Audit Objectives and Procedures in a Computer Operations Context January 27, 2005.

Audit Objectives and Procedures in a

Computer Operations Context

January 27, 2005

2

STRUCTURING THE IT FUNCTION

Centralized data processing Database administrator Data processing manager/dept.

Data control Data preparation/conversion Computer operations Data library

3

Segregation of incompatible IT functions Systems development & maintenance

Participants End users IS professionals Auditors Other stakeholders


4

Segregation of incompatible IT functions Objectives:

Segregate transaction authorization from transaction processing

Segregate record keeping from asset custody Divide transaction processing steps among

individuals to force collusion to perpetrate fraud


5

Segregation of incompatible IT functions

Separating systems development from computer operations


6

Segregation of incompatible IT functions Separating DBA from other functions

DBA is responsible for several critical tasks: Database security Creating database schema and

user views Assigning database access authority to users Monitoring database usage Planning for future changes


7


Segregation of incompatible IT functions Alternative 1: segregate systems analysis

from programming Two types of control problems from this approach:

Inadequate documentation Is a chronic problem. Why? Not interesting Lack of documentation provides job security Assistance: Use of CASE tools

Potential for fraud Example: Salami slicing, trap doors

8

Segregation of incompatible IT functions Alternative 2: segregate systems

development from maintenance Two types of improvements from

this approach:1. Better documentation standards

Necessary for transfer of responsibility2. Deters fraud

Possibility of being discovered


9

Segregation of incompatible IT functions Segregate data library from operations

Physical security of off-line data files Implications of modern systems on use of data

library: Real-time/online vs. batch processing Volume of tape files is insufficient to justify full-time

librarian Alternative: rotate on ad hoc basis

Custody of on site data backups Custody of original commercial software and licenses


10

Segregation of incompatible IT functions Audit objectives

Risk assessment Verify incompatible areas are properly

segregated How would an auditor accomplish this objective?

Verify formal vs. informal relationships exist between incompatible tasks Why does it matter?


11

Segregation of incompatible IT functions Audit procedures: Obtain and review security policy Verify policy is communicated Review relevant documentation (org. chart, mission

statement, key job descriptions) Review systems documentation and maintenance

records (using a sample) Verify whether maintenance programmers are also

original design programmers Observe segregation policies in practice Review operations room access log Review user rights and privileges


12

The distributed model Distributed Data Processing (DDP)

Definition Alternative A: centralized Alternative B: decentralized / network


13

The distributed model Risks associated with DDP

Inefficient use of resources Mismanagement of resources by end users Hardware and software incompatibility Redundant tasks

Destruction of audit trails Inadequate segregation of duties Hiring qualified professionals

Increased potential for errors Programming errors and system failures

Lack of standards


14

The distributed model Advantages of DDP

Cost reduction End user data entry vs. data control group Application complexity reduced Development and maintenance costs reduced

Improved cost control responsibility IT critical to success then managers must

control the technologies Improved user satisfaction

Increased morale and productivity Backup flexibility

Excess capacity for DRP


15

Controlling the DDP environment Need for careful analysis Implement a corporate IT function

Central systems development Acquisition, testing, and implementation of

commercial software and hardware User services

Help desk: technical support, FAQs, chat room, etc.

Standard-setting body Personnel review

IT staff


16

Controlling the DDP environment Audit objectives:

Conduct a risk assessment Verify the distributed IT units employ entity-

wide standards of performance that promotes compatibility among hardware, operating software, applications, and data


17

Controlling the DDP environment Audit procedures:

Verify corporate policies and standards are communicated

Review current organization chart, mission statement, key job descriptions to determine if any incompatible duties exist

Verify compensating controls are in place where incompatible duties do exist

Review systems documentation Verify access controls are properly

established


18

Computer center controls Physical location

Avoid human-made and natural hazards Example: Chicago Board of Trade

Construction Ideally: single-story, underground utilities,

windowless, use of filters If multi-storied building, use top floor (away from

traffic flows, and potential flooding in a basement) Access

Physical: Locked doors, cameras Manual: Access log of visitors

THE COMPUTER CENTER

19

Computer center controls

THE COMPUTER CENTER

Air conditioning Especially mainframes Amount of heat even from a group of PCs

Fire suppression Automatic: usually sprinklers

Gas, such as halon, that will smother fire by removing oxygen can also kill anybody trapped there

Sprinklers and certain chemicals can destroy the computers and equipment

Manual methods Power supply

Need for clean power, at a acceptable level Uninterrupted power supply

20

Computer center controls Audit objectives Verify physical security controls are reasonable Verify insurance coverage is adequate Verify operator documentation is adequate in

case of failure Audit procedures Tests of physical construction Tests of fire detection Tests of access control Tests of backup power supply Tests for insurance coverage Tests of operator documentation controls

THE COMPUTER CENTER

21

Controlling access privileges Audit objectives

Verify that access privileges are granted in a manner consistent with the need to separate incompatible functions and is in accordance with organizational policy

Audit procedures Review polices for separating incompatible functions Review privileges for groups to determine if access

rights are appropriate for jobs. “need to know” Do privileged employees undergo security clearance? Do employee records indicate that employees

acknowledge their responsibility to maintain confidentiality?

