ICT Audit Planning - TISonline

Document Sample
ICT Audit Planning - TISonline Powered By Docstoc
ICT Auditing

Introduction - limitations and purpose

This document does NOT seek to provide guidance on how to conduct every
type of IT audit assurance activity that may be required in every environment
as it is impractical to do so and many other dedicated sources of guidance
(which are referenced in this document) can assist in that regard.

This document simply aims to provide clarity over the nature and scope of ICT
Audit and Assurance activities and to provide links to appropriate information
sources about most ICT Risk and Assurance Areas.

Content summary

The Basics       Sets out the fundamental tenants for audit and
                 assurance activities that culminate in the Annual
                 Governance Statement.
Core ICT         This section covers the fundamental risks associated
Risks            with ICT:
                  non-compliance – Data Protection Act, Code of
                  confidentiality – access controls and identity
                  integrity – accuracy and completeness of records
                  availability – hardware, project or software failures
                 Summary of the four primary types of ICT audit
Overview of
the Four
Types of ICT      application audits of in house and third party
Audit              business systems
                  ICT service delivery and management issue audits
                  infrastructure audits – networks, servers and
                  CAATS (duplicate payments, gaps in invoice
                   numbers etc)
ICT Audit        Explains how the ICT audit planning methodology for
Planning         both annual plans and individual audits helps to
                 establish appropriate “ICT audit plans” that
                 consolidate, enhance and compliment, rather than
                 duplicate or conflict with, existing assurance activity
ICT Audit        This covers the specific qualifications and skills that
Skills and       an ICT auditor can possess to provide an indication of
Qualifications   their knowledge and experience
Sources of       List of links to sources of other best practice
ICT Auditing     standards and organisations
Multiple        Business Application Audits
Examples of
ICT Audit       ICT Service Delivery and Management Audits
Scope and
Objectives      Infrastructure Audits
                CAATS Data Analysis/Interrogations

The Basics

Internal audit provides an independent assurance on the adequacy
of the management control frameworks established to:

    safeguard and secure assets

    ensure reliability of records

    monitor adherence to policy; and

    promote operational effectiveness.

Overall and departmental risk registers and risk management
arrangements are evaluated each year as part of the audit needs
assessment to help establish the appropriate range of external and
internal audit activities required to address the corporate
governance and assurance needs. The assurance evaluation
activities of internal audit assessments, together with any additional
assurance sources such as health and safety activity reports,
culminate in the Annual Governance Statement which is signed by
the accountable senior governance members and officers.

Audit committees take an ever increasing interest in ICT related
risks and governance practices due to the ever increasing reliance
being placed on ICT solutions. All auditors need to be aware of the
scope of ICT within the organisation they work for and how it is
structured and managed, as ICT is an essential aspect of the
planning and conduct of any audit.

Without access to the information that business systems contain,
managers and auditors alike will be unable to perform their
responsibilities effectively. It is therefore essential that there is clear
accountability for assurances over the primary areas of ICT activities
and the risks by ensuring that auditors seek to establish effective
ICT audit resources and methodologies, such as the use of
Computer Assisted Audit Techniques or even the development of
continuous audit and assurance solutions.

The need to cover IT auditing in the audit plans can be shown in an
analogy with an office building (the business application): one can
gain a level of assurance that unauthorised individuals can’t gain
access to the building because there is a fully working access control
system in place (applications’ authentication controls) which are
administered and monitored as being in line with effective
(management) arrangements and policies. However, without also
verifying the adequacy of controls around the ‘goods-in’ entrance
and fire exits (database and operating system logical access
controls), the process for allowing visitors or contractors access to
the building (application change management process), and the
alarm systems etc (application intrusion detection systems), you
cannot gain full assurance that the building is adequately protected
from unauthorised access.

Auditing solely at a business process/application level will only
provide a partial view of the control environment because
weaknesses in the ICT infrastructure can completely undermine
controls within ICT applications. For example, a weakness within the
database management system supporting an application could easily
enable the bypassing of controls over authentication, authorisation,
integrity and segregation of duties.

Core ICT Risks
The key risks in the delivery of ICT solutions, which now encompass
almost every aspect of public service delivery from email to
payments and management information, are:

Non-compliance risks. These include:
     Data Protection Act – high financial penalties and reputational damage

     Code of Connection – inability to effectively deliver joined up services
     Compute Misuse Act – abuse of computer resources for fraudulent gain

Confidentiality    Identity management, virus detection and access controls help ensure data is
                   adequately secured

Integrity          Data input, processing, interface and output management monitoring controls
                   ensure the accuracy and completeness of records (eg duplicate payments or
                   CRB checks)

Availability       Network resilience, backup/restore arrangements and environmental data
                   centre controls help minimise the probability and impacts of ICT service
                   disruptions such as hardware/software failures or deletion by error or intent

Overview of the Four Types of ICT Audits

ICT audit and assurance activities assess the extent to which the
above risks are mitigated and the basic audit control principles are
applied to:

     safeguard and secure assets
   ensure reliability of records

   monitor adherence to policy; and

   promote operational effectiveness.

The key risks in the delivery of ICT solutions, which now encompass
almost every aspect of public service delivery from email to
payments and management information, are non-compliance,
confidentiality, integrity and availability.

As a result IT audit has to develop and maintain appropriate
assurance assessment plans that address these risks in the four
primary areas that IT audit covers: business applications,
management issues, infrastructure and computer assisted audit
tools and techniques:

   business applications – eg payroll, grants, benefits, AP –
    these audits cover the software system used to deliver business
    functionality and testing includes:

    –    roles and responsibilities

    –    access permissions and security

    –    input, output and processing

    –    system interfaces and audit trails

    –    system maintenance; and

    –    backup and recovery

   ICT service delivery and management – these audits cover
    the control framework and processes established for the
    implementation and delivery of IT services and skills associated
    with good practice and legislative compliance (ie the areas not
    directly looking at hardware or software):

    –    general computer controls

    –    IT strategy, policies, organisation, governance and

    –    project risks

    –    statutory compliance (licensing, data protection and
         freedom of information)

    –    IT security (Code of Connection)

    –    IT service management arrangements (ITIL); and

    –    data quality and integrity
   infrastructure – these audits cover the supporting hardware
    and software generic to the delivery of secure service
    connectivity (eg anti-virus, operating systems and device
    configuration settings):

    –    network operating systems

    –    firewalls and device security

    –    Wi-Fi/remote access (SSL/VPN)

    –    server security (eg UNIX/SQL)

    –    virtual servers and network management

    –    laptops and mobile storage devices

    –    public sector networks and G-Clouds.

   computer assisted audit techniques (CAATs) are IT data
    interrogation techniques to conduct tests on the accuracy and
    completeness of data to help perform assurance and
    compliance audits. (See ISACA Guideline G3 Use of Computer-
    assisted Audit Techniques and the IIA GTAG 16: Data Analysis
    Technologies and GTAG-3: Continuous Auditing: Implications
    for Assurance, Monitoring, and Risk Assessment).

ICT Audit Planning

Annual ICT audit plans

This section sets out the approach for developing computer audit
needs assessments to establish an appropriate ICT audit activity

   Where annual governance statements state that effective risk
    management arrangements exist, IT auditors should use the
    existing corporate and departmental risk registers to determine
    IT audit activities.

   Where risk management arrangements are poor or absent IT
    audit should adopt the Global Technology Audit Guides
    prepared by the Institute of Internal Audit for Developing the IT
    Audit Plan (GTAG 11) and for the Management of IT Auditing
    (GTAG 4).

