,
includingtaxservices,arepermissibleonlyifpreapprovedbytheissuer'sauditcommitteeandallsuchpreapprovalsmustbe
disclosedintheissuer'speriodicreportstotheSEC.
Theactrequiresauditor(notauditfirm)rotation.Therefore,theleadauditpartnerandtheconcurringreviewpartnermustrotate
offtheengagementifheorshehasperformedauditservicesfortheissuerineachofthefivepreviousfiscalyears.Theact
providesnodistinctionregardingthecapacityinwhichtheauditorconcurringpartnerprovidedsuchauditservices.Anyservices
providedasamanagerorinsomeothercapacityappeartocounttowardthefiveyearperiod.Theprovisionstartsassoonasthe
firmisregistered,therefore,absentguidancetothecontrary,theauditandconcurringpartnermustcountbackfiveyearsstarting
withthedateinwhichPublicCompanyAccountingOversightBoardregistrationoccurs.Thisprovisionhasadefiniteimpacton
smallaccountingfirms.TheSECiscurrentlyconsideringwhetherornottoaccommodatesmallfirmsinthisareacurrently,there
isnosmallfirmexemptionfromthisprovision.
ThisactisamajorreformpackagemandatingthemostfarreachingchangesCongresshasimposedonthebusinessworldsince
theForeignCorruptPracticesActof1977andtheSECActofthe1930s.Itseekstothwartfuturescandalsandrestoreinvestor
confidenceby,amongotherthings,creatingapubliccompanyaccountingoversightboard,revisingauditorindependencerules,
revisingcorporategovernancestandards,andsignificantlyincreasingthecriminalpenaltiesforviolationsofsecuritieslaws.
FederalSecurityLegislation
TheITauditorshouldrecognizethattheU.S.federalgovernmenthaspassedanumberoflawstodealwithissuesofcomputer
crimeandsecurityandprivacyofIS.Privateindustryhasinthepastbeenreluctanttoimplementtheselawsbecauseofthefear
ofthenegativeimpactitcouldbringtoacompany'scurrentandfutureearningsandimagetothepublic.Thepassageofthe
HomelandSecurityActof2002andtheinclusionoftheCyberSecurityEnhancementActwillhaveasubstantialimpacton
privateindustry.Anexampleofanumberofpastlawsinplaceisasfollows.
TheComputerFraudandAbuseAct
TheComputerFraudandAbuseAct(CFAA)wasfirstdraftedin1984asaresponsetocomputercrime.Thegovernment's
responsetonetworksecurityandnetworkrelatedcrimeswastorevisetheactin1994undertheComputerAbuseAmendments
Acttocovercrimessuchastrespassing(unauthorizedentry)intoanonlinesystem,exceedingauthorizedaccess,and
exchanginginformationonhowtogainunauthorizedaccess.Althoughtheactwasintendedtoprotectagainstattacksina

