Professional Documents
Culture Documents
CIS Modules 1-7 - Gachalian
CIS Modules 1-7 - Gachalian
Technology
Environment
and IT Audit
AUDCIS Module 1
Discuss how technology is constantly evolving and shaping today's
business (IT) environments.
• Refers to the use of the Internet (versus one’s computer’s hard drive) to store
and access data and programs
• Model for enabling ubiquitous, convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction
• Considered one of the key trends driving business strategy
• Example of cloud service providers include Microsoft Azure, Amazon Web
Services, Google Cloud Platform, Alibaba Cloud and Digital Ocean.
Concerns with Cloud Computing
Integrate
IT with
Business
Strategies
Capitalize on Get most
technologies value out of
available information
IT Auditing
Information Systems (IS) vs
Information Technology (IT)
• IS components
• People
• Process
• Information Technology
Partner of Senior
Counselor Investigator
Management
• Provision of • Understanding • Ability to capture
guidance organization and document
• Development of requirements computer-generated
information security • Independent information
policy assessment of the • Awareness and use
• Major contribution to effect of IT decisions of CAATs
computer system • Supplying insights to
control computer forensics
IT Auditor Profession
Discuss IT crimes and explain the three main categories of crimes involving computers.
Define cyber attack, and illustrate recent major cyber attacks conducted in the U.S. and the Philippines.
Describe and discuss ethical issues and code of ethics relevant to IT auditors.
IT Crimes and Cyberattacks
• Business e-mail compromise (BEC). Sophisticated scam targeting business working with foreign suppliers
and/or business who regularly perform wire transfer payments.
• Ransomware. A form of malware targeting both human and technical weaknesses in an effort to deny the
availability of critical data and/or systems.
• Tech Support Fraud
• Auto Fraud. Typical automobile fraud scam involves selling a consumer an automobile (listed on a legitimate
Website) with a price significantly below its fair market value. The seller (fraudster) tries to rush the sale by
stating that he/she must sell immediately due to relocation, family issues, need of cash or other personal
reasons. The seller does not allow inspecting the automobile nor meet with the consumer face-to-face. The
seller then asks the consumer to wire payment to a third-party agent, and to fax the payment receipt back to
him or her as proof of payment. The seller keeps the money and never gets to deliver the automobile.
IT Crimes and Cyberattacks
• Government Impersonation E-mail Scam. This type of Internet crime involves posing as government, law
enforcement officials, or simply someone pretending to have certain level of authority in order to persuade unaware
victims to provide their personal information.
• Intimidation/Extortion Scam. This type of crime utilizes demands for money, property, assets, etc. through undue
exercise of authority (i.e., threats of physical harm, criminal prosecution, or public exposure) in order to extort and
intimidate.
• Real Estate Fraud. Similar to Auto Fraud. The seller (fraudster) tries to rush the sale of a house (with a price
significantly below its market rental rates) by stating that he/she must sell immediately due to relocation, new
employment, family issues, need of cash, or other personal reasons. Such significant price reduction is used to
attract potential victims. The seller will then ask the consumer to provide personal identifying information and to wire
payment to a third-party. Upon receiving payment, the seller is never found.
• Confidence Fraud/Romance Scam. This type of crime refers to schemes designed to look for companionship,
friendship, or romance via online resources.
IT Crimes and Cyberattacks
In the Philippines
• Online Libel
• Online Scam
• Photo and Video Voyeurism
• Computer-Related Identity Theft
• Threats
• System Interference or Hacking
• Unjust Vexation
• Illegal Access
• Robbery With Intimidation
• ATM or Credit Card Fraud
Main Categories of Crimes
Involving Computers
• In September 2016, the internet giant announced it had been the victim of the
biggest data breach in history. The company said the attack compromised the
real names, email addresses, dates of birth and telephone numbers of 500
million users. Then a couple of months later, it revealed a different group of
hackers compromised 1 billion accounts. Yahoo, then a publicly traded
company, was acquired by Verizon in 2017 for a little over $4 billion.
• Marriott – Starwood Hotels. On November 30, 2018, the hotel empire revealed
a security breach with its Starwood Hotel brands that may have compromised
the data of as many as 500 million guests.
Cyberattacks
• Adult Friend Finder. In October 2016, the website said hackers were able to
gain access to more than 20 years of data on its six databases that included
names, email addresses and passwords.
• Under Amour – MyFitnessPal. In February 2018, the sports apparel brand
Under Armour disclosed that a hacker gained the access of email addresses
and login information to 150 million users of its food and nutrition website,
MyFitnessPal.
• eBay. In May 2014, eBay announced that hackers got into the company
network using the credentials of three corporate employees and had complete
inside access for 229 days, during which time they were able to collect
personal information of all of its 145 million users.