IT audit plans should ensure that gaps in risk assurance coverage
are identified and prioritised for attention and plans should always
complement, not duplicate, existing assurance activities. For
example, if a project office function exists to provide quality and
compliance checks for ICT programmes and project risks, IT audit
resource should focus on the adequacy of the corporate project
management standards and the results of project office activities,
lessons learnt, and the effective transition of any residual project
risks into the “business as usual” environment.

Individual ICT audit plans

As with all audit and assurance activities a “terms of reference” will
always need to be agreed in advance of each ICT audit. See the
examples section for suggestions on audit scope and objectives.

Every effort should be made to avoid any duplication of audit
resources and maximise the use of specialist IT audit resources.
When general or external audit resources conduct a key business
application audit, the IT audit resources should be assigned to
evaluate specific ICT risks areas that complement the general audit
coverage of “segregation of duties” etc so that the overall assurance
opinion can be formed following comprehensive evaluation of the
control environment.

ICT audit resources are often allocated areas such as evaluation of
backup and recovery solutions, system support and database
administration (DBA) arrangements and work can also include the
use of CAATS data analysis/interrogations to provide the general
audit team colleagues with highly focused potential record exception
reports to vouch such as potential duplicates or gaps in invoices.

All auditors have expertise in risk assessment and internal control,
and there is a need for all auditors to have a level of ICT awareness
and knowledge. This should cover general ICT controls such as
backup and recovery, password access control, data validation
controls etc. They should also have the ability to comfortably use
ICT in conducting audits, such as word processing and computer
assisted audit techniques. Consequently, it is not unreasonable or
uncommon to expect a non-ICT auditor to undertake reviews of
general ICT and automated controls. These may include application
controls around user authentication, authorisation of transactions,
system enforced segregation of duties and disaster recovery plans
for an application.

However, the distinction between ICT and non-ICT auditors arises
because the ICT auditor needs sufficient skills to be able to identify
and evaluate technical risks associated with the use of ICT and the
controls in place to manage those risks. Where appropriate the ICT
auditor needs to provide an effective challenge and/or contribution
to the existing ICT risk assessments.

ICT Audit Skills and Qualifications

Generally, ICT auditors are either auditors trained in ICT, or ICT
staff trained in auditing. There has been much debate around which
is the preferred route/background for an ICT auditor but the
essential criterion remains, as with any auditor, that they must have
the appropriate skill set to be able to undertake the assignments
allocated to them.

It is unreasonable to expect anyone to have full expertise in all
areas of ICT. The area is too large and constantly changing to make
this viable. As such, it is common for ICT auditors to specialise in
specific areas of ICT (eg operating systems, or specific databases, or
else project implementation assurance).

Many organisations, therefore, seek the services of specialist ICT
auditors when the nature of assignments dictates and in-house
resources are unavailable. For this, the services of a specialist
organisation or contractor are commonly used, together with
consortium arrangements or partnerships with other organisations.

There are specific qualifications that an ICT auditor can possess,
which provide an indication of their knowledge and experience.
Primarily these are the:

   Certified Information System Auditor (CISA) qualification
    operated by the Information Systems Audit and Control
    Association (ISACA)

   Certified Information System Security Professional (CISSP) by

   IT Auditing Certificate, which was initiated after the
    Qualification in Computer Audit (QiCA) was withdrawn in 2010
    by the Institute of Internal Auditors UK. The IIA IT Auditing
    Certificate is aimed at qualified internal auditors (holding PIIA,
    CMIIA or CIA designations) who wish to gain skills in IT threats
    and vulnerabilities.

As well as demonstrating knowledge through exams, these
qualifications also require the candidate to demonstrate their
experience before gaining certification and being able to use the
QICA, CISSP and CISA designations. For example to obtain the CISA
designation an ICT auditor is required to demonstrate five years’
practical experience of the following areas:

   IT audit process

   IT governance

   systems and infrastructure lifecycle management

   IT service delivery and support

   protection of information assets

   business continuity and disaster recovery.
Where organisations are too small to justify specific full time ICT
audit resources, consideration should be given to:

    using ICT audit resources of other organisations, including
     external auditors

    maximising impact by identifying areas where audit principles
     may be applied to important ICT areas without the need for an
     in-depth technical understanding

    developing staff while minimising the investment in training

    use of short-term contactors or specialist firms focused upon
     specific audits that need to be conducted to assess specific
     technical risks.

Sources of ICT Auditing Information

Institute of Internal Auditors

Global Technology Audit Guidance Series

PG GTAG-16: Data Analysis Technologies
PG GTAG-15: Information Security Governance
PG GTAG-14: Auditing User-developed Applications
PG GTAG-13: Fraud Prevention and Detection in an Automated World
PG GTAG-12: Auditing IT Projects
PG GTAG-11: Developing the IT Audit Plan
PG GTAG-10: Business Continuity Management
PG GTAG-9:   Identity and Access Management
PG GTAG-8:   Auditing Application Controls
PG GTAG-7:   Information Technology Outsourcing
PG GTAG-6:   Managing and Auditing IT Vulnerabilities
PG GTAG-5:   Managing and Auditing Privacy Risks
PG GTAG-4:   Management of IT Auditing
PG GTAG-3:   Continuous Auditing: Implications for Assurance, Monitoring, and Risk
PG GTAG-2:   Change and Patch Management Controls: Critical for Organizational Success
PG GTAG-1:   Information Technology Controls


Further guidance can also be obtained from the International
Systems Audit and Control Association (ISACA).

ISACA is fully dedicated to the promotion and ongoing maintenance
of ICT audit and security via its comprehensive Control Objective for
Business Objective Information Technology (COBIT) audit and
control standards. This seeks to connect other major frameworks,
standards and resources, including ITIL, ISO, ISF, OECD, AICPA and
NIST, and to integrate other ISACA guidance, including Val IT, Risk
IT, the IT Assurance Framework and the Business Model for
Information Security (BMIS), into one cohesive and comprehensive

IT Governance Institute

The IT Governance Institute is a one-stop-shop for everything to do
with IT governance.

Government Connect

This site includes excellent support and guidance on ICT security
and policy initiatives including the 2009 Local Government Data
Handling Guidelines by Mark Brett of Socitm.


Socitm is the professional Society of IT Management for the public
sector. It includes the Socitm TV facility which provides free-to-view
video content covering key aspects of technology-enabled
improvement and public sector ICT management initiatives.


itSMF UK is the IT Service Management Forum, a community for
leadership in IT service management.


The Information Risk Management and Assurance Group of the
British Computer Society (IRMA) supports and promotes the
awareness and use of computer auditing, control and risk
management techniques. This includes:

    phone hacking and data storage compliance

    top IT management challenges in 2011

    practical mobile business intelligence.

CIPFA's Computer Audit Guidelines: Fully Revised Sixth
Edition 2006

This is an essential key reference publication in this field that is
endorsed by the Institute of Internal Auditors. It covers the
following IT audit activities:

    planning IT audit
   IT audit resources

   security and control

   management controls

   file controls

   PC controls

   network controls

   internet controls

   e-commerce controls

   environmental controls

   business continuity planning

   data protection

   reviewing systems

   project management controls

   application controls

   change control

   post-implementation review

   management issues

   IS/IT strategy

   procurement of IT facilities

   financial management of IT

   outsourcing

   using IT for audit

   data retrieval

   other CAATs

   audit control matrices.