http://www.ittoday.info/Articles/IT_Controls_and_Audit.htm

3/5

7/3/2016

WhyAreInformationTechnologyControlsandAuditImportant?
networkenvironment,itdoesalsohaveitsfairshareoffaults.TheITauditormustbeawareofitsignificance.
Underthisact,penaltiesareobviouslylessseverefor"recklessdestructivetrespass"thanfor"intentionaldestructivetrespass."
Thereasoningbehindthisisthatrecklessattackersmaynotnecessarilyintendtocausedamage,butmuststillbepunishedfor
gainingaccesstoplacesthattheyshouldnothaveaccessto.However,theimpactofsuchterminologyappearstopossibly
createsomeconfusioninprosecutingthetrespasserbecauseitresidesinsucha"grayarea."InMorrisv.UnitedStates,itwas
determinedthat"intent"appliedtoaccessandnottodamages.Theimplicationherewouldbethatifthe"intentional"partofthe
violationwasappliedtoaccessandnotthedamage,thentheculpritcouldpossiblybeprosecutedunderthelessersentence.
Forexample,ifanindividualintentionallyintendedtoreleaseavirusoveranetwork,itwouldseemdifficultforprosecutorsto
provethemotivefortheviolation.Whatiftheindividualstatedthatheorshewasconductingsometypeofsecuritytest(as
Morriscontested)and"accidentally"setoffaprocedurethatreleasedavirusoverthenetwork?Intentionalcouldrefertoaccess
toasystembutitmaynotapplytodamage.Inthiscase,thelesserpenaltyof"recklessdestructivetrespass"maybeapplied.
Withinthecourts,thisisamatterthatmustbecontemplatedonacasebycasebasis,observingthefactsofeachindividual
case.Insomeinstances,however,itwouldappearthateven"intentional"trespasscouldbedefendedbyclaimsthattheviolation
wasduetonegligenceandthereforefallsunderthelesssevereofthetwocircumstances.
Thislegislationhasbeenhelpfulasalegaltoolforprosecutingcrimesinvolvingsomeoftheaforementionedintrudersand
violatorsofsystemsecurity,butitalsoseemstohavealoopholeincertaincases.Unfortunately,thisloopholemaybelarge
enoughforaseriousviolatoroftheacttoslipthroughandbeprosecutedunderalesserpenaltybyvirtueofhavingtoprove
intent.Allstateshaveclosedaportionofthatloopholethroughstatutesprohibitingharassmentorstalking,including"email."
Thisacthasbeenamendedseveraltimessince1984tokeepitcurrent.
TheComputerSecurityActof1987
AnotheractofimportanceistheComputerSecurityActof1987,whichwasdraftedduetocongressionalconcernsandpublic
awarenessoncomputersecurityrelatedissuesandbecauseofdisputesonthecontrolofunclassifiedinformation.Thegeneral
purposeoftheactwasadeclarationfromthegovernmentthatimprovingthesecurityandprivacyofsensitiveinformationin
federalcomputersystemsisinthepublicinterest.Theactestablishedafederalgovernmentcomputersecurityprogramthat
wouldprotectsensitiveinformationinfederalgovernmentcomputersystems.Itwouldalsodevelopstandardsandguidelinesfor
unclassifiedfederalcomputersystemsandfacilitatesuchprotection.
TheComputerSecurityActalsoassignedresponsibilityfordevelopinggovernmentwidecomputersystemsecuritystandards,
guidelines,andsecuritytrainingprogramstotheNationalBureauofStandards.ItfurtherestablishedaComputerSystem
SecurityandPrivacyAdvisoryBoardwithintheCommerceDepartment,andrequiredfederalagenciestoidentifycomputer
systemscontainingsensitiveinformationanddevelopsecurityplansforthosesystems.Finally,itprovidedperiodictrainingin
computersecurityforallfederalemployeesandcontractorswhomanaged,used,oroperatedfederalcomputersystems.
TheComputerSecurityActisparticularlyimportantbecauseitisfundamentaltothedevelopmentoffederalstandardsof
safeguardingunclassifiedinformationandestablishingabalancebetweennationalsecurityandothernonclassifiedissuesin
implementingsecurityandprivacypolicieswithinthefederalgovernment.Itisalsoimportantinaddressingissuesconcerning
governmentcontrolofcryptography,whichhasrecentlybecomeahotlycontestedtopic.
PrivacyontheInformationSuperhighway
Nowthatsomeissuesassociatedwithcomputersecurityhavebeenreviewed,howtheissueofprivacyisimpactedwhen
computersecurityisbreachedwillbeexamined.Asiswellknown,thereisatremendousamountofinformationthatcompanies
andagenciesareabletoretrieveonanyindividual.People,corporations,andgovernmentareactiveintradingpersonal
informationfortheirowngain.InVirginia,aresidentfiledsuitinthestatecourtagainstU.S.News&WorldReport,challenging
therightofthemagazinetosellorrenthisnametoanotherpublicationwithouthisexpresswrittenconsent.Itisknownthat
individualsshareprivateinformationonadailybasis,buthowhasitaffectedthenetworkworldandtheInternet?Thisissuewill
beanalyzedinthefollowingsection.
ThelargenumberofusersontheInternethasresultedintheavailabilityofanenormousamountofprivateinformationonthe
network.Thisinformationunfortunatelyseemstobeavailableforthetakingbyanyonewhomightbeinterested.Aperson'sbank
balance,SocialSecuritynumber,politicalleanings,medicalrecord,andmuchmoreisthereforanyonewhomaywantit.
Informationidentitythefthasbeenoneofthefastestgrowingcrimes,anduseoftheIShighwayhasbeenakeycomponentof
