IS AUDIT

Dr. Mitil Chokshi
Chokshi & Chokshi, Chartered Accountants

For MIPA, 2nd May 2014

Contents

Introduction

Guidelines

Need for controls

Internal Control Framework

Security Threats

Information Systems Risks

IS Audit Process

Introduction

“The process of collecting and evaluating evidence to determine whether:

• Computer system safeguards assets
• Maintains data integrity, confidentiality and availability
• Allows organizational goals to be achieved
• Determines the efficient use of resources”

Gain understanding of the organisation

Understand Risks and evaluate Controls

Test Controls

Guidelines

ISACA Guidelines

• IS Auditing Standards
• IS Auditing Guidelines
• IS Auditing Procedures
• COBIT (Control Objectives for Information and Related Technology)

ISO 27001

Guidelines by Institute of Internal Auditors

Guidelines

COSO’s Internal Control – Integrated Framework (the COSO Framework), published by the Committee of Sponsoring Organisations of the Treadway Commission

COCO (Criteria of Control) Framework published by the Canadian Institute of Chartered Accountants

COSO Framework

Monitoring Applied to the Internal Control Process

Need for Controls

The Organization must protect itself from:

• Corruption of Data and Database.

• Poor decision making due to poor quality of MIS.

• Losses due to abuse of controls.

• Loss of hardware, software and personnel.

• Maintenance of Privacy.

• Malicious Internet Content.

• Authentication and Privilege attacks

Security Threats

USB devices

Removable media

Internal attack

Network monitoring

Laptop theft

Storage theft

Hardware loss

Unprotected Endpoints

Insecure network points

Insecure server rooms

Attacks on physical systems

Security Threats

Disgruntled Employees

Password High Privileged Accounts

Privilege Creep

Authentication and Privilege Attacks

Inappropriate Password Policies

Weak Passwords

Security Threats

Denial of Service

Natural Disasters

Targeted DOS

Single Point of failure

Power cuts

Connection downtime

Bandwidth Exhaustion

Vulnerable Servers

Excess reliance on one person

Lack of documentation

Security Threats

Malicious Internet Content

Social Engineering

Phishing

Drive-by downloads

Malware

Web Application Attacks

Viruses, Trojans, Worms

Security Threats

Example: Phishing

Security Threats

Example: Drive-by downloads

Unintended Software

Security Threats

Example: Virus Scan

Security Threats

Example: Trojan Horse

Security Threats

Example: Spoofing


Relationship Between General and Application Controls (diagram)

Application controls: cash receipts application controls, sales application controls, payroll application controls, other cycle application controls.

General controls address: risk of unauthorized change to application software, risk of system crash, risk of unauthorized master file update, risk of unauthorized processing.

Information Systems Risks

Access controls:

• Non-detection of Compromised passwords.

• Unauthorized users can access systems.

• Inappropriate access allowing recognised users greater access than necessary.

• Unauthorized changes to data in master files.

• Unauthorized changes to systems or programs.

• Denial to access systems, DBMS’s and servers in the event of a system interruption or disaster.

Information Systems Risks

Controls to Mitigate Risks arising from unauthorized Accesses:

• Authentication (identification) controls need to be strong.

• Roles and privileges should be granted on need-to-know basis only to authorized users.

• Job scheduling procedures and stored procedures need to be secure.

• An alternate method to identify and register users needs to be tested and made available when needed.


Information Systems Risks

Input Controls

• Unauthorized data received for computer processing.

• Loss of data or duplication of data.

• Automated segregation of duties and access rights.

• Automated authorization approval

• Incorrect output due to wrong input (GIGO)


Information Systems Risks

Mitigating Risks arising from Input Controls:

• Review access rights that set and amend configurable approval and authorization limits.

• Accesses with super user rights.

• Maker Checker Controls

• Range check

• Completeness check

• Duplicate check


Information Systems Risks

Process Controls

• Wrong Validation of data

• Risks arising out of Editing Procedures

• Incorrect processing of data

• Absence of Data File Control Procedures


Information Systems Risks

Mitigating Risks arising from Process Controls:

• Parity checking
• Transaction logs
• Version Usage
• File updating and maintenance authorization
• Sequence check
• Reasonableness check
• Table lookups
• Existence check
• Key verification
• Logical Relationship check
• Limit check
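The input and process checks named on the two preceding slides (range, completeness, duplicate, sequence, reasonableness, limit, existence/table lookup and logical relationship), run over a constructed batch of transaction records. This is an added example, not code from the presentation; the account master, the two thresholds and the field names are assumptions.

```python
from datetime import date

# Constructed account master used for the existence check / table lookup
ACCOUNTS = {"1001": "Cash", "4001": "Sales", "5001": "Payroll"}
APPROVAL_LIMIT = 10_000   # limit check: above this a second approver is required (assumed)
REASONABLE_MAX = 50_000   # reasonableness check: implausibly large for one invoice (assumed)
REQUIRED = ("doc_no", "seq", "account", "amount", "doc_date", "post_date")

def validate_batch(txns):
    """Apply the slide's input/process checks to a batch of transaction records.
    Returns a list of (doc_no, [failed check names]) for records with findings."""
    findings, seen_docs, expected_seq = [], set(), 1
    for t in txns:
        fails = []
        # completeness check: every required field present and non-empty
        if any(t.get(f) in (None, "") for f in REQUIRED):
            fails.append("completeness")
        # duplicate check: a document number may be input only once per batch
        if t.get("doc_no") in seen_docs:
            fails.append("duplicate")
        seen_docs.add(t.get("doc_no"))
        # sequence check: batch numbering must be unbroken
        seq = t.get("seq")
        if seq != expected_seq:
            fails.append("sequence")
        expected_seq = (seq if isinstance(seq, int) else expected_seq) + 1
        # existence check (table lookup): the account must exist in the master
        if t.get("account") not in ACCOUNTS:
            fails.append("existence")
        amt = t.get("amount")
        if isinstance(amt, (int, float)):
            if amt <= 0:                 # range check: amounts must be positive
                fails.append("range")
            if amt > APPROVAL_LIMIT:     # limit check: exceeds the authorization limit
                fails.append("limit")
            if amt > REASONABLE_MAX:     # reasonableness check
                fails.append("reasonableness")
        # logical relationship check: posting cannot precede the document date
        if t.get("doc_date") and t.get("post_date") and t["post_date"] < t["doc_date"]:
            fails.append("logical_relationship")
        if fails:
            findings.append((t.get("doc_no"), fails))
    return findings

# Constructed input batch: one clean record and two with seeded defects
SAMPLE_BATCH = [
    {"doc_no": "INV-1", "seq": 1, "account": "4001", "amount": 1200.0,
     "doc_date": date(2014, 4, 28), "post_date": date(2014, 4, 30)},
    {"doc_no": "INV-2", "seq": 2, "account": "9999", "amount": 80000.0,
     "doc_date": date(2014, 4, 29), "post_date": date(2014, 4, 28)},
    {"doc_no": "INV-2", "seq": 4, "account": "1001", "amount": -5.0,
     "doc_date": date(2014, 4, 29), "post_date": ""},
]
```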

Information Systems Risks

Output Controls

• Non-integrity of output

• Untimely distribution of output

• Availability of output to unauthorized users

• Data processing results are unreliable


Information Systems Risks

Mitigating Risks arising from Output Controls:

Checklist for mitigating Risk (embedded Microsoft Office Word document)

Statistics

Issues Involved

Preliminary Steps

- Understanding of the Organisational Structure to identify CIO, CISO, etc.

- Understanding of the System Architecture.

- Understanding components of the systems (number of servers, routers, users, desk users, on/offsite users)

- Reviewing the IS Security Policy

- Performing systems walk-throughs.

- Assessment of the risks and understanding of the related controls.

IS Audit Process

Procedures

Interviews

- Interviews are a useful audit tool to gather information about internal system controls and risks.

- Employees involved in the day-to-day operations of a functional area possess the best knowledge of that area.

- They are in a position to identify the weak internal system controls and risks.

Procedures

Preparation of Checklist & Questionnaire

- A detailed checklist should be prepared after having an understanding of the architecture of the system.

- Checklist should be comprehensive.

Sample Checklist

Access Controls Testing - Procedures

• Verifying access rights allotted vis-à-vis organizational policy for need to know

• Implementation of Password controls

• Process of review of logs of super users, database administrator

• Logs of active users vis-à-vis HR records for exit, leave, etc.

• License control processes

• Virus control procedures
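The “logs of active users vis-à-vis HR records” procedure above, as an added reconciliation script that is not part of the presentation: it matches an application's enabled accounts and last-login log against a constructed HR master and lists the exceptions an auditor would follow up. The HR statuses, the 90-day dormancy threshold and the review date are assumptions.

```python
from datetime import date, timedelta

DORMANT_DAYS = 90   # assumed policy: accounts unused this long should have been disabled

# Constructed HR master: employee id -> (status, date that status took effect)
HR_RECORDS = {
    "E100": ("active", date(2014, 1, 6)),
    "E101": ("exited", date(2014, 3, 31)),
    "E102": ("leave", date(2014, 4, 14)),
    "E103": ("active", date(2013, 9, 2)),
}
# Constructed extract of the application's enabled users (login -> owning employee id)
ACTIVE_USERS = {"jdoe": "E100", "asmith": "E101", "rkhan": "E102",
                "mpatel": "E103", "svc_batch": None, "tlee": "E104"}
# Constructed last-login log for the same application
LAST_LOGIN = {"jdoe": date(2014, 4, 30), "asmith": date(2014, 4, 22),
              "rkhan": date(2014, 4, 29), "mpatel": date(2014, 1, 10),
              "svc_batch": date(2014, 4, 30)}

def reconcile_users(active_users, hr_records, last_login, review_date):
    """Return audit exceptions as (user, issue) tuples, one per finding."""
    exceptions = []
    for user, emp in sorted(active_users.items()):
        login = last_login.get(user)
        # dormant account: never used, or unused beyond the policy window
        if login is None or review_date - login > timedelta(days=DORMANT_DAYS):
            exceptions.append((user, "dormant: no login within %d days" % DORMANT_DAYS))
        if emp is None:                      # shared/service account with no named owner
            exceptions.append((user, "no employee owner on record"))
            continue
        rec = hr_records.get(emp)
        if rec is None:                      # account maps to nobody HR knows about
            exceptions.append((user, "no HR record for employee id " + emp))
            continue
        status, since = rec
        if status == "exited":               # leaver still enabled; worse if used after exit
            issue = "enabled after exit on " + since.isoformat()
            if login and login > since:
                issue += ", used after exit"
            exceptions.append((user, issue))
        elif status == "leave" and login and login > since:
            exceptions.append((user, "login while on leave since " + since.isoformat()))
    return exceptions

if __name__ == "__main__":
    for user, issue in reconcile_users(ACTIVE_USERS, HR_RECORDS, LAST_LOGIN, date(2014, 5, 2)):
        print(user, "-", issue)
```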

Access Controls Testing - Procedures

Vulnerability testing through internal resources

• Internal Security Vulnerability Assessment (ISVA) is a comprehensive analysis of all of the workstations and servers on your network.

• The ISVA detects and identifies Trojan horses, hacker tools, DDoS (Distributed Denial-of-Service) agents, and spyware through code analysis and signature matching, in much the same way as anti-virus.

• It also identifies specific vulnerabilities such as configuration problems in FTP servers, exploits in Microsoft IIS or problems in NT security policy configuration.


Access Controls Testing - Procedures

Vulnerability testing through external resources

• One of the most common vulnerability assessment activities for companies of all sizes is an external penetration testing scan, typically targeting internet-facing websites.

• Once you set yourself outside of the company, you immediately are given an untrusted status. The systems and resources available to you externally are usually very limited.



Input Controls - Procedures

• Verification by entering invalid data

• Verification by entering incomplete data

• Testing Arithmetic Accuracy

Processing Controls - Procedures

Integrated Test Facility (ITF) Approach

Parallel Simulation

Integrated Test Facility (ITF) Approach

• A dummy ITF center is created for the auditors.

• Creation of transactions to test the controls.

• Creation of Working papers showing expected results from manually processed information.

• Running of Auditor transactions with actual transactions.

• Comparing of ITF results to working papers.


Parallel Simulation

• Processing of real client data on an audit program similar to the client’s program.

• Comparison of results of processing with the results of the processing done by the client’s program.


Parallel Simulation - Flowchart

Computer Operations: Actual Transactions → Computer Application System → Actual Client Report.

Auditors: Actual Transactions → Auditor’s Simulation Program → Auditor Simulation Report.

Auditor compares the Actual Client Report with the Auditor Simulation Report.
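The parallel simulation procedure and flowchart above as an added worked example (not the presentation's own code): the auditor's simulation program recomputes invoice totals from the actual transactions and compares them with a constructed “actual client report”. The invoice pricing rule, the tax rate and the two defects seeded in the client report are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

TAX_RATE = Decimal("0.125")  # assumed tax rate that both programs are meant to apply

# Constructed "actual transactions": the real input both programs process
TRANSACTIONS = [
    {"inv": "S-501", "qty": 3, "unit_price": Decimal("199.99"), "discount": Decimal("0.10")},
    {"inv": "S-502", "qty": 10, "unit_price": Decimal("45.00"), "discount": Decimal("0")},
    {"inv": "S-503", "qty": 1, "unit_price": Decimal("1200.00"), "discount": Decimal("0.25")},
    {"inv": "S-504", "qty": 2, "unit_price": Decimal("10.00"), "discount": Decimal("0")},
]

# Constructed "actual client report": the totals the client's program produced for that
# input. Two defects are seeded: S-503 ignores the discount and S-504 is missing entirely.
CLIENT_REPORT = {"S-501": Decimal("607.47"), "S-502": Decimal("506.25"),
                 "S-503": Decimal("1350.00")}

def simulate(txn):
    """Auditor's simulation program: recompute one invoice total independently.
    Assumed business rule: total = qty * unit price * (1 - discount) * (1 + tax)."""
    net = txn["unit_price"] * txn["qty"] * (1 - txn["discount"])
    return (net * (1 + TAX_RATE)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def compare_reports(transactions, client_report):
    """Auditor compares: {inv: (client_total, simulated_total)} for every invoice
    where the client report differs from, or lacks, the simulated result, plus any
    client line that has no underlying transaction (simulated_total None)."""
    differences = {}
    for t in transactions:
        sim = simulate(t)
        client = client_report.get(t["inv"])
        if client != sim:
            differences[t["inv"]] = (client, sim)
    for inv in set(client_report) - {t["inv"] for t in transactions}:
        differences[inv] = (client_report[inv], None)
    return differences

if __name__ == "__main__":
    for inv, (client, sim) in sorted(compare_reports(TRANSACTIONS, CLIENT_REPORT).items()):
        print(inv, "client:", client, "simulation:", sim)
```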

Application Controls - Procedures

Black box testing

• Method of software testing

• Examines the functionality of an application (e.g. what the software does) without peering into its internal structures or workings.

• Can be applied to virtually every level of software testing: unit, integration, system and acceptance.

• Typically comprises most if not all higher level testing, but can also dominate unit testing as well.


Application Controls - Procedures

White-box testing

• Also known as clear box testing, glass box testing, transparent box testing, and structural testing.

• Method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing).

• Internal perspective of the system, as well as programming skills, are used to design test cases.

• The tester chooses inputs to exercise paths through the code and determine the appropriate outputs.


Output Controls - Procedures

• Checking whether the output contains the key control information necessary to validate the accuracy and completeness of the information contained in the report, such as last document reference period, etc.

• If the data has to be transferred from one process to another process, verify if no manual intervention is possible and no unauthorized modification to data can be made.

• Verify physical controls over hardcopy printouts.

Format

Format of IS Audit Report (embedded Microsoft Office Word 97-2003 document)