CIPFA also produces the following publications:

   Systems Based Auditing Control Matrices including: Systems
    Based Auditing Control Matrices: Series 7 (2008)
   A Guide to Enhanced Systems Based Auditing: The Exeter
    Approach (2009)

   A Risk-based Approach to the Audit of Procurement (2010)

   Systems Based Auditing Control Matrices: Series 8 – IT
    Governance (2010)

   Systems Based Auditing Control Matrices: Series 9 – People
    Management (2011)

   The Excellent Internal Auditor: A Good Practice Guide to Skills
    and Competencies (2011).

Using the CIPFA Systems Based Auditing Control Matrices –
Series 8 IT Governance

The purpose of these matrices is to provide tests for use by general
and specialist IT auditors, as well as those concerned with IT
governance. They are non-sector-specific and so can be used in the
public, the private and the third sector. By undertaking these tests,
a succinct overview will be obtained of the extent that IT
governance standards, etc are being met, and in turn this will enable
a gap analysis to be undertaken so that areas for improvement can
be clearly identified and reported to senior management and the
managing body.

Series 8 consists of a Hazard Identification Document (the purpose
of which is self-evident) and 18 control matrices. The first control
matrix (ITG01 General) covers the overall ‘top-level’ direction and
management, and includes the strategic plan, information
architecture and technological direction. It is therefore suggested
that the ITG01 compliance and assurance tests are undertaken
before any of the other matrices. However, this is not essential – if a
particular area gives concern or is considered high risk, then the
tests contained in the relevant matrix can be undertaken before

A notable difference in this series is that the Internal Control
Questionnaires have been dispensed with (as they were considered
superfluous), and that as well as Compliance Test Papers (CTPs),
there are also now Assurance Test Papers (ATPs). The latter were
introduced by the authors, Exeter City Council’s internal auditors, as
part of the Enhanced Systems Based Auditing (ESBA) and Enterprise
Risk Management Auditing (ERMA) approach they devised to further
incorporate best practice risk management techniques, particularly
those of COSO.

COSO is the abbreviation of the Committee of Sponsoring
organizations of the Treadway Commission, of which the Institute of
Internal Auditors is one of the five sponsors. In September 2004
COSO published the Enterprise Risk Management – Integrated
Framework. One of its key messages is that it is essential for good
corporate governance and effective enterprise risk management that
when organisations, for example:

   establish policies, standards, rules and procedures

   allocate roles and responsibilities,

they actually tell the target audience about them, provide them with
training where appropriate, and regularly remind them. The ATPs
therefore serve as a means of assessing how well, or otherwise, the
organisation has (for example) made its employees aware of what
they are and what they are not allowed to do, and thereby
identifying weaknesses that can be addressed, thus avoiding
potential management problems.

It is suggested that, once the various IT governance control
matrices have been tested, for future audits only selective testing is
undertaken rather than all of the CTPs and ATPs. Selective testing
should only be undertaken for high risk areas (based upon risk
assessments) or vulnerabilities, and for those areas where the
results of previous testing were far from satisfactory. It should also
be borne in mind that if the result of the ATP testing was
satisfactory, and there have been no new staff appointments, there
is no need to retest.

The matrices cover:

   general – strategy, information architecture and technological

   infrastructure

   change management

   configuration management

   system security

   physical and environmental management

   service level management

   operations management

   service desk, incident and problem management

   service continuity management

   cost management

   data management

   performance and capacity management
   procure IT resources

   project management

   acquire, implement and maintain application software

   management of third party services

   education and training of IT users.

Legislation and standards

   Freedom of Information Act 2000

   Data Protection Act 1998

   Computer Misuse Act 1990 and the 2008 Amendments

   Copyright, Design and Patents Act 1988

   Digital Economy Act 2010

   BISO 27001: Information Security Management System

   ISO 20000, the ITIL based international IT Service Management

   ISO 25999, the Business Continuity Standard

   ISO 27033, IT Network Security Standard

   ISO 38500 The IT Corporate Governance Standard.

Supporting guidance and organisations

   Cloud Security Alliance

   Centre for Internet Security

   Department for Business Enterprise and Regulatory Reform
    information security pages

   Federal Financial Institution Examination Council (FFIEC) IT
    Audit Office Guides

   Federation Against Software Theft (FAST)


   Information Commissioner’s Office

   ISO:27000 Information (Department for Business Enterprise
    and Regulatory Reform)
   IT Governance and Audit Guidance 2012

Multiple Examples of ICT Audit Scope and Objectives

The following sections of this document address some of the key
areas for the IT auditor to consider, together with a brief summary
of the main risks associated with the selected area and controls that
should exist to help reduce the organisation’s exposure to the
identified risks.

Business Application Audits

The work of the auditor as regards information systems that have an
ICT base has traditionally been broken down into three main areas
of controls that were identified in the CIPFA Statement on Computer
Audit published in the early 1980s. These are:

   systems procedural controls

   administrative and organisational controls

   controls over the use of resources.

This analysis holds good today for all information systems
irrespective of whether they are manual or ICT based. The three
areas are covered in the following sections.

Reference should be made to:

   CIPFA's Computer Audit Guidelines - Fully Revised Sixth Edition
    for a more detailed analysis of control objectives and desirable

   the IIA GTAG-8: Auditing Application Controls.

Objectives and risks

This area of control is concerned with accuracy and security. The
advantages afforded an organisation by information systems and
technology are unlikely to be fully realised if data is inaccurately
processed or not processed at all.

Organisations are also under a duty imposed by the Data Protection
Act 1998 to ensure that all personal data held on computers is kept
secure. However, public access has been increased as part of the
Freedom of Information Act 2000. Auditors will have to be satisfied
that access controls meet the potentially conflicting requirement of
these Acts and of compliance requirements such as the PCCDSS for
online payment processing.

The objective of auditing this area is to assess the controls in place
to help ensure:
   system access is restricted to appropriately authorised

   system inputs/data captured is processed and validated as
    planned and that any unexpected data is thoroughly
    investigated before being processed

   all data is authorised and processed correctly in accordance
    with the appropriate standards and procedures (eg the Payment
    Card Industry Data Security Standard (PCI DSS) and Data
    Protection Act)

   all outputs are as anticipated and passed to the appropriate
    individuals in a timely manner

   sufficient electronic audit trails are produced.

Information processing: systems procedural controls

The auditor should review systems to ensure that the following
areas are covered:

   user identification and authentication (see IIA GTAG-9:
    Identity and Access Management and the ISACA Guide G38 on
    Access Controls)

   user account management

   user privileges

   configuration management

   event and activity logging and monitoring

   communications, email, and remote access security

   malicious code protection, including viruses, worms, and trojans

   software change management, including patching (see GTAG-
    2: Change and Patch Management Controls: Critical for
    Organizational Success)

   firewalls/vulnerability management – antivirus patching and
    gateway protection (see GTAG-6: Managing and Auditing IT

   data encryption

   backup and recovery

   incident and vulnerability detection and response (see GTAG-
    15: Information Security Governance)
   collaboration with management to specify the technical metrics
    to be reported to management

   accuracy of data input

   proper processing of data

   reasonableness and completeness of outputs

   adequacy of audit trail (see GTAG-3: Continuous Auditing:
    Implications for Assurance, Monitoring, and Risk Assessment).

Input controls

Controls should be built into the system to help ensure that data
input is genuine, complete and accurate. While data is normally
input into a system by keyboard, all methods of data entry should
be reviewed. This could include the electronic submission of data via
removable media such as CD-ROMs and memory sticks, as well as
through interfaces, including electronic data interchange (EDI).

Data input should be by authorised persons whose access to the
system is adequately restricted from unauthorised access. Data
input should be subject to appropriate restrictions and validation.
Data submitted for batch processing should have controls to ensure
input is authorised, and where possible each batch should have
control totals to ensure completeness. Incomplete or erroneous
batches can then be rejected or held in suspense until corrected.
Controls should also exist to prevent duplication of input.