suchcrimes.In2003,itwasrevealedthatahackerpenetratedtheStateofCaliforniaPayrollsystemandgainedaccessto
personalinformation.Thisinformationpotentiallycouldbeputupforsaletoanyonewhomightbeinterestedinit.Someonehas
beencollectinginformationandmakingitavailableforuse,andalargenumberoftheseindividualsseemtoberefusingtofollow
anysortoffairinformationpractice.Inanother2003incident,allittookwasaphonecallforanInternethijackerstosteal65,000
WebaddressesbelongingtotheCountyofLosAngeles.Theaddresseswerethensoldandusedtosendpornographicmaterial
andjunkemailandtotrytohackintoothercomputers.
Fortunately,theFTChasbeenveryactiveinprovidingthepublicalertstothevariousongoingscams,andbyvisitingitsWeb
siteatwww.ftc.gov,peoplecanbehelpedbytheinformationitcanprovideiftheybecomevictims.Thisactivityisacauseof
alarmforeveryoneandthequestionisaskedIsitentitledtoone'sinformation?Whatisthegovernment'spolicyregardingprivacy
ofanindividualandkeepingastrongsecuritypolicy?Ideally,citizenswouldliketolimittheamountofmonitoringthatthe
governmentisallowedtodoonthem,butisthegovernmentinapositiontomonitorcommunicationsontheinformation
superhighway?Howwillthisaffectone'srighttoprivacyasguaranteedbytheU.S.Constitution?Thefocusofthefollowing
sectionwillthenbetoaddresstheseissues,payingespeciallycloseattentiontothesecuritybasedmeasuresthathaveaffected
theidealofindividualrighttoprivacy.
PrivacyLegislationandtheFederalGovernmentPrivacyAct
InadditiontothebasicrighttoprivacythatanindividualisentitledtoundertheU.S.Constitution,thegovernmentalsoenacted
thePrivacyActof1974.Thepurposeofthisistoprovidecertainsafeguardstoanindividualagainstaninvasionofpersonal
privacy.Thisactplacescertainrequirementsonfederalagencies,whichincludethefollowing:
Permitsanindividualtodeterminewhatrecordspertainingtohimorherarecollectedandmaintainedbyfederalagencies
Permitsanindividualtopreventrecordspertainingtohimorherthatwereobtainedforaparticularpurposefrombeing
usedormadeavailableforanotherpurposewithoutconsentPermitsanindividualtogainaccesstoinformationpertaining
tohimorherinfederalagencyrecordsandtocorrectoramendthem
Requiresfederalagenciestocollect,maintain,anduseanypersonalinformationinamannerthatassuresthatsuchaction
isforanecessaryandlawfulpurpose,thattheinformationiscurrentandaccurate,andthatsafeguardsareprovidedto
preventmisuseoftheinformation
AlthoughthePrivacyActisanimportantpartofsafeguardingindividualprivacyrights,itisimportantfortheITauditorto
recognizethattherearemanyexemptionsunderwhichitmaybelawfulforcertaininformationtobedisclosed.Thiscould,in
somecases,forvariousagencies,bothfederalandnonfederal,allowthemeansbywhichtheycanobtainanddisclose
informationonanyindividualssimplybecausetheymayfallunderoneofthemanyexemptionsthatthePrivacyActallows.For
example,thesubsequentFreedomofInformationActprovidesthefederalgovernmentawaytoreleasehistoricalinformationto
thepublicinacontrolledfashion.ThePrivacyActhasalsobeenupdatedovertimethroughtheamendmentprocess.
ElectronicCommunicationsPrivacyAct
Intheareaofcomputernetworking,theElectronicCommunicationsPrivacyActisoneoftheleadingearlypiecesoflegislation
againstviolationofprivateinformationasapplicabletoonlinesystems.Beforeanalyzingsomeoftheimplicationsthattheact
hashadonthenetworkcommunity,letusbrieflyanalyzesomeoftheprovisionsdefinedbytheact,asitseemstobequite
complicatedingivingprivacyprotectioninsomeinstancesandnotothers.
CommunicationsDecencyActof1995
TheCommunicationDecencyAct(CDA)bansthemakingof"indecent"or"patentlyoffensive"materialavailabletominors
throughcomputernetworks.Theactimposesafineofupto$250,000andimprisonmentforuptotwoyears.TheCDAdoes
specificallyexemptfromliabilityanypersonwhoprovidesaccessorconnectiontoorformafacility,system,ornetworkthatis
notunderthecontrolofthepersonviolatingtheact.Also,theCDAspecificallystatesthatanemployershallnotbeheldliablefor
theactionsofanemployeeunlesstheemployee'sconductiswithinthescopeofhisorheremployment.
HealthInsurancePortabilityandAccountabilityActof1996
OnAugust21,1996,PresidentClintonsignedtheHealthInsurancePortabilityandAccountabilityAct(HIPAA)intolaw.The
originalpurposeofthelawwastomakeiteasierforAmericanstomaintaintheirhealthinsurancewhentheyswitchjobsand
restricttheabilityofinsurerstorejectthembasedonpreexistinghealthconditions.Unfortunately,thedigitalageaddedthe
provisionof"administrativesimplifications"tothelaw.AccordingtotheU.S.DepartmentofHealth,
The"administrativesimplifications"provisionsrequiretheadaptationofnationalstandardsforelectronichealthcare
transactions.Byensuringconsistencythroughouttheindustry,thesenationalstandardswillmakeiteasierfor
healthplans,doctors,hospitals,andotherhealthcareproviderstoprocessclaimsandothertransactions
electronically.Thelawalsorequiredsecurityandprivacystandardsinordertoprotectpersonalinformation.

