Fundamentals of Information Systems Auditing

Presented by Karl H. Heins, CPA, CMA, CISA

University of California
February 25-26, 2002

Introductions
- Name
- Office
- Background in auditing
- Background in IT auditing
- What you would like to take away from the course

Goals of This Session
- To understand basic IT processes
- To understand IT controls
- To understand how to approach IT auditing
- To know when to bring in an IT specialist

Course Topics
Through lectures, discussions and exercises this course will cover:
- IT Audit, IT Control & IT Control Objectives
- Risk Assessment
- IT Audit standards
- Application Controls
- Transaction Life cycle
- Application Processes
- General Controls

Course Topics
- IT Policies
- Logical & Physical Security
- Software Acquisition, Development & Change Management
- Database Systems and Systems Software issues
- Business Contingency Planning
- Networks, Telecommunications & Networking Basics
- Systems Development
- Computer Assisted Audit Techniques

Information Systems Auditing
- Objectives
- Management risks
- Components of internal control
- Scope
  - General
  - Application
- Roles of IT auditors

Role of Management Policies
- Management direction
- Staff guidance
- Consistency of application
- Dynamic not static

COBIT Influences
- Framework & background
- Audit objectives
- Audit guidelines

COBIT Control Objectives
- High level
  - Planning & organization
  - Acquisition & implementation
  - Delivery & support
  - Monitoring

Planning & Organization
- Define strategic IT plan
- Define information architecture
- Determine IT direction
- Define IT organization and relationships
- Managing IT investment
- Communicate management direction
- Manage human resources
- Ensure external compliance
- Assess risks
- Manage projects
- Manage quality

Acquisition & Implementation
- Identify solutions
- Acquire & maintain application software
- Acquire & maintain IT architecture
- Develop & maintain IT procedures
- Install & accredit systems
- Manage changes
- Define service levels
- Manage third-party services
- Manage performance and capacity
- Ensure continuous service

Delivery and Support
- Ensure systems security
- Identify & attribute costs
- Educate and train users
- Assist & advise IT customers
- Manage the configuration
- Manage problems & incidents
- Manage data
- Manage facilities

Monitoring
- Manage operations
- Monitor the processes
- Assess internal control adequacy
- Obtain independent assurance
- Provide the independent audit

Standards
- AICPA
- IIA
- ISACA
- International
- Government

Standard for Information Systems Auditing
- Audit charter
- Independence
- Professional ethics and standards
- Competence
- Planning
- Performance of audit work
- Reporting
- Follow-up activities

Statement on Auditing Standards
- #1 – Independence
  - Attitude and appearance
  - Organizational relationship
- #2 – Independence
  - Involvement in systems development process
- #3 – Performance of work
  - Evidence requirement
- #4 – Performance of work
  - Due professional care

Statement on Auditing Standards (cont.)
- #5 – Performance of work
  - Risk assessment in audit planning
- #6 – Performance of work
  - Audit documentation
- #7 – Reporting
  - Audit reports
- #8 – Performance of work
  - Audit consideration for irregularities
- #9 – Performance of work
  - Use of audit software tools

IS Policies
- IS-1, Computer Center Fiscal Operations
- IS-2, Guidelines for Data Requests to Campuses by Administrative Units of the Office of the President
- IS-3, Electronic Information Security
  - IS-3 Implementing Guidelines
- Electronic Communications Policy
- IS-7, Guidelines for Maintenance of the University Payroll System
- IS-8, Guidelines for Campus and Office of the President Acquisitions Involving Computing
- IS-9, Electronic Data Interchange
  - IS-9, Attachment -- Trading Partner Agreement
- IS-10, Systems Development Standards

Application Controls Review
- Objective?
- Content?
- Who Benefits?

Applications Review Scope
- Transactions
- Controls
- Environments
- User Operations
- Audit trails

Application Controls
Transaction life cycle
- Data origination
- Data preparation
- Data entry
- Data transmission
- Data processing
- Data output

Application Transaction Life Cycle
(Diagram, reconstructed as text)
Input: Data Origination, Data Preparation, Data Entry
Process: Transaction Processing, Data Storage
Output: Information

Application Controls

Transaction origination

Source document design and storage

User procedures and manuals

Special purpose forms

Transaction ID codes

Cross reference indices

Alternate documents where applicable

Application Controls

Transaction origination

Authorization

Separation of duties

Written authorizations

Signatures, stamps and other evidence of

approval

Automated authorization/suspense

Application Controls

Transaction origination

Input preparation

Transaction numbering

Batch serial numbering

Balance batches to point of origin

Logs

Transmittal documents

Turnaround documents

Application Controls

Transaction origination

Source document retention

Retention dates on source documents

Filing

Security

Disposal procedures

Application Controls

Transaction origination

Source document error handling

Written procedures

Logging

Notification

Verifying re-entered data

Monitoring corrections

Application Controls

Transaction entry – batch

Transaction data validation

Pre-programmed formats

Key verification

Editing and validation routines

Transaction data cutoff

Application Controls

Transaction entry – batch (cont…)

Batch proof and balancing

Processing schedules

Turnaround documents

Cancellation of source documents

Logging

Batch controls

Batch header records

Application Controls

Transaction entry – batch (cont…)

Transaction entry error handling

Pre-staging input edits

Error messages

Verifying re-entered data

Monitoring corrections

Adjusting control totals if records are removed

or modified

Application Controls

Transaction entry – online

Terminals used for data entry

Based on terminal identification

Terminal location

Based on number of times an application or

transaction is invoked

Application Controls

Transaction entry – online

Security

Passwords

Restrictions based on unsuccessful entry

Terminal time-outs

Secure building wiring and wire closets

Message identification

Security table

Network configuration polling table

Application Controls

Transaction entry – online

User identification/authentication

Passwords

Questions and answers

Keys, cards and tokens

Biometrics such as fingerprint, retina scan,

voice

Application Controls

Transaction entry – online

Authorization to complete a transaction

Terminal ID or location

Application

Transaction

File

Data element

Application Controls

Transaction entry – online

Message completeness

All mandatory fields are complete

Application Controls

Transaction entry – online

Message integrity

Hash totals and check digits

Cyclic redundancy check (CRC) totals

Message sequence numbers

Message acknowledgements
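The batch controls on the "Transaction entry – batch" slides (batch header records, control totals, adjusting totals when records are removed) and the hash totals and check digits listed under "Message integrity" above, worked through in a small Python example added here. It is not part of the original course material; the batch layout, the mod-10 (Luhn) check digit and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    account: str   # account number; last digit is a mod-10 (Luhn) check digit
    amount: int    # amount in cents

@dataclass
class BatchHeader:
    record_count: int  # document count
    amount_total: int  # financial control total
    hash_total: int    # hash total: meaningless sum of account numbers

def luhn_ok(number: str) -> bool:
    """Mod-10 check digit: catches any single wrong digit and most
    transpositions of adjacent digits (assumed scheme for this example)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def compute_header(txns) -> BatchHeader:
    """Recompute control totals, e.g. after a rejected record is removed."""
    return BatchHeader(len(txns), sum(t.amount for t in txns),
                       sum(int(t.account) for t in txns if t.account.isdigit()))

def balance_batch(header: BatchHeader, txns) -> list:
    """Batch proof: list every exception; an empty list means the batch balances."""
    findings = []
    for i, t in enumerate(txns):
        if not luhn_ok(t.account):
            findings.append(f"record {i}: account {t.account} fails check digit")
    actual = compute_header(txns)
    for field in ("record_count", "amount_total", "hash_total"):
        if getattr(actual, field) != getattr(header, field):
            findings.append(f"{field}: header {getattr(header, field)} "
                            f"vs computed {getattr(actual, field)}")
    return findings

# Constructed sample batch (not real data); the header was prepared at point of origin.
BATCH = [Txn("123455", 10000), Txn("246801", 2550), Txn("902106", 7425)]
HEADER = BatchHeader(record_count=3, amount_total=19975, hash_total=1272362)

if __name__ == "__main__":
    print(balance_batch(HEADER, BATCH))   # [] : the batch balances
```

A transposed account digit is caught twice, by the check digit and by the hash total, while a dropped record throws all three header totals out until the header is recomputed with compute_header.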

Application Controls

Transaction entry - online

Transaction data validation

Interactive editing

Management error monitoring

Reconciliation

Application controls

Computer processing

Control totals

Defaults

Anticipation

Exception handling

Operator instructions

Balancing

Destructive update

Application Controls

Telecommunications

Message integrity

Logins (system, application and network)

Message acknowledgements

Sequencing

Integrity checks

Encryption

Application Controls

Telecommunications

Network availability

Preparation against outages

Communication

Power

Hardware

Software

Application Controls

Data storage and retrieval

File handling

Header labels

Master file changes

Dormant files

Scanning dormant files

Backup procedures/contingency planning

Program change control

Excessive activity

Access control

Restart procedures

Application Controls

DBMS controls

Administration

Views

System logging

Rollback/roll forward capabilities

Application Controls

Output processing

Controlled documents

Negotiable document controls

Sequence number printing

Application Controls

Output processing

Reconciling

Output to input

JCL

System output reports

SMF audit trails

Report distribution

Handling procedures

Copy control

Application Controls

Output processing

User review

Headers & footers

Output reconciliation

Control totals

Confirmations

APIs

Exception processing activity

Data in decision making

Application Controls

Output processing

Records retention

Waste disposal

Deletion of unused reports

Record retention requirements

Application Controls

Output processing

Output error handling

Aging open items

Error logging by control groups

Responsibility and accountability for error

corrections

Error notification

Edit and verification of re-entered data

Application Controls

Output processing

Output review

Departmental review

Operator activity

Exception processing analysis

Application Processes

Key information

User procedures

Programs and interfaces

Transactions

Data files

Application Environments

Applications in an integrated system

Where is the application?

Where is the data?

Where are the transactions entered?

Where are the exposures?

Application Audit Trails

Method to track transactional data

Persons initiating transactions

Programs initiating transactions

Result of the transactions

All documented

Systems Development - IS10
- Methodologies
  - Traditional
  - Prototyping
  - Vendor Package Purchase
- Audit involvement?
  - Participatory
  - Independent

Systems Development - IS10
- Roles and Responsibilities *
- Planning and Management *
- Project Proposal
- Request for Information
- System Definition
- Prototyping
- Requirements Definition
- Request for Proposal
- Feasibility Study
- Vendor Contract and Plan
- General design

Systems Development - cont.
- Detail Design
- Programming and Unit Testing
- System Testing *
- Implementation *
- Documentation Standards *
- Post Implementation Review *
- Data Retention *
- Privacy *
- Maintenance *
* Apply to all development tracks

Today’s Development Environment
- Dynamic
- Need
- Technology
- Interactive
- Economic pressures
- Resource availability

Audit Service
- Expertise
- Selective participation
- Management representation
- Realistic independence
- Audit methodology and project

Review of General Controls
- Objective
- Content
- Who benefits
- Effect on audit planning

General Controls
- Management
- Hardware
- Software
- System Support
- Database
- Networking
- Logical Security
- Operations
- Continuity
- Physical Security
- Systems development

General Controls - Management
- Organization
- Planning
- Training
- Security
- Resource management
- Facilities
- Operations

General Controls - Hardware
- Hardware Interaction
- Processors
  - Mainframes
  - Desktops
  - Laptops
- Input devices
  - Tape
  - Cartridge
- Output devices

General Controls - Software
- Systems interactions
- Operating systems
- Applications
- Integrated systems
- Utilities

Software Functions
(Diagram of software layers, reconstructed as text)
- Application Processing
- Data Management, Processor Communications, Online Transaction Control
- Access Control
- Operating System Function

Software Implementation and Maintenance
- Compiling and linking
- Change management

Compiling and Linking
- Source
- Compiler – Source list & error list
- Object
- Linker – Source list & error list
- Executable

Software Maintenance
Change process (swimlane diagram, reconstructed as text)
Management: User Dissatisfaction -> Change Request -> Approval
Programming: Copy to test -> Coding -> Testing -> Approval
Operations: To production -> Approval

General Controls - Program Integrity
- Program integrity
- Testing
- Access
- Maintenance

General Controls - System Support
- Primary objective
- Control environment
- Central vs. Decentralized
- Control requirements

General Controls - Database
- Defined
- Logical view
- Physical view
- Products
- How they work

Information Network

General Controls - Networking
- Basics of networking
  - Topologies
  - Protocols
  - Components
- Internal Connectivity
- Performance

General Controls - Network Configurations
- Centralized
- Decentralized
- Distributed
- Client-Server

General Controls - Networking
- Internet, intranet, extranet technologies
- Services
- External connectivity
  - Objectives
  - Protection steps
  - Firewall configuration
  - Website issues
  - Distributed executables
  - “Cookies”

General Controls - Physical Security
- Physical protections
- Practices
- Facilities

General Controls - Logical Security
- Policies – IS 3
- Passwords
- Practices

General Controls - Operations
- Data center operations
- Scheduling
- Media management
- Production environment

General Controls - Programming
- System programming
  - Critical functions
  - Controlling functions
  - Make the system programmer your friend
- Application programming
  - Program maintenance
  - Roles of the programmer

General Controls - Continuity Planning
- Proper planning
- Scenarios
- Sufficient resources and commitment
- Human side
- Media management
  - Inventory Processes
  - Onsite and offsite verification

General Controls - Continuity Planning
- Analysis of threats
- Analysis of processes
- Consideration of alternatives
- Selection and development of a plan
- Documentation to support the plan
- Test of the Plan

CAATs -- Computer Assisted Audit Techniques
- Audit tools
  - ACL
  - Hummingbird
  - Focus
- Traditional
- Non-traditional

Why use CAATs
- Electronic data
- Validate processing
- Audit requirement for testing

Usage of CAATs
- Functional
- Real time data capture
- Data analysis
- Confirmation of data

CAATs techniques
- Program simulation
- ITF (integrated test facility)
- Embedded audit module