Where data enters a system from an interface, controls should exist
to help ensure the integrity of the data between leaving its source to
entering the receiving system. This may include reconciliation
controls such as record counts, hash totals and control totals.
Suitable processes and procedures should also exist to manage any
data completeness or integrity issues encountered.

Processing controls

Processing controls within a computer system should ensure that the
correct data and program files are used, that all data is processed in
a secure manner, accounted for and written to the appropriate file,
and that data conforms to predetermined standards or falls within
specified parameter values.

When the data is processed, the auditor should be satisfied that only
the latest authorised version of the program is run. Many
applications are now run as suites of programs controlled through
the operating software. Procedures should be in place to ensure that
the latest version is being used, and the auditor should be satisfied
that appropriate controls are in place. The correct data files should
be accessed both by ensuring that naming conventions are always
used and, ideally, by the renaming or deleting of processed data
files within the process itself. Input logs should be kept and be
available for audit.

All processing should be performed in such a way that only
authorised users of the data can have access to the data files and
programs used, although it may be necessary for technical or
development staff to have access if program errors occur. In such
circumstances, clearly defined procedures should be laid down and
files and programs should be kept secure at all times.

Output controls

All programs should be properly documented and a list of any
expected output from a process kept in the ICT control section of
the organisation (usually within the ICT department). The actual
output from the system should always be checked against that list
for completeness and reasonableness.

Confidentiality is as vital with output as it is with input and only
authorised officers of the appropriate user department should be
allowed to receive the output of the system. A separate person from
the one receiving the output should validate control total data.

User departments should also be made aware of the need to dispose
of sensitive output appropriately, in order not to contravene the
Data Protection Act 1998.

Audit trail

As a fundamental of good governance and accountability for system
processing arrangements it is the responsibility of management to
establish and maintain system and procedure logs to record all
input, including changes to data, to establish who did what and
when they did it. This is known as a management audit trail.

For example, if a fraudulent payment was initiated by online input at
a particular terminal, the log should show who initiated the payment
and who authorised it.

Such controls are crucially dependent on strong controls over
accountability arrangements for the creation of user accounts and
the means of authenticating user identity (eg strong passwords and

In this way computer audit is no different from any other form of
audit in that the system should ensure that all actions are
sufficiently documented. Logs should be stored off-site, as should
any manual control records. Management should also ensure that
discrete logins are used, which identify users. Sharing logins or
leaving a PC logged on should be discouraged.
As with all data sets management must determine and automate
appropriate timescales for the retention of audit logs, as they take
up storage space and data protection regulations may be breached if
logs contain personal data and are kept for longer than necessary.
Management should also ensure that system and user passwords
are changed frequently to protect access and help ensure security of
data. System controls should also be reviewed by management and
audit to ensure that there is an appropriate division of duties.

Information processing: administrative and organisational

This area of control concerns the way in which departments are
organised. In small departments it is more difficult to establish and
apply adequate segregation of duties control principles. However, as
a minimum detective system activity alert and reporting controls
should exist to act as a deterrent against potential misuse of access
rights. In addition, controls in this area can also include other
centrally managed controls such as those in place to act as
safeguards against infection by computer viruses.

Objectives and risks

The auditor should appraise departmental organisation and
procedures to establish that:

   there are documented standards of operation for all aspects of
    the work of the department

   access to and retention of data/information, whether in the
    form of computerised or manual records, is limited to
    authorised personnel only and to comply with the requirements
    of the Data Protection Act 1998

   adequate physical safeguards exist for the continued operation
    of computers

   logical safeguards exist to comply with appropriate standards to
    preserve software and data from corruption and viral infection
    (eg the Payment Card Industry Data Security Standard (PCI

For risks, see the Data entry section below.

Key control areas

Key control areas may include:

   clearly documented procedure and operation manuals. For ICT
    based systems these would include systems techniques,
    program specification and programming standards, testing
    techniques and documentation standards. For both ICT based
    and manual systems the auditor should expect up to date user
    manuals and procedure notes to be maintained

   control of access to data, through mechanisms within the
    operating system in the case of ICT based systems, and by
    physical security measures for manual systems

   management of appropriate arrangements for dealing with
    disasters, including procedures for taking backups of data and
    storing them securely

   security of installations against potential catastrophe. The
    auditor should look for controls designed to prevent or mitigate
    the risk of disasters and those designed to minimise the effects
    of a loss of the installation, eg membership of disaster consortia
    and storage of key data at remote sites. For data stored in
    manual systems, sprinkler installations may be considered more

   protection from theft of PCs, especially laptops. In particular
    information contained within PCs and laptops may need to be
    protected from unauthorised access by methods such as

   protection of software and data from corruption by means of
    virus checkers, protocols for the transfer of information
    between PCs, and firewalls between internet connections and
    live systems. In addition, data can be protected from loss
    through hacking via the use of vulnerability management, for
    example adoption of Intrusion Detection System (IDS) or
    Intrusion Protection System (IPS).

Information processing: use of resources

ICT resources are particularly valuable and auditors need to be
aware that spare capacity inevitably exists on all computer
environments. This is because they are purchased in anticipation of
the future system capacity requirements that are in the process of
being developed.

The auditor should take steps to ensure that appropriate key
performance indicators exist to demonstrate the efficient use of ICT
resources as advocated by ITIL, the best practice IT Service
Management Framework, and ISO 38500 the ICT Governance

Applying risk management techniques, including disaster recovery
and business continuity planning, can highlight the key areas of
concern and ensure that controls are in place to help reduce
exposure to risk. See GTAG-10: Business Continuity Management.
Objectives and risks

The auditor should appraise the organisation’s procedures to ensure

   resources are not used for unauthorised purposes

   resource requirements are clearly established and the most
    efficient use is made of existing resources

   the costs of maintaining systems are regularly reported to both
    the managers of the central computer department and user
    department managers.

For risks, see the Data Capture and Data Entry section below.

Key control areas

Key control areas may include:

   the adequate recording and monitoring of all use of ICT

   regular reviews of calculations of resource requirements to
    establish that they are adequately monitored

   documented standards and procedures exist which help ensure
    that effective and efficient data processing requirements are
    defined and monitored for achievement

   management review of the work done by individuals on a
    regular basis

   regular reporting of the true cost of systems to all levels of

   accurate and prompt recharging where appropriate.

ICT Service Delivery and Management Audits

ICT strategy

Objectives and risks

The primary objective of the ICT strategic plan is to set out, in a
clear and concise manner, the way in which ICT will be used within
the organisation to effectively enable the achievement of the wider
business objectives. A clear strategic plan is required covering the
development, maintenance and enhancement of information
systems. Ideally these will be encompassed within an ICT strategy
   aligns with the organisation’s statement of aims and objectives,
    business plans, corporate plans or mission statement

   sets out the risk management and governance assurance
    frameworks and standards in use for the effective management
    of IT resources and mitigation of known vulnerabilities, threats
    and risks

   reviews and considers existing information systems to ensure
    they best serve the organisation in times of change, and
    continue to integrate to other (new) systems

   sets out the control around the development design and
    transition of new information systems into the organisation;

   is reviewed and updated on a regular basis.

Therefore, failure to have an up to date ICT strategy that is aligned
with the current corporate plans could prevent corporate aims and
objectives from being met, or being met in the most efficient and
effective manner.

See also the ICT Strategy section for further information.

