Audit Objectives and Procedures in a Computer Operations Context January 27, 2005.


1 Audit Objectives and Procedures in a Computer Operations Context January 27, 2005

2 STRUCTURING THE IT FUNCTION
• Centralized data processing
  - Database administrator
  - Data processing manager/dept.
  - Data control
  - Data preparation/conversion
  - Computer operations
  - Data library

3 STRUCTURING THE IT FUNCTION
• Segregation of incompatible IT functions
• Systems development & maintenance
  - Participants: end users, IS professionals, auditors, other stakeholders

4 STRUCTURING THE IT FUNCTION
• Segregation of incompatible IT functions
  - Objectives:
    - Segregate transaction authorization from transaction processing
    - Segregate record keeping from asset custody
    - Divide transaction processing steps among individuals so that perpetrating fraud requires collusion

5 STRUCTURING THE IT FUNCTION
• Segregation of incompatible IT functions
  - Separating systems development from computer operations

6 STRUCTURING THE IT FUNCTION
• Segregation of incompatible IT functions
  - Separating the DBA from other functions
  - The DBA is responsible for several critical tasks:
    - Database security
    - Creating the database schema and user views
    - Assigning database access authority to users
    - Monitoring database usage
    - Planning for future changes

7 STRUCTURING THE IT FUNCTION
• Segregation of incompatible IT functions
  - Alternative 1: segregate systems analysis from programming
  - Two control problems with this approach:
    1. Inadequate documentation, a chronic problem. Why?
       - Documenting is not interesting work
       - Lack of documentation provides job security
       - Assistance: use of CASE tools
    2. Potential for fraud when the programmer who wrote a program also maintains it
       - Examples: salami slicing, trap doors

8 STRUCTURING THE IT FUNCTION
• Segregation of incompatible IT functions
  - Alternative 2: segregate systems development from maintenance
  - Two improvements from this approach:
    1. Better documentation standards, necessary for the transfer of responsibility
    2. Deters fraud, because of the possibility of being discovered

9 STRUCTURING THE IT FUNCTION
• Segregation of incompatible IT functions
  - Segregate the data library from operations
    - Physical security of off-line data files
  - Implications of modern systems for the data library:
    - Real-time/online vs. batch processing
    - Volume of tape files is insufficient to justify a full-time librarian
    - Alternative: rotate the role on an ad hoc basis
    - Custody of on-site data backups
    - Custody of original commercial software and licenses

10 STRUCTURING THE IT FUNCTION
• Segregation of incompatible IT functions
  - Audit objectives
    - Risk assessment
    - Verify that incompatible areas are properly segregated
      - How would an auditor accomplish this objective?
    - Verify whether formal or informal relationships exist between incompatible tasks
      - Why does it matter?

11 STRUCTURING THE IT FUNCTION
• Segregation of incompatible IT functions
  - Audit procedures:
    - Obtain and review the security policy
    - Verify that the policy is communicated
    - Review relevant documentation (org. chart, mission statement, key job descriptions)
    - Review systems documentation and maintenance records (using a sample)
    - Verify whether maintenance programmers are also the original design programmers
    - Observe segregation policies in practice
    - Review the operations room access log
    - Review user rights and privileges

12 STRUCTURING THE IT FUNCTION
• The distributed model
  - Distributed Data Processing (DDP)
    - Definition
    - Alternative A: centralized
    - Alternative B: decentralized / network

13 STRUCTURING THE IT FUNCTION
• The distributed model
  - Risks associated with DDP
    - Inefficient use of resources
      - Mismanagement of resources by end users
      - Hardware and software incompatibility
      - Redundant tasks
    - Destruction of audit trails
    - Inadequate segregation of duties
    - Difficulty hiring qualified professionals
    - Increased potential for errors
      - Programming errors and system failures
    - Lack of standards

14 STRUCTURING THE IT FUNCTION
• The distributed model
  - Advantages of DDP
    - Cost reduction
      - End-user data entry vs. a data control group
      - Application complexity reduced
      - Development and maintenance costs reduced
    - Improved cost control responsibility
      - If IT is critical to success, then managers must control the technologies
    - Improved user satisfaction
      - Increased morale and productivity
    - Backup flexibility
      - Excess capacity for DRP

15 STRUCTURING THE IT FUNCTION
• Controlling the DDP environment
  - Need for careful analysis
  - Implement a corporate IT function
    - Central systems development
    - Acquisition, testing, and implementation of commercial software and hardware
    - User services
      - Help desk: technical support, FAQs, chat room, etc.
    - Standard-setting body
    - Personnel review
      - IT staff

16 STRUCTURING THE IT FUNCTION
• Controlling the DDP environment
  - Audit objectives:
    - Conduct a risk assessment
    - Verify that the distributed IT units employ entity-wide standards of performance that promote compatibility among hardware, operating software, applications, and data

17 STRUCTURING THE IT FUNCTION
• Controlling the DDP environment
  - Audit procedures:
    - Verify that corporate policies and standards are communicated
    - Review the current organization chart, mission statement, and key job descriptions to determine whether any incompatible duties exist
    - Verify that compensating controls are in place where incompatible duties do exist
    - Review systems documentation
    - Verify that access controls are properly established

18 THE COMPUTER CENTER
• Computer center controls
  - Physical location
    - Avoid human-made and natural hazards
    - Example: Chicago Board of Trade
  - Construction
    - Ideally: single-story, underground utilities, windowless, use of air filters
    - In a multi-story building, use the top floor (away from traffic flows and from potential flooding in a basement)
  - Access
    - Physical: locked doors, cameras
    - Manual: access log of visitors

19 THE COMPUTER CENTER
• Computer center controls
  - Air conditioning
    - Especially for mainframes
    - Even a group of PCs gives off a significant amount of heat
  - Fire suppression
    - Automatic: usually sprinklers
    - Gases such as halon suppress fire without water damage, but a gas that displaces oxygen (e.g., CO2) can kill anyone trapped in the room
    - Sprinklers and certain chemicals can destroy the computers and equipment
    - Manual methods
  - Power supply
    - Need for clean power at an acceptable level
    - Uninterruptible power supply (UPS)

20 THE COMPUTER CENTER
• Computer center controls
  - Audit objectives
    - Verify that physical security controls are reasonable
    - Verify that insurance coverage is adequate
    - Verify that operator documentation is adequate in case of failure
  - Audit procedures
    - Tests of physical construction
    - Tests of fire detection
    - Tests of access control
    - Tests of backup power supply
    - Tests for insurance coverage
    - Tests of operator documentation controls

21 SYSTEM-WIDE CONTROLS
• Controlling access privileges
  - Audit objective
    - Verify that access privileges are granted in a manner consistent with the need to separate incompatible functions and in accordance with organizational policy
  - Audit procedures
    - Review policies for separating incompatible functions
    - Review privileges for groups to determine whether access rights are appropriate for the job ("need to know")
    - Do privileged employees undergo security clearance?
    - Do employee records indicate that employees acknowledge their responsibility to maintain confidentiality?
    - Review users' permitted logon times
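The segregation objectives on slides 4 through 9 and the procedures on slides 11 and 21 ("review user rights and privileges", "verify whether maintenance programmers are also the original design programmers", "need to know") reduce to one mechanical test: does any one person hold two functions the policy declares incompatible? The following is an added example, not code from the presentation; the function names, the incompatible pairs, the user roster and the design/maintenance records are all constructed sample data standing in for what an auditor would extract from the access control system and the maintenance log.

```python
"""Segregation-of-duties review over a constructed user/function matrix.

Added example (not from the slides). INCOMPATIBLE encodes the pairs the
slides name; ROSTER, DESIGN and MAINTENANCE are constructed sample extracts.
"""
from itertools import combinations

# Function pairs the slides say must be held by different people.
INCOMPATIBLE = {
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"record_keeping", "asset_custody"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_design", "program_maintenance"}),
    frozenset({"database_administration", "systems_development"}),
}

# Constructed roster: user -> set of functions actually granted.
ROSTER = {
    "alice": {"systems_design"},
    "bob": {"program_maintenance", "computer_operations"},
    "carol": {"systems_development", "computer_operations"},          # conflict
    "dave": {"transaction_authorization", "transaction_processing"},  # conflict
    "erin": {"database_administration", "systems_development"},       # conflict
}

# Constructed records: system -> programmers who designed / who maintain it.
DESIGN = {"payroll": {"alice", "frank"}, "ledger": {"grace"}}
MAINTENANCE = {"payroll": {"bob", "frank"}, "ledger": {"bob"}}


def sod_violations(roster, incompatible=INCOMPATIBLE):
    """Return a sorted list of (user, function_a, function_b) for every user
    who holds two functions declared incompatible. Each finding needs either
    a privilege change or a documented compensating control (slide 17)."""
    findings = []
    for user, functions in roster.items():
        for a, b in combinations(sorted(functions), 2):
            if frozenset({a, b}) in incompatible:
                findings.append((user, a, b))
    return sorted(findings)


def designer_maintains_own_code(design_records, maintenance_records):
    """Slide 11 check: for each system, the maintenance programmers who were
    also its original designers. Returns {system: [programmer, ...]}."""
    overlap = {}
    for system, maintainers in maintenance_records.items():
        both = maintainers & design_records.get(system, set())
        if both:
            overlap[system] = sorted(both)
    return overlap


if __name__ == "__main__":
    for user, a, b in sod_violations(ROSTER):
        print(f"{user}: holds both {a} and {b}")
    for system, who in designer_maintains_own_code(DESIGN, MAINTENANCE).items():
        print(f"{system}: maintained by its own designer(s) {who}")
```

The same pair table can be fed group memberships instead of individual grants; the check is the same, and any pair that survives because of a business need should be traceable to a named compensating control rather than left as an unexplained exception.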

22 SYSTEM-WIDE CONTROLS
• Password control
  - Common forms of contra-security behavior
  - Reusable passwords
  - One-time passwords
  - Password policy
  - Audit objective
    - Ensure that the organization has an adequate and effective password policy
  - Audit procedures
    - Verify that users are required to have passwords
    - Verify that new users are properly trained in password use
    - Determine whether procedures are in place to identify weak passwords
    - Assess the adequacy of password standards such as length and expiration interval
    - Review the account lockout policy and procedure

23 Password Policy
• Proper dissemination: promote it, use it during employee training or orientation, and find ways to keep raising awareness within the organization.
• Proper length: use at least 8 characters. The more characters, the harder the password is to guess or crack. Eight characters is an effective length to prevent guessing if combined with the strength rules below.
• Proper strength: use letters, numbers (at least 1), and special characters (at least 1). The more non-alphabetic characters, the harder to guess or crack. Make passwords case sensitive and mix upper and lower case. Require a "strong" password for any critical access or key user. A password must not contain a real word.
• Proper access levels or complexity: use multiple levels of access requiring multiple passwords. Use a password matrix to grant read-only, read/write, or no access per data field per user. Use biometrics (such as fingerprints or voice prints). Use supplemental access devices, such as smart cards or beeper passwords, in conjunction with remote logins. Use user-defined procedures.
• Proper timely changes: make employees change their passwords at regular intervals.
• Proper protection: prohibit the sharing of passwords and "post-its" with passwords located near one's computer.
• Proper deletion: require the immediate deletion of accounts for terminated employees, so that a former employee cannot perpetrate adverse activities.
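Slide 22's procedure "determine whether procedures are in place to identify weak passwords" is only testable if the policy on slide 23 is written down as a check. The block below is an added example, not from the presentation: it encodes the slide's rules (at least 8 characters, at least one digit, at least one special character, mixed case, no real word inside) and also undoes the common letter-for-symbol substitutions before the dictionary test, since "P@ssw0rd" is the first thing a cracker tries. The word list is a constructed stand-in for a full dictionary. One caveat a practitioner should carry with this 2005 material: current guidance (NIST SP 800-63B) favours length and screening against lists of breached passwords over composition rules and forced periodic changes, so this checker should be read as an implementation of the slide's policy, not as a recommendation.

```python
"""Password policy checker for the rules on slide 23.

Added example, not from the slides. WORDLIST is a constructed mini-dictionary.
"""
import string

# Constructed mini-dictionary; a real deployment uses a full word list.
WORDLIST = {"password", "welcome", "summer", "admin", "secret", "letmein"}

# Letter-for-symbol substitutions crackers try first; undone before the
# dictionary test so that "p@ssw0rd" is still recognised as "password".
LEET = str.maketrans("@01$357", "aolsest")


def check_password(pw, min_length=8, wordlist=WORDLIST):
    """Return the list of policy failures; an empty list means the password
    meets the slide's policy."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("not mixed case")
    lowered = pw.lower()
    normalized = lowered.translate(LEET)
    found = sorted(w for w in wordlist
                   if len(w) >= 4 and (w in lowered or w in normalized))
    if found:
        failures.append("contains dictionary word(s): " + ", ".join(found))
    return failures


def audit_sample(passwords):
    """Slide 22's 'identify weak passwords' procedure over a sample.
    Returns {password: failures} for every entry that fails the policy."""
    report = {}
    for pw in passwords:
        failures = check_password(pw)
        if failures:
            report[pw] = failures
    return report


if __name__ == "__main__":
    # Constructed sample: two weak, one that meets the policy.
    for pw, failures in audit_sample(["summer05", "P@ssw0rd!", "Vx7#kq2Lm"]).items():
        print(f"{pw}: " + "; ".join(failures))
```

Run against a recovered password hash set rather than plaintext, the same rules become the auditor's "weak password" finding list; the dictionary step is the one most worth expanding, since the length and character-class rules are easy for users to satisfy with exactly the patterns a cracker expects.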

24 SYSTEM-WIDE CONTROLS
• E-mail risks
  - Spoofing
  - Spamming
  - Chain letters
  - Urban legends
  - Hoax virus warnings
  - Flaming
  - Malicious attachments (e.g., viruses)

25 SYSTEM-WIDE CONTROLS
• Malicious objects risk
  - Virus
  - Worm
  - Logic bomb
  - Back door / trap door
  - Trojan horse
• Potential control procedures
  - Audit objective
    - Verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive objects
  - Audit procedures
    - Through interviews with personnel, determine whether they have been educated about risky computing practices
    - Review procedures to determine whether disks or CDs that could contain viruses are routinely transferred between workgroups
    - Verify that system administrators routinely scan workstations, file servers, and e-mail servers for viruses
    - Verify that new software is tested on standalone workstations before being implemented on the host or network server
    - Verify that antivirus software is updated at regular intervals and downloaded to individual workstations

26 SYSTEM-WIDE CONTROLS
• Controlling electronic audit trails
  - Keystroke monitoring (keystroke log)
  - Event monitoring (key events log)
  - Audit trail objectives
    - Detecting unauthorized access
    - Reconstructing events
    - Personal accountability
  - Implementing an audit trail

27 SYSTEM-WIDE CONTROLS
• Controlling electronic audit trails
  - Audit objective
    - Verify that adequate audit trails and logs exist
  - Audit procedures
    - O/S audit log viewer
    - Extraction of log data with ACL audit software (see list)
    - Sample the organizational security group's records
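Slide 26 names the objectives of an audit trail (detect unauthorized access, reconstruct events, fix personal accountability) and slides 21 and 22 name two policies the trail can be tested against: permitted logon times and account lockout. The following is an added example, not from the presentation, of what an auditor does with the extracted log: the event format, users, addresses and permitted hours are constructed sample data, and the checks flag successful logons outside a user's permitted window, a success that follows enough failures that lockout should have fired, and a per-user timeline for reconstruction.

```python
"""Audit-trail review over constructed event-log lines.

Added example, not from the slides. LOG, PERMITTED_HOURS and the lockout
parameters are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample extract, one event per line: timestamp, event, key=value pairs.
LOG = """\
2005-01-27T08:02:11 LOGON_SUCCESS user=alice src=10.0.1.5
2005-01-27T08:05:40 LOGON_SUCCESS user=bob src=10.0.1.9
2005-01-27T23:41:03 LOGON_SUCCESS user=bob src=10.0.1.9
2005-01-27T23:42:10 READ object=payroll.dat user=bob
2005-01-28T03:10:01 LOGON_FAILURE user=carol src=192.0.2.44
2005-01-28T03:10:09 LOGON_FAILURE user=carol src=192.0.2.44
2005-01-28T03:10:15 LOGON_FAILURE user=carol src=192.0.2.44
2005-01-28T03:10:22 LOGON_FAILURE user=carol src=192.0.2.44
2005-01-28T03:10:31 LOGON_SUCCESS user=carol src=192.0.2.44
2005-01-28T09:15:00 LOGON_SUCCESS user=carol src=10.0.1.12
"""

# Constructed policy: permitted logon window per user as [start_hour, end_hour).
PERMITTED_HOURS = {"alice": (7, 19), "bob": (7, 19), "carol": (7, 19)}
LOCKOUT_THRESHOLD = 3            # failures that should lock the account ...
LOCKOUT_WINDOW = timedelta(minutes=15)   # ... when they fall within this window


def parse(line):
    """Turn one log line into a dict with a datetime 'ts' and an 'event'."""
    ts, event, *kv = line.split()
    record = {"ts": datetime.fromisoformat(ts), "event": event}
    record.update(dict(pair.split("=", 1) for pair in kv))
    return record


def off_hours_logons(records, permitted=PERMITTED_HOURS):
    """Successful logons outside the user's permitted window (slide 21)."""
    out = []
    for r in records:
        if r["event"] != "LOGON_SUCCESS":
            continue
        start, end = permitted.get(r["user"], (0, 24))
        if not (start <= r["ts"].hour < end):
            out.append((r["user"], r["ts"].isoformat()))
    return out


def lockout_bypasses(records, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """A success preceded by >= threshold failures inside the window means the
    lockout policy (slide 22) is not enforced or was reset. Returns (user, n)."""
    failures = defaultdict(list)
    out = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "LOGON_FAILURE":
            failures[r["user"]].append(r["ts"])
        elif r["event"] == "LOGON_SUCCESS":
            recent = [t for t in failures[r["user"]] if r["ts"] - t <= window]
            if len(recent) >= threshold:
                out.append((r["user"], len(recent)))
            failures[r["user"]].clear()
    return out


def reconstruct(records, user):
    """Per-user timeline, the 'reconstructing events' objective of slide 26."""
    return [(r["ts"].isoformat(), r["event"], r.get("object", r.get("src", "")))
            for r in sorted(records, key=lambda r: r["ts"]) if r["user"] == user]


def review(log=LOG):
    """Run both detections over the extract and return the findings."""
    records = [parse(line) for line in log.splitlines() if line.strip()]
    return {"off_hours_logons": off_hours_logons(records),
            "lockout_bypasses": lockout_bypasses(records)}


if __name__ == "__main__":
    for check, findings in review().items():
        print(check, findings)
    print(reconstruct([parse(l) for l in LOG.splitlines()], "bob"))
```

The off-hours check is only as good as the permitted-hours table, which is why slide 21 lists reviewing those times as its own procedure; and a logon at 23:41 followed by a read of a payroll file is the kind of sequence the reconstruction view exists to make visible.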

28 SYSTEM-WIDE CONTROLS
• Disaster recovery planning
  - Types of disaster
    - Natural: fire, flood, tornado
    - Human-made: sabotage, error
    - System failure: power outage, drive failure, crash

29 SYSTEM-WIDE CONTROLS
• Disaster recovery planning
  - Critical applications identified and ranked
  - Create a disaster recovery team with assigned responsibilities

30 SYSTEM-WIDE CONTROLS
• Disaster recovery planning
  - Site backup
    - "Hot site" (Recovery Operations Center)
    - "Cold site" (empty shell)
    - Mutual aid pact
    - Internally provided backup
    - Other options

31 SYSTEM-WIDE CONTROLS
• Disaster recovery planning
  - Hardware backup (if NOT a hot site)
  - Software backup: operating system (if NOT a hot site)
  - Software backup: application software (based on the critical application step)

32 SYSTEM-WIDE CONTROLS
• Disaster recovery planning
  - Data backup
  - Supplies (on site)
  - Documentation (on site)
    - User manuals
    - System and software technical manuals
  - Test!

33 Disaster Recovery Plan
1. Critical applications: rank critical applications so that an orderly and effective restoration of computer systems is possible.
2. Create a disaster recovery team: select team members, write job descriptions, and describe the recovery process in terms of who does what.
3. Site backup: a backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or a branch of the same company swaps availability when needed.
4. Hardware backup: some vendors provide computers with their site, known as a hot site or Recovery Operations Center. Some do not provide hardware, known as a cold site. When hardware is not provided, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).
5. System software backup: some hot sites provide the operating system. If it is not included in the site plan, make sure copies are available at the backup site.
6. Application software backup: make sure copies of critical applications are available at the backup site.
7. Data backup: one key strategy is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies: a modest inventory of supplies should be at the backup site or be deliverable quickly.
9. Documentation: an adequate set of copies of user and system documentation.
10. TEST! The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).

34 SYSTEM-WIDE CONTROLS
• Disaster recovery planning
  - Audit objective
    - Verify that management's DRP is adequate
  - Audit procedures
    - Verify that the second-site backup is adequate
    - Review the critical application list for completeness
    - Verify that backups of application software are stored off-site
    - Verify that critical data files are backed up and readily accessible to the DRP team
    - Verify that supplies, documents, and documentation are backed up and stored off-site
    - Verify that members listed on the team roster are current employees and that they are aware of their responsibilities
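Item 7 of slide 33 says to test the restore function before a crisis, and slide 34 has the auditor verify that critical data files are backed up and accessible. A backup that has never been restored is an assumption, not a control. The block below is an added example, not from the presentation, of a minimal restore drill: it archives a constructed sample directory, writes a SHA-256 manifest beside the archive, restores into a scratch directory and compares every restored file against the manifest, then shows what the check reports when a restored file is corrupt or missing. The directory layout, file names and contents are constructed; the restore step also refuses archive members whose path would escape the target directory, the usual hazard when extracting archives of unknown provenance.

```python
"""Backup restore drill with a SHA-256 manifest.

Added example, not from the slides. All paths and file contents are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(backup_path):
    return Path(str(backup_path) + ".manifest.json")


def make_backup(source_dir, backup_path):
    """Archive every file under source_dir into a gzip tar and write the
    manifest {relative_path: sha256} beside it. Returns the manifest."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest_path(backup_path).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(backup_path, restore_dir):
    """Extract the archive, refusing any member that would land outside restore_dir."""
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    root = restore_dir.resolve()
    with tarfile.open(backup_path, "r:gz") as tar:
        for member in tar.getmembers():
            target = (root / member.name).resolve()
            if root not in target.parents:
                raise ValueError(f"unsafe member path: {member.name}")
        tar.extractall(restore_dir)


def verify_restore(manifest, restore_dir):
    """Compare every manifest entry to its restored copy. Returns the list of
    problems; an empty list means the restore is complete and intact."""
    problems = []
    for rel, digest in manifest.items():
        f = Path(restore_dir) / rel
        if not f.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(f) != digest:
            problems.append(f"altered: {rel}")
    return problems


def restore_drill():
    """End-to-end drill on constructed data. Returns (clean_problems,
    damaged_problems): the first should be empty, the second shows what the
    check reports after one restored file is corrupted and one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "gl.csv").write_text("acct,amount\n100,25.00\n")
        (src / "payroll.dat").write_bytes(b"\x00\x01\x02payroll")
        backup = tmp / "backup.tgz"
        make_backup(src, backup)
        # The drill reads the manifest back from disk, as the DRP team would.
        manifest = json.loads(manifest_path(backup).read_text())
        target = tmp / "restore"
        restore(backup, target)
        clean = verify_restore(manifest, target)
        # Simulate a bad restore: one file corrupted, one missing.
        (target / "ledger" / "gl.csv").write_text("acct,amount\n100,52.00\n")
        (target / "payroll.dat").unlink()
        damaged = verify_restore(manifest, target)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

The manifest must travel with the backup to the off-site location (slide 33, item 7), otherwise a restore can only be checked against the media it came from; keeping the manifest's own hash in the DRP documentation closes that loop.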

35 SYSTEM-WIDE CONTROLS
• Fault tolerance
  - Definition
  - 44% of the time that an IS is unavailable is due to system failures!
  - Controls
    - Redundant systems or parts
    - RAID
    - UPS
    - Multiprocessors
  - Audit objective
    - Ensure that the organization is employing an appropriate level of fault tolerance
  - Audit procedures
    - Verify the proper level of RAID devices
    - Review procedures for recovery from system failure
    - Verify that boot disks are secured
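"Verify the proper level of RAID devices" on slide 35 is a question about how many simultaneous member failures the array can absorb. The block below is an added example, not from the presentation, that shows the mechanism behind single-parity RAID (levels 4 and 5): the parity block is the XOR of the data blocks, so any one lost member is the XOR of the survivors, and a second simultaneous loss is unrecoverable. The stripe contents are constructed sample bytes.

```python
"""Single-parity stripe reconstruction (the RAID 4/5 mechanism).

Added example, not from the slides. Stripe contents are constructed.
"""


def parity(blocks):
    """Bytewise XOR of equal-length blocks: the parity member of a stripe."""
    length = len(blocks[0])
    if any(len(b) != length for b in blocks):
        raise ValueError("blocks must be the same length")
    out = bytearray(length)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def rebuild(stripe, lost_index):
    """Recover the single lost member of stripe [d0, ..., dn, parity], where
    the lost member is None. XOR of every survivor equals the lost block."""
    survivors = [b for i, b in enumerate(stripe) if i != lost_index]
    if any(b is None for b in survivors):
        raise ValueError("two members lost: single parity cannot recover")
    return parity(survivors)


def raid_demo():
    """Constructed three-data-block stripe plus parity. Returns
    (single_failure_recovered, double_failure_recovered)."""
    data = [b"ledger01", b"payroll2", b"journal3"]
    stripe = data + [parity(data)]

    # One member fails: rebuild it from the other three.
    one_lost = stripe[:]
    one_lost[1] = None
    single_ok = rebuild(one_lost, 1) == data[1]

    # Two members fail at once: single parity has no answer.
    two_lost = stripe[:]
    two_lost[0] = two_lost[2] = None
    try:
        rebuild(two_lost, 0)
        double_ok = True
    except ValueError:
        double_ok = False
    return single_ok, double_ok


if __name__ == "__main__":
    print(raid_demo())
```

The auditor's question follows directly: if the recovery procedure assumes the array survives a failure during the hours it takes to rebuild, a single-parity level leaves that window unprotected, and a second failure in it (the "drive failure" case on slide 28) is a data loss, not a fault-tolerance event.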