Review users’ permitted logon times

SYSTEM-WIDE CONTROLS

22

Password control Common forms of contra-security behavior Reusable passwords One-time passwords Password policy

Audit objectives Ensure that the organization has an adequate and effective

password policy

Audit procedures Verify that users are required to have passwords Verify that new users are properly trained in password use Determine if procedures are in place to identify weak

passwords Assess the adequacy of password standards such a length

and expiration interval Review the account lockout policy and procedure


23

Password Policy

Proper Dissemination – Promote it, use it during employee training or orientation, and find ways to continue to raise awareness within the organization.

Proper Length: Use at least 8 characters. The more characters, the more difficult to guess or crack. Eight characters is an effective length to prevent guessing, if combined with below.

Proper Strength: Use alphabet (letters), numbers (at least 1), and special characters (at least 1). The more non-alpha, the harder to guess or crack. Make them case sensitive and mix upper and lower case. A “Strong” password for any critical access or key user. Password CANNOT contain a real word in the content.

Proper Access Levels or Complexity: Use multiple levels of access requiring multiple passwords. Use a password matrix of data to grant read-only, read/write, or no access per data field per user. Use biometrics {such as fingerprints, voice prints}. Use supplemental access devices, such as smart cards, or beeper passwords in conjunction with remote logins. Use user-defined procedures.

Proper Timely Changes: At regular intervals, make employees change their passwords.

Proper Protection: Prohibit the sharing of passwords or “post-its” with passwords located near one’s computer.

Proper Deletion: Require the immediate deletion of accounts for terminated employees, to prevent an employee from being able to perpetrate adverse activities.

24

E-mail risks Spoofing Spamming Chain letters Urban legends Hoax virus warnings Flaming Malicious attachments (e.g., viruses)


25

Malicious objects risk Virus Worm Logic bomb Back door / trap door Trojan horse Potential control procedures

Audit Objective Verify that effective management policies and procedures are in

place to prevent the introduction and spread of destructive objects Audit Procedures

Through interviews with personnel, determine if they have been educated regarding risky computing practices

Review procedures to determine if disks or CDs that could contain viruses are routinely transferred between workgroups

Verify that system administrators routinely scan workstations, file servers, and email servers for viruses

Verify that new software is tested on standalone workstations prior to being implemented on the host or network server

Verify that antivirus software is updated at regular intervals and downloaded to individual workstations


26

Controlling electronic audit trails Keystroke monitoring (keystroke log) Event monitoring (key events log) Audit trail objectives

Detecting unauthorized access Reconstructing events Personal accountability

Implementing an audit trail


27

Controlling electronic audit trails Audit objective

Verify adequate audit trails and logs

Audit procedures O/S audit log viewer ACL extraction of log data (see list) Sample organizational security group’s

records


28

Disaster recovery planning

Types of disaster Natural: fire, flood, tornado Human-Made: sabotage, error System failure: power outage, drive

failure, crash


29

Disaster recovery planning

Critical applications identified and ranked

Create a disaster recovery team with responsibilities


30

Disaster recovery planning Site backup

“Hot site” – Recovery Operations Center

“Cold site” – empty shell Mutual aid pact Internally provided backup Other options


31

Disaster recovery planning Hardware backup

(if NOT a hot site) Software backup: operating system

(if NOT a hot site) Software backup: application

software(based on critical application step)


32

Disaster recovery planning Data backup Supplies (on site) Documentation (on site)

User manuals System and software technical

manuals

Test!


33

Disaster Recovery Plan

1. Critical Applications – Rank critical applications so an orderly and effective restoration of computer systems is possible.

2. Create Disaster Recovery Team – Select team members, write job descriptions, describe recovery process in terms of who does what.

3. Site Backup – a backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact where a similar business or branch of same company swap availability when needed.

4. Hardware Backup – Some vendors provide computers with their site – known as a hot site or Recovery Operations Center. Some do not provide hardware – known as a cold site. When not available, make sure plan accommodates compatible hardware (e.g., ability to lease computers).

5. System Software Backup – Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.

6. Application Software Backup – Make sure copies of critical applications are available at the backup site

7. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.

8. Supplies – A modicum inventory of supplies should be at the backup site or be able to be delivered quickly.

9. Documentation – An adequate set of copies of user and system documentation.

10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).

34

Disaster recovery planning Audit objectives

Verify management’s DRP is adequate Audit procedures

Verify a second-site backup is adequate Review the critical application list for completeness Verify backups of application software are stored off-

site Verify that critical data files are backed up and

readily accessible to DRP team Verify resources of supplies, documents, and

documentation are backed up and stored off-site Verify that members listed on the team roster are

current employees and that they are aware of their responsibilities


35

Fault tolerance Definition 44% of time IS unavailable is due to system failures! Controls

Redundant systems or parts RAID

UPS Multiprocessors

Audit objective To ensure the organization is employing an appropriate

level of fault tolerance Audit procedures

Verify proper level of RAID devices Review procedures for recovery from system failure Verify boot disks are secured


Audit Objectives and Procedures in a Computer Operations Context January 27, 2005.

Documents

Transcript of Audit Objectives and Procedures in a Computer Operations Context January 27, 2005.