Key control areas

The key control is the existence of a clearly stated ICT strategy. The
auditor should investigate the strategy to establish that:

   the strategy includes a written statement setting out clearly and
    unambiguously what senior management have approved,
    together with when the strategy was formally issued and

   senior management have been briefed and received sufficient
    training in information systems and technology to be capable of
    authorising the strategy in an informed manner

   there will be regular reviews to take account of new
    developments in both information requirements and technology

   the strategy takes a comprehensive and forward-looking
    approach. In this area more than any other, it is vital that not
    only current technology and thinking is reflected in the
    document but also that potential developments in technology
    and future information requirements are considered

   alternative ways of providing an information systems service
    have been considered during the drawing up of the strategy,
    ranging from non-ICT solutions to facilities management by
    external contractors
   IT strategy monitoring compliance responsibility is clearly
    assigned and operated.

ICT asset management

The ICT asset management function is the primary point of
accountability for the life-cycle management of information
technology assets throughout the organisation.

Included in this responsibility are development and maintenance of
policies, standards, processes, systems and measurements that
enable the organisation to manage the IT asset portfolio with
respect to risk, cost, control, IT governance, compliance eg
ISO:38500 and business performance objectives as established by
the business.

Audit should be aware of the difference between tangible and non-
tangible assets in terms of IFRS and that IFRS also affects hardware
bought by a supplier for an organisation’s IT service, which may
need to be recognised as an asset.

ICT business continuity/disaster recovery plan

The more the business relies on its IT systems, the more it needs to
consider how unexpected disruptions might affect the business.
These disruptions could come in many forms, from fire and floods to
theft or malicious attacks on systems, such as viruses or hacking.

The main benefit from business continuity planning is to improve a
business’s ability to react to such disruptions. It describes how the
business will restart its operations in order to meet its business-
critical requirements.

The main risk the auditor should consider is the risk exposure of IT
failure and the business impact that this may have.

Key areas for the auditor to consider are:

   is an IT business continuity plan in place

   does the plan meet standards eg BS25999 (business continuity)
    or BS25777 (IT continuity)

   has the IT plan been communicated to appropriate staff

   has the IT business continuity plan developed in line and in
    conjunction with other businesses/departments

   are the systems ranked in terms of business critical

   has the plan been tested; and

   has the plan been updated as a result of the test.
ICT procurement and disposals

Objectives and risks

ICT procurement generally involves the procurement of hardware,
software and ICT related services. Specific ICT considerations

   hardware – has future demand been taken into account when
    determining the specifications of the hardware being
    purchased? Has consideration been given to associated costs
    and procurement implications such as ongoing support, backup
    and recovery arrangements, peripherals etc?

   software – generally an organisation will not own the software
    purchased, and it should have a valid a licence to use the
    software. There are many different types of software licence
    arrangement such as per user, concurrent usage, site or
    enterprise agreements. It is important that the organisation
    obtains the most appropriate licence for its purposes. Software
    support agreements are also a consideration. It may be
    appropriate to insist that the supplier lodge a copy of the source
    code with a trusted third party so that another developer can
    support the system in the event of the supplier’s business

   ICT related services – see the following paragraphs and the
    Outsourcing section below for some important considerations
    when procuring ICT services, which are covered in GTAG 7
    Information Technology Outsourcing of the series of IIA Global
    Technology Audit Guides

   ICT disposals – organisations and their employees have a
    responsibility under several EU Directives, including Data
    Protection directives, the Landfill Directive, the Waste Electronic
    & Electrical Equipment Directive (WEEE) and the Hazardous
    Waste Directive, to ensure that final disposal of all waste
    electronic and electrical equipment is responsible and traceable.
    In order to meet this obligation, it is the responsibility of an
    organisation to follow the procedures when purchasing
    electronic equipment and when disposing of such items. All ICT
    equipment containing data should be securely erased and/or
    destroyed beyond recovery.

Further general details on procurement can be found in the
Procurement information stream.

The primary objective of ICT procurement is to ensure that the
procurement of computer hardware, software and ICT services is
aligned with the ICT strategy and takes place in accordance with the
organisation’s procurement rules and EU tendering legislation.
Therefore ICT procurement should:

   align with ICT strategies and policies (including capital/revenue
    budget provision)

   be authorised following an objective assessment of alternative

   be based upon a clear specification of requirements of what is

   appraise alternative suppliers and alternative products within an
    invitation to tender (ITT) process

   include the installation of the product and testing prior to

   note the use of “vanilla” off the shelf solutions rather than
    bespoke IT makes any software upgrading straightforward

   involve both pre- and post-implementation reviews.

Weaknesses within this area can result in the procurement of
hardware and software solutions that are ineffective and inefficient
in meeting the organisation’s aims and objectives. This can be due
to incorrect specifications or lack of interoperability with other areas
of ICT. Failure to follow procurement policy standards can also result
in poor value for money and non-compliance with legislation.

Key control areas

The key control is that appropriate procurement arrangements are in
place, and followed. As part of this, this auditor should ensure that:

   ICT facilities management or cloud hosting services and
    hardware procured are fit for purpose, specifically in terms of
    its specification, strategic fit within the ICT strategy, and
    ongoing support and maintenance, with best prices being

   software procured meets the business need, is aligned with the
    ICT strategy, appropriately licensed for the organisation,
    adequately supported, and best prices are obtained

   any movements to external provision of the services accord
    with the ICT strategy

   any arrangements made with third parties for the delivery of
    ICT services are adequately specified and contain sufficient
    safeguards for the organisation

   the organisation is obtaining value for money
   post-implementation support and security are in place

   best value is being obtained and can be demonstrated

   there is a formal contract with the supplier that includes
    elements such as:

    –    performance monitoring is in place, with action taken
         where the contract requirements are not being met (this
         also includes service levels agreements – SLAs)

    –    security, backup and data retrieval procedures have been
         tested and operate with minimal disruption

    –    there is both formal and informal communications with the
         supplier, and that problems are rectified

    –    managers are proactively reviewing current practices in
         line with the best practice ITIL framework and looking to
         provide enhanced performance either during the
         outsourcing or when the contract is renegotiated

    –    there are appropriate insurance and exit strategy
         termination arrangements in place

    –    there is a clearly agreed tariff for system upgrades and
         support; and

    –    there is a right of access for internal audit to the systems
         operated or provided by third parties.

ICT outsourcing

Objectives and risks

Outsourcing of the whole ICT function is rare but increasing and
most organisations have some degree of outsourcing. Auditors are,
however, familiar with auditing procurement in general and third
party work in particular, and the same general principles can be

The primary objective of auditing within this area is to ensure that
appropriate actions have been identified and implemented to reduce
the organisation’s exposure to risk.