Cyberattacks
• Equifax. In September 2017, one of the largest credit bureaus in the U.S. revealed personal information,
including Social Security numbers, birth dates, addresses, and in some cases drivers’ license numbers were
compromised. In 2020, four Chinese military hackers have been charged with breaking into the computer
networks of the Equifax credit reporting agency and stealing the personal information of tens of millions of
Americans, the Justice Department announced.
• Heartland Payment Systems. In January 2009, Heartland Payment Systems, the sixth-largest payments
processor in the U.S., announced that its processing systems were breached in 2008, exposing more than
134 of customers’ credit card numbers and more than 650 financial services companies.
• Target. In 2013, the retail giant was attacked days before Thanksgiving when hackers gained access
through a third-party HVAC vender to its point-of-sale (POS) payment card readers, which in return collected
data of up to 110 million customers.
Cyberattacks
• Philippines Commission on Elections. In April 2016, after a message was posted on the COMELEC
website by hackers from Anonymous, warning the government not to mess with the elections, the
entire database was stolen and posted online. A total of 55 million records were stolen.
• Bangladesh Central Bank. The Bangladesh Bank robbery, also known colloquially as the Bangladesh
Bank cyber heist, took place in February 2016, when thirty-five fraudulent instructions were issued by
security hackers via the SWIFT network to illegally transfer close to US$ 1 billion from the Federal
Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh.
Five of the thirty-five fraudulent instructions were successful in transferring US$ 101 million, with US$
20 million traced to Sri Lanka and US$ 81 million to the Philippines.
• United Coconut Planters Bank (UCPB). In September 2020, Nigerian hackers were able to steal P167
million from thee bank. Hackers were able to steal through malware, which gave them remote access
functions and allowed them to send and receive cash online.
Legislation
Related to
Information
Technology
Sarbanes-Oxley Act of 2002
• A law the U.S. Congress passed on July 30 of that year to help protect
investors from fraudulent financial reporting by corporations.1
• Also known as the SOX Act of 2002 and the Corporate Responsibility Act of
2002, it mandated strict reforms to existing securities regulations and imposed
tough new penalties on lawbreakers.
• The act created strict new rules for accountants, auditors, and corporate
officers and imposed more stringent recordkeeping requirements.
• The act took its name from its two sponsors—Sen. Paul S. Sarbanes (D-Md.)
and Rep. Michael G. Oxley (R-Ohio).
Understanding SOX
Accounting New
regulation protections
Increased
criminal
punishment
Corporate
responsibility
Major Provisions
• mandates that senior • requires that management • contains the three rules that
corporate officers personally and auditors establish affect recordkeeping.
certify in writing that the internal controls and • destruction and
company's financial reporting methods to ensure falsification of records
statements "comply with the adequacy of those • strictly defines the
SEC disclosure controls. retention period for storing
requirements and fairly records
present in all material
• outlines the specific
aspects the operations and
business records that
financial condition of the
companies need to store,
issuer."
which includes electronic
communications
US Security Legislation
Computer Fraud and Abuse Act of 1984
• The purpose was to prevent terrorist attacks within the United States and to reduce the
vulnerability of the United States to terrorism. It plays a major role in the security of
cyberspace because it enforces many limitations and restrictions to users of the
Internet. For example, one goal of the Act is to establish an Internet-based system that
will only allow authorized persons the access to certain information or services. Owing
to this restriction, the chances for vulnerability and attacks may decrease.
• The impact of this Act will contribute to the security of cyberspace because its primary
function is to protect the people of the United States from any form of attack, including
Internet attacks. The passage of the Homeland Security Act of 2002 and the inclusion
of the Cyber Security Enhancement Act (CSEA) within that Act makes the need to be
aware and practice cybersecurity everyone’s business.
US Security Legislation
Payment Card Industry Data Security Standards of 2004
• In addition to the basic right to privacy that an individual is entitled to under the
U.S. Constitution, the government also enacted the Privacy Act of 1974. The
purpose of this is to provide certain safeguards to an individual against an
invasion of personal privacy. This act places certain requirements on federal
agencies, such as permitting individuals to*:
• determine what personal records are collected and maintained by federal agencies
• prevent personal records that were obtained for a particular purpose from being used
or made available for another purpose without consent
• gain access to their personal information in federal agency records and to correct or
amend them
Privacy Legislation
Electronic Communications Privacy Act of 1986
• The Communication Decency Act (CDA) of 1996 bans the making of “indecent” or
“patently offensive” material available to minors through computer networks. The Act
imposes a fine of up to $250,000 and imprisonment for up to 2 years. The CDA does
specifically exempt from liability any person who provides access or connection to or
form a facility, system, or network that is not under the control of the person violating
the Act.
• The CDA also states that an employer shall not be held liable for the actions of an
employee unless the employee’s conduct is within the scope of his or her employment.
