Mrs. Geetha Murugesan

CISA, CRISC, CGEIT (Passed), COBIT 5.0

Information Security Domain Management and IS Organisation Structure

Network Security

Application Security

Communication and Telecommunication Security

Database Security

Information Asset Protection

Business Continuity Management and DRP

Cloud Computing / Virtualization

Internet of Things

Cybersecurity, etc.


Information Security – Definition

Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).


Information Security

Information security (IS) is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions.

Confidentiality, integrity and availability are sometimes referred to as the CIA Triad of information security.


Definition

"Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)" - ISACA definition

18 May 2014

Key Concepts

The CIA triad of confidentiality, integrity, and availability is at the heart of information security.

Confidentiality - "is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes"

Integrity - means maintaining and assuring the accuracy and completeness of data over its entire life-cycle

Availability - for any information system to serve its purpose, the information must be available when it is needed.


Organization of the IS Audit Function

Audit charter (or engagement letter)

Stating management’s responsibility and objectives for, and delegation of authority to, the IS audit function

Outlining the overall authority, scope and responsibilities of the audit function

Approval of the audit charter

Change in the audit charter


Audit Planning


Short-term and Long-term planning

Things to Consider

Individual audit planning

Understanding of overall environment

New control issues

Changing technologies

Changing business processes

Enhanced evaluation techniques

Business practices and functions

Information systems and technology

Gain an understanding of the business’s mission objectives, purpose and processes which include information and processing requirements such as availability, integrity and information confidentiality

Understand the Changes in the Business Environment

Review prior work papers

Identify stated contents such as policies, standards and required guidelines, procedures and organisation structure

Set the Audit scope and objectives

Develop the Audit approach or Audit strategy

Assign the resources to the Audit

Address engagement logistics


Audit Planning

Effect of Laws and Regulations on IS Audit Planning

Regulatory requirements generally describe the:

• Establishment

• Organization

• Responsibilities

• Correlation of the regulation to financial, operational and IS audit functions


Effect of Laws and Regulations on IS Audit Planning (cont.)

Steps to determine compliance with external requirements:

• Identify external requirements

• Document pertinent laws and regulations

• Assess whether management and the IS function have considered the relevant external requirements

• Review internal IS department documents that address adherence to applicable laws

• Determine adherence to established procedures

• Determine if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities


Relationship Among Standards, Guidelines, and Tools and Techniques

Standards

Must be followed by IS auditors

Guidelines

Provide assistance on how to implement the standards

Tools and Techniques

Provide examples for implementing the standards


Risk Analysis

From the IS auditor’s perspective, risk analysis serves more than one purpose:

It assists the IS auditor in identifying risks and threats to an IT environment and IS system—risks and threats that would need to be addressed by management—and in identifying system specific internal controls. Depending on the level of risk, this assists the IS auditor in selecting certain areas to examine.


Risk Analysis (cont.)

• It helps the IS auditor in his/her evaluation of controls in audit planning.

• It assists the IS auditor in determining audit objectives.

• It supports risk-based audit decision making.

• Part of audit planning

• Helps identify risks and vulnerabilities

• The IS auditor can determine the controls needed to mitigate those risks


Risk Analysis (cont.)

IS auditors must be able to:

Be able to identify and differentiate risk types and the controls used to mitigate these risks

Have knowledge of common business risks, related technology risks and relevant controls

Be able to evaluate the risk assessment and management techniques used by business managers, and to make assessments of risk to help focus and plan audit work

Have an understanding that risk exists within the audit process


Risk Analysis (cont.)

In analyzing the business risks arising from the use of IT, it is important for the IS auditor to have a clear understanding of:

The purpose and nature of business, the environment in which the business operates and related business risks

The dependence on technology and related dependencies that process and deliver business information

The business risks of using IT and related dependencies and how they impact the achievement of the business goals and objectives

A good overview of the business processes and the impact of IT and related risks on the business process objectives


Risk Analysis (cont.)

Source: ISACA – CISA Review Manual


Internal Controls

Policies, procedures, practices and organizational structures implemented to reduce risks

Classification of internal controls

Preventive controls

Detective controls

Corrective controls


Internal Controls (cont.)


Internal control system

Internal accounting controls—Primarily directed at accounting operations such as the safeguarding of assets and the reliability of financial records.

Operational controls—Directed at day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives.

Administrative controls—Concerned with operational efficiency in a functional area and adherence to management policies including operational controls.

Described as supporting the operational controls specifically concerned with operating efficiency and adherence to organizational policy.


IS Control Objectives

Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.

Specific IS control objectives may include:

Safeguarding assets

Ensuring the integrity of general operating system environments


IS Control Objectives (cont.)

Ensuring the integrity of sensitive and critical application system environments through:

Authorization of the input

Validation of the input

Accuracy and completeness of processing of transactions

All transactions are recorded accurately and entered into the system for the proper period

Reliability of overall information processing activities

Accuracy, completeness and security of the output

Database integrity


IS Control Objectives (cont.)

Ensuring appropriate identification and authentication of users of IS resources

Ensuring the efficiency and effectiveness of operations

Complying with requirements, policies and procedures, and applicable laws

Developing business continuity and disaster recovery plans

Developing an incident response plan

Implementing effective change management procedures


COBIT 5.0

Source: ISACA. A business framework from ISACA, at www.isaca.org/cobit

COBIT 5 (cont.)

The five COBIT 5 principles are:

1. Meeting Stakeholder Needs

2. Covering the Enterprise End-to-end

3. Applying a Single Integrated Framework

4. Enabling a Holistic Approach

5. Separating Governance From Management


Meeting Stakeholder Needs

Stakeholder needs have to be transformed into an enterprise’s practical strategy.

The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.

Covering the Enterprise End-to-end


Source: COBIT® 5, figure 9. © 2012 ISACA® All rights reserved.

Key components of a governance system

Applying a Single, Integrated Framework

There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.


Enabling a Holistic Approach


COBIT 5 Enabler Dimensions: All enablers have a set of common dimensions. This set of common dimensions:

Provides a common, simple and structured way to deal with enablers

Allows an entity to manage its complex interactions

Facilitates successful outcomes of the enablers

Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.

Separating Governance From Management

• Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).


Separating Governance From Management (cont.)


COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.

Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.

General Controls


Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

Internal accounting controls directed at accounting operations

Operational controls concerned with the day-to-day operations

Administrative controls concerned with operational efficiency and adherence to management policies

Organizational logical security policies and procedures

Overall policies for the design and use of documents and records

Procedures and features to ensure authorized access to assets

Physical security policies for all data centers

IS Controls

IS control procedures include:

Strategy and direction of the IT function

General organization and management of the IT function

Access to IT resources, including data and programs

Systems development methodologies and change control

Operations procedures

Systems programming and technical support functions


IS Controls (cont.)

Quality assurance procedures

Physical access controls

Business continuity/disaster recovery planning

Networks and communications

Database administration

Protection and detective mechanisms against internal and external attacks


Performing an IS Audit


Definition of auditing

Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Definition of IS auditing

Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

Classification of Audits

The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures associated with each:

Compliance audits

Financial audits

Operational audits

Integrated audits

Administrative audits

IS audits

Specialized audits

Forensic audits


Audit Programs

Based on the scope and objective of the particular assignment

IS auditor’s perspectives:

Security (confidentiality, integrity and availability)

Quality (effectiveness, efficiency)

Fiduciary (compliance, reliability)

Service and capacity


Audit Programs (cont.)

General audit procedures are the basic steps in the performance of an audit and usually include:

Understanding of the audit area/subject

Risk assessment and general audit plan

Detailed audit planning

Preliminary review of audit area/subject

Evaluating audit area/subject

Verifying and evaluating controls

Compliance testing

Substantive testing

Reporting (communicating results)

Follow-up


Audit Programs (cont.)

Procedures for Testing and Evaluating IS Controls

Use of generalized audit software to survey the contents of data files

Use of specialized software to assess the contents of operating system parameter files

Flow-charting techniques for documenting automated applications and business process

Use of audit reports available in operating systems

Documentation review

Observation

Walkthroughs

Reperformance of controls


Audit Methodology

A set of documented audit procedures designed to achieve planned audit objectives

Composed of:

Statement of scope

Statement of audit objectives

Statement of audit programs

Set up and approved by the audit management

Communicated to all audit staff


Audit Methodology (cont.)

Audit phases

Audit subject

Audit objective

Audit scope

Preaudit planning

Audit procedures and steps for data gathering

Procedures for evaluating the test or review results

Procedures for communication with management

Audit report preparation


Audit Methodology (cont.)


Audit Phases - Description

Audit subject: Identify the area to be audited.

Audit objective: Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.

Audit scope: Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous program changes example, the scope statement might limit the review to a single application system or to a limited period of time.

Pre-audit planning:

• Identify technical skills and resources needed.

• Identify the sources of information for test or review such as functional flow charts, policies, standards, procedures and prior audit work papers.

• Identify locations or facilities to be audited.

Audit procedures and steps for data gathering:

• Identify and select the audit approach to verify and test the controls.

• Identify a list of individuals to interview.

• Identify and obtain departmental policies, standards and guidelines for review.

• Develop audit tools and methodology to test and verify control.

Procedures for evaluating the test or review results: Organization-specific

Procedures for communication with management: Organization-specific

Audit report preparation:

• Identify follow-up review procedures.

• Identify procedures to evaluate/test operational efficiency and effectiveness.

• Identify procedures to test controls.

• Review and evaluate the soundness of documents, policies and procedures.

Audit Methodology (cont.)

What is documented in work papers (WPs)?

Audit plans

Audit programs

Audit activities

Audit tests

Audit findings and incidents


Fraud Detection

Management’s responsibility

Benefits of a well-designed internal control system

Deterring fraud at the first instance

Detecting fraud in a timely manner

Fraud detection and disclosure

Auditor’s role in fraud prevention and detection


Risk-based Auditing


Audit Risk and Materiality

Audit risk categories

Inherent risk

Control risk

Detection risk

Overall audit risk


Risk Assessment and Treatment

Assessing security risks

Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization

Should be performed periodically to address changes in the environment, security requirements and when significant changes occur


Risk Assessment and Treatment (cont.)

Treating security risks

Each risk identified in a risk assessment needs to be treated

Possible risk responses include:

Risk mitigation

Risk acceptance

Risk avoidance

Risk transfer/sharing


Risk Assessment Techniques

Enables management to effectively allocate limited audit resources

Ensures that relevant information has been obtained from all levels of management

Establishes a basis for effectively managing the audit department

Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan


Audit Objectives

Specific goals of the audit

Compliance with legal and regulatory requirements

Confidentiality

Integrity

Reliability

Availability


Compliance vs. Substantive Testing

Compliance test

Determines whether controls are in compliance with management policies and procedures

Substantive test

Tests the integrity of actual processing

Correlation between the level of internal controls and substantive testing required

Relationship between compliance and substantive tests


Compliance vs. Substantive Testing (cont.)


Evidence

It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence:

• Independence of the provider of the evidence

• Qualification of the individual providing the information or evidence

• Objectivity of the evidence

• Timing of the evidence


Evidence (cont.)

Techniques for gathering evidence:

• Review IS organization structures

• Review IS policies and procedures

• Review IS standards

• Review IS documentation

• Interview appropriate personnel

• Observe processes and employee performance

• Reperformance

• Walkthroughs


Interviewing and Observing Personnel in Performance of Their Duties

• Actual functions

• Actual processes/procedures

• Security awareness

• Reporting relationships

• Observation drawbacks


Sampling

General approaches to audit sampling:

Statistical sampling

Non-statistical sampling


Sampling (cont.)

Two primary methods of sampling used by IS auditors are:

Attribute sampling

Stop-or-go sampling

Discovery sampling

Variable sampling

Stratified mean per unit

Unstratified mean per unit

Difference estimation


Sampling (cont.)

Statistical sampling terms:

Confidence coefficient

Level of risk

Precision

Expected error rate

Sample mean

Sample standard deviation

Tolerable error rate

Population standard deviation


Sampling (cont.)

Key steps in choosing a sample:

Determine the objectives of the test

Define the population to be sampled

Determine the sampling method, such as attribute versus variable sampling

Calculate the sample size

Select the sample

Evaluate the sample from an audit perspective
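An added example, not from the slides or ISACA: attribute sampling for a compliance test and unstratified mean-per-unit variable sampling for a substantive test, using the statistical terms listed above. The sample-size formula is the standard normal approximation, which the slides do not state; the z-values, sample results and population figures are constructed.

```python
"""Attribute sampling (compliance test) and mean-per-unit variable sampling
(substantive test). Formulas are the standard normal approximation; the
slides list the terms only, so this is an assumption of the example."""
import math
from statistics import mean, stdev

# z-values (confidence coefficients) for common confidence levels.
Z_FOR_CONFIDENCE = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def attribute_sample_size(confidence, expected_error_rate, precision):
    """Sample size for an attribute test: n = z^2 * p(1-p) / precision^2."""
    z = Z_FOR_CONFIDENCE[confidence]
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / precision ** 2)


def evaluate_attribute_sample(deviations, confidence, tolerable_error_rate):
    """Compliance test: compare the sample's upper deviation limit with the
    tolerable error rate. `deviations` is a list of booleans, True where the
    control was not performed as prescribed for that sampled item."""
    n = len(deviations)
    z = Z_FOR_CONFIDENCE[confidence]
    rate = sum(deviations) / n
    achieved_precision = z * math.sqrt(rate * (1 - rate) / n)
    upper_limit = rate + achieved_precision
    return {
        "sample_deviation_rate": rate,
        "upper_deviation_limit": upper_limit,
        "control_reliable": upper_limit <= tolerable_error_rate,
    }


def mean_per_unit_estimate(sample_values, population_size, confidence):
    """Substantive test (unstratified mean per unit): project the sample mean
    onto the population and state the precision of that projection."""
    n = len(sample_values)
    z = Z_FOR_CONFIDENCE[confidence]
    sample_mean = mean(sample_values)
    sample_sd = stdev(sample_values)
    estimated_total = sample_mean * population_size
    precision = z * sample_sd / math.sqrt(n) * population_size
    return {
        "sample_mean": sample_mean,
        "sample_standard_deviation": sample_sd,
        "estimated_total": estimated_total,
        "precision": precision,
        "interval": (estimated_total - precision, estimated_total + precision),
    }


def book_value_supported(estimate, book_value):
    """True when the recorded (book) value lies inside the projected interval,
    i.e. the sample gives no indication of material misstatement."""
    low, high = estimate["interval"]
    return low <= book_value <= high


if __name__ == "__main__":
    # Constructed: a control expected to fail 2% of the time, tested at 95%
    # confidence with 2% precision; the 100-item sample then shows 3 deviations.
    print("attribute sample size:", attribute_sample_size(0.95, 0.02, 0.02))
    sample = [False] * 97 + [True] * 3
    print(evaluate_attribute_sample(sample, 0.95, tolerable_error_rate=0.05))
    # Constructed: five invoice amounts sampled from a population of 1,000.
    est = mean_per_unit_estimate([120, 80, 100, 110, 90], 1000, 0.95)
    print(est, "book value supported:", book_value_supported(est, 105000))
```

With these inputs the upper deviation limit (about 6.3%) exceeds a 5% tolerable rate, so the compliance test does not support reliance on the control and more substantive work would follow.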


Using the Services of Other Auditors and Experts

Considerations when using services of other auditors and experts:

Restrictions on outsourcing of audit/security services provided by laws and regulations

Audit charter or contractual stipulations

Impact on overall and specific IS audit objectives

Impact on IS audit risk and professional liability

Independence and objectivity of other auditors and experts


Using the Services of Other Auditors and Experts (cont.)

Considerations when using services of other auditors and experts:

Professional competence, qualifications and experience

Scope of work proposed to be outsourced and approach

Supervisory and audit management controls

Method and modalities of communication of results of audit work

Compliance with legal and regulatory stipulations

Compliance with applicable professional standards


Computer-assisted Audit Techniques

CAATs enable IS auditors to gather information independently

CAATs include:

Generalized audit software (GAS)

Utility software

Debugging and scanning software

Test data

Application software tracing and mapping

Expert systems


Computer-assisted Audit Techniques (cont.)

Features of generalized audit software (GAS):

Mathematical computations

Stratification

Statistical analysis

Sequence checking

Functions supported by GAS:

File access

File reorganization

Data selection

Statistical functions

Arithmetical functions
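An added example, not from the slides or any GAS product: a small toolkit in the style of generalized audit software that performs the functions listed above (file access, data selection, sequence checking, stratification, statistical and arithmetical functions) over a constructed payments extract. Column names, bands and the records are assumptions.

```python
"""GAS-style functions over a constructed payments extract (CSV in memory)."""
import csv
import io
from statistics import mean, stdev

# Constructed extract. Document numbers should be consecutive; the data
# deliberately has a gap (1004 missing), a duplicate (1006) and a blank approver.
PAYMENTS_CSV = """doc_no,vendor,amount,approver
1001,ACME Ltd,450.00,jsmith
1002,ACME Ltd,9800.00,jsmith
1003,Globex,120.50,mlee
1005,Initech,15000.00,jsmith
1006,Globex,640.00,mlee
1006,Globex,640.00,mlee
1007,Initech,25.00,
"""


def load_payments(text=PAYMENTS_CSV):
    """File access: parse the extract into typed records."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["doc_no"] = int(row["doc_no"])
        row["amount"] = float(row["amount"])
    return rows


def sequence_check(rows):
    """Sequence checking: report missing and duplicated document numbers."""
    numbers = sorted(r["doc_no"] for r in rows)
    expected = set(range(numbers[0], numbers[-1] + 1))
    seen, duplicates = set(), set()
    for n in numbers:
        if n in seen:
            duplicates.add(n)
        seen.add(n)
    return {"missing": sorted(expected - seen), "duplicates": sorted(duplicates)}


def stratify(rows, bands=(0, 1000, 10000)):
    """Stratification: count and total the records in each amount band.
    Bands are lower bounds; the highest band is open-ended."""
    strata = {}
    for r in rows:
        lower = max(b for b in bands if r["amount"] >= b)
        s = strata.setdefault(lower, {"count": 0, "total": 0.0})
        s["count"] += 1
        s["total"] += r["amount"]
    return strata


def select_records(rows, min_amount=None, missing_field=None):
    """Data selection: large payments, or records with a blank mandatory field."""
    selected = rows
    if min_amount is not None:
        selected = [r for r in selected if r["amount"] >= min_amount]
    if missing_field is not None:
        selected = [r for r in selected if not r[missing_field]]
    return selected


def statistics_summary(rows):
    """Statistical and arithmetical functions over the amount field."""
    amounts = [r["amount"] for r in rows]
    return {"count": len(amounts), "total": sum(amounts), "mean": mean(amounts),
            "stdev": stdev(amounts), "max": max(amounts)}


if __name__ == "__main__":
    rows = load_payments()
    print(sequence_check(rows))
    print(stratify(rows))
    print([r["doc_no"] for r in select_records(rows, min_amount=10000)])
    print([r["doc_no"] for r in select_records(rows, missing_field="approver")])
    print(statistics_summary(rows))
```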


Computer-assisted Audit Techniques (cont.)

Items to consider before utilizing CAATs:

Ease of use for existing and future audit staff

Training requirements

Complexity of coding and maintenance

Flexibility of uses

Installation requirements

Processing efficiencies

Confidentiality of data being processed


Computer-assisted Audit Techniques (cont.)

Documentation that should be retained:

Online reports

Commented program listings

Flowcharts

Sample reports

Record and file layouts

Field definitions

Operating instructions

Description of applicable source documents


Computer-assisted Audit Techniques (cont.)

CAATs as a continuous online audit approach:

Improves audit efficiency

IS auditors must:

– develop audit techniques for use with advanced computerized systems

– be involved in the creation of advanced systems

– make greater use of automated tools


Evaluation of Audit Strengths and Weaknesses

Assess evidence

Evaluate overall control structure

Evaluate control procedures

Assess control strengths and weaknesses


Evaluation of Audit Strengths and Weaknesses (cont.)

Judging materiality of findings

Materiality is a key issue

Assessment requires judgment of the potential effect of the finding if corrective action is not taken


Communicating Audit Results

Exit interview

• Correct facts

• Realistic recommendations

• Implementation dates for agreed recommendations

Presentation techniques

• Executive summary

• Visual presentation

Communicating Audit Results (cont.)

Audit report structure and contents

An introduction to the report

Audit findings presented in separate sections

The IS auditor’s overall conclusion and opinion

The IS auditor’s reservations with respect to the audit

Detailed audit findings and recommendations

A variety of findings


Management Implementation of Recommendations

Auditing is an ongoing process

Timing of follow-up


Audit Documentation

Audit documentation includes:

Planning and preparation of the audit scope and objectives

Description of the scoped audit area

Audit program

Audit steps performed and evidence gathered

Other experts used

Audit findings, conclusions and recommendations


Control Self-Assessment

A management technique

A methodology

In practice, a series of tools

Can be implemented by various methods


Objectives of CSA

Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas

Enhancement of audit responsibilities, not a replacement

Educate management about control design and monitoring

Empowerment of workers to assess the control environment


Benefits of CSA

Early detection of risks

More effective and improved internal controls

Increased employee awareness of organizational objectives

Highly motivated employees

Improved audit rating process

Reduction in control cost

Assurance provided to stakeholders and customers


Disadvantages of CSA

Could be mistaken as an audit function replacement

May be regarded as an additional workload

Failure to act on improvement suggestions could damage employee morale

Lack of motivation may limit effectiveness in the detection of weak controls


Auditor Role in CSA

Internal control professionals

Assessment facilitators


Technology Drivers for CSA

Combination of hardware and software

Use of an electronic meeting system

Computer-supported decision aids

Group decision making is an essential component


Traditional vs. CSA Approach

Traditional Approach

Assigns duties/supervises staff

Policy/rule driven

Limited employee participation

Narrow stakeholder focus

CSA Approach

Empowered/accountable employees

Continuous improvement/learning curve

Extensive employee participation and training

Broad stakeholder focus


Integrated Auditing

Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity.

• Focuses on risk to the organization (for an internal auditor)

• Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)


Integrated Auditing (cont.)


Process involves:

Identification of risks faced by organization and of relevant key controls

Review and understanding of the design of key controls

Testing that key controls are supported by the IT system

Testing that management controls operate effectively

A combined report or opinion on control risks, design and weaknesses

Continuous Auditing

Distinctive character

Short time lapse between the facts to be audited and the collection of evidence and audit reporting

Drivers

Better monitoring of financial issues

Allows real-time transactions to benefit from real-time monitoring

Prevents financial fiascoes and audit scandals

Uses software to determine proper financial controls


Continuous Auditing (cont.)


Continuous monitoring

Provided by IS management tools

Based on automated procedures to meet fiduciary responsibilities

Continuous auditing

Audit-driven

Completed using automated audit procedures

Continuous Auditing (cont.)

Application of continuous auditing due to:

New information technology developments

Increased processing capabilities

Standards

Artificial intelligence tools


Continuous Auditing (cont.)

Prerequisites:

A high degree of automation

An automated and reliable information-producing process

Alarm triggers to report control failures

Implementation of automated audit tools

Quickly informing IS auditors of anomalies/errors

Timely issuance of automated audit reports

Technically proficient IS auditors

Availability of reliable sources of evidence

Adherence to materiality guidelines

Change of IS auditors’ mindset

Evaluation of cost factors


Continuous Auditing (cont.)

IT techniques in a continuous auditing environment:

Transaction logging

Query tools

Statistics and data analysis (CAAT)

Database management systems (DBMS)

Data warehouses, data marts and data mining

Intelligent agents

Embedded audit modules (EAM)

Neural network technology

Standards such as Extensible Business Reporting Language
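An added example, not from the slides: an embedded audit module (EAM) that applies control rules to each transaction as the application processes it, keeps a transaction log, and fires an alarm trigger for every control failure so the IS auditor is informed without waiting for a periodic review. The rules (segregation of duties, approval threshold, period cut-off), the threshold, the open period and the transactions are all constructed assumptions.

```python
"""Embedded audit module: per-transaction control checks with logging and alarms."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Transaction:
    txn_id: str
    amount: float
    prepared_by: str
    approved_by: str      # empty string when nobody approved
    posting_date: date


@dataclass
class EmbeddedAuditModule:
    # Constructed parameters: approval needed at or above this amount, and
    # postings must fall inside the open accounting period.
    approval_threshold: float = 10000.0
    period_start: date = date(2014, 5, 1)
    period_end: date = date(2014, 5, 31)
    log: list = field(default_factory=list)      # transaction logging
    alarms: list = field(default_factory=list)   # alarm triggers raised

    def check(self, txn):
        """Return the control failures found for one transaction."""
        failures = []
        if txn.prepared_by and txn.prepared_by == txn.approved_by:
            failures.append("segregation of duties: preparer approved own transaction")
        if txn.amount >= self.approval_threshold and not txn.approved_by:
            failures.append("authorization: amount above threshold has no approver")
        if not (self.period_start <= txn.posting_date <= self.period_end):
            failures.append("cut-off: posting date outside the open period")
        return failures

    def process(self, txn):
        """Hook the application calls for every transaction; returns True when
        the transaction passed all controls."""
        failures = self.check(txn)
        self.log.append((txn.txn_id, "FAIL" if failures else "PASS", failures))
        for failure in failures:
            self.alarms.append((txn.txn_id, failure))   # alarm trigger
        return not failures


def run_constructed_stream():
    """Feed a constructed stream of transactions through the module."""
    eam = EmbeddedAuditModule()
    stream = [
        Transaction("T1", 500.0, "alice", "bob", date(2014, 5, 10)),       # clean
        Transaction("T2", 12000.0, "alice", "alice", date(2014, 5, 12)),   # SoD
        Transaction("T3", 15000.0, "bob", "", date(2014, 5, 15)),          # no approver
        Transaction("T4", 200.0, "carol", "dave", date(2014, 6, 2)),       # cut-off
    ]
    for txn in stream:
        eam.process(txn)
    return eam


if __name__ == "__main__":
    module = run_constructed_stream()
    for entry in module.log:
        print(entry)
    print("alarms raised:", len(module.alarms))
```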


Continuous Auditing (cont.)

Advantages

Instant capture of internal control problems

Reduction of intrinsic audit inefficiencies

Disadvantages

Difficulty in implementation

High cost

Elimination of auditors’ personal judgment and evaluation