Failure to adequately control risks within this area can have a
significant negative operational impact on the organisation. See
GTAG 7 Information Technology Outsourcing of the series of IIA
Global Technology Audit Guides.
Key control areas

The auditor should appraise the quality and standard of an
outsourced ICT function, or part of it, by ensuring that:

   a management framework is in place and performance is
    monitored against contract requirements, with action taken
    when the supplier fails to meet contract requirements

   there is a formal contract with the supplier, drawn up in
    accordance with the organisation’s contract procedures, that
    includes areas such as:

    –    service levels and incentives

    –    supplier personnel

    –    data protection, privacy and intellectual property

    –    price protections

    –    management of subcontractors

    –    ownership of existing and new assets

    –    conflicts among different legal systems

    –    contingency management and change planning

    –    notice of adverse material impacts

    –    right to audit

    –    termination.

   there is both formal and informal communications with the
    supplier, and that problems are rectified

   security arrangements are tested to ensure adequate backup
    and retrieval of the organisation’s data, and that disruption to
    the organisation is minimised

   there is daily, and local where necessary, support (possibly
    including out of hours) to ensure that disruption to the
    organisation is minimised

   managers are reviewing current practices proactively and
    looking to provide enhanced performance either during the
    outsourcing or when the contract is renegotiated

   there are appropriate insurance arrangements in place

   comparisons are made with other organisations/providers, to
    ensure that costs and service provision are comparable; and
   the supplier agrees to comply with the organisation’s security

Information systems architecture

An information systems architecture is a formal definition of the
business processes and rules, systems structure, technical
framework, and product technologies for a business or
organisational information system. Information systems are complex
artefacts, and therefore they have to be developed very carefully.
There are five main elements:

   1. business architecture – business processes and the object
    classes that play a role considered from the perspective of the
    information system

   2. functional architecture – the logical decomposition of the
    system into (logical) components and the assignment of
    processes and object classes to these components

   3. software architecture – software components that realize
    the functional architecture, eg the database management
    system, the workflow engine and the connectivity software

   4. network architecture – a computer and communications
    network together with their operating systems

   5. data architecture – the organisational model for business
    data storage and integration.

Some benefits of information systems architecture are:

   business processes are streamlined

   systems information complexity is reduced

   enterprise-wide integration is enabled through data sharing and

   rapid evolution to new technologies is enabled.

The auditor should be expected to cover risks relating to:

   ISA not aligned with business objectives

   inappropriate data storage

   utilisation of data

   maintenance costs

   data disposal.
Systems development

Objectives and risks

ICT is one of the fastest developing areas of most organisations.
This is partially fuelled by the ever improving speed and capacity of
computers, and the continual stream of similarly enhanced programs
and operating systems. Therefore, the auditor needs to ensure that
developments are managed and are in line with the strategic plan.
See the IIA GTAG-12: Auditing IT Projects.

There are a number of different ways in which new systems can be
obtained, including bespoke developments, off-the-shelf systems,
and customised solutions. Each brings with it a different set of risks
and challenges. The organisation must take the most appropriate
route to develop a new system, taking into account factors such as
requirements, cost, time to develop, inherent risk of the solution
and ongoing support and maintenance.

In addition the organisation needs to ensure that sufficient
resources, especially suitably trained personnel, are on hand to
enable strategies and plans to be carried out.

The key risks of inadequate control within this area include the
development and implementation of procedures and/or systems that
do not meet organisational or user requirement. At best this will
lead to inefficient use of resources and it could also adversely affect
the operation of the organisation.

However, most organisations now use and apply project
management techniques, for example PRINCE 2, to ensure systems
developed is managed and implemented to the correct standard.

Key control areas

To ensure that exposure to risk is minimised during the
development of procedures and systems, the auditor should
establish that:

   off-the-shelf solutions adequately meet the organisation’s
    requirements, with compromise only on those requirements
    where this is deemed acceptable

   ongoing support and maintenance is available once the system
    is operational, with an appropriate level of knowledge and
    expertise being retained. This is especially true for tailored or
    customised solutions and where external resources are used in
    any development

   developments are following appropriate project management
    and system development lifecycle methodologies
   only systems included in the approved information systems
    strategy and/or development plan are being developed and
    they are supported by appropriately approved business cases
    that clearly set out the justification for change and measurable
    business benefits

   developments are programmed in an organised and prioritised
    manner to make optimum use of available resources

   the programming of systems development work ensures that
    only authorised projects are being developed

   there is adequate user involvement and representation at all
    stages of the development of systems

   system specifications are clearly documented so that
    development staff are aware of the requirements of users and
    that systems are not over-specified with facilities that will not
    be used (ie essential developments should be considered and
    actioned before desirable ones). As an example, in purchasing
    mobile phones would one that simply makes and receives calls
    be sufficient or is a more technically advanced phone required
    with a sophisticated operating system allowing ‘push’ email,
    diary synchronisation, internet access, java applications etc?

   the auditor’s views are sought on the controls to be
    incorporated into any system

   all developments are adequately tested including system and
    user documentation

   systems are reviewed once they are in place to establish that
    they meet the objectives originally envisaged

   users are trained at an appropriate time to make the best
    possible use of the system and retain the knowledge once they
    need to use the system

   there is a method of costing and recharging or where

Infrastructure Audits

Networks and communication

Objectives and risks

Networks are key for information flow and communication, linking
users and computers in different locations across the globe.
Networks can be regarded as the technological infrastructure that
facilitates communication between users and systems. Therefore,
managers and auditors need to understand the use and impact of
networks within the organisation, including those such as the
internet, to enable them to ensure they meet the needs of the
organisation and are properly managed and secure.

Protecting networks is a complex task, requiring a clear
understanding of business needs and the nature of the
organisation’s systems that use networks, as well as a sound
technical understanding of network technologies and controls. This is
an important area for the auditor as weaknesses can adversely
impact upon many areas of the organisation.

When auditing networks, the auditor should consider the following

   a network strategy exists and standards and policies are in
    place to support its delivery

   connections and access to the network are approved and secure

   unauthorised access to data transmitted over the network is

   management commission independent penetration testing
    whenever external links are changed

   the risk and impacts of network failure are minimised.

For risks, see the Data Capture and Data Entry section below.

Key control areas

Key controls areas for the auditor to focus on in this area include
ensuring that:

   a strategy exists for the continued effective, efficient and
    secure use of network facilities

   responsibilities for the management and operation of the
    network is clearly defined

   network users and administrators are trained appropriately

   technical standards and configuration information are clearly

   network activity is monitored for security breaches and to
    ensure performance is optimised

   commercial and service arrangements for the network are fully
    documented, supported, monitored, and agreed by all parties

   all relevant procedures are clearly documented
   only authorised users and devices are able to make network
    connections and the network is monitored for unauthorised

   encryption is used to help prevent unauthorised access to data
    transmitted over the network

   data and programs are safeguarded from loss, misuse, theft,
    damage, and accidental or deliberate corruption or denial of
    service attacks

   hardware and communication media are protected against
    damage, malfunction and misuse

   arrangements exist for the maintenance and insurance of
    hardware, communications infrastructure, network
    management software and consequential loss

   recovery and business continuity arrangements exist in the
    event of failure of communication lines or network components.

G-Cloud solutions to prevent staff violating corporate policy

Objectives and risks

On 27 October 2011, the government published four strategies
covering G-Cloud, end user devices, ICT capability and greening
government ICT. These provide the environment and approaches to
radically transform the ICT landscape to create a more productive,
flexible workforce that delivers digital public services in a much
more cost effective way.

The government strategy aims to “deliver better public services for
less cost”. This is because the government views ICT as the enabler
to release savings and increase public sector productivity to reduce
the structural deficit and continue to fund front-line services.

The government ICT strategy will enable the building of a common
infrastructure underpinned by a set of common standards and
government will work to accelerate the strategy as part of its drive
to cut down costs and improve current capabilities.

Specifically the strategy will build on the ICT moratorium, project
review and contract renegotiations which have allowed the
government to appraise and take control of spending and ensure
that projects demonstrate value for money and effectiveness. It will
further underline the government’s commitment to increasing
governance and transparency.

In preparation for the G-Cloud the compliance and assurance
requirements for the ICT Code of Connection (Co-Co) Security
Standards of the Government Secure eXtranet will be increasingly
important to protect sensitive enterprise data, intellectual property
and financial information security.