More recent application of this law has been used to protect minor’s use of social
networks and falling prey to predators/stalkers.
Privacy Legislation
Health Insurance Portability and Accountability Act of 1996
• First ever federal privacy standards to protect patients’ medical records and
other health information provided to health plans, doctors, hospitals, and other
healthcare providers took effect on April 14, 2003. Developed by the
Department of Health and Human Services, these new standards provide
patients with access to their medical records and more control over how their
personal health information is used and disclosed. They represent a uniform,
federal floor of privacy protections for consumers across the country. State
laws providing additional protections to consumers are not affected by this new
rule.
Privacy Legislation
The Health Information Technology for
Economic and Clinical Health of 2009
• The purpose of the USA PATRIOT Act of 2001 is to deter and punish terrorist acts in
the United States and around the world, to enhance law enforcement investigatory
tools, and other purposes, some of which include:
• To strengthen U.S. measures to prevent, detect, and prosecute international money laundering
and financing of terrorism
• To subject to special scrutiny foreign jurisdictions, foreign financial institutions, and classes of
international transactions or types of accounts that are susceptible to criminal abuse
• To require all appropriate elements of the financial services industry to report potential money
laundering
• To strengthen measures to prevent use of the U.S. financial system for personal gain by corrupt
foreign officials and facilitate repatriation of stolen assets to the citizens of countries to whom
such assets belong
International Privacy Laws
• The law recognizes the vital role of the youth in nation building and shall
promote and protect their physical, moral, spiritual, intellectual,
emotional, psychological and social well-being. The law discusses that
the State shall:
• Guarantee the fundamental rights of every child from all forms of
neglect, cruelty and other conditions prejudicial to his/her development;
• Protect every child from all forms of exploitation and abuse
Philippine Laws related to Cyber and InfoSec
Anti-Photo and Video Voyeurism Act of 2009
• Republic Act No. 10173, or the Data Privacy Act, protects individuals from unauthorized
processing of personal information that is (1) private, not publicly available; and (2)
identifiable, where the identity of the individual is apparent either through direct attribution
or when put together with other available information. This law entails:
• First, all personal information must be collected for reasons that are specified, legitimate, and
reasonable. In other words, customers must opt in for their data to be used for specific reasons that are
transparent and legal.
• Second, personal information must be handled properly. Information must be kept accurate and
relevant, used only for the stated purposes, and retained only for as long as reasonably needed.
Customers must be active in ensuring that other, unauthorized parties do not have access to their
customers’ information.
• Third, personal information must be discarded in a way that does not make it visible and accessible to
unauthorized third parties.
Philippine Laws related to Cyber and InfoSec
Cybercrime Prevention Act of 2012
• Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, was signed into
law by President Aquino on Sept. 12, 2012. Its original goal was to penalize acts like
cybersex, child pornography, identity theft and unsolicited electronic communication in
the country.
• RA 10175 punishes content-related offenses such as cybersex, child pornography and
libel which may be committed through a computer system. It also penalizes unsolicited
commercial communication or content that advertises or sells products or services.
• The law also penalizes offenses against the confidentiality, integrity and availability of
computer data and system, such as illegal access, illegal interference, data
interference, system interference, misuse of devices, and cybersquatting.
Philippine Laws related to Cyber and InfoSec
Department of Information and Communications Technology
Act of 2015
• Republic Act No. 10844, otherwise known as the “Department of Information and
Communications Technology Act of 2015”, which was signed into law on 23 May 2016.
• In accordance to the law, the Department of Information and Communications Technology
(DICT) shall be the primary policy, planning, coordinating, implementing, and administrative
entity of the Executive Branch of the government that will plan, develop, and promote the
national ICT development agenda.
• The DICT shall strengthen its efforts on the following focus areas:
• Policy and Planning
• Improved Public Access
• Resource-Sharing and Capacity-Building
• Consumer Protection and Industry Development
Code of
Ethics
Six Good Reasons to Develop
Code of Ethical Conduct
• Define acceptable behaviors for relevant parties;
• Promote high standards of practice throughout the
organization;
• Provide a benchmark for organizational members to use for
self-evaluation;
• Establish a framework for professional behavior, obligations,
and responsibilities;
• Offer a vehicle for occupational identity;
• Reflect a mark of occupational maturity.
ISACA Code of Ethics
• Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and
management of enterprise information systems and technology, including: audit, control, security and risk management.
• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
• Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their
profession or the Association.
• Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority.
Such information shall not be used for personal benefit or released to inappropriate parties.
• Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the
necessary skills, knowledge and competence.
• Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed,
may distort the reporting of the results.
• Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise
information systems and technology, including: audit, control, security and risk management.
