Session 15 - FinAudit - IT Audit Integration & Security MGT Ver 1
Risk Services
Session 15
Financial Audit - IT Audit Integration and
Security Management
IS Audit Syllabus
1. Introduction of IS Audit
2. IT Environment
3. IT Process
4. General Computer Control Review (1)
5. Public Lecture (IT Governance)
6. General Computer Control Review (2)
7. General Computer Control Case Study
8. Mid-semester Exam
9. Application Control Review (1)
10. Application Control Review (2)
11. Financial Audit – IT Audit Integration & Security Management
12. ERP Systems
13. Final Exam
Technology and Security
Risk Services
Financial Audit –
IT Audit Integration
Module Objectives
Relation with Financial Audit
Risks and Audit Risk
RISK Definition (International Standard Organization):
The potential that a given threat will exploit vulnerabilities
of an asset or group of assets to cause loss or damage to
the assets
Type of Audit Risks
• Inherent Risk
Reflects the likelihood that a material loss or account misstatement exists in some segment of the audit before the reliability of internal control is considered
• Control Risk
Reflects the likelihood that internal controls in some segment will not prevent, detect or correct material loss or account misstatement
• Detection Risk
Reflects the likelihood that the audit procedures used in some segments of the audit will fail to detect material loss or account misstatement

Classification of Controls
• Preventive control
– Prevent an error, omission or malicious act from occurring
– Deter problems before they arise
– Attempt to predict potential problems before they occur and make adjustments (feed-forward controls)
• Detective control
– Detect that an error, omission or malicious act has occurred and report the occurrence
• Corrective control
– Identify the cause of the problem
– Correct errors arising from a problem
– Remedy problems discovered by detective controls
– Modify the processing system to minimize future occurrences of the problem
– Minimize the impact of a threat

Audit Strategy
(diagram of four linked boxes)
– Risk that our conclusions are inaccurate and engagement objectives are not met
– Nature of the Account/Business
– Effectiveness of Clients’ Controls
– Level of Auditing We Perform

How IT Impacts the Audit Strategy
AUDIT RISK = INHERENT RISK X CONTROL RISK X DETECTION RISK
(diagram: Nature of the Account/Business, Effectiveness of Clients’ Controls, Level of Auditing We Perform)
Clients’ Controls, from the financial statements down to the IT layer:
– Financial Statement Accounts
– Specific Business Processes
– Specific Computing Applications
– General IT Processes

Who Determines What?
General IT Processes
Flowchart of major steps in an Audit
– Preliminary audit work
– Obtain understanding of control structure
– Rely on control? No: extended substantive testing. Yes: re-assess control risk
– Still rely on control? No: extended substantive testing. Yes: increase reliance on control?
– Increase reliance on control? No: limited substantive testing
– Form audit opinion and issue report

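The formula on the "How IT Impacts the Audit Strategy" slide and the reliance flowchart above can be put together in a small planning model. The following is an added example, not code from the slides or from Ernst & Young: it solves AUDIT RISK = INHERENT RISK X CONTROL RISK X DETECTION RISK for the detection risk the auditor can tolerate, then walks the flowchart (rely on controls only when assessed control risk is low enough, withdraw reliance if testing finds the controls ineffective, and choose limited or extended substantive testing). The acceptable audit risk, the reliance threshold and the risk values in the demo are assumed figures.

```python
"""Audit risk model and the control-reliance decision (added example)."""
from dataclasses import dataclass

ACCEPTABLE_AUDIT_RISK = 0.05  # assumed planning target for overall audit risk
RELIANCE_THRESHOLD = 0.5      # assumed: rely on controls only if assessed CR <= this


def audit_risk(inherent: float, control: float, detection: float) -> float:
    """The slide's formula: audit risk is the product of the three risks."""
    for name, value in (("inherent", inherent), ("control", control), ("detection", detection)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} risk must lie in (0, 1], got {value}")
    return inherent * control * detection


def required_detection_risk(inherent: float, control: float,
                            acceptable: float = ACCEPTABLE_AUDIT_RISK) -> float:
    """Solve the formula for DR: the detection risk the auditor may accept
    while still meeting the acceptable audit risk. A lower DR means more
    substantive testing. The value is capped at 1.0."""
    return min(1.0, acceptable / (inherent * control))


@dataclass(frozen=True)
class AuditPlan:
    rely_on_controls: bool
    control_risk: float        # CR used for planning after any re-assessment
    detection_risk: float      # DR the substantive procedures must achieve
    substantive_testing: str   # "limited" or "extended"


def plan_substantive_testing(inherent: float, assessed_control_risk: float,
                             controls_effective: bool,
                             acceptable: float = ACCEPTABLE_AUDIT_RISK) -> AuditPlan:
    """Walk the reliance flowchart and return the resulting audit plan."""
    # Rely on control? Only when the preliminary assessment of CR is low enough.
    rely = assessed_control_risk <= RELIANCE_THRESHOLD
    # Re-assess control risk after testing: if the controls did not operate
    # effectively, reliance is withdrawn and CR goes to its maximum of 1.0.
    if rely and not controls_effective:
        rely = False
    control_risk = assessed_control_risk if rely else 1.0
    detection = required_detection_risk(inherent, control_risk, acceptable)
    return AuditPlan(rely, control_risk, detection, "limited" if rely else "extended")


if __name__ == "__main__":
    # Constructed figures: a high-inherent-risk account with decent controls.
    for effective in (True, False):
        plan = plan_substantive_testing(0.8, 0.3, effective)
        print(f"controls effective={effective}: {plan}")
```

Reading the output: when the controls tested effective, reliance is kept and the tolerable detection risk is about 0.21, so limited substantive testing suffices; when they fail, control risk is reset to 1.0, the tolerable detection risk drops to 0.0625 and extended substantive testing is required.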
Type of works in financial audit
GCR (General Computer Controls Review)
– Risk assessment for IT organisation, security, acquisition, development and maintenance, computer operations
ACR (Application Controls Review)
– Evaluation of controls of computerised business applications, e.g. review of the Jakarta Automated Trading System at the Jakarta Stock Exchange
Special review of IT functions
– This will include both general and application controls. Leading practice implements COBIT, the generally accepted IT control principles, which are designed to focus on processes rather than divisions/units.

Old vs. New: The Big Picture
Status quo: IT Environment, IT General Controls, Application Controls
Future state vision: IT Environment, Application Controls, IT General Controls

Two Parts of IT-Related Work: The Big Picture
1. The IT Environment
Value Observation
• Impact on internal control at entity level
• Regulatory requirements
2. Application and IT General Controls
• Focus on controls (including IT-dependent
manual controls) that deal with control risk for
each relevant assertion relating to the
significant accounts
First Part: IT Environment
(diagram: IT Environment, Application Controls, IT General Controls)

Second Part – Application and IT General Controls
• Top-down approach
– We always have to understand RISK in an automated process
– Limitation of IT General Control (ITGC) work to the relevant controls that relate to the effectiveness of application controls
– If we test application controls, we need to test the related ITGC
– If we choose not to test the application controls, we only walk through IT general controls
(diagram: IT Environment, Application Controls, IT General Controls)

Classification of Controls
(diagram: Manual Controls; Automated Controls; IT General Controls, which assure the functioning of the automated controls)

Flowchart of steps in an IT Audit
– Identify & walkthrough application controls (AppCon)
– AppCon effective? NO: no reliance. YES: evaluate IT general controls (GenCon)
– GenCon effective? NO: no reliance. YES: test application controls

Technology and Security
Risk Services
Technology and Security
Risk Services
Security Management
Practice
Topics to be covered
• Change control
• Data classification
• Employment policies & practices
• InfoSec policies
• Risk management
• Roles and responsibilities
• Security awareness training
• Security management planning
Page 22
Change control & management
• Why is change control & change management a security issue?
– Many businesses live or die on data integrity
– Changes can break a security model
– Modifying a system breaks its warranty
– A Gartner Group analyst recently stated that a rogue Y2K programmer can cause $1B in potential losses
• Needed since the change requester does not understand the security implications of their request
• The security administrator must carefully analyze and assess the impact on the system
Page 23

Change control & management
• For change control & management to work,
you must have:
– Copies of the software, for comparison use or
database generation
– Secure infrastructure. Software must be securely
stored on physically protected media. If an intruder
can get root, and change the golden copies, then the
change control tools will be ineffective.
Page 24
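The slide's first requirement, reference copies of the software for comparison, is a detective control that can be automated. The following is an added example, not code from the slides or from Ernst & Young: it records a SHA-256 digest of every file in a golden copy, later digests the deployed tree, and reports files that were modified, added or removed. The directory layout and file contents are constructed in a temporary directory for the demonstration. As the slide warns, the report is only as trustworthy as the golden copy and its digest manifest, which must live on protected media.

```python
"""Compare a deployed file tree against a protected golden copy (added example)."""
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(golden: dict, deployed: dict) -> dict:
    """Classify every difference between the baseline and the deployed tree."""
    return {
        "modified": sorted(p for p in golden if p in deployed and golden[p] != deployed[p]),
        "added": sorted(p for p in deployed if p not in golden),
        "missing": sorted(p for p in golden if p not in deployed),
    }


def _write(root: Path, relative: str, data: bytes) -> None:
    target = root / relative
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: the deployed copy has drifted from the golden copy."""
    with tempfile.TemporaryDirectory() as tmp:
        golden_root = Path(tmp) / "golden"
        deployed_root = Path(tmp) / "deployed"
        for root in (golden_root, deployed_root):
            _write(root, "bin/app", b"binary v1")
            _write(root, "etc/app.conf", b"debug=false\n")
        # Drift not covered by any change request: a config edit, an extra
        # binary, and a library that is present in the baseline but not deployed.
        _write(deployed_root, "etc/app.conf", b"debug=true\n")
        _write(deployed_root, "bin/helper", b"unexpected")
        _write(golden_root, "lib/plugin.so", b"plugin v1")
        return compare_manifests(digest_tree(golden_root), digest_tree(deployed_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the manifest from `digest_tree` is taken once from the golden copy, stored read-only, and compared against a fresh digest of production on a schedule; every entry in the report should map to an approved change request, and anything that does not is a change-control finding.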
Change control & management
• Hardware
– Disks, peripherals
– Device drivers
– BIOS
• Application and operating systems software
– Upgrades
– Service packs, patches, fixes
– Changes to the firewall rulebase/proxies
– NLMs (NetWare Loadable Modules)
– Router software
Page 25
Change control & management
Page 26
Data classification
• Classification is part of a mandatory access control model to ensure that sensitive data is properly controlled and secured
• Multi-level security policy has 4 classifications:
– Top Secret
– Secret
– Confidential
– Unclassified
• Other levels in use are:
– Eyes only
– Officers only
– Company confidential
– Public
Page 27

Data classification benefits
• Data confidentiality, integrity & availability are
improved since appropriate controls are used
throughout the enterprise
• Protection mechanisms are maximized
• A process exists to review the values of
company business data
• Decision quality is increased since the quality
of the data upon which the decision is being
made has been improved
Page 28
Data classification
• Top Secret - applies to the most sensitive business information which
is intended strictly for use within the organization. Unauthorized
disclosure could seriously and adversely impact the company,
stockholders, business partners, and/or its customers
• Secret - Applies to less sensitive business information which is
intended for use within a company. Unauthorized disclosure could
adversely impact the company, its stockholders, its business partners,
and/or its customers
• Confidential - Applies to personal information which is intended for
use within the company. Unauthorized disclosure could adversely
impact the company and/or its employees
• Unclassified - Applies to all other information which does not clearly
fit into any of the above three classifications. Unauthorized disclosure
isn’t expected to seriously or adversely impact the company
Page 29
Misc. data classification issues
• In a commercial setting, responsibility for assigning data
classification labels is on the person who created or updated
the information
• With the exception of general business correspondence, all
externally-provided information which is not public in nature
must have a data classification system label.
• All tape reels, floppy disks and other computer storage media
containing secret, confidential, or private information must be
externally labelled with the appropriate sensitivity
classification
• Holders of sensitive information must take appropriate steps
to ensure that these materials are not available to
unauthorized persons.
Page 30
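The four-level policy from the "Data classification" slides and the labelling rules on this slide can be expressed as a small mandatory access control check. The following is an added example, not code from the slides or from Ernst & Young: the four classifications form an ordered lattice, each record carries the label its creator assigned, a subject may read only records whose label its clearance dominates, and a subject may not write into a record below its own clearance. That read rule is the "no read up" rule of Bell-LaPadula, which the slides do not name; the records, users and clearances are constructed sample data.

```python
"""Label-based mandatory access control over classified records (added example)."""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """The slide's four levels; the integer order is the dominance order."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

    @classmethod
    def parse(cls, label: str) -> "Classification":
        """Accept the human label as written on media, e.g. 'Top Secret'."""
        return cls[label.strip().upper().replace(" ", "_")]


@dataclass(frozen=True)
class Record:
    name: str
    owner: str               # the person who created/updated it assigns the label
    label: Classification
    body: str


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: Classification


def dominates(clearance: Classification, label: Classification) -> bool:
    return clearance >= label


def can_read(subject: Subject, record: Record) -> bool:
    """No read up: the clearance must dominate the record's label."""
    return dominates(subject.clearance, record.label)


def can_write(subject: Subject, record: Record) -> bool:
    """No write down: a subject may only write into records at or above its
    clearance, so Secret content cannot be copied into an Unclassified file."""
    return record.label >= subject.clearance


def readable_records(subject: Subject, records: list) -> list:
    return [r.name for r in records if can_read(subject, r)]


def media_label(record: Record):
    """External label required on media carrying non-public data; None if not needed."""
    if record.label == Classification.UNCLASSIFIED:
        return None
    return record.label.name.replace("_", " ")


# Constructed sample records, labelled by their owners.
RECORDS = [
    Record("merger-plan.doc", "cfo", Classification.TOP_SECRET, "..."),
    Record("q3-forecast.xls", "controller", Classification.SECRET, "..."),
    Record("payroll-2023.csv", "hr", Classification.CONFIDENTIAL, "..."),
    Record("cafeteria-menu.txt", "facilities", Classification.UNCLASSIFIED, "..."),
]

if __name__ == "__main__":
    for subject in (Subject("analyst", Classification.SECRET),
                    Subject("temp", Classification.UNCLASSIFIED)):
        print(subject.user, "can read:", readable_records(subject, RECORDS))
    for record in RECORDS:
        print(record.name, "media label:", media_label(record))
```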
Employment policies & practices
• Background checks/security clearances
• Checking public records provides critical
information needed to make the best hiring
decision.
• Conducting these often simple checks
verifies the information provided on the
application is current and true, and gives the
employer an immediate measurement of an
applicant’s integrity.
Page 31
Background checks
What a background check can potentially prevent:
– lawsuits from terminated employees
– lawsuits from 3rd parties or customers for negligent hiring
– unqualified employees
– lost business and profits
– time wasted recruiting, hiring and training
– theft, embezzlement or property damage
– money lost (to recruiters’ fees, signing bonuses)
– negligent hiring lawsuits
– decrease in employee morale
– workplace violence, or sexual harassment suits
Page 32

Background checks
• What can be checked for an applicant:
– Credit Report
– Workers Compensation Reports
– Criminal Records
– Motor Vehicle Report
– Education Verification & Credential Confirmation
– Reference Checks
– Prior Employer Verification
Page 33
Employment agreement
• Non-compete
• Non-disclosure
• Restrictions on dissemination of corporate information, e.g., to the press, analysts, law enforcement
Page 34

Separation of duties
• The principle of separation of duties is that an organization should carefully separate duties, so that people involved in checking for inappropriate use are not also capable of making such inappropriate use
• No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work
Page 35

Separation of duties
• Separate:
– development/production
– security/audit
– accounts payable/accounts receivable
– encryption key management/changing of keys
Page 36
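The two separation-of-duties slides describe rules that a change workflow can enforce mechanically. The following is an added example, not code from the slides or from Ernst & Young: a change passes through three hands (developed, approved, deployed to production); the checks refuse to let a person approve their own work, refuse to let one person carry the change from beginning to end, and flag any user holding both halves of one of the role pairs listed above. The role names, the users and the change record are constructed sample data.

```python
"""Enforcing separation of duties on a change-request workflow (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Role pairs the slide says must be separated (role names are assumed).
CONFLICTING_ROLES = {
    frozenset({"development", "production"}),
    frozenset({"security", "audit"}),
    frozenset({"accounts_payable", "accounts_receivable"}),
    frozenset({"key_management", "key_change"}),
}

# Constructed sample users: three different people for the three steps.
SAMPLE_ROLES = {
    "alice": {"development"},
    "bob": {"security"},
    "carol": {"production"},
}


class SeparationOfDutiesError(Exception):
    """Raised when an action would put one person on both sides of a check."""


def check_role_assignment(user_roles: dict) -> list:
    """Return one message per user holding both halves of a conflicting pair."""
    violations = []
    for user, roles in sorted(user_roles.items()):
        for pair in sorted(CONFLICTING_ROLES, key=sorted):
            if pair <= roles:
                first, second = sorted(pair)
                violations.append(f"{user} holds both {first} and {second}")
    return violations


@dataclass
class ChangeRequest:
    change_id: str
    developer: str
    approver: Optional[str] = None
    deployer: Optional[str] = None
    log: list = field(default_factory=list)

    def approve(self, user: str) -> None:
        """Nobody approves their own work."""
        if user == self.developer:
            raise SeparationOfDutiesError(
                f"{user} developed {self.change_id} and cannot approve it")
        self.approver = user
        self.log.append(f"approved by {user}")

    def deploy(self, user: str, user_roles: dict) -> None:
        """Only a production operator deploys, only after approval, and never
        someone who already handled the change (no beginning-to-end control)."""
        if self.approver is None:
            raise SeparationOfDutiesError(f"{self.change_id} is not approved")
        if "production" not in user_roles.get(user, set()):
            raise SeparationOfDutiesError(f"{user} lacks the production role")
        if user in (self.developer, self.approver):
            raise SeparationOfDutiesError(
                f"{user} already handled {self.change_id} and cannot deploy it")
        self.deployer = user
        self.log.append(f"deployed by {user}")


def demo() -> ChangeRequest:
    """Constructed happy path: developer, approver and deployer are three people."""
    change = ChangeRequest("CR-1", developer="alice")
    change.approve("bob")
    change.deploy("carol", SAMPLE_ROLES)
    return change


if __name__ == "__main__":
    print(demo().log)
    print(check_role_assignment({**SAMPLE_ROLES, "dave": {"security", "audit"}}))
```

The role-pair check belongs in the access-provisioning process (run it whenever a role is granted), while the approve/deploy checks belong in the change-management tool itself, so that the separation is enforced at the moment a person acts rather than discovered afterwards in an audit.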
Information security policies
Page 37
Information security policies
• Benefits:
– Ensure systems are utilized in the manner intended
– Ensure users understand their roles & responsibilities
– Control legal liability
Page 38
Information security policies
• Components of an effective policy/what should
be included in an effective policy:
– Title
– Purpose
– Authorizing individual
– Author/sponsor
– Reference to other policies
– Scope
– Measurement expectations
– Exception process
– Accountability
– Effective/expiration dates
– Definitions
Page 39
Information security policies
• How to ensure that policies are understood:
– Jargon-free/non-technical language
– Rather than “when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes”, use “passwords that are guessable should not be used”.
• Responsibility for compliance
– Users must understand the magnitude & significance of the policy. “I thought this policy didn’t apply to me” should never be heard.
Page 40

Information security policies
Page 41
Risk management
Page 42
Risk assessment
• Since you can’t protect yourself if you do not know what you are protecting against, a risk assessment must be performed
• A risk assessment answers 3 fundamental questions:
– Identify assets - What am I trying to protect?
– Identify threats - What do I need to protect against?
– Calculate risks - How much time, effort & money am I willing to expend to obtain adequate protection?
• After risks are determined, you can then develop the policies & procedures needed to reduce the risks
Page 43

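The three questions on the "Risk assessment" slide can be worked through with numbers. The following is an added example, not code from the slides or from Ernst & Young: assets are listed with an estimated value (what am I protecting?), threats are attached to assets with a likelihood and an exposure factor (what am I protecting against?), risk per asset/threat pair is scored as likelihood x impact in the spirit of the ISO definition quoted earlier in the deck, and each candidate control is judged by whether the risk it removes exceeds its cost (how much am I willing to expend?). The asset values, likelihoods, exposures and control costs are constructed figures, and the likelihood x impact scoring is an assumption the slides do not spell out.

```python
"""Quantifying the three risk-assessment questions (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # estimated loss if fully compromised (currency units)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str          # name of the asset this threat acts on
    likelihood: float   # expected occurrences per year (assumed)
    exposure: float     # fraction of the asset's value lost per occurrence


@dataclass(frozen=True)
class Control:
    name: str
    threat: str         # name of the threat it mitigates
    annual_cost: float
    reduction: float    # fraction of the threat's likelihood it removes


def annual_risk(asset: Asset, threat: Threat) -> float:
    """Risk = likelihood x impact, where impact = asset value x exposure."""
    return round(asset.value * threat.exposure * threat.likelihood, 2)


def risk_register(assets: list, threats: list) -> list:
    """(asset, threat, annual risk) rows, largest risk first."""
    by_name = {a.name: a for a in assets}
    rows = [(t.asset, t.name, annual_risk(by_name[t.asset], t)) for t in threats]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def worthwhile_controls(assets: list, threats: list, controls: list) -> list:
    """(control, net annual benefit, worth buying) for each candidate control:
    a control is worth buying when the risk it removes exceeds its cost."""
    by_asset = {a.name: a for a in assets}
    by_threat = {t.name: t for t in threats}
    decisions = []
    for control in controls:
        threat = by_threat[control.threat]
        avoided = annual_risk(by_asset[threat.asset], threat) * control.reduction
        net = round(avoided - control.annual_cost, 2)
        decisions.append((control.name, net, net > 0))
    return decisions


# Constructed sample inputs.
ASSETS = [Asset("customer database", 500_000), Asset("public website", 50_000)]
THREATS = [
    Threat("ransomware", "customer database", likelihood=0.2, exposure=0.8),
    Threat("defacement", "public website", likelihood=1.0, exposure=0.1),
    Threat("insider data theft", "customer database", likelihood=0.1, exposure=0.5),
]
CONTROLS = [
    Control("offline backups", "ransomware", annual_cost=15_000, reduction=0.75),
    Control("web application firewall", "defacement", annual_cost=8_000, reduction=0.9),
    Control("data loss prevention", "insider data theft", annual_cost=20_000, reduction=0.6),
]

if __name__ == "__main__":
    for asset, threat, risk in risk_register(ASSETS, THREATS):
        print(f"{asset:20} {threat:20} {risk:>10,.2f}")
    for name, net, buy in worthwhile_controls(ASSETS, THREATS, CONTROLS):
        print(f"{name:28} net {net:>10,.2f} {'buy' if buy else 'skip'}")
```

The register is the input to the policies and procedures step on the slide: the top rows are where controls are needed first, and a control whose cost exceeds the risk it removes is a candidate for acceptance or transfer of the risk rather than spending.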
Security awareness
Page 44
Security management planning
Identify costs
– Initial investment
– Ongoing costs
Identify benefits
– Help Desk reduction
– Common data locations
– Reduced Remote Access costs
– Improved Business Partner access
– Enhanced public perception
– Ernst & Young Cyberprocess Certification
Page 45

Security management planning
Page 46
Technology and Security
Risk Services
Technology and Security
Risk Services
Thank You