Information System Auditing: Yu Xiaobing (余小兵) CISA

Information System Auditing

Yu Xiaobing(余小兵) CISA

Nanjing Audit University


Unit 2 – IT Controls



Unit 2 - Agenda
• IT controls definition and objectives

• Classifications of IT controls

• Roles and responsibilities related to IT controls

• Risk management and control

• IT control framework – COBIT



Knowledge Quiz
1. What is control?
2. What is IT control?
3. Give some examples of IT controls



IT responsibilities within the
organization
Information systems are closely knit with what, when
and how a company renders its services. Efficiency,
accuracy, confidentiality, integrity, control and
timeliness depend on information systems more than
ever, and that dependence keeps increasing.



IT responsibilities within the
organization
IT systems are the primary artery that allows information
to be shared and used, directly or via interfaces, among
HR, finance, payroll, legal, public and investor relations,
credit, collections, accounts payable, accounts receivable,
general ledger, manufacturing, distribution, record
retention, fulfillment, project management, physical and
logical security, inventory, portals, intranet, extranet,
trading partners, business continuity, disaster recovery,
external banks, pensions, 401K, stock options, firewalls,
IDS, anti-virus, VPN, telecom, database farms, TMS, data
warehouses and many more.
IT responsibilities within the
organization
• Primary artery of the business units and their support
organizations
• Primary control points for business activities: audit
trails, historic records of transactions, backups,
access and access privileges, segregation of duties,
physical and logical security, built-in monitoring and
notifications, and what, why, when, where and how
business transactions are recorded and stored, and
for how long
• Basis of business decisions: business decisions are
made and approved or rejected based on the
information produced by information systems.
Manage Risks
 Inadequate protection of assets (both physical and information)
 Interruption of the business activities and cycles
 Loss of revenue
 Loss of productivity
 Loss of privacy, confidentiality
 Loss of competitive edge
 Lack of data integrity
 Loss of company reputation
 Non-compliance with regulatory or legal requirements
 Inaccurate reporting
 No audit trails
 Business decisions made based on incorrect/inaccurate
information – the sin of all sins



Mitigate Security Risks
• 70% of IT risks are related to security risks
• You can NOT eliminate risks; you minimize them (with
cost in mind)
• Physical security – check for the absence or inadequacy
of: a security policy, fire alarms, fire extinguishers
(including expired ones), sign-in and sign-out control,
a raised floor in the data center, environmental
controls, power balancing, an auxiliary power unit (APU,
generator), an emergency power unit (batteries), the
locations of the primary and secondary data centers,
data media, and the location of media storage and its
policy.



Mitigate Security Risks
• Logical security – security policy, access to application
programs and the privileges granted, procedures for
entering information, distribution of paper and
electronic output, periodic review/monitoring by
management, application platforms and their OS,
outdated or unsupported platforms and technologies
selected and used.
• Policies – passwords; creation, approval and removal
of user accounts; the logon process; idle/inactive
users; generic (shared) system accounts.
Risk Management
[Diagram: the risk management cycle: Identify, Assess, Measure, Respond, Manage Risk]



Risk Management and Control
[Diagram: the risk management cycle (Identify, Assess, Measure, Respond, Manage Risk) with the four risk responses: Mitigate, Avoid, Share, Ignore]



• Avoid
The organization can give up some business, or give up
some IT, so that the related risks are avoided; this is a
negative (passive) way of responding.



• Share
Risk sharing, or risk transfer, means the company
transfers the risk to another company or partner. For
example, a company can buy insurance, and the risk is
transferred to the insurance company; or a company can
sign a contract with a software developer, and the
application risks are transferred to the developer. Note
that what is transferred is (part of) the financial
impact; accountability for the outcome stays with the
company.
• Ignore
When the company judges that the risk is relatively
small, or does not affect its business objectives, it can
ignore the risk, i.e. accept it. Acceptance should still be
a documented, approved decision, not a default.



Risk Management and Control
[Diagram: the risk management cycle (Identify, Assess, Measure, Respond, Manage Risk) with the responses Mitigate, Avoid, Share, Ignore, and the added step Evaluate Controls]



Control Definition
Control - Any action taken by management, the
board, and other parties to manage risk and
increase the likelihood that established objectives
and goals will be achieved. Management plans,
organizes, and directs the performance of
sufficient actions to provide reasonable
assurance that objectives and goals will be
achieved.



IT Controls Definition

• IT control is a process that provides assurance for
information and information services, and helps to
mitigate risks associated with the use of technology.

• Two components
– Automation of business controls (Application
Controls)
– Control of IT (General Controls)
IT Controls Definition

• Two Key Concepts
– Assurance must be provided by the IT controls within
the whole system of internal control; it must be
continuous and must produce a reliable and
continuous trail of evidence.
– The auditor's assurance is an independent and
objective assessment of that first assurance.



IT Control Objectives

• Availability
• Integrity
• Confidentiality
• Effectiveness
• Efficiency
• Reliability
• Compliance



Control Classifications



Control Classifications
• Classification
– General Controls
– Application Controls

• Classification
– Preventive
– Detective
– Corrective

• Classification
– Governance controls
– Management controls
– Technical controls



General controls
• General controls (also known as
infrastructure controls) apply to all systems
components, processes, and data for a given
organization or systems environment. General
controls include, but are not limited to:
– logical access
– change management
– systems development and acquisition
– physical access
– data backup and recovery.
Application controls
• Application controls pertain to the scope of
individual business processes or application
systems. They include controls such as:
– data edits
– transaction logging
– error reporting
– input controls
– processing controls
– output controls
– data integrity
– audit trail
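The input, processing, output and audit-trail controls listed above, shown together in one added Python example (not code from the original slides): a batch of payment records is run through programmed edit checks, its batch control totals, including a hash total, are compared with the totals the submitter declared, rejected records are reported with their reasons, and every decision is written to a sequenced audit trail. The record layout, the batch header, the processing period and the sample records are constructed assumptions.

```python
"""Application controls over one batch of payment records.
Added example for this unit, not code from the original slides; the record
layout, batch header, processing period and sample data are assumptions."""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^\d{10}$")      # assumed 10-digit numeric account numbers
PERIOD_END = date(2024, 3, 31)            # assumed end of the processing period

# Control totals the submitting department declared for the batch it sent.
BATCH_HEADER = {"record_count": 4, "amount_total": "1000.00", "hash_total": 4000000010}

# The batch as received (constructed).  T002's account number differs from what
# was declared, T003 carries a negative amount and T004 an impossible date.
BATCH_RECORDS = [
    {"id": "T001", "account": "1000000001", "amount": "500.00", "date": "2024-03-01"},
    {"id": "T002", "account": "1000000020", "amount": "250.00", "date": "2024-03-01"},
    {"id": "T003", "account": "1000000003", "amount": "-100.00", "date": "2024-03-01"},
    {"id": "T004", "account": "1000000004", "amount": "150.00", "date": "2024-13-01"},
]


def edit_check(rec):
    """Programmed edit checks on one record (input control, preventive).
    Returns the list of errors; an empty list means the record is accepted."""
    errors = []
    if not ACCOUNT_RE.match(rec.get("account", "")):
        errors.append("account must be exactly 10 digits")
    try:
        amount = Decimal(rec.get("amount", ""))
    except InvalidOperation:
        errors.append("amount is not a number")
    else:
        if amount <= 0:
            errors.append("amount must be positive")
        if amount.as_tuple().exponent < -2:
            errors.append("amount has more than two decimal places")
    try:
        when = date.fromisoformat(rec.get("date", ""))
    except ValueError:
        errors.append("date is not a valid YYYY-MM-DD date")
    else:
        if when > PERIOD_END:
            errors.append("date is after the processing period")
    return errors


def control_totals(records):
    """Batch control totals (processing control, detective): record count,
    amount total and a hash total, the otherwise meaningless sum of the account
    numbers.  A substituted, dropped or duplicated record changes at least one."""
    count, amount_total, hash_total = 0, Decimal("0.00"), 0
    for rec in records:
        count += 1
        try:
            amount_total += Decimal(rec.get("amount", ""))
        except InvalidOperation:
            pass                      # reported separately by edit_check
        if rec.get("account", "").isdigit():
            hash_total += int(rec["account"])
    return {"record_count": count, "amount_total": str(amount_total), "hash_total": hash_total}


def process_batch(header, records):
    """Run the batch: verify control totals, edit-check each record, and keep a
    sequenced audit trail of every decision (output control)."""
    trail = []

    def log(event, **detail):
        trail.append({"seq": len(trail) + 1, "event": event, **detail})

    log("batch_received", declared=header)
    computed = control_totals(records)
    mismatches = [
        k for k in ("record_count", "amount_total", "hash_total")
        if Decimal(str(header[k])) != Decimal(str(computed[k]))
    ]
    if mismatches:
        log("control_totals_mismatch", computed=computed, fields=mismatches)
    accepted, rejected = [], {}
    for rec in records:
        errors = edit_check(rec)
        if errors:
            rejected[rec["id"]] = errors
            log("record_rejected", id=rec["id"], errors=errors)
        else:
            accepted.append(rec)
            log("record_accepted", id=rec["id"])
    log("batch_complete", accepted=len(accepted), rejected=len(rejected))
    return {"accepted": accepted, "rejected": rejected, "mismatches": mismatches,
            "audit_trail": trail}
```

Note that T002 passes every edit check: its substituted account number is only caught by the hash total, which is why batch totals are a detective control that edit checks cannot replace. In practice a batch with mismatched control totals would be held for the submitter rather than posted; the gap in sequence numbers of the audit trail would show if an entry were later removed.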
IT and Business
[Diagram: business processes (HR, IT support, Finance, R&D, Purchase, Production, Operation, Marketing, Sales, Services) run on applications (Application A, B, C), which run on the IT infrastructure (database, operating system, network/physical). IT general controls (systems development, change management, physical controls, service & support, backup & restore, ...) span the infrastructure; application controls (authorization, integrity, availability, confidentiality, segregation of duties) apply to each application.]



IT General Controls
• Systems Development
• Change Management
• Physical controls
• Service & Support
• Backup & Restore
• ……

Application Controls
• Authorization
• Integrity
• Availability
• Confidentiality
• Segregation of duties
• ……



Control Classifications
• Classification
– General Controls
– Application Controls

• Classification
– Preventive
– Detective
– Corrective

• Classification
– Governance controls
– Management controls
– Technical controls



Preventive controls
• Preventive controls prevent errors, omissions,
or security incidents from occurring.
• Examples:
– data-entry edits
– access controls
– antivirus software
– firewalls
– intrusion prevention systems



Control Classifications
Class: Preventive
Function:
• Detect problems before they arise.
• Monitor both operation and inputs.
• Attempt to predict potential problems before they occur and
make adjustments.
• Prevent an error, omission or malicious act from occurring.
Examples:
• Employ only qualified personnel.
• Segregate duties (deterrent factor).
• Control access to physical facilities.
• Use well-designed documents (to prevent errors).
• Establish suitable procedures for authorization of transactions.
• Complete programmed edit checks.
• Use access control software that allows only authorized
personnel to access sensitive files.
• Use encryption software to prevent unauthorized disclosure of
data.



Detective controls
• Detective controls detect errors or incidents
that elude preventive controls.
• For example, a detective control may identify:
– account numbers of inactive accounts, or accounts
that have been flagged for monitoring of suspicious
activity
– through monitoring and analysis, activity that exceeds
authorized limits or breaks known patterns in the data
– through account flagging, use of accounts marked for review
– for sensitive communications, that a message has been
corrupted or the sender's identity cannot be authenticated



Control Classifications
Class: Detective
Function:
• Use controls that detect and report the occurrence of an error,
omission or malicious act.
Examples:
• Hash totals
• Checkpoints in production jobs
• Echo controls in telecommunications
• Error messages over tape labels
• Duplicate checking of calculations
• Periodic performance reporting with variances
• Past-due account reports
• Internal audit functions
• Review of activity logs to detect unauthorized access attempts


Corrective controls
• Corrective controls correct errors, omissions,
or incidents once they have been detected.

• Examples:
– correction of data-entry errors
– removing unauthorized users
– recovery from incidents, disruptions, or disasters



Control Classifications
Class: Corrective
Function:
• Minimize the impact of a threat.
• Remedy problems discovered by detective controls.
• Identify the cause of a problem.
• Correct errors arising from a problem.
• Modify the processing system(s) to minimize future occurrences
of the problem.
Examples:
• Contingency planning
• Backup procedures
• Rerun procedures



Control Classifications
• Classification
– General Controls
– Application Controls

• Classification
– Preventive
– Detective
– Corrective

• Classification
– Governance controls
– Management controls
– Technical controls



Governance Controls
• Governance Controls
The primary responsibility for internal control resides
with the board of directors in its role as keeper of the
governance framework.

IT control at the governance level involves:
– ensuring that effective information management and
security principles, policies, and processes are in place
– ensuring that performance and compliance metrics
demonstrate ongoing support for that framework.



Management Controls

• Management responsibility for internal controls
typically involves reaching into all areas of the
organization, with special attention to critical
assets, sensitive information, and operational
functions.



Management Controls
• Management must make sure the IT controls
needed to achieve the organization’s established
objectives are applied and ensure reliable and
continuous processing. These controls are
deployed as a result of deliberate actions by
management to:
– Recognize risks to the organization, its processes, and
assets.
– Enact mechanisms and processes to mitigate and
manage risks (protect, monitor, and measure results).



Technical Controls
• Technical controls form the foundation that
ensures the reliability of virtually every other
control in the organization.
• For example:
– by protecting against unauthorized access and intrusion,
they provide the basis for reliance on the integrity of
information — including evidence of all changes and
their authenticity.



Control Classifications
By understanding these classifications,
the control analyst and auditor are
better able to establish their position in
the control framework and answer key
questions such as:
• Are the detective controls
adequate to identify errors that
get past the preventive controls?
• Are corrective controls sufficient
to fix the errors once detected?



Roles and Responsibilities
• Board of Directors /Governing Body
• Management – define, approve and implement IT controls, or
understand the use of IT controls
– IT Operations
– IT Development
– IT Security
– Process Owners
• Auditors
– Internal Auditors: assurance
– External Auditors: periodic auditing



Roles and Responsibilities

• Board
One important role of the full board of
directors is to determine and approve
strategies, set objectives, and ensure the
objectives are being met to support the
strategies.



Roles and Responsibilities

• Audit Committee – treats IT controls as key
elements in its oversight of financial
issues, internal control assessment, risk
management, and ethics.



Roles and Responsibilities
• Management
Several specific roles have emerged in large
organizations in relation to IT risk and control.
They define, approve and implement IT controls, or
understand the use of IT controls:
– IT Operations
– IT Development
– IT Security
– Process Owners



Risk Management and Control
[Diagram: the risk management cycle (Identify, Assess, Measure, Respond, Manage Risk) with the responses Mitigate, Avoid, Share, Ignore, and the step Evaluate Controls]



Addressing Risks through
Internal Control
The COSO study provided a uniform definition of control for an
organization:

Internal control is a process, effected by an entity's board of
directors, management, and other personnel, designed to
provide reasonable assurance regarding the achievement of
objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Safeguarding of assets



Group Exercise
Identifying IT Controls

• Work within your groups to identify IT controls that
are present in your organization and arrange them in
the classifications of IT general controls and
application controls, and preventive, detective and
corrective controls. Refer to the definitions of these
categories discussed earlier in this unit. List controls
that you believe should be in place to manage the
risks you identified in the previous exercise.

40 minutes
Reference

• IIA GTAG 1 – Information Technology Controls
• ISACA COBIT 5 Framework
• ISACA COBIT 2019