Irregular and Illegal Acts
• Professionals should consider defining in the audit charter the responsibilities of management and IS audit
and assurance management with respect to preventing, detecting and reporting irregularities, so that these
are clearly understood for all audit work. Where these responsibilities are already documented in enterprise
policy or a similar document, the audit charter should include a statement to that effect.
• Professionals should understand that control mechanisms cannot completely eliminate the possibility of
irregularities or illegal acts occurring. Professionals are responsible for assessing the risk of irregularities or
illegal acts occurring, evaluating the impact of identified irregularities, and designing and performing tests
that are appropriate for the nature of the audit assignment.
• Professionals are not responsible for the prevention or detection of irregularities or illegal acts. An audit
engagement cannot guarantee that irregularities will be detected. Even when an audit is planned and
performed appropriately, irregularities could go undetected, e.g., if there is collusion between employees,
collusion between employees and outsiders, or management involvement in the irregularities. The aim is to
determine the control is in place, adequate, effective and complied with.
Irregular and Illegal Acts
Overview of IT Auditor’s Responsibilities
Objectives Define IT strategy and discuss the IT strategic plan, and its significance in
aligning business objectives with IT.
Describe the operational governance processes and how they control delivery
of IT projects, while aligning with business objectives.
provides the
structure to
achieve alignment
of the IT activities
and processes
with business
objectives
incorporate IT into
adequate
the enterprise risk
implementation of
IT Governance –
management
internal controls
program
Alignment of IT IT
with Business Governance
Objectives
make certain of
manage the
regulatory
performance of IT
compliance
ensure the
delivery of IT
value
IT
Governance
Frameworks
IT Governance Frameworks
ISO/IEC
ITIL COBIT
27002
ITIL
Continuous
Strategy Design Transition Operation
Improvement
Guidelines or
Guidelines or Best practice best practice
Aims at
best practice processes (or processes put in Constantly looks
managing
processes to requirements) place to maintain for ways to
change, risk, and
map the IT implemented to adequate and improve the
quality
strategy with guide toward a effective IT overall process
assurance during
overall business solution services once and service
the deployment
goals and designed to meet implemented into provision
of an IT service
objectives business needs the production
environment
ITIL
• Assist organizations to manage the security of assets, including, but not limited
to, financial information, intellectual property, employee details or information
entrusted by third parties.
• Purpose is to help organizations select proper security measures by utilizing
available domains of security controls. Each domain specifies control
objectives that provides further guidance on how organizations may attempt to
implement the framework.
• The ISO/IEC 27002 framework should be chosen when IT senior management
(i.e., CIO) targets an information security architecture that provides generic
security measures to comply with federal laws and regulations.
A Joint Framework
• ITIL, COBIT, and the ISO/IEC 27002 are all best-practice IT-related
frameworks to regulatory and corporate governance compliance.
• Challenge is to implement an integrated framework that draws on these
three standards.
• The Joint Framework, put together by the IT Governance Institute
(ITGI) and the OGC, is a significant step leading into such direction.
A Joint Framework
Area to be
measured
must help in
the
1 2 3 4 5 development
of metrics
Measures are
applied to
events and
Identify the critical Develop and Show the results Identify other areas Present results in a process,
metric set implement the initial that can be format that is easy to never to
measurements from measured and understand individuals
the critical metric set provide reports on
these areas
Effective Measures
Reliable and Valid
IT Balanced Scorecard
IT-Generated
Future
Business
Orientation
Value
Operation End-User
Efficiency and Service
Effectiveness Satisfaction
IT Generated Business Value
IT provides value through IT projects deliver business value IT services deliver value by being
delivering successful projects by automatic business processes available for the organization as
and keeping operations running needed
IT Generated Business Value
Sample Metrics
• There may be a perception that IT costs are growing without the recognition that business
costs should be dropping or revenue growing by a greater margin
• Metrics to measure business value may address the functions of the IT department, value
generated by IT projects, management of IT investments, sales made to outsiders or third
parties.
• These metrics may include:
• percentage of resources devoted to strategic projects
• perceived relationship between IT management and senior-level management
• computation of traditional financial evaluation methods (e.g., ROI, payback period)
• actual vs budgeted expenses
• percentages over/under overall IT budget
• revenues from IT-related services and/or products
Future Orientation
Staffing metrics by function (e.g., using utilization/billable ratios, voluntary turnover by performance
level, etc.).
Developing and approving an enterprise architecture plan, and adherence to its standards.
Conducting relevant research on newly-emerging technologies and their suitability for the organization.
Operational Efficiency and Effectiveness
• The end-user, for IT purposes, may be internal personnel or external (e.g., users accessing inter-
organizational IT systems or services, etc.). From an end-user’s perspective, the value of IT will be
based on whether their jobs are completed timely and accurately.