http://www.ittoday.info/Articles/IT_Controls_and_Audit.htm

4/5

7/3/2016

WhyAreInformationTechnologyControlsandAuditImportant?
Theprovisionsforadministrativesimplificationcame"Atthetimewhenhospitalsandinsurersusedmorethan400different
softwareformatstotransmithealthcaredata.Thesecoveredeverythingfromtheheadersoninsuranceformstothecodes
describingdiseasesandmedication."Manyinthehealthcareindustryhaveviewedthe"administrativesimplification"component
ofthelawstobethemostexpensiveandmostdifficulttoimplement.Partofthereasonforthedifficultyinimplementation
involvestheissueofprivacy.AccordingtoInfoWorld,"Medicalorganizationswillneedtoinvestinsomeofthenewtechnologies
currentlyavailableinotherindustries.Technologieslikedigitalcertificates,authentication,andbiometricstandardsareneededto
ensurethatthoseauthorizedtoviewsomethingaretheonlyonesthathaveaccess."Thecostanddifficultyofimplementing
thesenewtechnologiestomeettherequirementsofHIPAAcanbebothtimeconsumingandexpensive,especiallyforsmaller
hospitalsandclinicswithlittleornoITsupport.ThisisachallengeforinternalandexternalauditorsoftheU.S.healthcare
industry.Noncompliancebyorganizationscanfacestifffinesandpenalties.RecentguidanceissuedbyNISTandsupportof
professionalassociationssuchasISSA,IIA,ISACA,andAssociationofHealthInternalAuditorshavehelpedtomakeinternal
controlimprovementstothisarea.
Security,Privacy,andAudit
Insummary,itappearsthattraditionalaswellasnewsecuritymethodsandtechniquesaresimplynotworking.Althoughmany
productsarequiteefficientinsecuringthemajorityofattacksonanetwork,nosingleproductseemstobeabletoprotecta
systemfromeverypossibleintruder.Currentsecuritylegislation,althoughaddressingtheissuesofunwantedentryintoa
network,mayalsoallowforwaysbywhichsomecriminalscanescapethemostseverepenaltiesforviolatingauthorizedaccess
toacomputersystem.Moreover,somelegislation,ineffect,doesnotrequireperiodicreview,thusallowingforvariouspolicies
andprocedurestogetoutdated.Thecomputernetworkingindustryiscontinuallychanging.Becauseofthis,laws,policies,
procedures,andguidelinesmustconstantlychangewithitotherwise,theywillhaveatendencytobecomeoutdated,ineffective,
andobsolete.
Onthesubjectofprivacy,ithasbeenseenthatintheonlineworld,privateinformationcanbeaccessedbycriminals.Someof
thelegislationpassedinrecentyearsdoesprotecttheuseragainstinvasionofprivacy.However,someofthelawsobserved
containfartoomanyexceptionsandexclusionstothepointthattheirefficacysuffers.Inaddition,thegovernmentcontinuesto
utilizestateofthearttechniquesforthepurposeofaccessinginformationforthesakeof"nationalsecurity"justifiedcurrently
undertheHomelandSecurityAct.Newbillsandlegislationcontinuetoattempttofindaresolutiontotheseproblems,butnew
guidelines,policies,andproceduresneedtobeestablished,andlawsneedtobeenforcedtotheirfullextentifcitizensareto
enjoytheirrighttoprivacyasguaranteedundertheconstitution.
Thus,ifsecurityproductsarenotsafefromeveryattack,andifcurrentlawsmaynotalwaysbeefficientinaddressingthe
problemcorrectly,isthereanythingausermightbeabletodo?Althoughthereisnothingatthistimethatwillguaranteea
system'ssecurity,agoodstartingpointmightbetheestablishmentandimplementationofagoodcomputersecuritypolicy.A
goodpolicycaninclude
Specifyingrequiredsecurityfeatures
Defining"reasonableexpectations"ofprivacyregardingsuchissuesasmonitoringpeople'sactivities
Definingaccessrightsandprivilegesandprotectingassetsfromlosses,disclosures,ordamagesbyspecifying