In a perfect world, all employees would take the guiding security
principles to heart and carefully abide by all policies and procedures.
Instead of a perfect world, we are living in a threat-conscious one in
which hacking attempts and breaches are daily news items – and
those are just the ones that are successful. Other attempts are
thwarted before any damage occurs, thanks to companies that
enforce good security policies – ones that align with business
realities and the need to protect sensitive enterprise data.

Employees present the biggest risk to the cloud security challenges.
Employees will violate the security policy either by error or intent for
any of the following reasons:

   they don’t understand the risk or think the threats are far less
    severe than they are told

   they don’t care about the risk

   they are rushed and feel abiding by security policies is too time

   security policies impede their ability to perform their duties

   they think IT can stop outside threats and will cover for any
    security policy violations.

Key control areas

A May 2010 study by the Aberdeen Group indicated that
organisations using cloud-delivered security (see Cloud Security
Alliance) saw a significant improvement in malware incidents,
website compromises, data loss and exposure, security related
downtime and audit deficiencies. Adopting the cloud risk mitigation
policies below helps to ensure that its data is adequately protected.

   Deliver security protocols. This enables the enterprise to control
    and ensure that security measures like password protocols,
    firewalls and security patches are current and adhered to,
    rather than leaving the decision making to sometimes-fickle

   Enable deletion of data from endpoint devices in the event that
    they are lost or stolen.

   Deliver news items regarding the latest security threats.
    Keeping employees abreast of security breaches, phishing
    attempts and trick email ploys will help heighten their
    awareness about the issue.
   Provide layered authorisation. This lets the company control
    server access depending on who is trying to use it: customers,
    employees or managers. For example, customers may need to
    access servers to buy products, while financial managers will
    need to access the firm’s internal financial data.

   Use the cloud to route all network requests such as email and
    server access through a centralised, protected connection such
    as message labs that stays up to date with the latest security
    protocols. This way any threats are blocked before they get to
    the network. Once there, they are extremely difficult and
    expensive to eradicate.

   Deliver new applications to employees and managers via the
    cloud. This ensures they use business, accounting, word
    processing and other solutions that include the same updated
    security protocols used throughout the network.

   Provide social networking solutions via the cloud to leverage the
    growing popularity of social networking while at the same time
    ensuring applications adhere to corporate security protocols.

Taking steps towards the above controls in advance of the G-Cloud
requirements being mandated can help proactively protect
enterprise data from the known and burgeoning threats while still
fulfilling the needs of employees, managers, business partners and

Voice communication networks

Objectives and risks

The voice network is also an important communication channel for
organisations. Traditionally this facility was provided via a private
branch exchange (PBX), which is a telephone system owned and
operated by an organisation to switch calls between users within the
organisation and the telephone network.

More recently organisations are moving to voice over internet
protocol (VoIP) technology for their voice communications. This
technology routes voice conversations over the internet or through
an internal internet protocol (IP) based network alongside data

Key risks associated with voice networks include theft of service,
denial of service, unauthorised disclosure of information, data
modification, unauthorised access, and traffic analysis.

When auditing voice communication networks, the auditor should
consider the following objectives:
   the telecommunications organisation is effectively structured
    and has sufficient policies, strategies, resources and training

   monthly usage is reviewed and challenged by management for
    controlling costs

   telecommunications assets and facilities are effectively

   physical security controls are in place for the
    telecommunications facilities

   logical and system security controls are in place to protect the
    system from abuse

   controls are in place for making changes to configurations,
    software and users

   controls are in place to protect the system when problems are

   emergency and business continuity procedures are in place and

   adequate controls are in place to ensure the system meets
    business requirements.

For risks, see the Data Capture and Data Entry section below.

Key control areas

Key control areas for the auditor to focus on in this area include
ensuring that:

   call patterns, capacity and errors are monitored

   network class of service is used to manage user profiles and
    restrict numbers that can be dialled and the times of day when
    calls can be made

   equipment is physically secured

   long distance calls are protected

   call forwarding and dial through are restricted

   remote maintenance is protected

   changes follow formal change control procedures.

Objectives and risks

Management need to be confident that the organisation’s
information systems are working efficiently and effectively and that
information systems strategies and development plans are
produced. This should help to ensure that any potential problems
are identified and rectified at the earliest opportunity to minimise
disruption, and that the organisation’s changing needs are identified
and plans put in place to reflect those changing requirements.

Weaknesses within this area can lead to problems with ICT not being
identified in a timely manner, not being anticipated sufficiently early
enough to be avoided, or ICT not meeting changing business needs,
and thereby being unable to support business requirements.

For risks, see the Data Capture and Data Entry section below.

Key control areas

Key controls areas for the auditor to focus on in this area include
ensuring that:

   policies and plans are reviewed on a regular basis

   information systems are adequately reviewed by management

   regular reviews take place of performance against the
    information systems strategy and development plan and
    reporting to senior management

   regular management reviews of systems usage and storage
    capacity take place.

Security of Electronic Data

Objectives and risks

A good background to data security, including relevant legislation,
can be found within the ICT Security section.

The coverage here is not designed to give a detailed understanding
of data security, but rather an overview of the subject and the risk
areas for consideration. This overview will look at a number of risks
to the security of electronic data (although a number of these risks
are equally applicable to non-electronic data). It will then look at
possible controls to mitigate these risks. See GTAG-15: Information
Security Governance and the seventh principle of the Data
Protection Act.
It must be borne in mind that developments in IT move at a great
pace and therefore the list of risks and controls may not be
comprehensive, however, the categories of risk will remain
appropriate and with a little application and understanding the
auditor can determine if the controls in place are appropriate.

Data capture


   The wrong data is collected, for example through poor form
    design or ambiguous questions.

   Data is captured by inappropriate methods, for example could
    barcodes and barcode readers be used as more accurate data
    capture methods than manual data input?

   The organisation collects data which it is not entitled to, for
    example personal data is collected for a use for which is not
    covered within a data protection registration.

Potential controls

   Ensure all appropriate stakeholders are involved in developing
    and reviewing the requirements of new systems and ensure
    post-implementation reviews of “new systems”/“system
    changes” (to ascertain views of system users) are carried out.
    See GTAG-2: Change and Patch Management Controls: Critical
    for Organizational Success.

   There should be a mechanism for all “new systems”/“systems
    changes” to be reported to the data protection officer. Positive
    confirmation is needed that data protection issues have been

Data entry


   Data is entered into the system incorrectly.

   Key data is not entered into the system.

   Data entered is unreasonable, for example the age of a child at
    school is greater than that which could be possible.

   Data is duplicated.

   Data is missing or not entered.

   Data entry processes are unavailable.
Potential controls

   Validation and verification routines are embedded within the
    system to detect data entry errors.

   Key fields are made mandatory and require an entry in order to
    progress with data entry.

   Wherever possible, the data entered is restricted to predefined
    values, usually by the use of selection lists.

   Data is derived using other data where possible. For example,
    addresses are automatically derived from just entering a post
    code and house number, or an age is generated automatically
    from a date of birth.

   Exception reports are produced and subject to review to ensure
    data entry errors are resolved.

   Continuity plans are in place covering data entry mechanisms.

User access management


   Data can be accessed by unauthorised individuals.

   An inappropriate level of access is allowed to applications and

   Remote access to applications and data is not secure.

Potential controls

   Access to applications, where appropriate, is via a menu and/or
    appropriate levels of user password and identification.

   Appropriate levels of passwords and user identity controls are
    used to grant and to limit, as appropriate, access to various
    levels of information by various classes of user or individual

   Firewall network protection programs including virus detection
    software are used. Software is used to regulate the use of the
    internet, possibly with a dial back procedure for external log-on.