• A mission for this perspective would be to deliver value-adding products and services to end-users.
Related objectives would include maintaining acceptable levels of customer satisfaction, partnerships
between IT and business, application development performance, and service-level performance.
• Metrics used to measure the objectives should focus on three areas:
• being the preferred supplier for applications and operations
• establishing and maintaining relationship with the user community
• satisfying end-user needs
• It would be necessary for IT personnel to establish and maintain positive relationships with the user
community in order to understand and anticipate their needs.
Have both senior management and IT management on board from the
start; make them aware with the concept of the IBS.
IT Balanced Develop a preliminary IBS based on the defined objectives and goals of
the organization and the data outlined in the previous steps.
IT Steering
Reviewing Providing business Monitoring status,
Committee development and
implementation plans
decisions on major
design issues for all
schedule, and
milestones for all
Tasks for all major projects. major projects. major projects.
Monitoring business
benefits during and
after implementation
of major projects.
Communication
Financial management
• A demand management process can help ensure that resources are devoted to projects
that have a strong business case and also approved by senior management.
• The demand management process helps ensure that senior management is on board, and
has provided conceptual approval to the project to proceed through the initial requirements
definition and conceptual design phases of the development life cycle.
• A demand management process ensures that a project has business justification, a
business and IT sponsor, and a consistent approach for approving projects.
• A demand management process also ensures alignment of application and infrastructure
groups; that all project costs are identified to improve decision making; that there are
means to “weed out” nonessential projects; and that means are identified to control IT
capacity and spending.
Project Initiation
• Once a project with a strong business case has been approved, it should
undergo an initiation process that determines its total cost and benefit. This is
usually done by defining high-level business requirements and a conceptual
solution.
• Building a project estimate takes time and resources. It takes time from
business users to develop requirements and a business case. It also takes
time from software developers to develop a solution and cost estimates.
• After a project has conceptual approval, business users and software
programmers can work together to develop detailed requirements and project
estimates that will be used in the final business case and form the basis for the
project budget.
Technical Review
Alternative technologies
Technical Architecture
Review
Assessment In-house skill compatibility
Existing environments/replacements
• In the financial management governance process, potential investments, services, and asset
portfolios are evaluated so that they get incorporated in cost/benefit analyses and ultimately within the
budget. IT budgeting, for instance, considers existing IT products, resources, and services in order to
assist the planning of IT operations.
• Budgeting is a strategic planning tool (typically expressed in quantitative terms) which aids in the
monitoring of specific activities and events.
• Budgeting also provides forecasts and projections of income and expenses which are used
strategically for measuring financial activities and events.
• Budgets are useful to management when determining whether specific revenues/costs activities are
being controlled (i.e., revenues being higher than budget estimates or costs being lower than
estimated budget amounts).
• Budgets lead how organizations might perform financially, operationally, etc. should certain strategies
and/or events take place.
Conclusion
Access Control System’s security is Users possess privileges that are not User access privileges are
Management of Data are appropriately managed Financial reporting information and Backups are archived off-site to
Data Center, to provide reasonable assurance accounting data cannot be recovered minimize risk that data are lost
Network and that financial data remain in the event of system failure,
Support complete, accurate, and valid impacting the entity’s ability to report
throughout the update and financial information according to
storage process. established reporting requirements.
COBIT
4. 6. End-to-
2. Holistic Governance end
Approach Distinct from Governance
Management System
Risk
Assessment
Risk Assessment
• Foundation of the audit function
• improve the quality, quantity, and accessibility of planning
data, such as risk areas, past audits and results, and budget
information
• examine potential audit projects in the audit universe and
choose those that have the greatest risk exposure to be
performed first; and
• provide a framework for allocating audit resources to achieve
maximum benefits.
Effective Risk Assessment
1. Have a process in place to identify or characterize assets (e.g., financial applications, etc.).
2. Define vulnerabilities on those assets and the threat-sources that can trigger them.
3. Determine the likelihood or probability levels (e.g., very high, high, medium, etc.) that vulnerabilities may be
exercised. For example, probabilities of very high = 1.00, high = 0.75, medium = 0.50, low = 0.25, and very
low = 0.10 may be assigned for each vulnerability based on the organization’s estimate of their likelihood
level.
4. Assign a magnitude of impact to determine how sensitive the asset may be against successfully exercised
threats. Magnitudes of impact and impact level values are typically assigned by management for every
successful threat that may exercise a vulnerability.
5. Associate assets with correspondent IT and/or business risks.
6. Compute risk rating by multiplying the probability assigned from Step 3 above (e.g., 1.00, 0.75, etc.) times the
impact level value assigned in Step 4.