acceptableuseguidelinesforusersandalso,providingguidelinesforexternalcommunications(networks)
Definingresponsibilitiesofallusers
Establishingtrustthroughaneffectivepasswordpolicy
Specifyingrecoveryprocedures
Requiringviolationstoberecorded
Providinguserswithsupportinformation
Agoodcomputersecuritypolicywilldifferforeachorganization,corporation,orindividualdependingonsecurityneeds,although
suchapolicywillnotguaranteeasystem'ssecurityormakethenetworkcompletelysafefrompossibleattacksfrom
cyberspace.Withtheimplementationofsuchapolicy,helpedbygoodsecurityproductsandaplanforrecovery,perhapsthe
lossescanbetargetedforalevelthatisconsidered"acceptable"andtheleakingofprivateinformationcanbeminimized.
Conclusion
BecauseITandinformationsecurityareintegralpartsoftheIT'sinternalcontrols,wehavediscussedearliertheInternalControl
IntegratedFrameworkpublicationbyCOSOin1997,whichspecificallyincludesITcontrols.AlsoaddressedaretheIIA'sSAC
andISACA'sCoBiT,whicharebothdirectlyrelatedtotheframeworksidentifiedbyCOSOintheirreports.Thesearestandardsof
practice,mentionedearlier,tohelpguidebusinessinitsITstrategicplanningprocess.Thischapterhasprovidedguidanceand
examplesofhowcriticalthesecomponentsareinsettingthedirectionforwhatwillfollow.
Thecomputerischangingtheworld.Businessoperationsarealsochanging,sometimesveryrapidly,becauseofthefast
continuingimprovementoftechnology.EventssuchasSeptember11,2001,andfinancialupheavalsfromcorporatescandals
suchasEnronandGlobalCrossinghaveresultedinincreasedawareness.Yes,ITcontrolsareveryimportant.Today,peopleare
shoppingaroundathomethroughnetworks.Peopleuse"numbers"oraccountstobuywhattheywantviashoppingcomputers.
These"numbers"are"digitalmoney,"themoderncurrencyintheworld.Digitalmoneywillbringusbenefitsaswellasproblems.
Onemajorbenefitofdigitalmoneyisitsincreasedefficiency.However,itwillalsocreateanotherproblemforus."Security"is
perhapsthebiggestfactorforindividualsinterestedinmakingonlinepurchasesbyusingdigitalmoney.Also,itmustbe
rememberedthatvigilanceneedstobemaintainedoverthosewhousetheInternetforillegalactivities,includingthosewhoare
nowusingitforscams,crime,andcovertactivitiesthatcouldpotentiallycauselossoflifeandharmtoothers.ITcontroland
securityiseveryone'sbusiness.
Mostpeoplefeargivingtheircreditcardnumbers,phonenumbers,orotherpersonalinformationtostrangers.Theyareafraidthat
peoplewillbeabletousethesetoretrievetheirprivateorothervaluableinformationwithouttheirconsent.Withidentitytheftand
fraudontherise,muchcareisneededintheprotection,security,andcontrolofsuchinformation.Security,indeed,isthebiggest
riskinusingdigitalmoneyontheInternet.Besidestheproblemofsecurity,privacyisasignificantfactorinsomeelectronic
paymentsystems.Toencouragepeopletousedigitalmoney,theseelectronicpaymentsystemsshouldensurethatpersonaland
unrelatedinformationisnotunnecessarilydisclosed.
FortheITauditor,theneedforaudit,security,andcontrolwillbecriticalintheareasofITandwillbethechallengeofthis
millennium.Therearemanychallengesaheadeveryonemustworktogethertodesign,implement,andsafeguardtheintegration
ofthesetechnologiesintheworkplace.
AbouttheAuthor

FromInformationTechnologyControlandAudit,FourthEditionbySandraSenft,Frederick
Gallegos,andAleksandraDavisISBN9781439893203AuerbachPublications,2012.

Copyright20092014AuerbachPublications

http://www.ittoday.info/Articles/IT_Controls_and_Audit.htm

5/5