
Upload: jim-kaplan-cia-cfe

Post on 05-Aug-2015


4/27/2015

1

Copyright © 2014 AuditNet® and Richard Cascarino & Associates

AuditNet® Training without Travel™ Fundamentals of IT Auditing 28 April 2015

Guest Presenter: Richard Cascarino, MBA, CIA, CISM, CFE

Richard Cascarino & Associates


Jim Kaplan CIA CFE

• President and Founder of AuditNet®, the global resource for auditors (now available on Apple and Android and Windows devices)

• Auditor, Web Site Guru

• Internet for Auditors Pioneer

• Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award

• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition


Richard Cascarino MBA CIA CISM CFE

• Principal of Richard Cascarino & Associates based in Colorado USA

• Over 30 years' experience in IT audit training and consultancy

• Past President of the Institute of Internal Auditors in South Africa

• Member of ISACA

• Member of Association of Certified Fraud Examiners

• Author of Auditor's Guide to IT Auditing


Webinar Housekeeping

• This webinar and its material are the property of AuditNet® and Richard Cascarino and Associates. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided with a link access to that recording as detailed below. Downloading or otherwise duplicating the webinar recording is expressly prohibited.

• Webinar recording link will be sent via email within 5-7 business days.

• NASBA rules require us to ask polling questions during the Webinar and CPE certificates will be sent via email to those who answer ALL the polling questions

• The CPE certificates and link to the recording will be sent to the email address you registered with in GTW. We are not responsible for delivery problems due to spam filters, attachment restrictions or other controls in place for your email client.

• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.

• After the Webinar is over you will have an opportunity to provide feedback. Please complete the feedback questionnaire to help us continuously improve our Webinars

• If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.


Disclaimers

• The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.

• While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website

• Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet®


Today’s Agenda – Technology and Audit

– Control Objectives and Risks

– Batch and On-line Systems

– Programming Computers

– Database Systems

– Computer Risks and Exposures

– Computer Security

– Application Systems and their Development

– Computer Operations Controls

• Your Questions

• Conclusion


Systems of Internal Control

• Key Concepts

–"Reasonable Assurance"

–"Acceptable Levels"

• Control Environments

• Primary Element of Internal Control

• Establishes conditions under which Internal Controls will Operate

–Organisation Structure

–Control Framework

–Organizational policies and procedures

–External Influences


Control Environment

•Organizational Structure

–Defines individual managers' responsibilities

–Sets limits of authority

–Ensures appropriate segregation of duties


Control Framework

• May be complex or simple

–Large organizations tend to have highly structured control frameworks

–Small organizations frequently use personal contact between employees

• Elements

–Segregation of duties

–Competence and integrity of people

–Appropriate levels of authority

–Accountability

–Adequate resources

–Supervision and review


Control Framework

• Policies and Procedures

–Describe

•Scope of the function

•Activities

•Interrelationships with other departments

•External Influences

•Laws and Regulations

•Customs

•Union agreements

•Competitive Environments


Systems Software

–Computer programs and routines controlling computer hardware, processing and non-user functions

–Includes

Operating Systems

Telecommunications software

Data management

Applications Software

–Computer programs written to support business functions

–Includes

General Ledger / Payroll / Inventory / Order Processing

Manual and Automated Systems


Manual and Automated Systems

End-User Systems

–Generated outside the IT organization to meet specific user needs

–Includes

Micro-based systems

User-developed systems


Control Procedures

General IT Controls

–Computer Operations

Physical Security

Logical Security

Program change control

–Systems Development

Application Controls

Business systems oriented

Accuracy

Completeness

Authorization


Classification of Controls

Preventative - prevents an undesirable event

–Restrictions on users

–Requirements for passwords

–Separate authorization

Detective - detects undesirable events after the fact

–Effective use of audit trails

–Exception reports

Corrective - allow things to be put right

–Disaster Recovery Plans

–Transaction reversal capability


Classification of Controls

Discretionary - subject to human discretion

–Supervisory review of signatures

Non-discretionary - provided by the system and cannot be overridden

–Use of PIN numbers


Classification of Controls

Voluntary / mandated

–Voluntary - Chosen by the organization to support its business

–Mandatory - required by laws and regulations

Manual / automated

–Manual - implemented by manual intervention

–Automated - Implemented by the computer system

Application / General IS

–Application - to do with the business function

–General IS - to do with the running of the IS function


Classification of Controls

Control Objectives and Risks

–Potential Risks

Fraud

Business interruption

Errors

Customer dissatisfaction

Poor public image

Ineffective and Inefficient use of resources

General Control Objectives

–Integrity of Information

–Security

–Compliance

–Integrity of Information


Data and Transaction Objectives

–Input

All transactions are initially and completely recorded

All transactions are completely and accurately entered into the system

All transactions are entered once only

–Controls may include

Pre-numbered documents

Control total reconciliation

Data validation

Activity logging

Document scanning

Access authorization

Document cancellation


Data and Transaction Objectives

Processing

–Approved transactions are accepted by the system and processed

–All rejected transactions are reported, corrected and re-input

–All accepted transactions are processed once only

–All transactions are accurately processed

–All transactions are completely processed


Data and Transaction Objectives

Controls may include

–Control totals

–Programmed balancing

–Segregation of Duties

–Restricted access

–File labels

–Exception reports

–Error logs

–Reasonableness tests

–Concurrent update control
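As an added example that is not part of the deck, the following Python exercises the input and processing controls listed on the last few slides (control total reconciliation, pre-numbered documents, entered once only, data validation and reasonableness tests) over a constructed payroll batch. The batch layout, the account number range and the reasonableness limit are assumed values chosen for the illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class BatchHeader:
    """Control figures the submitting department works out before keying."""
    first_doc: int        # first pre-numbered document in the batch
    last_doc: int         # last pre-numbered document in the batch
    record_count: int     # number of documents the submitter says are in the batch
    hash_total: int       # sum of account numbers: meaningless, but must agree
    value_total: Decimal  # sum of transaction amounts


@dataclass
class Transaction:
    doc_no: int
    account: int
    amount: Decimal


@dataclass
class ExceptionReport:
    """Each exception is (control, detail); no exceptions means the batch is accepted."""
    exceptions: list = field(default_factory=list)

    def add(self, control, detail):
        self.exceptions.append((control, detail))

    @property
    def accepted(self):
        return not self.exceptions


# Constructed limits for the validation and reasonableness tests (assumed values).
ACCOUNT_RANGE = (100000, 999999)
REASONABLE_MAX = Decimal("10000.00")


def check_batch(header, txns):
    report = ExceptionReport()

    # Control total reconciliation: count, hash total and value total must agree
    # with the header, otherwise a record was lost, duplicated or mis-keyed.
    if len(txns) != header.record_count:
        report.add("record_count", f"header {header.record_count}, keyed {len(txns)}")
    hash_total = sum(t.account for t in txns)
    if hash_total != header.hash_total:
        report.add("hash_total", f"header {header.hash_total}, keyed {hash_total}")
    value_total = sum((t.amount for t in txns), Decimal("0"))
    if value_total != header.value_total:
        report.add("value_total", f"header {header.value_total}, keyed {value_total}")

    # Pre-numbered documents: every number in the batch range must be entered
    # exactly once (completely recorded, and entered once only).
    by_doc = {}
    for t in txns:
        by_doc.setdefault(t.doc_no, []).append(t)
    for doc in sorted(set(range(header.first_doc, header.last_doc + 1)) - by_doc.keys()):
        report.add("missing_document", f"document {doc} not entered")
    for doc, copies in sorted(by_doc.items()):
        if len(copies) > 1:
            report.add("duplicate_document", f"document {doc} entered {len(copies)} times")

    # Data validation and reasonableness tests on each record.
    for t in txns:
        if not ACCOUNT_RANGE[0] <= t.account <= ACCOUNT_RANGE[1]:
            report.add("invalid_account", f"document {t.doc_no}: account {t.account}")
        if t.amount <= 0:
            report.add("invalid_amount", f"document {t.doc_no}: amount {t.amount}")
        elif t.amount > REASONABLE_MAX:
            report.add("unreasonable_amount", f"document {t.doc_no}: amount {t.amount}")
    return report


def sample_batch(corrected=False):
    """Constructed batch. As keyed, document 1003 was skipped, 1002 was keyed twice
    and the amount on 1005 was keyed as 25000.00 instead of 2500.00; corrected=True
    returns the batch as re-input after the exception report was worked."""
    header = BatchHeader(1001, 1005, 5, 1550458, Decimal("7260.75"))
    keyed = [(1001, 310042, "1250.00"), (1002, 310077, "980.50"),
             (1002, 310077, "980.50"), (1004, 310101, "2100.00"),
             (1005, 310150, "25000.00")]
    fixed = [(1001, 310042, "1250.00"), (1002, 310077, "980.50"),
             (1003, 310088, "430.25"), (1004, 310101, "2100.00"),
             (1005, 310150, "2500.00")]
    rows = fixed if corrected else keyed
    return header, [Transaction(d, a, Decimal(v)) for d, a, v in rows]
```

Note that the record count alone passes for the keyed batch (a duplicate masks the missing document), which is why the hash and value totals and the sequence check are run together.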


Data and Transaction Objectives

Output

–Hard copy

–File output

–On-line enquiry files

Primary Objectives

–Assurance that the results of Input and Processing are output

–Output is available only to authorized personnel

Typical Controls

–Complete audit trail

–Output distribution logs


Data and Transaction Objectives

Integrity of programs and processing

Change Control

–Prevention of unwanted changes

–Ensuring adequate design and development control

–Ensuring adequate testing

–Controlled program transfer

–Ongoing maintainability of systems


Data and Transaction Objectives

Systems Development

Typical Controls

–Use of a formal SDLC

–User involvement

–Adequate documentation

–Formalized testing plan

–Planned conversion

–Use of post-implementation reviews

–Establishment of a QA function

–Involvement of Internal Auditors


Polling Question 1


Changing Objectives

Early days - Batch only

–All inputs collected centrally

–Input together in "batches"

–Normally punched cards

–May be entered via terminal with update taking place in batch mode

–Primary control objectives

Accuracy

Completeness


Changing Objectives

Nowadays

–On-line, Real-time input with a small batch component

–Input via a terminal

–Instantaneous update

–Overnight report production

–Terminals may be local or remote

–Terminals may be dial-up or dedicated

–Terminals may be differing types

–Primary control objectives

Availability

Security

Confidentiality

Accuracy


Communications

Microwave

Satellite

Cables

–Dedicated

–Dial-up

Line operations

–Digital to analogue

–Simplex - one way only

–Half-duplex - one way at a time

–Duplex - two way communications

Wireless


Communications

Synchronous Communications

–High speed transmission and reception of long groups of characters

Asynchronous Communications

–Slow, irregular transmissions, one character at a time with start and stop bits

Encryption

–Scrambling of data into unreadable forms such that it can be unscrambled

Protocol

–A set of rules for message transmission in the network


Network Types

Private

Public Switched (PSNs)

Value Added (VANs)

Local Area (LANs)

Wide Area (WANs)

The Internet

The Cloud


Network Configurations

Point-to-Point

–Separate, direct links

Multidrop

–Multiple terminals sharing a single line

Ring Networks

–No central computer, each machine is a "node"

Star Networks

–Single central computer coordinating all communications


Cloud Configurations

Infrastructure as a Service

Platform as a Service

Applications and Software as a Service


Online Service Capabilities

On-line enquiry

–Allows a remote user to retrieve data directly

–Primary concern - Confidentiality

On-line data entry

–Remote entry of data

–Allows concurrent processing of data

–Primary concerns

Transaction authenticity

Accuracy

Completeness


Online Service Capabilities

On-line update

–As per on-line data entry but with immediate effect

–Primary concerns

Concurrency control

Availability


Basic Online Concerns

Availability

Security

–Unauthorized access

–Accidental or intentional changes

Security threatened areas

–Operating system

–Management features

–Inter-computer communication

–Dial-up access

–Gateways

–Poor performance


Availability

Availability of

–Hardware components

–Software

–Data

–Networking capability

–Human resources


Availability

Ensured by

–Adequate physical environment

–Adequate backups

–Multiple redundancies

–Peer-to-peer networking

–Adequate Disaster Recovery Planning

–Training


Security

A factor of

–Hardware

–Software

–Human element

Hardware

–Theft

–Sabotage

–Penetration

Operating System Software

–Theft

–Corruption

–Bypassing


Security

Applications Software

–Theft

–Corruption

–Bypassing

–Substitution

Data

–Theft

–Corruption

–Substitution

–Manipulation


Sources of Security Risk

Insiders - Users

Insiders - Specialists

Outsiders - Legitimate

Outsiders - Hackers


Polling Question 2


Programming Computers

Programming languages

Who programs?

The SDLC

Change Control

Problem Management


Programming Languages

Binary Programs

–0110 1001 1110 0101

–0001 0101 0101 0011

Then Symbolic Code

–PACK RATE,RATE1

–L HRS,HRS1

–MVC REG,4

FORTRAN

–PAY:

REGPA=RATE*HOURS

CALL TXCAL

DED=WITTX+UIF+INS+PENS


More Languages

COBOL

–NET-PAY-CALC-ROUTINE.

MULTIPLY RATE BY HOURS-WORKED

GIVING NORMAL-PAY

Future

–4th Generation Languages

–5th Generation Languages

–No Languages?

–Artificial Intelligence


Programs

Source Code

Object Code

Executable Code

Compilers

Assemblers

Interpreters


Program Processes

Analyze

Design

Code

Test

Retest

Redesign

Retest

Run

Audit


The SDLC

Used to control the generation of programmed systems

Objective - to produce a quality system, as specified, on time, within budget

Primary phases

Feasibility study

Outline system design

Detailed system design

Code

Test

Implement

Post-implementation Review


SDLC Problems

–Availability of user staff

–Access to the right level of staff

–"Technology lust"

–Over extended timescales

–Inexperienced staff

–Timescale problems

Too long between milestones

Key staff change

Business objectives change

Costs escalate

Hardware / software may become obsolete


Conversion Activities

Acquisition of data

Identification of sources

Development of conversion programs

Sanitization of input data

Maintenance of current systems

File conversion

Major task

–Requires strict control

–May jeopardize the whole project

–Rubbish in - rubbish out

–Audit involvement essential


Polling Question 3


Systems Development Exposures

–Erroneous management decisions

–Unacceptable accounting policies

–Inaccurate record keeping

–Business interruption

–Built-in fraud

–Violation of legal statutes

–Excessive operating cost

–Inflexibility

–Overrun budgets

–Unfulfilled objectives


Causes

–Incomplete economic evaluation

–Management abdication

–Inadequate specifications

–Systems design errors

–Incompetent personnel

–Technical self-gratification

–Poor communications

–No project "kill" points

–Temptations to computer abuse

–Incoherent direction


Project Management

–Agreed schedules / Schedule review

–Work assignment

–Performance monitoring

–Progress monitoring

–Status reporting and follow-up

–Project planning elements

–Project guidelines

–Work breakdowns

–Start and completion dates

–A monitoring mechanism


Change Control

Objective - to ensure risk is controlled, not introduced, during a change

–All changes are authorized

–All authorized changes are made

–Only authorized changes are made

–All changes are as specified

–All changes are cost-effective


Problem Management

Objective - to control systems during emergency situations

–Unforeseen changes

–Bypass normal control mechanisms

–May require direct programmer access to live data

–Must be controlled separately

–Must involve user authorization


Databases

Definition of Terms

–Database

a collection of data logically organized to meet the information requirements of a universe of users

–Database Management System (DBMS)

a hardware/software system which manages data by providing organization, access and control functions

–Data Dictionary / Data Directory Systems (DD / DS)

the software which manages a repository of information about data and the data base environment

–Database Administration

a human function involved in the co-ordination and control of data related activities


Databases

Definition of Terms

–User System Interfaces

components of the data base environment which request, manipulate and transform data into information for an end user

–Data Structure

the interrelationships of data

–Storage Structures

methods and techniques used to physically represent data structures on storage devices

–Access Methods

software logic procedures used to retrieve, insert, modify and delete data on a storage device


Database Types

Sequential

Hierarchical

Network

Relational Model

Components

–Data Definition Language (DDL)

–Storage Structure Definition Language (SSDL)

–Data Manipulation Language (DML)

–DBMS Nucleus and Utilities


Sequential Approach

Fundamental Assumption

–There is a Direct Relationship between data


Hierarchical Approach

Fundamental Assumption

–There is some Hierarchical Relationship between data

Terminology

Root Segment

Parent Segment

Child Segment

Twins


Network Approach

Fundamental Assumption

–There is some General Relationship between data

Terminology

–Records / Pointers

Note

Any Structure may be defined

Records may contain multiple fields


Relational Model

Fundamental Assumption

–There is some Mathematical Relationship between data

Employee Table: Emp No | Dept No | Name

Dept Table: Dept No | Name


The DBA

Database Administrator

Functions Of The DBA

–Coordinating the information content of the database

–Deciding the storage structure and access strategy

–Liaising with users

–Defining authorization checks and validation procedures

–Defining a strategy for back-up and recovery

–Monitoring performance and responding to changes in requirements


Tools of the DBA

Utility Programs

–Loading

–Reorganization Routines

–Statistical Analysis

–Journaling (e.g., Logs)

–Recovery

Data Dictionary

Database Analyzers


Database Recovery

When? / Examples

–Action Failure: Insert, Replace, Delete

–DB Operation Fails: Insert, Replace, Delete

–Transaction Failure: Deadlock

–System Failure: Power, Hardware, Software

–Media Failure: Head Crash


Recovery Criteria

Reinstate Databases to a known state

Minimize lost work

Allow recovery on a transaction basis

Provide fast recovery

Minimize manual work

Ensure safety of recovery data

Provide mechanism to inform users of "lost" transactions

Cater for various types of failures


Recovery Tools

The Recovery Log

The Checkpoint

The Database Dump

Database Restart/Recovery Software


Recovery Logs

Before/after images of the recovery log

–Before Image - Content

Image of Data before modification

Date/Time of change

Processing Program Id of modifying transaction

May be written to Recovery Log stored on a direct access file

–Before Image - Function

Applied to point in time of failure of the environment

Applied to Database to "back out" faulty update transactions

Establishes Database to most recent Quiet Point (Checkpoint)


After Image Logs

After Images - Content

–Image of data after modification

–Date/Time of change

–Processing Program id of modifying transaction

After Images - Function

–Applied to reloaded Database dump

–Brings the Database forward in time to the last checkpoint or point of failure

Database Checkpoint taken at a quiet point of the data base (i.e., all update activity has terminated)

Buffers are flushed and update transactions are queued until checkpoint is taken


Checkpoints

Database Checkpoints can be taken at anytime

May be difficult to synchronize with O/S Checkpoints

May be procedurally initiated by application programs

May be automatically initiated by algorithm

–Elapsed Time

–Transactions processed
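As an added example that is not part of the deck, here is a small Python model of the recovery mechanics the last four slides describe: a recovery log holding before and after images, a checkpoint taken at a quiet point, roll-forward of after images onto a reloaded database dump, and back-out of a faulty transaction using its before images. The row layout, program ids and transaction ids are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LogRecord:
    """One recovery-log entry: the before and after images of a single row change."""
    seq: int
    txn: str                 # id of the modifying transaction
    program: str             # processing program id of the modifying transaction
    key: str                 # row key
    before: Optional[dict]   # before image; None when the row did not exist (insert)
    after: Optional[dict]    # after image; None when the row was deleted


@dataclass
class RecoveryLog:
    records: list = field(default_factory=list)
    checkpoints: list = field(default_factory=list)   # log positions of quiet points


class Database:
    def __init__(self, rows=None):
        self.rows = {k: dict(v) for k, v in (rows or {}).items()}

    def dump(self):
        """Full database dump, the base that after images are rolled forward onto."""
        return {k: dict(v) for k, v in self.rows.items()}

    def write(self, log, txn, program, key, new):
        """Log the before/after images first, then apply the change."""
        before = dict(self.rows[key]) if key in self.rows else None
        after = dict(new) if new is not None else None
        log.records.append(LogRecord(len(log.records) + 1, txn, program, key, before, after))
        self.apply_image(key, after)

    def apply_image(self, key, image):
        if image is None:
            self.rows.pop(key, None)
        else:
            self.rows[key] = dict(image)


def checkpoint(log):
    """Quiet point: all updates applied and buffers flushed; remember the log position."""
    log.checkpoints.append(len(log.records))


def roll_forward(dump, log, upto=None):
    """Apply after images to a reloaded dump, bringing it forward to the chosen
    log position (a checkpoint) or, by default, to the point of failure."""
    db = Database(dump)
    for rec in log.records[:upto]:
        db.apply_image(rec.key, rec.after)
    return db


def back_out(db, log, txn):
    """Apply a transaction's before images in reverse order to undo a faulty update."""
    for rec in reversed(log.records):
        if rec.txn == txn:
            db.apply_image(rec.key, rec.before)
    return db


def sample_day():
    """Constructed processing day: a dump, an authorized rate change, a checkpoint,
    then more updates of which T3 keys 400 hours for E100 before the media fails."""
    db = Database({"E100": {"rate": 20, "hours": 40}, "E200": {"rate": 25, "hours": 35}})
    dump = db.dump()
    log = RecoveryLog()
    db.write(log, "T1", "PAYUPD", "E100", {"rate": 22, "hours": 40})
    checkpoint(log)
    db.write(log, "T2", "TIMEENT", "E200", {"rate": 25, "hours": 38})
    db.write(log, "T3", "TIMEENT", "E300", {"rate": 30, "hours": 10})
    db.write(log, "T3", "TIMEENT", "E100", {"rate": 22, "hours": 400})
    return dump, log


def recover_to_checkpoint(dump, log):
    """Media failure: reload the dump and roll after images forward to the last quiet point."""
    return roll_forward(dump, log, upto=log.checkpoints[-1]).rows


def recover_and_back_out(dump, log, faulty_txn):
    """Roll forward to the point of failure, then back out the faulty transaction."""
    return back_out(roll_forward(dump, log), log, faulty_txn).rows
```

Backing out T3 removes the inserted E300 row as well as restoring E100, because the insert's before image is "no row", which is why the before image must record absence rather than an empty record.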


Polling Question 4


Computer Security

What is Computer Security?

–Security around and within

The computer and associated equipment

The people using it

–Federal information processing standards (FIPS) Publication 102

Computer Security "The quality exhibited by a computer system that embodies its protection against internal failures, human errors, attacks, and natural catastrophes that might cause improper disclosures, modification, destruction, or denial of service".

Attempts at unauthorized access

The use of data-processing resources for unauthorized purposes


Scope of Security

Physical security

Personnel security

Data security

Application software security

Systems software security

Tele-communications security


Scope of Security

Computer operations security

Vital records retention

EDP insurance

Outside contract services

Disaster recovery plans

Computer crime and fraud


Security Myths

Computer security is a technical problem

Security breakdowns only happen to other firms

The major threat is the data processing staff

The major threat is outsiders

Only a computer wizard can perpetrate a computer fraud

Computer security is physical security

It's not my problem


Security Controls

Procedural Controls

Workstation Security

Communications Security

Encryption

Message authentication

Reconciliation


Polling Question 5


Computer Operations

Responding To Equipment Failures

Production Of Backup Copies as Defined

Restoration From Backup when Authorized

Handling "unpredictable" Conditions


Computer Operations

Mounting And Dismounting Data Files

Loading Paper Into Printers

Aligning Special Forms

Scheduling Runs

Loading Programs

Balancing Run Priorities

Responding To Operating System Prompts

Responding To Application System Prompts

Maintaining Incident Logs

Performing Routine Housekeeping Tasks


File and Program Libraries

On-line vs. Off-line

Remote Site Libraries

–Program Source vs. Object Code

–Automated Library Functions

–Segregation of Duties

–Output Distribution

Dispatch of hard copy

Control over spool files

Networked printers

Destruction of confidential scrap


Operations Exposures

Human error

Data entry

Console entry

Wrong generations of files

Wrong versions of programs

Media damage in handling

Hardware failure

Software failure

Computer abuse

Disasters


Operations Controls

Run Controls

Predefined run schedules

Computer and manual run logs

System performance statistics

Budgetary controls

Supervision


Operations Controls

Segregation of duties

IT cannot initiate transactions

Systems and programming independent from operations

Programmers cannot operate the machine

Operators cannot access file libraries

IT librarian an independent function

IT staff have no control over corporate assets

Operations staff should be rotated

Operations staff must take holidays

Operators should not attempt to correct programs


Polling Question 6


Overall IT Objectives

• IT Control

• IT Effectiveness

• IT Efficiency

• IT Auditability


Questions?

• Any Questions?

Don’t be Shy!


Coming Up Next

IT AUDIT BASIC

2. IT Basics Auditing Database Structures Apr 30

3. IT Basics Audit use of CAATs May 5

4. Auditing Contingency Planning May 7

5. IT Fraud and Countermeasures May 12

IT AUDIT ADVANCED

1. Advanced IT Audit Risk Analysis for Auditors May 14

2. Advanced IT Audit Securing the Internet May 19

3. Advanced IT Audit IT Security Reviews May 21

4. Advanced IT Audit Performance Auditing of the IT Function May 26

5. Advanced IT Audit Managing the IT Audit Function May 28


Thank You!

Richard Cascarino, MBA, CIA, CISM, CFE

Richard Cascarino & Associates

970-291-1497 [email protected]

Jim Kaplan

AuditNet LLC®

800-385-1625

www.auditnet.org

[email protected]