7. Recommend the controls that are needed to mitigate the risks according to their priority or ranking.
Risk Assessment Process Example
Vulnerability: IS
Operations/
FA1 information
There is no
cannot be
offsite storage
recovered in
for data Backups of
the event of
backups to FA1
system failure,
provide financial
Likelihood: impacting the
reasonable Magnitude: Risk Rating: data are Action
Medium Company’s
FA#1 assurance of High 37.5 archived off- Priority:
Probability: ability to report
availability in the Value: 75 (0.5 x 75) site to Medium
0.5/50% financial
event of a minimize
information
disaster risk that
according to
Threat Source: data are lost
established
Hurricanes,
reporting
system failures,
requirements.
unexpected
shutdowns
Audit Plan
Audit Plan
• Ideally, the audit budget should be created after the audit schedule is determined.
However, most organizations have budget and resource constraints.
• After determining the audit priorities, audit management will determine the
number of available hours to decide how many audits they can complete in a
year.
• The scope should clearly identify the critical business process supported by the
selected financial application. This association typically justifies the relevance of
the application and, hence, its inclusion as part of the audit. The scope should
further state the general control areas, control objectives, and control activities
that would undergo review.
Audit Team, Tasks, and Deadlines
• The audit plan must include a section listing the members of the audit,
their titles and positions, and the general tasks they will have. For
instance, a typical audit involves staff members, seniors, managers, or
senior managers, and a partner, principal, or director (PPD) who will be
overseeing the entire audit.
• Deadlines are a critical component of an audit plan.
• An audit planning memo (“planning memo”) is part of the auditor working
papers and documents the sections just described.
Audit
Process
Audit Process
• Policies and procedures that the organization implements and the IT infrastructure and application software that
it uses to support business operations and achieve business strategies.
• Narratives or overview flowcharts of the financial applications, including server names, make and model,
supporting operating systems, databases, and physical locations, among others.
• Whether the financial applications are in-house developed, purchased with little or no customization, purchased
with significant customization, or proprietary provided by a service organization.
• Whether service organizations host financial applications and if so, what are these applications and which
relevant services they perform.
• Controls in place supporting the area of information systems operations, such as those supporting job
scheduling, data and restoration, backups, and offsite storage.
• Controls in place supporting the area of information security, such as those supporting
• authentication techniques (i.e., passwords), new access or termination procedures, use of firewalls and how are
they configured, physical security, etc.
• Controls in place supporting the area of change control management, such as those supporting the
implementation of changes into applications, operating systems, and databases; testing whether access of
programmers is adequate; etc.
Design Audit Procedures
• Prepare an audit program for the areas being audited, select control objectives
applicable to each area, and identify procedures or activities to assess such
objectives.
• An audit program differs from an internal control questionnaire (ICQ) in that an
ICQ involves questions to evaluate the design of the internal control system.
• An audit program is a formal plan for reviewing and testing each significant audit
subject area disclosed during fact gathering. The auditor should select subject
areas for testing that have a significant impact on the control of the application
and those that are within the scope defined by the audit objectives.
Provisions that Must be Ensured
• An adequate audit trail so that transactions can be traced forward and backward through the financial application
• The documentation and existence of controls over the accounting for all data (e.g., transactions, etc.) entered into the
application and controls to ensure the integrity of those transactions throughout the computerized segment of the application
• Handling exceptions to, and rejections from, the financial application
• Unit and integrated testing, with controls in place to determine whether the applications perform as stated
• Controls over changes to the application to determine whether the proper authorization has been given and documented
• Authorization procedures for application system overrides and documentation of those processes
• Determining whether organization and government policies and procedures are adhered to in system implementation
• Training user personnel in the operation of the financial application
• Developing detailed evaluation criteria so that it is possible to determine whether the implemented application has met
predetermined specifications
• Adequate controls between interconnected application systems
• Adequate security procedures to protect the user’s data
• Backup and recovery procedures for the operation of the application and assurance of business continuity
• Ensuring technology provided by different vendors (i.e., operational platforms) is compatible and controlled
• Adequately designed and controlled databases to ensure that common definitions of data are used throughout the organization,
redundancy is eliminated or controlled, and data existing in multiple databases is updated concurrently
Test Controls
• Where controls are determined not to be effective, substantive testing may be required to
determine whether there is a material issue with the resulting financial information.
• Used to determine the accuracy and completeness of information being generated by a
process or application.
• Substantive audit tests are designed and conducted to verify the functional accuracy,
efficiency, and control of the audit subject.
• CAATs, for example, use auditor-supplied specifications to generate a program that
performs audit functions, such as evaluating application controls, selecting and analyzing
computerized data for substantive audit tests, etc. In essence, CAATs automate and
simplify the audit process.
Document Results
• Audit Findings
• The terms finding, exception, deficiency, deviation, problem, and issue are
basically synonymous in the audit world, and mean the auditor identified a
situation where controls, procedures, or efficiencies can be improved.
