IS AUDIT
Dr. Mitil Chokshi
Chokshi & Chokshi, Chartered Accountants

Contents
- Introduction
- Guidelines
- Need for controls
- Internal Control Framework
- Security Threats
- Information Systems Risks
- IS Audit Process

Introduction
"The process of collecting and evaluating evidence to determine whether:
- the computer system safeguards assets;
- maintains data integrity, confidentiality and availability;
- allows organizational goals to be achieved;
- determines the efficient use of resources."
Audit approach:
- Gain an understanding of the organisation.
- Understand the risks and evaluate the controls.
- Test the controls.

Guidelines
- ISACA guidelines: IS Auditing Standards, IS Auditing Guidelines, IS Auditing Procedures
- COBIT (Control Objectives for Information and Related Technology)
- ISO 27001
- Guidelines issued by the Institute of Internal Auditors

Guidelines
- COSO's Internal Control - Integrated Framework (the COSO Framework), published by the Committee of Sponsoring Organisations of the Treadway Commission
- COCO (Criteria of Control) Framework, published by the Canadian Institute of Chartered Accountants

COSO Framework (diagram): monitoring applied to the internal control process

Need for Controls
The organization must protect itself from:
- corruption of data and databases;
- poor decision making due to poor-quality MIS;
- losses due to abuse of controls;
- loss of hardware, software and personnel;
- loss of privacy;
- malicious Internet content;
- authentication and privilege attacks.

Security Threats: Attacks on Physical Systems
- USB devices and removable media
- Internal attack
- Network monitoring
- Laptop theft, storage theft and other hardware loss
- Unprotected endpoints
- Insecure network points
- Insecure server rooms

Security Threats: Authentication and Privilege Attacks
- Disgruntled employees
- Password attacks
- High-privileged accounts
- Privilege creep
- Inappropriate password policies
- Weak passwords

Security Threats: Denial of Service and Single Point of Failure
Denial of service:
- Natural disasters
- Targeted DoS
- Power cuts
- Connection downtime
- Bandwidth exhaustion
- Vulnerable servers
Single point of failure:
- Excess reliance on one person
- Lack of documentation

Security Threats: Malicious Internet Content
- Social engineering
- Phishing
- Drive-by downloads
- Malware: viruses, Trojans, worms
- Web application attacks

Security Threats Example: Phishing

Security Threats Example: Drive-by downloads (unintended software)

Security Threats Example: Virus Scan

Security Threats Example: Trojan Horse

Security Threats Example: Spoofing

Relationship Between General and Application Controls (diagram)
Application controls, per cycle: cash receipts, sales, payroll, other cycles.
General controls, with the risks they address:
- Risk of unauthorized change to application software
- Risk of system crash
- Risk of unauthorized master file update processing

Information Systems Risks: Access Controls
- Non-detection of compromised passwords.
- Unauthorized users can access systems.
- Inappropriate access, allowing recognised users greater access than necessary.
- Unauthorized changes to data in master files.
- Unauthorized changes to systems or programs.
- Denial of access to systems, DBMSs and servers in the event of a system interruption or disaster.

Information Systems Risks: Controls to Mitigate Risks Arising from Unauthorized Access
- Authentication (identification) controls need to be strong.
- Roles and privileges should be granted on a need-to-know basis, and only to authorized users.
- Job scheduling procedures and stored procedures need to be secure.
- An alternate method to identify and register users needs to be tested and made available when needed.

Information Systems Risks: Input Controls
- Unauthorized data received for computer processing.
- Loss of data or duplication of data.
- Automated segregation of duties and access rights.
- Automated authorization approval.
- Incorrect output due to wrong input (garbage in, garbage out).

Information Systems Risks: Mitigating Risks Arising from Input Controls
- Review access rights that set and amend configurable approval and authorization limits.
- Review accesses with super-user rights.
- Maker-checker controls.
- Range check.
- Completeness check.
- Duplicate check.

Information Systems Risks: Process Controls
- Wrong validation of data.
- Risks arising out of editing procedures.
- Incorrect processing of data.
- Absence of data file control procedures.

Information Systems Risks: Mitigating Risks Arising from Process Controls
- Parity checking
- Transaction logs
- Version usage
- File updating and maintenance authorization
- Sequence check
- Reasonableness check
- Table lookups
- Existence check
- Key verification
- Logical relationship check
- Limit check
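
The input-control mitigations (maker-checker, range, completeness and duplicate checks, configurable approval limits) and the process-control mitigations (sequence, reasonableness, table lookup, existence, logical relationship and limit checks, transaction logs) above are edit checks an application applies to every record before it is posted. The following Python is an added example written for this transcript, not code from the presentation or its author; the vendor master, approval limits, reasonableness baseline and the batch of payable transactions are all constructed, and each check is labelled with the control it implements.

```python
"""Edit checks over a constructed batch of payable transactions.

Input checks: completeness, range, duplicate, maker-checker, configurable
approval limits. Process checks: sequence, existence (table lookup against
a master), limit, logical relationship, reasonableness, transaction log.
All master data, limits and records below are constructed for the example.
"""
from datetime import date

VENDOR_MASTER = {"V001", "V002", "V003"}                # constructed vendor master
APPROVAL_LIMIT = {"clerk": 5_000, "manager": 50_000,    # constructed approval limits per role
                  "director": 1_000_000}
AMOUNT_RANGE = (0.01, 1_000_000.00)                      # constructed range for one invoice
PRIOR_PERIOD_AVG = 2_500.00                              # constructed reasonableness baseline
REQUIRED = ("txn_id", "seq", "vendor", "amount", "maker", "checker",
            "approver_role", "invoice_date", "due_date")


def check_record(rec, seen_ids):
    """Field-level edit checks on one record; returns the list of exceptions."""
    ex = []
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:                                   # completeness check: later checks need these fields
        return [f"completeness: missing {missing}"]
    amt = rec["amount"]
    lo, hi = AMOUNT_RANGE
    if not lo <= amt <= hi:                       # range check
        ex.append(f"range: amount {amt} outside {lo}-{hi}")
    if rec["txn_id"] in seen_ids:                 # duplicate check within the batch
        ex.append("duplicate: txn_id already processed in this batch")
    if rec["maker"] == rec["checker"]:            # maker-checker: two different people
        ex.append("maker-checker: same user entered and checked the record")
    limit = APPROVAL_LIMIT.get(rec["approver_role"])
    if limit is None:                             # table lookup against the role table
        ex.append(f"table lookup: unknown approver role {rec['approver_role']!r}")
    elif amt > limit:                             # limit check against configurable approval limits
        ex.append(f"limit: {rec['approver_role']} may approve up to {limit}, got {amt}")
    if rec["vendor"] not in VENDOR_MASTER:        # existence check against the vendor master
        ex.append(f"existence: vendor {rec['vendor']} not in master")
    if rec["due_date"] < rec["invoice_date"]:     # logical relationship between two fields
        ex.append("logical relationship: due date precedes invoice date")
    if amt > 10 * PRIOR_PERIOD_AVG:               # reasonableness against a historical baseline
        ex.append("reasonableness: amount exceeds 10x prior-period average")
    return ex


def check_batch(records):
    """Run the edit checks over a batch, add a sequence check, and keep a transaction log."""
    log = []
    seen_ids = set()
    expected_seq = 1
    for rec in records:
        ex = check_record(rec, seen_ids)
        seq = rec.get("seq")
        if isinstance(seq, int):                  # sequence check: gaps and out-of-order records
            if seq != expected_seq:
                ex.append(f"sequence: expected {expected_seq}, got {seq}")
            expected_seq = seq + 1
        if rec.get("txn_id"):
            seen_ids.add(rec["txn_id"])
        # transaction log: every record and its outcome is recorded, accepted or not
        log.append({"txn_id": rec.get("txn_id"),
                    "status": "ACCEPTED" if not ex else "REJECTED",
                    "exceptions": ex})
    return log


# Constructed batch: one clean record and three that fail different checks.
SAMPLE_BATCH = [
    {"txn_id": "T1", "seq": 1, "vendor": "V001", "amount": 1200.00, "maker": "ana",
     "checker": "bob", "approver_role": "clerk",
     "invoice_date": date(2024, 3, 1), "due_date": date(2024, 3, 31)},
    {"txn_id": "T2", "seq": 2, "vendor": "V009", "amount": 75000.00, "maker": "cal",
     "checker": "cal", "approver_role": "manager",
     "invoice_date": date(2024, 3, 5), "due_date": date(2024, 2, 5)},
    {"txn_id": "T1", "seq": 4, "vendor": "V002", "amount": 300.00, "maker": "dee",
     "checker": "eve", "approver_role": "clerk",
     "invoice_date": date(2024, 3, 6), "due_date": date(2024, 4, 5)},
    {"txn_id": "T4", "seq": 5, "vendor": "V003", "maker": "fay",
     "checker": "gus", "approver_role": "clerk",
     "invoice_date": date(2024, 3, 7), "due_date": date(2024, 4, 6)},
]

if __name__ == "__main__":
    for entry in check_batch(SAMPLE_BATCH):
        print(entry["txn_id"], entry["status"], *entry["exceptions"], sep=" | ")
```

The transaction log keeps rejected records as well as accepted ones, so an auditor can later test that every exception was followed up; the rejected record with the same maker and checker also fails the limit, existence and logical-relationship checks, which is the point of running all checks rather than stopping at the first failure.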

Information Systems Risks: Output Controls
- Non-integrity of output.
- Untimely distribution of output.
- Availability of output to unauthorized users.
- Data processing results are unreliable.

Information Systems Risks: Mitigating Risks Arising from Output Controls
Checklist for mitigating risk (table)

Statistics

Issues Involved

Preliminary Steps
- Understanding of the organisational structure, to identify the CIO, CISO, etc.
- Understanding of the system architecture.
- Understanding the components of the systems (number of servers, routers, users, desk users, on-site and off-site users).
- Reviewing the IS security policy.
- Performing system walk-throughs.
- Assessment of the risks and understanding of the related controls.

IS Audit Process

Procedures: Interviews
Interviews are a useful audit tool to gather information about internal system controls and risks. Employees involved in the day-to-day operations of a functional area possess the best knowledge of that area, and are in a position to identify weak internal system controls and risks.

Procedures: Preparation of Checklist and Questionnaire
A detailed checklist should be prepared after gaining an understanding of the architecture of the system. The checklist should be comprehensive.

Access Controls Testing - Procedures
- Verifying access rights allotted vis-à-vis organizational policy for need-to-know.
- Implementation of password controls.
- Process of review of logs of super users and database administrators.
- Logs of active users vis-à-vis HR records for exit, leave, etc.
- License control processes.
- Virus control procedures.
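
Three of the access-control tests above (need-to-know against policy, super-user log review, active users against HR exit and leave records) can be run as one reconciliation of the application's user extract. The Python below is an added example for this transcript, not the presenter's own procedure; the HR records, the role entitlement policy, the list of privileges counted as super-user, and the account extract are constructed, and the 90-day dormancy threshold is an assumed value.

```python
"""Reconcile an extract of enabled system accounts with HR records and a
need-to-know role policy. HR data, policy and the account extract are constructed."""
from datetime import date

HR_RECORDS = {                        # user -> (employment status, last working day)
    "ana": ("active", None),
    "bob": ("exited", date(2024, 2, 15)),
    "cal": ("on_leave", None),
    "dee": ("active", None),
}
ROLE_POLICY = {                       # role -> privileges the role is entitled to (need-to-know)
    "ap_clerk": {"ap_entry"},
    "ap_manager": {"ap_entry", "ap_approve"},
    "dba": {"db_admin"},
}
SUPERUSER_PRIVS = {"db_admin"}        # holders of these go on the super-user log review list
DORMANT_DAYS = 90                     # assumed threshold for a dormant account

ACCOUNT_EXTRACT = [                   # constructed export of the application's user table
    {"user": "ana", "role": "ap_clerk", "privs": {"ap_entry"},
     "enabled": True, "last_login": date(2024, 3, 1)},
    {"user": "bob", "role": "ap_manager", "privs": {"ap_entry", "ap_approve"},
     "enabled": True, "last_login": date(2024, 3, 2)},
    {"user": "cal", "role": "ap_clerk", "privs": {"ap_entry", "ap_approve"},
     "enabled": True, "last_login": date(2023, 11, 20)},
    {"user": "svc_batch", "role": "dba", "privs": {"db_admin"},
     "enabled": True, "last_login": date(2024, 3, 3)},
    {"user": "dee", "role": "ap_clerk", "privs": {"ap_entry"},
     "enabled": False, "last_login": date(2023, 9, 1)},
]


def reconcile(accounts, hr, policy, as_of):
    """Return (user, finding) pairs for every enabled account that needs follow-up."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                                   # disabled accounts are not in scope
        user = acct["user"]
        hr_rec = hr.get(user)
        if hr_rec is None:                             # account with no owner in HR
            findings.append((user, "orphan: enabled account with no HR record"))
        else:
            status, last_day = hr_rec
            if status == "exited":                     # leaver whose access was not revoked
                findings.append((user, f"leaver: account still enabled after exit on {last_day}"))
                if acct["last_login"] > last_day:      # and it was actually used afterwards
                    findings.append((user, f"leaver: login on {acct['last_login']} after exit"))
            elif status == "on_leave":
                findings.append((user, "on leave: account should be suspended for the period"))
        excess = acct["privs"] - policy.get(acct["role"], set())
        if excess:                                     # privileges beyond what the role allows
            findings.append((user, f"privilege creep: {sorted(excess)} beyond role {acct['role']}"))
        if acct["privs"] & SUPERUSER_PRIVS:
            findings.append((user, "privileged account: include in super-user log review"))
        if (as_of - acct["last_login"]).days > DORMANT_DAYS:
            findings.append((user, f"dormant: no login for more than {DORMANT_DAYS} days"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(ACCOUNT_EXTRACT, HR_RECORDS, ROLE_POLICY, date(2024, 3, 31)):
        print(f"{user:10} {finding}")
```

The leaver who logged in after the last working day is the finding that matters most, because it shows the de-provisioning control failed in practice and not only on paper; the service account with no HR record needs a named owner before its database-administrator privilege can be justified.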

Access Controls Testing - Procedures: Vulnerability testing through internal resources
An Internal Security Vulnerability Assessment (ISVA) is a comprehensive analysis of all of the workstations and servers on the network. The ISVA detects and identifies Trojan horses, hacker tools, DDoS (distributed denial-of-service) agents and spyware through code analysis and signature matching, in much the same way as anti-virus software. It also identifies specific vulnerabilities such as configuration problems in FTP servers, exploitable weaknesses in Microsoft IIS, or problems in NT security policy configuration.

Access Controls Testing - Procedures: Vulnerability testing through external resources
One of the most common vulnerability assessment activities for companies of all sizes is an external penetration testing scan, typically targeting Internet-facing websites. Once you place yourself outside the company, you are immediately given an untrusted status; the systems and resources available to you externally are usually very limited.

VIDEO CLIP

Input Controls - Procedures
- Verification by entering invalid data.
- Verification by entering incomplete data.
- Testing arithmetic accuracy.

Processing Controls - Procedures
- Integrated Test Facility (ITF) approach
- Parallel simulation

Processing Controls - Procedures: Integrated Test Facility (ITF) Approach
- A dummy ITF center is created for the auditors.
- Creation of transactions to test the controls.
- Creation of working papers showing the expected results from manually processed information.
- Running of auditor transactions together with actual transactions.
- Comparison of the ITF results to the working papers.

Processing Controls - Procedures: Parallel Simulation
- Processing of real client data on an audit program similar to the client's program.
- Comparison of the results of this processing with the results of the processing done by the client's program.

Processing Controls - Procedures: Parallel Simulation Flowchart (diagram)
Computer operations: actual transactions are processed by the computer application system, producing the actual client report.
Auditors: the same actual transactions are processed by the auditor's simulation program, and the auditor compares the two outputs.
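
The parallel simulation described in the two slides above, as an added example that is not part of the presentation: the auditor's own program recomputes a client interest report from the client's input fields and compares each result with the figure the client's system printed. The report rows are constructed, and the assumption that the client's stated policy is simple interest on an actual/365 basis rounded to the cent is an assumption of this example, not something the slides state.

```python
"""Parallel simulation of a client's loan interest report.

The auditor's program (this file) reprocesses the client's input data under
the client's stated calculation policy and reports every row where the
client's figure disagrees. Policy and report rows are constructed."""

ANNUAL_BASIS = 365      # assumed client policy: simple interest, actual/365
TOLERANCE = 0.005       # differences at or below half a cent are rounding, not exceptions

CLIENT_REPORT = [       # loan_id, principal, annual_rate, days, interest on the client's report
    ("L1", 100000.00, 0.06, 30, 493.15),
    ("L2", 250000.00, 0.05, 90, 3125.00),   # constructed defect: client used a 360-day basis
    ("L3", 50000.00, 0.04, 60, 328.77),
    ("L4", 75000.00, 0.07, 45, 647.62),     # constructed defect: transposed digits
]


def auditor_interest(principal, rate, days):
    """The auditor's independent computation under the stated policy."""
    return round(principal * rate * days / ANNUAL_BASIS, 2)


def parallel_simulation(report):
    """Return {loan_id: (client_value, auditor_value, difference)} for rows that disagree."""
    exceptions = {}
    for loan_id, principal, rate, days, client_value in report:
        auditor_value = auditor_interest(principal, rate, days)
        diff = round(client_value - auditor_value, 2)
        if abs(diff) > TOLERANCE:
            exceptions[loan_id] = (client_value, auditor_value, diff)
    return exceptions


def summarize(report):
    """Counts an auditor would carry to the working papers: rows processed, rows matching, exceptions."""
    exc = parallel_simulation(report)
    return {"processed": len(report), "matched": len(report) - len(exc), "exceptions": exc}


if __name__ == "__main__":
    result = summarize(CLIENT_REPORT)
    print(f"processed={result['processed']} matched={result['matched']}")
    for loan_id, (client_value, auditor_value, diff) in result["exceptions"].items():
        print(f"{loan_id}: client {client_value:.2f} auditor {auditor_value:.2f} diff {diff:+.2f}")
```

The two exceptions have different root causes: a systematic one (a wrong day-count basis, which would reproduce on every loan in that product) and an isolated one (a single wrong figure). Parallel simulation finds both, but only because the auditor's program is independent of the client's code; reusing the client's routine would reproduce its defects.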

Application Controls - Procedures: Black Box Testing
- A method of software testing that examines the functionality of an application (what the software does) without peering into its internal structures or workings.
- Can be applied to virtually every level of software testing: unit, integration, system and acceptance.
- Typically comprises most, if not all, higher-level testing, but can dominate unit testing as well.

Application Controls - Procedures: White Box Testing
- Also known as clear-box, glass-box, transparent-box and structural testing.
- A method of testing software that tests the internal structures or workings of an application, as opposed to its functionality (the concern of black-box testing).
- An internal perspective of the system, together with programming skills, is used to design test cases.
- The tester chooses inputs to exercise paths through the code and determines the appropriate outputs.

Output Controls - Procedures
- Check whether the output contains the key control information necessary to validate the accuracy and completeness of the information in the report, such as the last document reference, period, etc.
- If data has to be transferred from one process to another, verify that no manual intervention is possible and no unauthorized modification to the data can be made.
- Verify physical controls over hardcopy printouts.
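
The first two procedures above can be built into the output itself: the report carries a trailer with the key control information (period, record count, control total, last document reference and a hash of the body), and the receiving process re-derives every field before using the data, so a truncated or modified hand-off is rejected rather than processed. The Python below is an added example for this transcript, not the presenter's; the report rows and period are constructed, and the trailer layout is this example's own.

```python
"""Output controls: a report trailer with key control information, and the
check the receiving process runs on it. Rows and period are constructed."""
import hashlib

SAMPLE_ROWS = [                      # constructed: document reference, vendor, amount
    ("D1001", "V001", 1200.00),
    ("D1002", "V002", 350.25),
    ("D1003", "V001", 4999.99),
]


def build_report(rows, period):
    """Emit body lines plus a TRAILER line carrying the control information."""
    body = [f"{doc}|{vendor}|{amount:.2f}" for doc, vendor, amount in rows]
    digest = hashlib.sha256("\n".join(body).encode()).hexdigest()   # hash total of the body
    trailer = (f"TRAILER|period={period}"
               f"|records={len(rows)}"
               f"|total={sum(a for _, _, a in rows):.2f}"
               f"|last_doc={rows[-1][0] if rows else ''}"
               f"|sha256={digest}")
    return "\n".join(body + [trailer])


def verify_report(text):
    """Receiving-process check: return a list of control failures (empty means it reconciles)."""
    lines = text.split("\n")
    if not lines[-1].startswith("TRAILER|"):
        return ["missing trailer: report may be truncated"]
    body, trailer = lines[:-1], lines[-1]
    ctl = dict(field.split("=", 1) for field in trailer.split("|")[1:])
    problems = []
    if int(ctl["records"]) != len(body):                          # record count
        problems.append(f"record count: trailer {ctl['records']}, body {len(body)}")
    total = sum(float(line.split("|")[2]) for line in body)
    if abs(total - float(ctl["total"])) > 0.005:                  # control total
        problems.append(f"control total: trailer {ctl['total']}, body {total:.2f}")
    last_doc = body[-1].split("|")[0] if body else ""
    if last_doc != ctl["last_doc"]:                               # last document reference
        problems.append(f"last document: trailer {ctl['last_doc']}, body {last_doc}")
    if hashlib.sha256("\n".join(body).encode()).hexdigest() != ctl["sha256"]:
        problems.append("hash total: body does not match trailer SHA-256")
    return problems


if __name__ == "__main__":
    report = build_report(SAMPLE_ROWS, "2024-03")
    print(report)
    print("intact:", verify_report(report))
    print("modified:", verify_report(report.replace("4999.99", "9999.99")))
```

Record count and control total catch loss or duplication of lines; the hash catches a changed amount that leaves the count unchanged. The plain hash is tamper-evidence against unauthorized manual edits between processes, which is what the slide asks for; if the sending process itself is untrusted, the trailer would need a keyed MAC or signature, since anyone who can edit the body can recompute an unkeyed hash.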

Format of IS Audit Report