
IS Audit Training

Day 1 IS Audit Scope (General Control Review)


Objective
Getting familiar with Information System audit areas and associated
risk and controls

2006 Veda Praxis Control Advisory Page 2


Outline
IS Audit Scope
General Control Review
Application Control Review
IT General Controls vs. Application Controls



IS Audit Scope

Company Level Controls (Executive Management)
Company-level controls over the IT Control Environment set the tone for the organization.
Examples include:
o Operating Style
o Enterprise policies
o Governance
o Collaboration
o Information Sharing

Business Processes (Manufacturing, Finance, Logistic, etc.)

Application Controls
Controls embedded in business process applications, such as large ERP systems and smaller best-of-breed systems, are commonly referred to as application controls.
Examples include:
o Completeness
o Accuracy
o Validity
o Authorization
o Segregation of Duties

General Controls (IT Services: OS/Data/Telecom/Networks/Continuity)
Controls embedded in IT Services form General Controls.
Examples include:
o Program Development
o Program Changes
o Computer Operations
o Access to Programs and Data



General Controls Review
Planning and Organization
Change Management
Logical Access Controls
Physical Access and Environmental Controls
Backup, Recovery and Continuity



General Controls Review

Definition
Assessment of the risks related to the IT organization, security,
acquisition, development and maintenance, and computer operations.

Objectives
To provide a comprehensive framework of internal controls for IT
activities and to provide a certain level of assurance that the
overall internal control objectives can be achieved.

According to Indonesian Auditing Standards (PSA No. 60 / SA Seksi 314)



Planning and Organization

Definition
Planning and Organizational controls ensure the alignment of IT facilities
with the business needs and the proper management of these facilities.

Key risks
o IT does not support business needs
o Loss of efficiency, untimely problem solving, unsatisfied staff, no improvements
o Unwanted combination of functions
o Untimely management reporting
o High dependence on one/few persons

Key controls
o Planning and budgeting
o Quality and quantity of staff
o Segregation of duties or close supervision
o Efficient use of IT
o Procedures and documentation



Emerging issues
Position of IT department in organization
Alignment of IT plan with Business plan
Centralization or decentralization of tasks
Cost center, Profit center, Investment center and Hybrid center
Policies and Procedures
IT Outsourcing



Type of IT Plan
Strategic Plan (3-5 years)
o Current information assessment
o Strategic directions
o Development strategy

Operational Plan (1-3 years)
o Progress reports
o Initiative to be undertaken
o Implementation schedule



IT Plan Review
Auditors evaluate whether top management has formulated a high-quality
information systems plan appropriate to the needs of their organization.

Examples of risks caused by poor planning: declining efficiency and
effectiveness of IT functions, insufficient resources to provide the
required IT functions / availability, going concern issues and lack of
competitive advantages.



Change Management

Definition
Change management procedures ensure that changes in the IT hardware and
software do not negatively affect the general and application controls.

Key risks
o Loss of effectiveness of IT controls
o Loss of valuable hardware during changes
o IT no longer meets the business needs

Key controls
o Use of development and programming standards
o Proper testing by the users
o Up-to-date hardware and software documentation
o User involvement in initiating and approving changes



Software Change Process

Development
o Read, write and delete access rights for developers

Test and acceptance
o Use access rights for developers and users

Production
o Use access rights for users

Software library
o Read access for librarian


Emerging Issues
Unauthorized changes may lead to fraud
Data conversion on new system implementation
How was control exercised over test data and the acceptance testing
process?
Was the test plan sufficient?



Logical Access Controls

Definition
Logical Access Security covers the controls to restrict access
to information systems and data to authorized users.

Key risks
o Potential for fraud and misuse of systems and data
o Loss of information confidentiality

Key controls
o Up-to-date user access list
o Use of unique user-id and password
o Periodic review of list by management
o Regular change of passwords
o Clean desk
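Three of the key controls above (an up-to-date access list, unique user-ids, and regular password changes) can be tested by reconciling the system's account list with the HR roster and checking dates. The script below is an added example and not part of the training material; the accounts, employee numbers, dates and the 90-day password and 60-day dormancy thresholds are constructed assumptions for illustration.

```python
"""Periodic user access review: flag accounts that are not attributable to one
person, whose owner has left, that are dormant, or whose password is stale.
Added example; all data and policy thresholds are constructed assumptions."""

from datetime import date

PASSWORD_MAX_AGE_DAYS = 90   # assumed password change policy
DORMANT_DAYS = 60            # assumed threshold for an unused account


def review_access(accounts, hr_roster, today,
                  max_pw_age=PASSWORD_MAX_AGE_DAYS, dormant_days=DORMANT_DAYS):
    """accounts: list of dicts with user_id, owner (employee id or None for a
    generic/shared ID), last_login (date or None), pw_changed (date).
    hr_roster: set of employee ids that HR reports as active.
    Returns {user_id: [issue, ...]} for accounts with at least one issue."""
    report = {}
    for acc in accounts:
        issues = []
        if acc["owner"] is None:
            issues.append("generic or shared ID, no single accountable owner")
        elif acc["owner"] not in hr_roster:
            issues.append("owner not on active HR roster")
        if acc["last_login"] is None:
            issues.append("never logged in")
        elif (today - acc["last_login"]).days > dormant_days:
            issues.append(f"dormant for more than {dormant_days} days")
        if (today - acc["pw_changed"]).days > max_pw_age:
            issues.append(f"password older than {max_pw_age} days")
        if issues:
            report[acc["user_id"]] = issues
    return report


# Constructed sample: one clean account and three with problems.
SAMPLE_ACCOUNTS = [
    {"user_id": "jsmith", "owner": "E100",
     "last_login": date(2006, 3, 1), "pw_changed": date(2006, 2, 10)},
    {"user_id": "tleaver", "owner": "E200",          # E200 has left the company
     "last_login": date(2005, 11, 2), "pw_changed": date(2005, 9, 1)},
    {"user_id": "ops_shared", "owner": None,         # shared operations login
     "last_login": date(2006, 3, 5), "pw_changed": date(2006, 1, 1)},
    {"user_id": "admin2", "owner": "E100",           # created but never used
     "last_login": None, "pw_changed": date(2006, 3, 1)},
]
SAMPLE_ROSTER = {"E100", "E300"}
REVIEW_DATE = date(2006, 3, 10)


def sample_report():
    """Run the review over the constructed sample."""
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for user_id, issues in sample_report().items():
        print(user_id + ": " + "; ".join(issues))
```

The output is the list management would sign off on during the periodic review: each flagged account needs either a documented business reason or removal. The HR roster comparison is what keeps the access list "up to date" in practice, because leavers are rarely reported to IT on their own.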



Logical Security Review: Pieces of a Process

User ID Maintenance
o Maintenance Procedures
o Monitoring

Logical Security System Configurations
o Groups & Profiles
o System Settings
o Super Users
o Configurations
o Password Settings
o Segregation of Duties
o Logical Security Path

Policies
o Security Policy
o Confidentiality Policy
o Data Definition Policy
o Policy Awareness Programs
o Etc.



Emerging Issues
Information Security
Information Security policies and procedures enforcement
Outsourcing (Vendor Audit)
Rapid technology changes
BS7799/ISO17799
Hackers



Physical Access and Environmental Controls

Definition
Physical security of computer hardware covers all controls to prevent
damage to or loss of valuable assets and data on systems.

Key risks
o Loss of valuable hardware
o Tampering or damage to hardware
o Damage by external influences (fire, water)
o Disturbances caused by power fluctuations

Key controls
o Locked and dedicated computer room
o Availability of back-up power supply
o Fire and water detectors
o No potentially dangerous situations (sprinklers, computer room
  on ground floor, etc.)



Controls mitigating the threats
Fire; smoke and fire detectors, reliable fire-extinguishing tools
Water; water detectors, facilities must be designed and sited to mitigate losses
from water damage
Energy variations; voltage regulators, circuit breakers and UPS
Structural Damage; facilities must be designed to withstand structural damage
Pollution; regular cleaning of facilities and equipment should occur



Controls mitigating the threats (contd)
Viruses and worms; up-to-date virus scanning software, preventing the use of
virus-infected programs, and closing security loopholes that allow worms to propagate.
Theft; labeling and locking.



Emerging Issues
Co-location/sharing
Outsourcing
Demonstration/riot
Viruses/worms



Backup, Recovery and Continuity

Definition
Backup controls and business continuity planning cover all procedures
to ensure the availability of computer systems and data.

Key risks
o Data cannot be recovered (in time) after system failure
o Backup tapes are damaged or lost or cannot be used
o Loss of valuable business information
o Business cannot be continued after disaster (fire, etc.)

Key controls
o Regular backups, preferably daily
o Safe storage of tapes, preferably in a fireproof vault and externally
o Periodic testing of restores from backup tapes
o Preparation of a Business Continuity Plan (not limited to IT!)
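The two controls an auditor most often finds missing here are the restore test and the evidence that backups actually ran on schedule. The following added example (not part of the training material) shows what a restore test can check: a hash manifest recorded when the backup was taken is compared with the restored copy, so a damaged or missing file is reported rather than discovered on the day of a disaster. The file names, contents and the one-day backup interval are constructed assumptions, and the "restore" is simulated with a local directory copy.

```python
"""Restore test: compare a restored copy against the manifest recorded at
backup time, and check that the last backup is not older than the policy
allows. Added example; data and thresholds are constructed."""

import hashlib
import os
import shutil
import tempfile
from datetime import date


def manifest(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def verify_restore(expected, restored_root):
    """expected: manifest captured when the backup was taken.
    Returns missing, corrupt (hash differs) and extra files, plus an overall verdict."""
    actual = manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    extra = sorted(set(actual) - set(expected))
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "ok": not (missing or corrupt)}


def backup_overdue(last_backup, today, max_gap_days=1):
    """True if the gap since the last backup exceeds the (assumed daily) policy."""
    return (today - last_backup).days > max_gap_days


def demo_restore_test():
    """Constructed scenario: write sample data, record its manifest, 'restore'
    a copy in which one file is damaged and one is missing, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        os.makedirs(os.path.join(src, "ledger"))
        sample_files = {                       # constructed sample content
            os.path.join("ledger", "gl.csv"): b"acct,amount\n1000,12.50\n",
            "config.ini": b"[db]\nhost=dbserver\n",
            "notes.txt": b"quarter-end checklist\n",
        }
        for rel, data in sample_files.items():
            with open(os.path.join(src, rel), "wb") as fh:
                fh.write(data)
        expected = manifest(src)               # recorded at backup time

        restored = os.path.join(tmp, "restored")
        shutil.copytree(src, restored)         # stands in for the tape restore
        with open(os.path.join(restored, "ledger", "gl.csv"), "ab") as fh:
            fh.write(b"\x00\x00")              # simulate a damaged block
        os.remove(os.path.join(restored, "notes.txt"))   # simulate a lost file
        return verify_restore(expected, restored)


if __name__ == "__main__":
    result = demo_restore_test()
    print("restore ok:", result["ok"])
    print("missing:", result["missing"], "corrupt:", result["corrupt"])
    print("backup overdue:", backup_overdue(date(2006, 3, 8), date(2006, 3, 10)))
```

The manifest is the piece that makes the test meaningful: without a record of what was backed up, a restore that silently drops or truncates files looks successful. Keeping the manifest with the offsite copy also gives the auditor independent evidence of what a given tape should contain.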



Backup strategy for the critical IT resources
Personnel;
o Training and rotation of duties among information systems staff so they can
take the place of others. Arrangements with another company for provision of
staff
Hardware;
o Arrangements with another company for provision of hardware
Facilities;
o Arrangements with another company for provision of facilities
Documentation;
o Inventory of documentation stored securely on site and offsite



Backup strategy for the critical IT resources (contd)
Supplies;
o Inventory of critical supplies stored securely on site and off site
Data / Information;
o Inventory of files stored securely on site and off site
Applications software;
o Inventory of application software stored securely on site and off site
System Software;
o Inventory of systems software stored securely on site and off site



BCP
A Process which ...
o Safeguards vital corporate assets
o Ensures continued availability of Critical Services
o Minimizes the effect of a disaster
o Considers the entire business including IT



DRP
The IT Disaster Recovery Plan forms one part of the overall BCP.
It focuses on how to recover IT services as soon as possible.



Emerging Issues
Available resources
On-site vs. off-site contingency planning
Hot- or cold standby
Outsourcing
Insurances
Organized crime



Data back-up lost
January 2006 - A computer tape from a Connecticut bank containing
personal data on 90,000 customers was lost in transit.
January 2006 - Loss of a computer backup tape from Bank of
America Corp. containing information on 1.2 million customers.
May 2005 - Citigroup admitted that a backup tape containing
personal information on almost 4 million customers in the US had
gone missing.
July 2005 - City National Bank disclosed that two tapes
containing customer data, including Social Security and account
numbers, were lost in April during transport to a secure storage
facility.