• Findings identify and describe inaccurate, inefficient, or inadequately controlled
audit subjects.
• An example of an IT audit finding would be a change implemented into a financial
application that did not include proper management authorization.
• Another example would include the IT auditor discovering that the organization’s
procedures manual does not require management’s permission before implementing
changes into applications.
Audit Findings
• Name of the IT environment (operating system hosting the relevant financial application(s)) evaluated
• IT area affected (IS operations, information security, change control management)
• Working paper test reference where the finding was identified
• General control objective(s) and activity(ies) that failed
• Brief description of the finding
• Where is the finding formally communicated to management (this should reference the Management Letter
within the Auditor Report)
• The individual classification of the finding per audit standard AU 325, Communications About Control
Deficiencies in an Audit of Financial Statements, as either a deficiency, significant deficiency, or a material
weakness*
• Evaluation of the finding, specifically whether it was identified at the design level (i.e., there is no general control
in place) or at the operational level (i.e., the general control was in place, but did not test effectively)
• Whether the finding represents or not a pervasive or entity-level risk
• Whether the finding can be mitigated by other compensating general controls, and if so, include reference to
where these controls have been tested successfully
Conclusions and Recommendations
1 2 3 4 5 6
Define auditor Describe techniques Explain what Describe the various Differentiate Describe computer
productivity tools and used to document Computer-Assisted CAATs used for between “Auditing forensics and
describe how they application systems, Audit Techniques reviewing Around the sources to evaluate
assist the audit such as flowcharting, (CAATs) are and applications, Computer” and computer forensic
process. and how these describe the role particularly, the audit “Auditing Through tools and
techniques are they play in the command language the Computer.” techniques.
developed to assist performance of audit (ACL) audit software.
the audit process. work.
Tools and techniques used in IT audits
• Sources and source document(s), by title and identification number, with copies of the forms attached
• Point of origin for each source document
• Each operating unit or office through which data are processed
• Destination of each copy of the source document(s)
• Actions taken by each unit or office in which the data are processed (e.g., prepared, recorded,
posted, filed, etc.)
• Controls over the transfer of source documents between units or offices to assure that no documents
are lost, added, or changed (e.g., verifications, approvals, record counts, control totals, arithmetic
totals of important data, etc.)
• Recipients of computer outputs
Defining Data Elements
• The audit staff should review key or major outputs (e.g., edit listings,
error listings, control of hour listings, etc.) of the financial application
system and determine if the outputs are accurate, complete, and useful
as intended.
• The auditor should confirm the accuracy, completeness, and usefulness
of the generated reports by interviewing appropriate users.
Computer-Assisted Audit Techniques
(CAATs)
• The auditor can use the computer to select items of interest, such as
material items, unusual items, or statistical samples of items by, for
instance, stipulating specific criteria for the selection of sample items, or
by stating relative criteria and let the computer do the selection.
Audit Mathematics
• Some of the key controls that minimize the risks in spreadsheet development and use
include:
• Understanding the requirements before building the spreadsheet
• Source of data. Assurances that data being used are valid, reliable, and can be authenticated to
originating source
• Design review. Reviews performed by peers or system professionals.
• Formulas, macro commands, and any changes to the spreadsheet should be documented
externally and within the spreadsheet
• Verification of logic. Reasonableness checks and comparisons with known outputs
• Extent of training. Formal training in spreadsheet design, testing, and implementation
• Extent of audit. Informal design reviews or formal audit procedures
• Support commitment. Ongoing application maintenance and support from IT personnel
CAATs for Auditing Application Controls
Database Controls
• Parallel simulation involves the separate maintenance of two presumably identical sets
of programs. The original set of programs is the production copy used in the
application under examination. The second set could be a copy secured by auditors at
the same time that the original version was placed into production. As changes or
modifications are made to the production programs, the auditors make the same
updates to their copies. If no unauthorized alteration has taken place, using the same
inputs, comparing the results from each set of programs should yield the same results.
Another way is for the auditor to develop pseudocode using higher-level languages
(Vbasic, SQL, JAVA, etc.) from the base documentation following the process logic and
requirements. For audit purposes, both software applications (test versus actual)
would utilize same inputs and generate independent results that can be compared to
validate the internal processing steps.
Embedded Audit Module
Discuss risks to
Discuss common risks systems exchanging
Discuss common risks
associated with end- business information
associated with
user development and describe common
application systems.
application systems. standards for their audit
assessments.
Explain application
Describe Web
controls and how they Discuss the IT auditor’s
applications, including
are used to safeguard involvement in an
best secure coding
the input, processing, examination of
practices and common
and output of application systems.
risks.
information.