   Encrypted data transfer is used.
Equipment security


   Inappropriate access is granted to the hardware where data is

   Equipment including data is removed off site.

Potential controls

   Appropriate levels of physical access security, appropriate
    operating procedures/performance monitoring for equipment,
    and appropriate recovery and restart procedures are

Storage of data


   Data is inappropriately stored (eg stored off site; stored locally
    on PC hard disks or memory sticks).

   Data is not properly backed up.

   Data retention does not comply with the Data Protection Act

   Data is not stored in compliance with information governance

Potential controls

   The hard disk is disabled and dumb terminals are used with
    USB ports disabled or restricted to authorised users and
    encrypted devices.

   Reviews of compliance with the data security policy are carried

   Data encryption is used.

   Backup policy and procedures are in place, including backup
    copies subject to appropriate security (off site backup).

   Backup integrity checks are carried out (regular testing of the
    ability to restore data from backups).

   Backups for servers are automated.
Communication of data


   The data is intercepted and corrupted.

   Data is lost or corrupted during transfer.

Potential controls

   Data encryption is used.

   Control totals are used.

   Network software has inbuilt completeness and integrity checks.

   Dedicated communication lines are used.

Inappropriate disclosure of data


   The organisation fails to comply with the Data Protection Act

   The organisation fails to comply with Caldicott requirements
    within the NHS.

   Reputational damage is caused by disclosure of sensitive data.

   The organisation is sued for loss suffered by an individual due
    to inappropriate disclosure.

Potential controls

   Reviews of compliance with the data security policy are carried

Payments/transactions data

Payment being made or received over the internet is becoming
increasingly common within the public sector, and therefore,
security on payments is the primary security risk with electronic
transactions. The organisation must comply with payment card
security standards where credit or debit card payments are
accepted. Three of the best known options for the encryption and
security of personal and card details are:

   Public Key Software Infrastructure (PKI)

   Secure Electronic Transaction (SET)
   Secure Socket Layer (SSL).

In addition, the government has initiated the set up of the Public
Services Network (PSN) to create a “network of networks” for the
public sector from the existing commercial network providers in
compliance with the Government Connect Secure Extranet (GCSX)
requirements. This is a secure, private, wide area network (WAN)
which enables secure interactions between connected local
authorities and other GSi connected organisations.

GCSX is connected to the Government Secure Intranet (GSi), thus
enabling secure interactions between local authorities and central
government departments and national bodies. It also provides
secure access from connected local authorities to many other secure
networks such as the NHS.

There are many benefits to local authorities from achieving the
standard, uniform and high level security Code of Connection
(CoCo), including compliance with the Data Protection Act and with
both central government policy and the local government data
handling guidelines. GCSX now provides a foundation upon which to
build shared services and secure multi-agency joint working

Data quality, security and sharing

Information in both electronic and paper formats is vital to the
operation of an organisation’s business activities and the volume of
information held is increasing rapidly. Before sharing personal data,
the following should be considered to ensure the risk of loss or
unauthorised access is minimised:

   the sharing is lawful and necessary

   the recipient is verified

   the proposed method of sharing the personal data is
    appropriate and secure ie encrypted

   remote access to data is via a secure link such as a such as a
    virtual private network connection

   a risk assessment is carried out and documented before sharing
    any data either electronically or otherwise.

Further information on this subject can be found in the Data Security
and Transfer section.

CAATS Data Analysis/Interrogations

Computer Assisted Audit Techniques (CAATs) are data interrogation
techniques that are increasingly used by auditors to help perform
assurance and compliance audits by testing the accuracy and
completeness of data. See ISACA Guideline G3 Use of Computer-
assisted Audit Techniques, IIA GTAG 16: Data Analysis
Technologies and GTAG-3: Continuous Auditing: Implications for
Assurance, Monitoring, and Risk Assessment.

It is the volume of records examined via CAATs that makes an
enormous difference in audit reports and this volume of testing adds
real value to the quality of the assurance opinion provided. For
example, which looks better in an audit report:

   “Audit tested 50 transactions and noted one transaction that
    was processed incorrectly” or

   “Audit used CAATS to test every payment made last year and
    found X exception records amounting to £n in value”.

The value of CAATs driven audit reviews is limited by the quality of
the business application data saved in files and the extent to which
data is stored in accordance with a systematic pattern. Much data is
not documented in a specific structure or else the saved data is
poorly classified and contains deficiencies that make it integrity

So, for now CAATs can complement audit activities in certain audits
but can’t be used at all in some while in others the value of the audit
opinion can be challenged unless CAATs have been used.

“CAATs” can refer to any computer program used to improve the
audit process. Generally, however, the term is used to refer to any
data extraction and analysis software. This would include programs
such as spreadsheets (eg Excel), databases (eg Access), statistical
analysis (eg SAS), business intelligence (eg Crystal Reports and
Business Objects), etc. There are, however, companies that have
developed dedicated data analytic software specifically for auditors.

Benefits of audit software include the following.

   The software is independent of the system being audited and
    will use a read-only copy of the file to avoid any corruption of
    an organisation’s data.

   Many audit-specific routines are used such as sampling.

   Many provide documentation of each test performed in the
    software that can be used as documentation in the auditor’s
    work papers.

   Automation of multiple tests is possible including:

    –    data queries

    –    data stratification
    –    sample extractions

    –    missing sequence identification

    –    statistical analysis

    –    calculations

    –    duplicate inquires

    –    pivot tables and cross tabulation.

Some advantages of using specialist computer audit software tools,
rather than standard PC software reporting tools such as SQL query,
MS Access and MS Excel, are:

   ability to scrutinise huge data volumes in a fraction of the time

   ability to help identify erroneous or exceptional items eg
    duplicate payments

   user friendly

   maintains a log of the tests undertaken

   ability to develop and run macros and automated test scripts.

Some disadvantages of using software are:

   cost of software

   staff training learning development and retention

   obtaining access to data

   understanding the data obtained.

ACL and IDEA dominate the proprietary market for CAATs but the
open source alternative solution Picalo ( represents
a valid zero cost alternative.

The Picalo software, which reads any Open DataBase Connectivity
(ODBC) source files and any open source Python programming data,
was designed with fraud detection in mind so while it does not
include sampling it does include Benford's law and calculated
columns. Picalo scripts are written in Python so sampling can easily
be added and the documentation is very good.

CAATs provide auditors with fraud detection tools that can identify
unexpected or unexplained patterns in data that may indicate fraud.
Whether the CAATs are simple or complex, data analysis provides
many benefits in the prevention and detection of fraud.
CAATs form the basis of the annual National Fraud Initiative (NFI),
which was initiated in the London boroughs by the Audit Commission
and the London Audit Group, and now covers the national data
matching and analysis of both public and private sector records. The
NAO may take the NFI activities when the Audit Commission is

CAATs can also provide audit and management with a continuous
monitoring and assurance capability to implement an ongoing
process for acquiring, analysing, and reporting on business data to
identify and respond to operational business risks. See the IIA
GTAG 16: Data Analysis Technologies and GTAG-3: Continuous
Auditing: Implications for Assurance, Monitoring, and Risk

CAATs links




Conclusion on the use of CAATs

CAATs data analysis is a complex area that can provide real value in
assessing the level of controls being applied but it is always
necessary to understand the organisational policies and procedures
and how they impact on the specific area under review.

Data integrity and security is likely to be an audit consideration in a
number of individual audit reviews and specialists may be required
in order to undertake more detailed work in certain areas of data
analysis, as they are in other technical ICT audit areas such as data
security, network security, server security, intrusion detection
systems, firewalls, routers and the cloud.

Shared By: