Mrs. Geetha Murugesan CISA, CRISC, CGEIT (Passed), ...
Information Security Domain Management and IS Organisation Structure
Network Security
Application Security
Communication and Telecommunication Security
Database Security
Information Asset Protection
Business Continuity Management and DRP
Cloud Computing / Virtualization
Internet of Things
Cybersecurity, etc.
Information Security – Definition
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).
Information Security
Information security (IS) is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions.
Confidentiality, integrity and availability are sometimes referred to as the CIA Triad of information security.
Definition
"Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)" (ISACA definition)
18 May 2014
Key Concepts
The CIA triad of confidentiality, integrity, and availability is at the heart of information security.
Confidentiality - "is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes"
Integrity - means maintaining and assuring the accuracy and completeness of data over its entire life-cycle
Availability - For any information system to serve its purpose, the information must be available when it is needed.
Organization of the IS Audit Function
Audit charter (or engagement letter)
Stating management’s responsibility and objectives for, and delegation of authority to, the IS audit function
Outlining the overall authority, scope and responsibilities of the audit function
Approval of the audit charter
Change in the audit charter
Audit Planning
Short-term and Long-term planning
Things to Consider
Individual audit planning
Understanding of overall environment
New control issues
Changing technologies
Changing business processes
Enhanced evaluation techniques
Business practices and functions
Information systems and technology
Gain an understanding of the business’s mission, objectives, purpose and processes, which include information and processing requirements such as availability, integrity and information confidentiality
Understand the changes in the business environment
Review prior work papers
Identify stated contents such as policies, standards and required guidelines, procedures and organisation structure
Set the audit scope and objectives
Develop the audit approach or audit strategy
Assign the resources to the audit
Address engagement logistics
Audit Planning
Effect of Laws and Regulations on IS Audit Planning
Regulatory requirements generally describe the:
• Establishment
• Organization
• Responsibilities
• Correlation of the regulation to financial, operational and IS audit functions
Effect of Laws and Regulations on IS Audit Planning (cont.)
Steps to determine compliance with external requirements:
• Identify external requirements
• Document pertinent laws and regulations
• Assess whether management and the IS function have considered the relevant external requirements
• Review internal IS department documents that address adherence to applicable laws
• Determine adherence to established procedures
• Determine if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities
Relationship Among Standards, Guidelines, and Tools and Techniques
Standards
Must be followed by IS auditors
Guidelines
Provide assistance on how to implement the standards
Tools and Techniques
Provide examples for implementing the standards
Risk Analysis
From the IS auditor’s perspective, risk analysis serves more than one purpose:
It assists the IS auditor in identifying risks and threats to an IT environment and IS system (risks and threats that would need to be addressed by management) and in identifying system-specific internal controls. Depending on the level of risk, this assists the IS auditor in selecting certain areas to examine.
Risk Analysis (cont.)
• It helps the IS auditor in his/her evaluation of controls in audit planning.
• It assists the IS auditor in determining audit objectives.
• It supports risk-based audit decision making.
• Part of audit planning
• Helps identify risks and vulnerabilities
• The IS auditor can determine the controls needed to mitigate those risks
Risk Analysis (cont.)
IS auditors must be able to:
Identify and differentiate risk types and the controls used to mitigate these risks
Have knowledge of common business risks, related technology risks and relevant controls
Evaluate the risk assessment and management techniques used by business managers, and make assessments of risk to help focus and plan audit work
Understand that risk exists within the audit process
Risk Analysis (cont.)
In analyzing the business risks arising from the use of IT, it is important for the IS auditor to have a clear understanding of:
The purpose and nature of business, the environment in which the business operates and related business risks
The dependence on technology and related dependencies that process and deliver business information
The business risks of using IT and related dependencies and how they impact the achievement of the business goals and objectives
A good overview of the business processes and the impact of IT and related risks on the business process objectives
Internal Controls
Policies, procedures, practices and organizational structures implemented to reduce risks
Classification of internal controls
Preventive controls
Detective controls
Corrective controls
Internal Controls (cont.)
Internal control system
Internal accounting controls—Primarily directed at accounting operations such as the safeguarding of assets and the reliability of financial records.
Operational controls—Directed at day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives.
Administrative controls—Concerned with operational efficiency in a functional area and adherence to management policies including operational controls.
Described as supporting the operational controls specifically concerned with operating efficiency and adherence to organizational policy.
IS Control Objectives
Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.
Specific IS control objectives may include:
Safeguarding assets
Ensuring the integrity of general operating system environments
IS Control Objectives (cont.)
Ensuring the integrity of sensitive and critical application system environments through:
Authorization of the input
Validation of the input
Accuracy and completeness of processing of transactions
All transactions are recorded accurately and entered into the system for the proper period
Reliability of overall information processing activities
Accuracy, completeness and security of the output
Database integrity
IS Control Objectives (cont.)
Ensuring appropriate identification and authentication of users of IS resources
Ensuring the efficiency and effectiveness of operations
Complying with requirements, policies and procedures, and applicable laws
Developing business continuity and disaster recovery plans
Developing an incident response plan
Implementing effective change management procedures
COBIT 5 (cont.)
The five COBIT 5 principles are:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
Meeting Stakeholder Needs
Stakeholder needs have to be transformed into an enterprise’s practical strategy.
The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.
Covering the Enterprise End-to-end
Source: COBIT® 5, figure 9. © 2012 ISACA® All rights reserved.
Key components of a governance system
Applying a Single, Integrated Framework
There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.
Enabling a Holistic Approach
COBIT 5 Enabler Dimensions: All enablers have a set of common dimensions. This set of common dimensions:
Provides a common, simple and structured way to deal with enablers
Allows an entity to manage its complex interactions
Facilitates successful outcomes of the enablers
Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.
Separating Governance From Management
• Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
Separating Governance From Management (cont.)
COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.
Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.
General Controls
Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.
Internal accounting controls directed at accounting operations
Operational controls concerned with the day-to-day operations
Administrative controls concerned with operational efficiency and adherence to management policies
Organizational logical security policies and procedures
Overall policies for the design and use of documents and records
Procedures and features to ensure authorized access to assets
Physical security policies for all data centers
IS Controls
IS control procedures include:
Strategy and direction of the IT function
General organization and management of the IT function
Access to IT resources, including data and programs
Systems development methodologies and change control
Operations procedures
Systems programming and technical support functions
IS Controls (cont.)
Quality assurance procedures
Physical access controls
Business continuity/disaster recovery planning
Networks and communications
Database administration
Protection and detective mechanisms against internal and external attacks
Performing an IS Audit
Definition of auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
Definition of IS auditing
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
Classification of Audits
The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures associated with each:
Compliance audits
Financial audits
Operational audits
Integrated audits
Administrative audits
IS audits
Specialized audits
Forensic audits
Audit Programs
Based on the scope and objective of the particular assignment
IS auditor’s perspectives:
Security (confidentiality, integrity and availability)
Quality (effectiveness, efficiency)
Fiduciary (compliance, reliability)
Service and capacity
Audit Programs (cont.)
General audit procedures are the basic steps in the performance of an audit and usually include:
Understanding of the audit area/subject
Risk assessment and general audit plan
Detailed audit planning
Preliminary review of audit area/subject
Evaluating audit area/subject
Verifying and evaluating controls
Compliance testing
Substantive testing
Reporting (communicating results)
Follow-up
Audit Programs (cont.)
Procedures for Testing and Evaluating IS Controls
Use of generalized audit software to survey the contents of data files
Use of specialized software to assess the contents of operating system parameter files
Flow-charting techniques for documenting automated applications and business processes
Use of audit reports available in operating systems
Documentation review
Observation
Walkthroughs
Reperformance of controls
Audit Methodology
A set of documented audit procedures designed to achieve planned audit objectives
Composed of:
Statement of scope
Statement of audit objectives
Statement of audit programs
Set up and approved by the audit management
Communicated to all audit staff
Audit Methodology (cont.)
Audit phases
Audit subject
Audit objective
Audit scope
Preaudit planning
Audit procedures and steps for data gathering
Procedures for evaluating the test or review results
Procedures for communication with management
Audit report preparation
Audit Methodology (cont.)
Audit Phases and Description
Audit subject: Identify the area to be audited.
Audit objective: Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.
Audit scope: Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous program changes example, the scope statement might limit the review to a single application system or to a limited period of time.
Preaudit planning:
• Identify technical skills and resources needed.
• Identify the sources of information for test or review such as functional flow charts, policies, standards, procedures and prior audit work papers.
• Identify locations or facilities to be audited.
Audit procedures and steps for data gathering:
• Identify and select the audit approach to verify and test the controls.
• Identify a list of individuals to interview.
• Identify and obtain departmental policies, standards and guidelines for review.
• Develop audit tools and methodology to test and verify controls.
Procedures for evaluating the test or review results: Organization-specific
Procedures for communication with management: Organization-specific
Audit report preparation:
• Identify follow-up review procedures.
• Identify procedures to evaluate/test operational efficiency and effectiveness.
• Identify procedures to test controls.
• Review and evaluate the soundness of documents, policies and procedures.
Audit Methodology (cont.)
What is documented in work papers (WPs)?
Audit plans
Audit programs
Audit activities
Audit tests
Audit findings and incidents
Fraud Detection
Management’s responsibility
Benefits of a well-designed internal control system
Deterring fraud at the first instance
Detecting fraud in a timely manner
Fraud detection and disclosure
Auditor’s role in fraud prevention and detection
Audit Risk and Materiality
Audit risk categories
Inherent risk
Control risk
Detection risk
Overall audit risk
Risk Assessment and Treatment
Assessing security risks
Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization
Should be performed periodically to address changes in the environment and security requirements, and when significant changes occur
Risk Assessment and Treatment (cont.)
Treating security risks
Each risk identified in a risk assessment needs to be treated
Possible risk responses include:
Risk mitigation
Risk acceptance
Risk avoidance
Risk transfer/sharing
Risk Assessment Techniques
Enables management to effectively allocate limited audit resources
Ensures that relevant information has been obtained from all levels of management
Establishes a basis for effectively managing the audit department
Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan
Audit Objectives
Specific goals of the audit
Compliance with legal and regulatory requirements
Confidentiality
Integrity
Reliability
Availability
Compliance vs. Substantive Testing
Compliance test
Determines whether controls are in compliance with management policies and procedures
Substantive test
Tests the integrity of actual processing
Correlation between the level of internal controls and substantive testing required
Relationship between compliance and substantive tests
Evidence
It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence:
• Independence of the provider of the evidence
• Qualification of the individual providing the information or evidence
• Objectivity of the evidence
• Timing of the evidence
Evidence (cont.)
Techniques for gathering evidence:
• Review IS organization structures
• Review IS policies and procedures
• Review IS standards
• Review IS documentation
• Interview appropriate personnel
• Observe processes and employee performance
• Reperformance
• Walkthroughs
Interviewing and Observing Personnel in Performance of Their Duties
• Actual functions
• Actual processes/procedures
• Security awareness
• Reporting relationships
• Observation drawbacks
Sampling (cont.)
Two primary methods of sampling used by IS auditors are:
Attribute sampling
– Stop-or-go sampling
– Discovery sampling
Variable sampling
– Stratified mean per unit
– Unstratified mean per unit
– Difference estimation
Sampling (cont.)
Statistical sampling terms:
Confidence coefficient
Level of risk
Precision
Expected error rate
Sample mean
Sample standard deviation
Tolerable error rate
Population standard deviation
Sampling (cont.)
Key steps in choosing a sample:
Determine the objectives of the test
Define the population to be sampled
Determine the sampling method, such as attribute versus variable sampling
Calculate the sample size
Select the sample
Evaluate the sample from an audit perspective
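As an added example that is not part of the original slides, the following Python carries the sampling steps above through for an attribute (compliance) test: the confidence coefficient, tolerable error rate and expected error rate fix the sample size, the sample is drawn at random, and the achieved upper error limit decides whether the control is accepted. The binomial sample-size rule, the change-ticket population and all function names and parameter values are assumptions of this example.

```python
"""Attribute sampling for a compliance test: sample size, selection and
evaluation.  Added example, not from the original slides; the change-ticket
population and all parameter values are constructed for illustration."""
import math
import random


def binom_cdf(k, n, p):
    """Exact P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence, tolerable_rate, expected_rate=0.0, max_n=5000):
    """Smallest n such that, if the true deviation rate were as high as the
    tolerable rate, seeing no more than the expected number of deviations in
    the sample would be improbable (probability <= 1 - confidence).
    With expected_rate 0 this reduces to (1 - tolerable)^n <= 1 - confidence,
    e.g. 95% confidence and a 5% tolerable rate give n = 59."""
    alpha = 1 - confidence
    for n in range(1, max_n + 1):
        expected_errors = math.ceil(n * expected_rate)
        if binom_cdf(expected_errors, n, tolerable_rate) <= alpha:
            return n
    raise ValueError("no sample size up to max_n satisfies the parameters")


def upper_error_limit(observed_errors, n, confidence, tol=1e-6):
    """Achieved upper deviation rate: the highest population rate still
    consistent (at the stated confidence) with the deviations observed.
    Found by bisection, since the binomial CDF is decreasing in p."""
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(observed_errors, n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def run_attribute_test(population, is_deviation, confidence, tolerable_rate,
                       expected_rate=0.0, seed=0):
    """The slide's steps in order: size the sample, select it (seeded random
    selection so the work papers can reproduce it), count deviations and
    compare the achieved upper error limit with the tolerable rate."""
    n = attribute_sample_size(confidence, tolerable_rate, expected_rate)
    sample = random.Random(seed).sample(population, n)
    deviations = sum(1 for item in sample if is_deviation(item))
    uel = upper_error_limit(deviations, n, confidence)
    return {
        "sample_size": n,
        "deviations": deviations,
        "upper_error_limit": round(uel, 4),
        "control_effective": uel <= tolerable_rate,
    }


def constructed_change_tickets(count, unapproved):
    """Constructed population: change tickets, the first `unapproved` of which
    lack the required approval (the control deviation being tested)."""
    return [{"ticket": f"CHG-{i:04d}", "approved": i >= unapproved}
            for i in range(count)]


if __name__ == "__main__":
    tickets = constructed_change_tickets(count=1000, unapproved=20)
    result = run_attribute_test(tickets, lambda t: not t["approved"],
                                confidence=0.95, tolerable_rate=0.05)
    print(result)
```

Because the upper error limit with zero deviations in 59 items is just under 5%, a single deviation already pushes it past the tolerable rate, which is why a stop-or-go plan would then extend the sample rather than conclude.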
Using the Services of Other Auditors and Experts
Considerations when using services of other auditors and experts:
Restrictions on outsourcing of audit/security services provided by laws and regulations
Audit charter or contractual stipulations
Impact on overall and specific IS audit objectives
Impact on IS audit risk and professional liability
Independence and objectivity of other auditors and experts
Using the Services of Other Auditors and Experts (cont.)
Considerations when using services of other auditors and experts:
Professional competence, qualifications and experience
Scope of work proposed to be outsourced and approach
Supervisory and audit management controls
Method and modalities of communication of results of audit work
Compliance with legal and regulatory stipulations
Compliance with applicable professional standards
Computer-assisted Audit Techniques
CAATs enable IS auditors to gather information independently
CAATs include:
Generalized audit software (GAS)
Utility software
Debugging and scanning software
Test data
Application software tracing and mapping
Expert systems
Computer-assisted Audit Techniques (cont.)
Features of generalized audit software (GAS):
Mathematical computations
Stratification
Statistical analysis
Sequence checking
Functions supported by GAS:
File access
File reorganization
Data selection
Statistical functions
Arithmetical functions
Computer-assisted Audit Techniques (cont.)
Items to consider before utilizing CAATs:
Ease of use for existing and future audit staff
Training requirements
Complexity of coding and maintenance
Flexibility of uses
Installation requirements
Processing efficiencies
Confidentiality of data being processed
Computer-assisted Audit Techniques (cont.)
Documentation that should be retained:
Online reports
Commented program listings
Flowcharts
Sample reports
Record and file layouts
Field definitions
Operating instructions
Description of applicable source documents
Computer-assisted Audit Techniques (cont.)
CAATs as a continuous online audit approach:
Improves audit efficiency
IS auditors must:
– develop audit techniques for use with advanced computerized systems
– be involved in the creation of advanced systems
– make greater use of automated tools
Evaluation of Audit Strengths and Weaknesses
Assess evidence
Evaluate overall control structure
Evaluate control procedures
Assess control strengths and weaknesses
Evaluation of Audit Strengths and Weaknesses (cont.)
Judging materiality of findings
Materiality is a key issue
Assessment requires judgment of the potential effect of the finding if corrective action is not taken
Communicating Audit Results
Exit interview
• Correct facts
• Realistic recommendations
• Implementation dates for agreed recommendations
Presentation techniques
• Executive summary
• Visual presentation
Communicating Audit Results (cont.)
Audit report structure and contents
An introduction to the report
Audit findings presented in separate sections
The IS auditor’s overall conclusion and opinion
The IS auditor’s reservations with respect to the audit
Detailed audit findings and recommendations
A variety of findings
Audit Documentation
Audit documentation includes:
Planning and preparation of the audit scope and objectives
Description on the scoped audit area
Audit program
Audit steps performed and evidence gathered
Other experts used
Audit findings, conclusions and recommendations
Control Self-Assessment
A management technique
A methodology
In practice, a series of tools
Can be implemented by various methods
Objectives of CSA
Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas
Enhancement of audit responsibilities, not a replacement
Educate management about control design and monitoring
Empowerment of workers to assess the control environment
Benefits of CSA
Early detection of risks
More effective and improved internal controls
Increased employee awareness of organizational objectives
Highly motivated employees
Improved audit rating process
Reduction in control cost
Assurance provided to stakeholders and customers
Disadvantages of CSA
Could be mistaken as an audit function replacement
May be regarded as an additional workload
Failure to act on improvement suggestions could damage employee morale
Lack of motivation may limit effectiveness in the detection of weak controls
Technology Drivers for CSA
Combination of hardware and software
Use of an electronic meeting system
Computer-supported decision aids
Group decision making is an essential component
Traditional vs. CSA Approach
Traditional Approach
Assigns duties/supervises staff
Policy/rule driven
Limited employee participation
Narrow stakeholder focus
CSA Approach
Empowered/accountable employees
Continuous improvement/learning curve
Extensive employee participation and training
Broad stakeholder focus
Integrated Auditing
Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity.
• Focuses on risk to the organization (for an internal auditor)
• Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)
Integrated Auditing (cont.)
Process involves:
Identification of risks faced by organization and of relevant key controls
Review and understanding of the design of key controls
Testing that key controls are supported by the IT system
Testing that management controls operate effectively
A combined report or opinion on control risks, design and weaknesses
Continuous Auditing
Distinctive character
Short time lapse between the facts to be audited and the collection of evidence and audit reporting
Drivers
Better monitoring of financial issues
Allows real-time transactions to benefit from real-time monitoring
Prevents financial fiascoes and audit scandals
Uses software to determine proper financial controls
Continuous Auditing (cont.)
Continuous monitoring
Provided by IS management tools
Based on automated procedures to meet fiduciary responsibilities
Continuous auditing
Audit-driven
Completed using automated audit procedures
Continuous Auditing (cont.)
Application of continuous auditing due to:
New information technology developments
Increased processing capabilities
Standards
Artificial intelligence tools
Continuous Auditing (cont.)
Prerequisites:
A high degree of automation
An automated and reliable information-producing process
Alarm triggers to report control failures
Implementation of automated audit tools
Quickly informing IS auditors of anomalies/errors
Timely issuance of automated audit reports
Technically proficient IS auditors
Availability of reliable sources of evidence
Adherence to materiality guidelines
Change of IS auditors’ mindset
Evaluation of cost factors
Continuous Auditing (cont.)
IT techniques in a continuous auditing environment:
Transaction logging
Query tools
Statistics and data analysis (CAAT)
Database management systems (DBMS)
Data warehouses, data marts and data mining
Intelligent agents
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business Reporting Language
Continuous Auditing (cont.)
Advantages
Instant capture of internal control problems
Reduction of intrinsic audit inefficiencies
Disadvantages
Difficulty in implementation
High cost
Elimination of auditors’ personal judgment and evaluation