For MIPA, 2nd May 2014: IS AUDIT. Dr. Mitil Chokshi, Chokshi & Chokshi, Chartered Accountants.
- Slide 1
- IS AUDIT. Dr. Mitil Chokshi, Chokshi & Chokshi, Chartered Accountants
- Slide 2
- Contents: Introduction; Guidelines; Need for Controls; Internal Control Framework; Security Threats; Information Systems Risks; IS Audit Process
- Slide 3
- Introduction. IS audit is the process of collecting and evaluating evidence to determine whether the computer system: safeguards assets; maintains data integrity, confidentiality and availability; allows organizational goals to be achieved; and uses resources efficiently. Approach: gain an understanding of the organisation; understand the risks and evaluate the controls; test the controls.
- Slide 4
- (image only; no text extracted)
- Slide 5
- Guidelines: ISACA guidelines (IS Auditing Standards, IS Auditing Guidelines, IS Auditing Procedures); COBIT (Control Objectives for Information and Related Technology); ISO 27001; guidelines by the Institute of Internal Auditors
- Slide 6
- Guidelines (continued): COSO's Internal Control Integrated Framework (the COSO Framework), published by the Committee of Sponsoring Organizations of the Treadway Commission; the CoCo (Criteria of Control) Framework, published by the Canadian Institute of Chartered Accountants
- Slide 7
- COSO Framework (figure): Monitoring Applied to the Internal Control Process
- Slide 8
- Need for Controls. The organization must protect itself from: corruption of data and databases; poor decision making due to poor-quality MIS; losses due to abuse of controls; loss of hardware, software and personnel; failures to maintain privacy; malicious Internet content; authentication and privilege attacks
- Slide 9
- (image only; no text extracted)
- Slide 10
- Security Threats (figure)
- Slide 11
- Security Threats (figure)
- Slide 12
- Security Threats (figure)
- Slide 13
- Security Threats (figure)
- Slide 14
- Security Threats. Example: phishing (figure)
- Slide 15
- Security Threats. Example: drive-by downloads, i.e. unintended software (figure)
- Slide 16
- Security Threats. Example: virus scan (figure)
- Slide 17
- Security Threats. Example: Trojan horse (figure)
- Slide 18
- Security Threats. Example: spoofing (figure)
- Slide 19
- Security Threats. Example: spoofing, continued (figure)
- Slide 20
- (image only; no text extracted)
- Slide 21
- Relationship Between General and Application Controls (figure)
  - Application controls: cash receipts application controls; sales application controls; payroll application controls; other cycle application controls
  - General controls address: risk of unauthorized change to application software; risk of system crash; risk of unauthorized master file update; risk of unauthorized processing
- Slide 22
- Information Systems Risks: Access controls
  - Non-detection of compromised passwords
  - Unauthorized users can access systems
  - Inappropriate access, allowing recognised users greater access than necessary
  - Unauthorized changes to data in master files
  - Unauthorized changes to systems or programs
  - Denial of access to systems, DBMSs and servers in the event of a system interruption or disaster
- Slide 23
- Information Systems Risks: Controls to mitigate risks arising from unauthorized access
  - Authentication (identification) controls need to be strong
  - Roles and privileges should be granted on a need-to-know basis, only to authorized users
  - Job scheduling procedures and stored procedures need to be secure
  - An alternate method to identify and register users needs to be tested and made available when needed
- Slide 24
- Information Systems Risks: Input controls
  - Unauthorized data received for computer processing
  - Loss or duplication of data
  - Automated segregation of duties and access rights
  - Automated authorization approval
  - Incorrect output due to wrong input (GIGO: garbage in, garbage out)
- Slide 25
- Information Systems Risks: Mitigating risks arising from input controls
  - Review access rights that set and amend configurable approval and authorization limits
  - Review accesses with super-user rights
  - Maker-checker controls
  - Range check
  - Completeness check
  - Duplicate check
- Slide 26
- Information Systems Risks: Process controls
  - Wrong validation of data
  - Risks arising out of editing procedures
  - Incorrect processing of data
  - Absence of data file control procedures
- Slide 27
- Information Systems Risks: Mitigating risks arising from process controls
  - Parity checking
  - Transaction logs
  - Version usage
  - File updating and maintenance authorization
  - Sequence check
  - Reasonableness check
  - Table lookups
  - Existence check
  - Key verification
  - Logical relationship check
  - Limit check
- Slide 28
- Information Systems Risks: Output controls
  - Non-integrity of output
  - Untimely distribution of output
  - Availability of output to unauthorized users
  - Data processing results are unreliable
- Slide 29
- Information Systems Risks: Mitigating risks arising from output controls (figure: checklist for mitigating risk)
- Slide 30
- (image only; no text extracted)
- Slide 31
- Statistics (figure)
- Slide 32
- Issues Involved (figure)
- Slide 33
- (image only; no text extracted)
- Slide 34
- Preliminary Steps
  - Understanding of the organisational structure, to identify the CIO, CISO, etc.
  - Understanding of the system architecture
  - Understanding the components of the systems (number of servers, routers, users, desk users, on-site and off-site users)
  - Reviewing the IS security policy
  - Performing system walk-throughs
  - Assessment of the risks and understanding of the related controls
- Slide 35
- IS Audit Process (figure)
- Slide 36
- (image only; no text extracted)
- Slide 37
- Procedures: Interviews
  - Interviews are a useful audit tool to gather information about internal system controls and risks.
  - Employees involved in the day-to-day operations of a functional area possess the best knowledge of that area.
  - They are in a position to identify the weak internal system controls and risks.
- Slide 38
- Procedures: Preparation of checklist and questionnaire
  - A detailed checklist should be prepared after gaining an understanding of the architecture of the system.
  - The checklist should be comprehensive.
- Slide 39
- (image only; no text extracted)
- Slide 40
- Access Controls Testing: Procedures
  - Verifying access rights allotted vis-à-vis organizational policy for need to know
  - Implementation of password controls
  - Process of review of logs of super users and database administrators
  - Logs of active users vis-à-vis HR records for exit, leave, etc.
  - License control processes
  - Virus control procedures
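Two of the access-control tests above, comparing active user accounts against HR exit and leave records and reviewing super-user rights against need to know, reduce to a reconciliation between two extracts. The Python below is an added example written for this page, not code from the slides or the presenter; the account and HR extracts are constructed, and the field names, the set of roles that legitimately hold privileged rights and the 60-day dormancy threshold are assumptions.

```python
"""Added example (not from the slides): reconciling an application's
active user list against the HR master, producing the exceptions an
auditor would carry into working papers. All data is constructed."""
from datetime import date

# Constructed extract from the application's user table (assumed fields).
ACTIVE_ACCOUNTS = [
    {"user": "asharma",   "emp_id": "E100", "role": "clerk",   "privileged": False, "last_login": date(2014, 4, 30)},
    {"user": "bpatel",    "emp_id": "E101", "role": "dba",     "privileged": True,  "last_login": date(2014, 4, 29)},
    {"user": "cjoshi",    "emp_id": "E102", "role": "clerk",   "privileged": False, "last_login": date(2014, 4, 28)},
    {"user": "dmehta",    "emp_id": "E103", "role": "clerk",   "privileged": True,  "last_login": date(2014, 4, 27)},
    {"user": "svc_batch", "emp_id": None,   "role": "service", "privileged": True,  "last_login": date(2014, 4, 30)},
    {"user": "rkumar",    "emp_id": "E999", "role": "clerk",   "privileged": False, "last_login": date(2014, 2, 1)},
]

# Constructed HR master: employment status and the date it took effect.
HR_RECORDS = {
    "E100": {"status": "active",   "effective": date(2013, 1, 1)},
    "E101": {"status": "active",   "effective": date(2013, 1, 1)},
    "E102": {"status": "exited",   "effective": date(2014, 4, 15)},
    "E103": {"status": "on_leave", "effective": date(2014, 4, 20)},
}

PRIVILEGED_ROLES = {"dba", "sysadmin"}  # roles expected to hold super-user rights (assumption)
DORMANT_DAYS = 60                        # dormancy threshold (assumption)


def reconcile(accounts, hr, as_of):
    """Return a list of (user, finding) tuples. Each account is checked
    against HR status, the need-to-know rule for privileged rights, and
    dormancy; an account can produce more than one finding."""
    findings = []
    for acct in accounts:
        emp_id = acct["emp_id"]
        rec = hr.get(emp_id) if emp_id else None

        # HR reconciliation: exit, leave, and accounts with no HR owner.
        if emp_id is None:
            findings.append((acct["user"], "no employee id: service or shared account needs a named owner"))
        elif rec is None:
            findings.append((acct["user"], f"employee {emp_id} not found in HR master"))
        elif rec["status"] == "exited":
            used_after = acct["last_login"] > rec["effective"]
            findings.append((acct["user"], "account active after exit on " + rec["effective"].isoformat()
                             + (" and used after exit" if used_after else "")))
        elif rec["status"] == "on_leave":
            findings.append((acct["user"], "account not suspended during leave from " + rec["effective"].isoformat()))

        # Need-to-know: super-user rights outside the roles that require them.
        if acct["privileged"] and acct["role"] not in PRIVILEGED_ROLES:
            findings.append((acct["user"], f"privileged rights on role '{acct['role']}' exceed need to know"))

        # Dormant accounts are a common source of unnoticed compromised credentials.
        if (as_of - acct["last_login"]).days > DORMANT_DAYS:
            findings.append((acct["user"], f"dormant: no login in over {DORMANT_DAYS} days"))
    return findings


def users_with_findings(findings):
    """Distinct users appearing in the findings, in first-seen order."""
    seen = []
    for user, _ in findings:
        if user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    for user, finding in reconcile(ACTIVE_ACCOUNTS, HR_RECORDS, date(2014, 5, 2)):
        print(f"{user:10} {finding}")
```

Run against the constructed data as of 2 May 2014, the two accounts whose HR status and role agree produce nothing, while the exited employee whose account was used after the exit date, the on-leave clerk holding privileged rights, the unowned service account and the dormant account with no HR record are all surfaced. The last-login comparison with the exit date is what turns a housekeeping finding into one that needs follow-up.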
- Slide 41
- Access Controls Testing: Procedures. Vulnerability testing through internal resources. An Internal Security Vulnerability Assessment (ISVA) is a comprehensive analysis of all of the workstations and servers on your network. The ISVA detects and identifies Trojan horses, hacker tools, DDoS (Distributed Denial-of-Service) agents and spyware through code analysis and signature matching, in much the same way as anti-virus software. It also identifies specific vulnerabilities such as configuration problems in FTP servers, exploits in Microsoft IIS or problems in NT security policy configuration.
- Slide 42
- Access Controls Testing: Procedures. Vulnerability testing through external resources. One of the most common vulnerability assessment activities for companies of all sizes is an external penetration testing scan, typically targeting Internet-facing websites. Once you place yourself outside the company, you are immediately given an untrusted status; the systems and resources available to you externally are usually very limited.
- Slide 43
- Video clip
- Slide 44
- Input Controls: Procedures
  - Verification by entering invalid data
  - Verification by entering incomplete data
  - Testing arithmetic accuracy
- Slide 45
- Processing Controls: Procedures
  - Integrated Test Facility (ITF) approach
  - Parallel simulation
- Slide 46
- Processing Controls: Procedures. Integrated Test Facility (ITF) approach
  - A dummy ITF centre is created for the auditors.
  - Creation of transactions to test the controls.
  - Creation of working papers showing the expected results from manually processed information.
  - Running of auditor transactions together with actual transactions.
  - Comparison of ITF results to the working papers.
- Slide 47
- Processing Controls: Procedures. Parallel simulation
  - Processing of real client data on an audit program similar to the client's program.
  - Comparison of the results of that processing with the results of the processing done by the client's program.
- Slide 48
- Processing Controls: Procedures. Parallel simulation flowchart (figure): actual transactions are processed both by the computer application system (computer operations) and by the auditor's simulation program; the resulting actual client report and auditor simulation report are then compared by the auditor.
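The ITF and parallel-simulation procedures on the two preceding slides and in the flowchart differ in where the auditor's input enters: ITF feeds dummy transactions for a dummy entity through the client's live program and compares them with working papers, while parallel simulation feeds the client's real data through the auditor's own program and compares the two reports. The Python below is an added example written for this page, not code from the slides or the presenter; the payroll rule, both programs, the transactions and the working papers are constructed, and the "client" program is given a deliberate overtime cap so that each procedure has a discrepancy to find.

```python
"""Added example (not from the slides): an Integrated Test Facility run
and a parallel simulation against a constructed payroll program.
The client program is constructed and deliberately caps overtime at
8 hours per period so that the two procedures have something to detect."""

OVERTIME_RATE = 1.5
STANDARD_HOURS = 40
ITF_PREFIX = "ITF-"   # dummy entity ids used by the auditor's test transactions


def client_payroll_program(records):
    """Constructed client program. Documented rule: standard hours at the
    base rate plus overtime at 1.5x. Deliberate discrepancy: overtime is
    silently capped at 8 hours, so anyone over 48 hours is underpaid."""
    report = {}
    for rec in records:
        regular = min(rec["hours"], STANDARD_HOURS)
        overtime = min(max(rec["hours"] - STANDARD_HOURS, 0), 8)
        report[rec["emp"]] = round(regular * rec["rate"] + overtime * rec["rate"] * OVERTIME_RATE, 2)
    return report


def auditor_simulation_program(records):
    """Auditor's independent re-implementation of the payroll rule as documented."""
    report = {}
    for rec in records:
        regular = min(rec["hours"], STANDARD_HOURS)
        overtime = max(rec["hours"] - STANDARD_HOURS, 0)
        report[rec["emp"]] = round(regular * rec["rate"] + overtime * rec["rate"] * OVERTIME_RATE, 2)
    return report


def parallel_simulation(actual_records):
    """Process real client data through both programs (the flowchart's two
    branches) and return {emp: (client_result, auditor_result)} where they differ."""
    client = client_payroll_program(actual_records)
    auditor = auditor_simulation_program(actual_records)
    return {emp: (client[emp], auditor[emp]) for emp in client if client[emp] != auditor[emp]}


def itf_run(actual_records, itf_transactions, working_papers):
    """Run the auditor's dummy transactions with the actual ones through the
    client program, compare the dummy results to the working papers, and
    return (exceptions, production_report) with the ITF entries removed
    from production so the dummy entity never reaches the real payroll."""
    combined = actual_records + itf_transactions
    full_report = client_payroll_program(combined)
    exceptions = {}
    for emp, expected in working_papers.items():
        if full_report.get(emp) != expected:
            exceptions[emp] = (full_report.get(emp), expected)
    production = {e: v for e, v in full_report.items() if not e.startswith(ITF_PREFIX)}
    return exceptions, production


# Constructed actual transactions and the auditor's ITF test data.
ACTUAL = [
    {"emp": "E100", "hours": 38, "rate": 20.0},
    {"emp": "E101", "hours": 45, "rate": 20.0},
    {"emp": "E102", "hours": 52, "rate": 20.0},
]
ITF_TXNS = [
    {"emp": "ITF-001", "hours": 40, "rate": 10.0},  # boundary case: no overtime
    {"emp": "ITF-002", "hours": 50, "rate": 10.0},  # 10 hours of overtime
]
# Working papers: expected results the auditor computed by hand.
WORKING_PAPERS = {"ITF-001": 400.0, "ITF-002": 550.0}

if __name__ == "__main__":
    print("parallel simulation differences:", parallel_simulation(ACTUAL))
    exceptions, production = itf_run(ACTUAL, ITF_TXNS, WORKING_PAPERS)
    print("ITF exceptions:", exceptions)
    print("production report (ITF entries removed):", production)
```

Parallel simulation flags E102 (52 hours), where the client program pays 1040.00 and the auditor's program 1160.00; the ITF run flags ITF-002, where the client program returns 520.00 against the working-paper figure of 550.00, while the boundary transaction ITF-001 agrees. Removing the ITF entries from the production report is part of the procedure, not an afterthought: dummy transactions left in live output are themselves a processing-control failure.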
- Slide 49
- (image only; no text extracted)
- Slide 50
- Application Controls: Procedures. Black-box testing
  - A method of software testing.
  - Examines the functionality of an application (i.e. what the software does) without peering into its internal structures or workings.
  - Can be applied to virtually every level of software testing: unit, integration, system and acceptance.
  - Typically comprises most if not all higher-level testing, but can also dominate unit testing.
- Slide 51
- Application Controls: Procedures. White-box testing
  - Also known as clear-box testing, glass-box testing, transparent-box testing and structural testing.
  - A method of testing software that tests the internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing).
  - An internal perspective of the system, as well as programming skills, is used to design test cases.
  - The tester chooses inputs to exercise paths through the code and determines the appropriate outputs.
- Slide 52
- Output Controls: Procedures
  - Check whether the output contains the key control information necessary to validate the accuracy and completeness of the information in the report, such as the last document reference, period, etc.
  - If data has to be transferred from one process to another, verify that no manual intervention is possible and no unauthorized modification of the data can be made.
  - Verify physical controls over hardcopy printouts.
- Slide 53
- (image only; no text extracted)
- Slide 54
- Format of IS Audit Report (figure)
- Slide 55
- (image only; no text extracted)