Application System Risks – ERP Risks
Unauthorized
Weak
access to Unauthorized Inaccurate
information
programs or remote access information
security
data
Incomplete,
Erroneous or Inaccurate or
duplicate, and Communications
falsified data incomplete
untimely system failure
input output
processing
Insufficient
documentation
Unauthorized Remote Access
Higher
Incompatible Redundant Ineffective
organizational
systems systems implementations
costs
Absence of Unauthorized
Incomplete Copyright
segregation of access to data
system analysis violations
duties or programs
Destruction of
Lack of back-up
information by
and recovery
computer
options
viruses
Destruction of information by computer
viruses
• Viruses can also spread among computers connected within a network (local, Internet,
etc.). They can spread when infected files or programs are downloaded from a public
computer through attachments to e-mails, hidden code within hyperlinks, and so on.
Viruses can cause a variety of problems such as:
• Destroying or altering data
• Destroying hardware
• Displaying unwanted messages
• Causing keyboards to lock and become inactive
• Slowing down a network by performing many tasks that are really just a continuous loop
with no end or resolution
• Producing spamming
• Launching denial-of-service attacks
Risks to Systems Exchanging Electronic
Business Information - Risks
Loss of
Loss of business Increased
confidentiality of Manipulation of
continuity/ going Interdependence exposure to
sensitive payment
concern problem fraud
information
Errors in
Loss of information and Concentration of Application
Loss of audit trail
transactions communication control failure
systems
Potential loss of transaction audit trail, thereby making it difficult or impossible to reconcile, reconstruct,
and review records. This could possibly be a breach of legislation and result in prosecution and fines.
•Increased exposure to ransom, blackmail, or fraud through potential disruption of services or increased
opportunities to alter computer records in an organization and its trading partners’ IS.
•Disruption of cash flows when payment transactions are generated in error or diverted or manipulated.
•Loss of profitability occurring through increased interest charges or orders going to a competitor due to
lack of receipt of EDI messages.
•Damage to reputation through loss of major customers, especially if EDI problems are widely publicized.
Web Application Risks
Input validation
Output encoding
Authentication and password management
Session management
Access control
Cryptographic practices
Error handling and logging
Data protection
Communication security
System configuration
Database security
File management
Memory management
General coding practices
Web Application Risks –
Top Critical Security Risks
Injection
Broken authentication and session management
Cross-site scripting
Broken access control
Security misconfiguration
Sensitive data exposure
Insufficient attack protection
Cross-site request forgery
Using components with known vulnerabilities
Under protected application program interfaces
Application Controls
Application Controls
• Authenticity
• Accuracy
• Edit and Validation Controls
• Field Check
• Sign Check
• Limit or Range Check
• Size Check
• Completeness Check
• Validity Check
• Reasonableness Check
• Check digit verification
• Completeness
Application Controls – Processing Controls
• Data matching. Matches two or more items before executing a particular command or action (e.g.,
matching invoice to purchase order and receiving report before making the payment, etc.).
• File labels. Ensure that the correct and most updated file is being used.
• Cross-footing. Compares two alternative ways of calculating the same total in order to verify for
accuracy (e.g., adding by rows and by columns in a spreadsheet, etc.)
• Zero-balance tests. Check that a particular account (e.g., payroll clearing account, etc.) maintains a
balance of zero. This test assists organizations in eliminating excess balances in separate accounts
and maintaining greater control over disbursements.
• Write-protection mechanisms. Safeguard against overwriting or erasing data.
• Concurrent update controls. Prevent errors of two or more users updating the same record at the
same time.
Application Controls – Output Controls
01 02 03 04 05 06 07 08 09
Discuss recent
technologies Describe audit
Describe the that involvement in
importance of revolutionize an information
information organizations’ Discuss security
security to IT information Describe Discuss roles Explain what control
organizations environments security relevant and responsi- information Describe the examination
and how and the threats and information Explain what bilities of security significance of and provide
information significance of risks, and how security an information various controls are, selecting, reference
represents a implementing they represent standards and security policy information and their implementing, information on
critical asset in adequate a constant guidelines is and system groups importance in and testing tools and best
today’s security to challenge to available for illustrate within safeguarding information practices to
business protect the information organizations examples of information the security assist such
organizations information. systems. and auditors. its content. security. information. controls. audits.
Information Security
Denial-of- Distributed
service denial-of- Viruses Trojan horse
attack service
Criminal groups
Hackers
Hacktivists
Disgruntled insiders
Terrorists
Information Security Standards
Others
COBIT ISO/IEC 27002 NIST • ITIL
• PCI-DSS
• CSA
Information Security Policy
Information Information
Owner Custodian
Responsibilities Responsibilities
User Third-Party
Responsibilities Responsibilities
Information Security Controls
• Vulnerabilities
• Weaknesses or exposures in IT assets or processes that may lead to a business
risk or a security risk