Auditor's Guide to IT Auditing - Richard E. Cascarino - E-Book

Richard E. Cascarino

Description

Step-by-step guide to successful implementation and control of IT systems—including the Cloud

Many auditors are unfamiliar with the techniques they need to know to efficiently and effectively determine whether information systems are adequately protected. Now in a Second Edition, Auditor's Guide to IT Auditing presents an easy, practical guide for auditors that can be applied to all computing environments.

  • Follows the approach used by the Information System Audit and Control Association's model curriculum, making this book a practical approach to IS auditing
  • Serves as an excellent study guide for those preparing for the CISA and CISM exams
  • Includes discussion of risk evaluation methodologies, new regulations, SOX, privacy, banking, IT governance, CobiT, outsourcing, network management, and the Cloud
  • Includes a link to an education version of IDEA--Data Analysis Software

As networks and enterprise resource planning systems bring resources together, and as increasing privacy violations threaten more organizations, information systems integrity becomes more important than ever. Auditor's Guide to IT Auditing, Second Edition empowers auditors to effectively gauge the adequacy and effectiveness of information systems controls.

The e-book can be read in Legimi apps or in any app that supports the following format:

EPUB

Number of pages: 657

Year of publication: 2012




Contents

Cover

Content

Series Page

Title Page

Copyright

Dedication

Preface

CONTROLS IN MODERN COMPUTER SYSTEMS

OVERALL FRAMEWORK

PART ONE: IT Audit Process

CHAPTER ONE: Technology and Audit

TECHNOLOGY AND AUDIT

BATCH AND ONLINE SYSTEMS

ELECTRONIC DATA INTERCHANGE

ELECTRONIC BUSINESS

CLOUD COMPUTING

CHAPTER TWO: IT Audit Function Knowledge

INFORMATION TECHNOLOGY AUDITING

WHAT IS MANAGEMENT?

MANAGEMENT PROCESS

UNDERSTANDING THE ORGANIZATION’S BUSINESS

ESTABLISHING THE NEEDS

IDENTIFYING KEY ACTIVITIES

ESTABLISH PERFORMANCE OBJECTIVES

DECIDE THE CONTROL STRATEGIES

IMPLEMENT AND MONITOR THE CONTROLS

EXECUTIVE MANAGEMENT’S RESPONSIBILITY AND CORPORATE GOVERNANCE

AUDIT ROLE

CONCEPTUAL FOUNDATION

PROFESSIONALISM WITHIN THE IT AUDITING FUNCTION

RELATIONSHIP OF INTERNAL IT AUDIT TO THE EXTERNAL AUDITOR

RELATIONSHIP OF IT AUDIT TO OTHER COMPANY AUDIT ACTIVITIES

AUDIT CHARTER

CHARTER CONTENT

OUTSOURCING THE IT AUDIT ACTIVITY

REGULATION, CONTROL, AND STANDARDS

CHAPTER THREE: IT Risk and Fundamental Auditing Concepts

COMPUTER RISKS AND EXPOSURES

EFFECT OF RISK

AUDIT AND RISK

AUDIT EVIDENCE

CONDUCTING AN IT RISK-ASSESSMENT PROCESS

NIST SP 800-30 FRAMEWORK

ISO 27005

THE “CASCARINO CUBE”

RELIABILITY OF AUDIT EVIDENCE

AUDIT EVIDENCE PROCEDURES

RESPONSIBILITIES FOR FRAUD DETECTION AND PREVENTION

NOTES

CHAPTER FOUR: Standards and Guidelines for IT Auditing

IIA STANDARDS

CODE OF ETHICS

ADVISORY

AIDS

STANDARDS FOR THE PROFESSIONAL PERFORMANCE OF INTERNAL AUDITING

ISACA STANDARDS

ISACA CODE OF ETHICS

COSO: INTERNAL CONTROL STANDARDS

BS 7799 AND ISO 17799: IT SECURITY

NIST

BSI BASELINES

NOTE

CHAPTER FIVE: Internal Controls Concepts Knowledge

INTERNAL CONTROLS

COST/BENEFIT CONSIDERATIONS

INTERNAL CONTROL OBJECTIVES

TYPES OF INTERNAL CONTROLS

SYSTEMS OF INTERNAL CONTROL

ELEMENTS OF INTERNAL CONTROL

MANUAL AND AUTOMATED SYSTEMS

CONTROL PROCEDURES

APPLICATION CONTROLS

CONTROL OBJECTIVES AND RISKS

GENERAL CONTROL OBJECTIVES

DATA AND TRANSACTIONS OBJECTIVES

PROGRAM CONTROL OBJECTIVES

CORPORATE IT GOVERNANCE

COSO AND INFORMATION TECHNOLOGY

GOVERNANCE FRAMEWORKS

NOTES

CHAPTER SIX: Risk Management of the IT Function

NATURE OF RISK

RISK-ANALYSIS SOFTWARE

AUDITING IN GENERAL

ELEMENTS OF RISK ANALYSIS

DEFINING THE AUDIT UNIVERSE

COMPUTER SYSTEM THREATS

RISK MANAGEMENT

NOTES

CHAPTER SEVEN: Audit Planning Process

BENEFITS OF AN AUDIT PLAN

STRUCTURE OF THE PLAN

TYPES OF AUDIT

CHAPTER EIGHT: Audit Management

PLANNING

AUDIT MISSION

IT AUDIT MISSION

ORGANIZATION OF THE FUNCTION

STAFFING

IT AUDIT AS A SUPPORT FUNCTION

PLANNING

BUSINESS INFORMATION SYSTEMS

INTEGRATED IT AUDITOR VERSUS INTEGRATED IT AUDIT

AUDITEES AS PART OF THE AUDIT TEAM

APPLICATION AUDIT TOOLS

ADVANCED SYSTEMS

SPECIALIST AUDITOR

IT AUDIT QUALITY ASSURANCE

CHAPTER NINE: Audit Evidence Process

AUDIT EVIDENCE

AUDIT EVIDENCE PROCEDURES

CRITERIA FOR SUCCESS

STATISTICAL SAMPLING

WHY SAMPLE?

JUDGMENTAL (OR NON-STATISTICAL) SAMPLING

STATISTICAL APPROACH

SAMPLING RISK

ASSESSING SAMPLING RISK

PLANNING A SAMPLING APPLICATION

CALCULATING SAMPLE SIZE

QUANTITATIVE METHODS

PROJECT-SCHEDULING TECHNIQUES

SIMULATIONS

COMPUTER-ASSISTED AUDIT SOLUTIONS

GENERALIZED AUDIT SOFTWARE

APPLICATION AND INDUSTRY-RELATED AUDIT SOFTWARE

CUSTOMIZED AUDIT SOFTWARE

INFORMATION-RETRIEVAL SOFTWARE

UTILITIES

ON-LINE INQUIRY

CONVENTIONAL PROGRAMMING LANGUAGES

MICROCOMPUTER-BASED SOFTWARE

TEST TRANSACTION TECHNIQUES

CHAPTER TEN: Audit Reporting Follow-up

AUDIT REPORTING

INTERIM REPORTING

CLOSING CONFERENCES

WRITTEN REPORTS

CLEAR WRITING TECHNIQUES

PREPARING TO WRITE

BASIC AUDIT REPORT

EXECUTIVE SUMMARY

DETAILED FINDINGS

POLISHING THE REPORT

DISTRIBUTING THE REPORT

FOLLOW-UP REPORTING

TYPES OF FOLLOW-UP ACTION

PART TWO: Information Technology Governance

CHAPTER ELEVEN: Management

IT INFRASTRUCTURES

PROJECT-BASED FUNCTIONS

QUALITY CONTROL

OPERATIONS AND PRODUCTION

TECHNICAL SERVICES

PERFORMANCE MEASUREMENT AND REPORTING

MEASUREMENT IMPLEMENTATION

NOTES

CHAPTER TWELVE: Strategic Planning

STRATEGIC MANAGEMENT PROCESS

STRATEGIC DRIVERS

NEW AUDIT REVOLUTION

LEVERAGING IT

BUSINESS PROCESS RE-ENGINEERING MOTIVATION

IT AS AN ENABLER OF RE-ENGINEERING

DANGERS OF CHANGE

SYSTEM MODELS

INFORMATION RESOURCE MANAGEMENT

STRATEGIC PLANNING FOR IT

DECISION SUPPORT SYSTEMS

STEERING COMMITTEES

STRATEGIC FOCUS

AUDITING STRATEGIC PLANNING

DESIGN THE AUDIT PROCEDURES

NOTE

CHAPTER THIRTEEN: Management Issues

PRIVACY

COPYRIGHTS, TRADEMARKS, AND PATENTS

ETHICAL ISSUES

CORPORATE CODES OF CONDUCT

IT GOVERNANCE

SARBANES-OXLEY ACT

PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS

HOUSEKEEPING

NOTES

CHAPTER FOURTEEN: Support Tools and Frameworks

GENERAL FRAMEWORKS

COSO: INTERNAL CONTROL STANDARDS

OTHER STANDARDS

GOVERNANCE FRAMEWORKS

NOTE

CHAPTER FIFTEEN: Governance Techniques

CHANGE CONTROL

PROBLEM MANAGEMENT

AUDITING CHANGE CONTROL

OPERATIONAL REVIEWS

PERFORMANCE MEASUREMENT

ISO 9000 REVIEWS

PART THREE: Systems and Infrastructure Lifecycle Management

CHAPTER SIXTEEN: Information Systems Planning

STAKEHOLDERS

OPERATIONS

SYSTEMS DEVELOPMENT

TECHNICAL SUPPORT

OTHER SYSTEM USERS

SEGREGATION OF DUTIES

PERSONNEL PRACTICES

OBJECT-ORIENTED SYSTEMS ANALYSIS

ENTERPRISE RESOURCE PLANNING

CLOUD COMPUTING

NOTES

CHAPTER SEVENTEEN: Information Management and Usage

WHAT ARE ADVANCED SYSTEMS?

SERVICE DELIVERY AND MANAGEMENT

COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUES

NOTES

CHAPTER EIGHTEEN: Development, Acquisition, and Maintenance of Information Systems

PROGRAMMING COMPUTERS

PROGRAM CONVERSIONS

SYSTEMS DEVELOPMENT EXPOSURES

SYSTEMS DEVELOPMENT CONTROLS

SYSTEMS DEVELOPMENT LIFECYCLE CONTROL: CONTROL OBJECTIVES

MICRO-BASED SYSTEMS

CLOUD COMPUTING APPLICATIONS

NOTE

CHAPTER NINETEEN: Impact of Information Technology on the Business Processes and Solutions

IMPACT

CONTINUOUS MONITORING

BUSINESS PROCESS OUTSOURCING

E-BUSINESS

NOTES

CHAPTER TWENTY: Software Development

DEVELOPING A SYSTEM

CHANGE CONTROL

WHY DO SYSTEMS FAIL?

AUDITOR’S ROLE IN SOFTWARE DEVELOPMENT

CHAPTER TWENTY-ONE: Audit and Control of Purchased Packages and Services

IT VENDORS

REQUEST FOR INFORMATION

REQUIREMENTS DEFINITION

REQUEST FOR PROPOSAL

INSTALLATION

SYSTEMS MAINTENANCE

SYSTEMS MAINTENANCE REVIEW

OUTSOURCING

SAS 70 REPORTS

CHAPTER TWENTY-TWO: Audit Role in Feasibility Studies and Conversions

FEASIBILITY SUCCESS FACTORS

CONVERSION SUCCESS FACTORS

CHAPTER TWENTY-THREE: Audit and Development of Application Controls

WHAT ARE SYSTEMS?

CLASSIFYING SYSTEMS

CONTROLLING SYSTEMS

CONTROL STAGES

CONTROL OBJECTIVES OF BUSINESS SYSTEMS

GENERAL CONTROL OBJECTIVES

CAATS AND THEIR ROLE IN BUSINESS SYSTEMS AUDITING

COMMON PROBLEMS

AUDIT PROCEDURES

CAAT USE IN NON-COMPUTERIZED AREAS

DESIGNING AN APPROPRIATE AUDIT PROGRAM

PART FOUR: Information Technology Service Delivery and Support

CHAPTER TWENTY-FOUR: Technical Infrastructure

AUDITING THE TECHNICAL INFRASTRUCTURE

INFRASTRUCTURE CHANGES

COMPUTER OPERATIONS CONTROLS

OPERATIONS EXPOSURES

OPERATIONS CONTROLS

PERSONNEL CONTROLS

SUPERVISORY CONTROLS

INFORMATION SECURITY

OPERATIONS AUDITS

NOTES

CHAPTER TWENTY-FIVE: Service-Center Management

PRIVATE SECTOR PREPAREDNESS (PS PREP)

CONTINUITY MANAGEMENT AND DISASTER RECOVERY

MANAGING SERVICE-CENTER CHANGE

NOTES

PART FIVE: Protection of Information Assets

CHAPTER TWENTY-SIX: Information Assets Security Management

WHAT IS INFORMATION SYSTEMS SECURITY?

CONTROL TECHNIQUES

WORKSTATION SECURITY

PHYSICAL SECURITY

LOGICAL SECURITY

USER AUTHENTICATION

COMMUNICATIONS SECURITY

ENCRYPTION

HOW ENCRYPTION WORKS

ENCRYPTION WEAKNESSES

POTENTIAL ENCRYPTION

DATA INTEGRITY

DOUBLE PUBLIC KEY ENCRYPTION

STEGANOGRAPHY

INFORMATION SECURITY POLICY

NOTES

CHAPTER TWENTY-SEVEN: Logical Information Technology Security

COMPUTER OPERATING SYSTEMS

TAILORING THE OPERATING SYSTEM

AUDITING THE OPERATING SYSTEM

SECURITY

CRITERIA

SECURITY SYSTEMS: RESOURCE ACCESS CONTROL FACILITY

AUDITING RACF

ACCESS CONTROL FACILITY 2

TOP SECRET

USER AUTHENTICATION

BYPASS MECHANISMS

SECURITY TESTING METHODOLOGIES

NOTES

CHAPTER TWENTY-EIGHT: Applied Information Technology Security

COMMUNICATIONS AND NETWORK SECURITY

NETWORK PROTECTION

HARDENING THE OPERATING ENVIRONMENT

CLIENT SERVER AND OTHER ENVIRONMENTS

FIREWALLS AND OTHER PROTECTION RESOURCES

INTRUSION-DETECTION SYSTEMS

NOTE

CHAPTER TWENTY-NINE: Physical and Environmental Security

CONTROL MECHANISMS

IMPLEMENTING THE CONTROLS

PART SIX: Business Continuity and Disaster Recovery

CHAPTER THIRTY: Protection of the Information Technology Architecture and Assets: Disaster-Recovery Planning

RISK REASSESSMENT

DISASTER—BEFORE AND AFTER

CONSEQUENCES OF DISRUPTION

WHERE TO START

TESTING THE PLAN

AUDITING THE PLAN

CHAPTER THIRTY-ONE: Displacement Control

INSURANCE

SELF-INSURANCE

PART SEVEN: Advanced IT Auditing

CHAPTER THIRTY-TWO: Auditing E-commerce Systems

E-COMMERCE AND ELECTRONIC DATA INTERCHANGE: WHAT IS IT?

OPPORTUNITIES AND THREATS

RISK FACTORS

THREAT LIST

SECURITY TECHNOLOGY

“LAYER” CONCEPT

AUTHENTICATION

ENCRYPTION

TRADING PARTNER AGREEMENTS

RISKS AND CONTROLS WITHIN EDI AND E-COMMERCE

E-COMMERCE AND AUDITABILITY

COMPLIANCE AUDITING

E-COMMERCE AUDIT APPROACH

AUDIT TOOLS AND TECHNIQUES

AUDITING SECURITY CONTROL STRUCTURES

COMPUTER-ASSISTED AUDIT TECHNIQUES

NOTES

CHAPTER THIRTY-THREE: Auditing UNIX/Linux

HISTORY

SECURITY AND CONTROL IN A UNIX/LINUX SYSTEM

ARCHITECTURE

UNIX SECURITY

SERVICES

DAEMONS

AUDITING UNIX

SCRUTINY OF LOGS

AUDIT TOOLS IN THE PUBLIC DOMAIN

UNIX PASSWORD FILE

AUDITING UNIX PASSWORDS

CHAPTER THIRTY-FOUR: Auditing Windows VISTA and Windows 7

HISTORY

NT AND ITS DERIVATIVES

AUDITING WINDOWS VISTA/WINDOWS 7

PASSWORD PROTECTION

VISTA/WINDOWS 7

SECURITY CHECKLIST

CHAPTER THIRTY-FIVE: Foiling the System Hackers

CHAPTER THIRTY-SIX: Preventing and Investigating Information Technology Fraud

PREVENTING FRAUD

INVESTIGATION

IDENTITY THEFT

NOTE

APPENDIX A: Ethics and Standards for the IS Auditor

ISACA CODE OF PROFESSIONAL ETHICS

RELATIONSHIP OF STANDARDS TO GUIDELINES AND PROCEDURES

APPENDIX B: Audit Program for Application Systems Auditing

APPENDIX C: Logical Access-Control Audit Program

APPENDIX D: Audit Program for Auditing UNIX/Linux Environments

APPENDIX E: Audit Program for Auditing Windows VISTA and Windows 7 Environments

About the Author

About the Website

Index

End User License Agreement



List of Illustrations

CHAPTER THREE: IT Risk and Fundamental Auditing Concepts

Exhibit 3.1 Typical IT Infrastructure

Exhibit 3.2 Cascarino’s Cube

Exhibit 3.3 IT Security

Exhibit 3.4 Control Cells

CHAPTER NINE: Audit Evidence Process

Exhibit 9.1 Table of Sampling Methods

Exhibit 9.2 PERT Chart

CHAPTER ELEVEN: Management

Exhibit 11.1 Waterfall Cycle

Exhibit 11.2 Vee Cycle

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.

The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.

Auditor’s Guide to IT Auditing

Second Edition

RICHARD E. CASCARINO

Copyright © 2012 by Richard E. Cascarino. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

First Edition: Auditor’s Guide to Information Systems Auditing (978-0-470-00989-5). Copyright © 2007 John Wiley & Sons, Inc. Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Cascarino, Richard.
Auditor’s guide to IT auditing / Richard E. Cascarino. — 2nd ed.
p. cm. — (Wiley corporate F&A series)
Rev. ed. of: Auditor’s guide to information systems auditing.
Includes index.
ISBN 978-1-118-14761-0 (hardback); ISBN 978-1-118-22584-4 (ebk); ISBN 978-1-118-23907-0 (ebk); ISBN 978-1-118-24425-8 (ebk)
1. Electronic data processing—Auditing. I. Cascarino, Richard. Auditor’s guide to information systems auditing. II. Title.
QA76.9.A93C37 2012
658′.0558—dc23

2011042683

ISBN 978-1-118-14761-0

I wish to take this opportunity to dedicate this book to my wife, Max, who has, over the last 33 years, put up with my bad temper when the computer would not do what I programmed it to do, my ego when it did eventually work, my despair when the system crashed again and again, and my complacency when the problems were solved.

I would also like to thank those who molded my career over the years, particularly Jim Leary for showing me what an IS manager could be and Scotch Duncan Anderson for showing me what an internal auditor should be.

And in grateful thanks to my friend, the late Gene Schultz, who died before being able to review the second edition of this book having given such a sterling review to the first edition. He was an inspiration and will be sadly missed.

Preface

IN TODAY’S BUSINESS ENVIRONMENT, computers are continuing the revolution started in the 1950s. The capacity of the equipment grows on an exponential curve while its cost and physical size fall, and organizations take advantage of this to develop more effective and responsive systems, which allow them to seek competitive advantage by interfacing more closely with their customers. This second edition has been brought up to date with the latest in information technology (IT) approaches such as cloud computing as well as the latest in standards and regulations. The section on risk management has been expanded to include the varying risk-analysis techniques available to the IT auditor.

Net technologies such as cloud computing, electronic data interchange (EDI), electronic funds transfers (EFTs), and e-commerce have fundamentally changed the nature of business itself and, as a result, organizations have become more computer dependent. The radical changes to business are matched only by their impact on society.

It has become impossible for today’s enterprises of any size and in any market sector to exist without computers to assist with their fundamental business operations. Even the old adage that “we can always go back to manual operations” is today a fallacy. The nature of today’s business environment obviates that option. Even the smallest businesses have found that the advent of personal computers (PCs) with increased capabilities and processing speed, while at the same time reduced pricing and sophisticated PC software, has revolutionized the concept of what a small business is.

In order for organizations to take full advantage of the new facilities that computers can offer, it is important that their systems can be controlled and are dependable. They require that their auditors confirm that this is the case. The modern auditor therefore requires significantly more knowledge of computers and computer auditing than did auditors of earlier years.

CONTROLS IN MODERN COMPUTER SYSTEMS

The introduction of the computer has brought fundamental changes to the ways organizations process data. Computer systems:

  • Are frequently much more complex than manual systems, the larger systems at least requiring a number of highly skilled computer technicians to develop and maintain them.
  • Process large volumes of data at high speed, and can transmit data effectively and instantaneously over extreme distances, commonly between continents.
  • Hold data in electronic form, which, without the appropriate tools and techniques, is often more complex for the auditor to access than paper records. In addition, modern systems have reduced the volumes of printed outputs by the incorporation of online access and online inquiry facilities. Indeed, many modern EDI-type systems have no paper audit trail whatsoever.
  • Process data with much less manual intervention than manual systems. In fact, large parts of sophisticated systems now process data with no manual intervention at all. In the past, the main justification for computerization was frequently to reduce the number of staff required to operate the business. With modern decision support and integrated systems, this is becoming a reality not at the clerical level, but at the decision-making and control level. This can have the effect that the fundamental business controls previously relied upon by the auditor, such as segregation of duties or management authorization, may no longer be carried out as previously and must be audited in a different manner. In computer systems, the user profile of the member of staff as defined within the system’s access rights will generally control the division of duties, while managerial authorities are, in many cases, built into the systems themselves.
  • Process consistently in accordance with their programs, provided that the computer has been programmed correctly and change control is effective.
  • Concentrate risk. In large minicomputer and mainframe systems, there is a significant concentration of risk in holding the organization’s information resources in one format, although not necessarily in one place. Organizations then become totally reliant on their computer system and must be able to recover from failure or the destruction of their computer system swiftly and with minimal business disruption.
  • Are often subject to different legal constraints and burdens of proof than manual systems.
  • May operate within a cloud environment within which control over the availability, security, and confidentiality of systems and data may be handed over to a third party and may be subject to the laws of a different country.

These changes brought about by computerization can greatly increase the opportunity for auditors to deliver a quality service, because concentrating the risk allows the auditors to correspondingly concentrate their efforts. For example, harnessing the power of the computer to analyze large volumes of data in the way the auditor requires is now commonly the only practical way of analyzing corporate data, something that was impractical, even impossible, while data was spread around the organization in a myriad of forms.

In addition, the use of computer systems with built-in programmed procedures permits the auditor to adopt a systems approach to auditing, because the controls within the computer system operate more consistently than those in a manual system. In manual systems the quality of the control procedure can change on a day-by-day basis, depending on the quality of the staff and their consistency of working. This can result in the auditor having to undertake a substantial amount of transaction checking to confirm that transactions have been processed correctly.

Controls within computer systems are commonly classified in two main subdivisions:

General controls.

The controls governing the environment in which the computer system is developed, maintained, and operated, and within which the application controls operate. These controls include the systems-development standards operated by the organization, the controls that apply to the operation of the computer installation, and those governing the functioning of systems software. They have a pervasive effect on all application systems.

Application controls.

The controls, both manual and computerized, within the business application to ensure that data is processed completely, accurately, and in a timely manner. Application controls are typically specific to the business application and include:

  • Input controls such as data validation and batching
  • Run-to-run controls to check file totals at key stages in processing, and controls over output

Ultimately, the auditor’s job is to determine whether the application systems function as intended and whether the integrity, accuracy, and completeness of the data are well controlled, and to report any significant discrepancies. The integrity of the data relies on the adequacy of the application controls. However, application controls are totally dependent on the integrity of the general controls over the environment within which the application is developed and run.
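The input controls and run-to-run controls described above, as an added example that is not taken from the book: a small batch-processing routine that applies field-level validation to each input record, computes the classic control totals (record count, hash total of account numbers, monetary total), reconciles them to the totals the submitting department keyed in on a batch header, and then carries those totals forward to check that a later processing stage reproduces them. The batch header, the sample detail lines, the field rules and the `simulate_posting` stage are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed sample batch (not from the book). The header carries the control
# totals the submitting department computed before keying the batch; the
# detail lines are account,date,amount. Record 1003 is deliberately bad.
BATCH_HEADER = {
    "expected_count": 4,
    "expected_hash": 1001 + 1002 + 1003 + 1004,   # hash total of account numbers
    "expected_amount": Decimal("1250.00"),
}
INPUT_LINES = [
    "1001,2012-03-01,250.00",
    "1002,2012-03-01,500.00",
    "1003,2012-03-01,-100.00",   # fails validation: negative amount
    "1004,2012-03-01,600.00",
]


@dataclass(frozen=True)
class Record:
    account: int
    date: str
    amount: Decimal


def validate_line(line):
    """Input control: field-level edit checks. Returns (Record, None) or (None, reason)."""
    parts = line.split(",")
    if len(parts) != 3:
        return None, "wrong field count"
    acct, date, amt = (p.strip() for p in parts)
    if not (acct.isdigit() and 1000 <= int(acct) <= 9999):
        return None, "account number out of range"
    if len(date) != 10 or date[4] != "-" or date[7] != "-":
        return None, "date not in YYYY-MM-DD form"
    try:
        amount = Decimal(amt)
    except InvalidOperation:
        return None, "amount not numeric"
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return None, "amount must be positive with at most two decimals"
    return Record(int(acct), date, amount), None


def control_totals(records):
    """Batch totals: record count, hash total of account numbers, monetary total."""
    return {
        "count": len(records),
        "hash": sum(r.account for r in records),
        "amount": sum((r.amount for r in records), Decimal("0")),
    }


def accept_batch(header, lines):
    """Input stage: validate every line, then reconcile the accepted records
    to the keyed-in header totals. Any mismatch is reported as an exception
    for a person to resolve rather than silently corrected."""
    accepted, rejected = [], []
    for line in lines:
        rec, reason = validate_line(line)
        if rec is None:
            rejected.append((line, reason))
        else:
            accepted.append(rec)
    totals = control_totals(accepted)
    exceptions = [
        name for name, key in (("count", "expected_count"),
                               ("hash", "expected_hash"),
                               ("amount", "expected_amount"))
        if totals[name] != header[key]
    ]
    return {"accepted": accepted, "rejected": rejected,
            "totals": totals, "exceptions": exceptions}


def run_to_run_check(carried_totals, stage_output):
    """Run-to-run control: the totals carried forward from the previous stage
    must be reproduced from the records the next stage actually emits.
    Returns the names of the totals that do not agree."""
    produced = control_totals(stage_output)
    return [k for k in ("count", "hash", "amount") if produced[k] != carried_totals[k]]


def simulate_posting(records, lose_account=None):
    """Hypothetical downstream stage; lose_account models a record silently dropped."""
    return [r for r in records if r.account != lose_account]


if __name__ == "__main__":
    result = accept_batch(BATCH_HEADER, INPUT_LINES)
    print("rejected:", result["rejected"])
    print("header mismatches:", result["exceptions"])
    posted = simulate_posting(result["accepted"], lose_account=1004)
    print("run-to-run mismatches:", run_to_run_check(result["totals"], posted))
```

The rejected record changes all three totals, so the header reconciliation flags count, hash and amount at once; the hash total is what makes a substituted account number visible even when the count and the money still agree. Carrying the accepted totals (not the header totals) into the run-to-run check separates "the batch was keyed wrongly" from "a later stage lost or altered a record", which is the distinction the auditor needs when tracing a discrepancy.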

In the past, the auditor has often placed considerable reliance on controls around the computer, that is, on the application controls. This is sometimes referred to as auditing “around” the computer because the auditor concentrates on the input to and output from the computer, rather than on what happens in the computer.

This has never been truly justified but has become, over recent years, a lethal assumption.

With the spread of online and real-time working, and with the increasing capacity of fixed disks, all of the organization’s data is commonly permanently loaded on the computer system and accessible from a variety of places, with only systems software controls preventing access to the data. Such systems are increasing in technical complexity, and the ability to exploit any weaknesses in their implementation is growing with them.

It is critical that the auditor is assured of the integrity of the computer operational environment within which the applications systems function. This means that the auditor must become knowledgeable of the facilities provided in key systems software in the organization being audited.

This book is designed for those who need to gain a practical working knowledge of the risks and control opportunities within an IT environment, and the auditing of that environment. Readers who will find the text particularly useful include professionals and students within the fields of:

  • IT security
  • IT audit
  • Internal audit
  • External audit
  • Management information systems
  • General business management

Overall, this book contains the information required by anyone who is, or expects to be, accountable to management for the successful implementation and control of information systems.

It is intended that the text within this book forms the foundation for a learning experience, as well as being your reference manual and student text. The emphasis is therefore on both the principles and techniques and on their practical implementation through the use of realistic case studies.

OVERALL FRAMEWORK

Within the book the terms Information Technology (IT) and Information Systems (IS) are both used because both are in common use to mean virtually identical functions. The book is split into eight parts, namely:

Part I: IT Audit Process

This part covers the introduction to the technology and auditing involved with modern computer systems. It seeks to establish common frames of reference for all IT students by establishing a baseline of technological understanding as well as an understanding of risks, control objectives, and standards, all concepts essential to the audit function. Internal control concepts and the planning and management of the audit process in order to obtain the appropriate evidence of the achievement of the control objectives are explained, as is the audit reporting process.

Chapter 1 covers the basics of technology and audit. The chapter is intended to give readers an understanding of the technology in use in business as well as knowledge of the jargon and its meaning. It covers the components of control within an IT environment and explains who the main players are and what their role is within this environment.

Chapter 2 looks at the laws and regulations governing IT audit and the nature and role of the audit charter. It reviews the varying nature of audit and the demand for audits as well as the need for control and audit of computer-based IS. The types of audit and auditor and range of services to be provided are reviewed together with the standards and codes of ethics of both the Institute of Internal Auditors (IIA) and the standards specified by the Information Systems Audit and Control Association (ISACA).

Chapter 3 explores the concepts of materiality and risk within the IT audit function and contrasts them with materiality as it is commonly applied to financial statement audits such as those performed by independent external auditors. In this context, the quality and types of evidence required to meet the definitions of sufficiency, reliability, and relevancy are examined. The risks involved in examining evidence to arrive at an audit conclusion are reviewed, as is the need to maintain the independence and objectivity of the auditor and the auditor’s responsibility for fraud detection in both an IT and a non-IT setting. A variety of differing risk assessment methods is examined.

Chapter 4 explores in detail the ISACA Code of Professional Ethics and the current ISACA IS Auditing Standards and Guidelines, and discusses the IIA Code of Ethics, Standards for the Professional Practice of Internal Auditing, and Practice Advisories. In addition, standards and guidelines other than the ISACA and IIA models are explored.

Chapter 5 introduces the concepts of corporate governance with particular attention to the implications within an IT environment and the impact on IS auditors. Criteria of Control (COCO), Committee of Sponsoring Organizations of the Treadway Commission (COSO), King, Sarbanes-Oxley Act of 2002, and other recent legislative impacts are examined together with the structuring of controls to achieve conformity to these structures. Control classifications are examined in detail together with both general and application controls. Particular attention is paid to COBIT (Control Objectives for Information and Related Technology) from both a structural and relevance perspective.

Chapter 6 introduces the concept of computer risks and exposures and includes the development of an understanding of the major types of risks faced by the IT function, including the sources of such risk as well as the causes. It also emphasizes management’s role in adopting a risk position, which itself necessitates a knowledge of the acceptable management responses to computer risks. One of the most fundamental influencing factors in IT auditing is the issue of corporate risk. This chapter examines risk and its nature within the corporate environment and looks at the internal audit need for the appropriate risk analysis to enable risk-based auditing as an integrated approach. This includes the effect of computer risks, the common risk factors, and the elements required to complete a computer risk analysis.

Chapter 7 examines the audit planning process at both a strategic and tactical level. The use of risk-based auditing and risk-assessment methods and standards is covered. The preliminary evaluation of internal controls via the appropriate information-gathering and control-evaluation techniques as a fundamental component of the audit plan, and the design of the audit plan to achieve a variety of audit scopes, are detailed.

Chapter 8 looks at audit management and its resource allocation and prioritization in the planning and execution of assignments. The management of IS Audit quality through techniques such as peer reviews and best-practice identification is explored. The human aspects of management in the forms of career development and career path planning, performance assessment, counseling, and feedback as well as professional development through certifications, professional involvement, and training (both internal and external) are reviewed.

Chapter 9 exposes the fundamental audit evidence process and the gathering of evidence that may be deemed sufficient, reliable, relevant, and useful. Evidence-gathering techniques such as observation, inquiry, interviewing, and testing are examined and the techniques of compliance versus substantive testing are contrasted. The complex area of statistical and non-statistical sampling techniques and the design and selection of samples and evaluation of sample results is examined. The essential techniques of computer assisted audit techniques (CAATs) are covered and a case study using the software provided is detailed.

Chapter 10 covers audit reporting and follow-up. The form and content of an audit report are detailed and its purpose, structure, content, and style as dictated by the desired effect on its intended recipient for a variety of types of opinion are considered as well as the follow-up to determine management’s actions to implement recommendations.

Part II: Information Technology Governance

This part details the processes involved in planning and managing the IT function and the management issues faced in a modern IT department. The techniques used by management and the support tools and frameworks are examined with respect to the need for control within the processes.

Chapter 11 covers IT project-management, risk management including economic, social, cultural, and technology risk management as well as software quality-control management, the management of IT infrastructure, alternative IT architectures and configuration, and the management of IT delivery (operations) and support (maintenance). Performance measurement and reporting and the IT balanced scorecard are also covered as are the use of outsourcing, the implementation of IT quality assurance, and the socio-technical and cultural approach to management.

Chapter 12 examines IT strategic planning and looks at competitive strategies and business intelligence and their link to corporate strategy. These, in turn, influence the development of strategic information systems frameworks and applications. Strategic planning also includes the management of IT human resources, employee policies, agreements, contracts, segregation of duties within IT, and the implementation of effective IT training and education.

Chapter 13 looks at the broader IS/IT management issues including the legal issues relating to the introduction of IT to the enterprise; intellectual property issues in cyberspace: trademarks, copyrights, patents as well as ethical issues; rights to privacy; and the implementation of effective IT governance.

Chapter 14 introduces the need for support tools and frameworks such as COBIT: Management Guidelines, a framework for IT/IS managers and COBIT: Audit’s Use in Support of the Business Support Cycle. International standards and good practices such as ISO 17799, IT Infrastructure Library® (ITIL®), privacy standards, COSO, COCO, Cadbury, King, and Sarbanes-Oxley also play a vital role in ensuring the appropriate governance.

Chapter 15 covers the need for, and use of, techniques such as change control reviews, operational reviews, and ISO 9000 reviews.

Part III: Systems and Infrastructure Lifecycle Management

IT is essential to an organization only in so far as it can effectively assist in the achievement of the business objectives. This means that the business-application systems need to be appropriate to the business needs and meet the objectives of the users in an effective and efficient manner. Part III explores the manner in which application systems are planned, acquired externally, or developed internally and ultimately implemented and maintained. In all cases such systems have an objective of being auditable in addition to the other unique business objectives. This part also examines the variety of roles that the auditor could be called on to undertake and the circumstances and controls appropriate to each.

Chapter 16 covers the IT planning and managing components and includes developing an understanding of stakeholders and their requirements together with IT stay planning methods such as system investigation, process integration/reengineering opportunities, risk evaluation, cost-benefit analysis, risk assessment, object-oriented systems analysis, and design. Enterprise Resource Planning (ERP) software to facilitate enterprise applications integration is reviewed.

Chapter 17 covers the areas of information management and usage monitoring. Measurement criteria such as evaluating service level performance against service-level agreements, quality of service, availability, response time, security and controls, processing integrity, and privacy are examined. The analysis, evaluation, and design information together with data and application architecture are evaluated as tools for the auditor.

Chapter 18 investigates the development, acquisition, and maintenance of information systems through Information Systems’ project management involving the planning, organization, human resource deployment, project control, monitoring, and execution of the project plan. The traditional methods for the system development life cycle (SDLC) (analysis, evaluation, and design of an entity’s SDLC phases and tasks) are examined, as are alternative approaches for system development such as the use of software packages, prototyping, business process reengineering, or computer-aided software engineering (CASE). In addition system maintenance and change-control procedures for system changes together with tools to assess risk and control issues and to aid the analysis and evaluation of project characteristics and risks are discussed.

Chapter 19 examines the impact of IT on the business processes and solutions, business process outsourcing (BPO), and applications of e-business issues and trends.

Chapter 20 looks at the software-development-design process itself and covers the separation of specification and implementation in programming, requirements specification methodologies, and technical process design. In addition database creation and manipulation, principles of good screen and report design, and program language alignment are covered.

Chapter 21 looks at the audit and control of purchased packages to introduce readers to those elements critical to the decision taken to make or buy software. This includes a knowledge of the systems-development process and an understanding of the user’s role and the training required, so that the outsource decision, and the factors surrounding it, may be made to best effect.

Chapter 22 looks at the auditor’s role in feasibility studies and conversions. These are perhaps the most critical areas of systems implementation, and audit involvement should be compulsory.

Chapter 23 looks at the audit and development of application-level controls including input/origination controls, processing control procedures, output controls, application system documentation, and the appropriate use of audit trails.

Part IV: Information Technology Service Delivery and Support

This part examines the technical infrastructure in a variety of environments and the influence the infrastructure has on the management and control procedures required to attain the business objectives. The nature and methodologies of service center management are exposed for discussion.

Chapter 24 examines the complex area of the IS/IT technical infrastructure (planning, implementation, and operational practices). IT architecture/standards over hardware including mainframe, minicomputers, client-servers, routers, switches, communications, and PCs as well as software including operating systems, utility software, and database systems are revealed. Network components including communications equipment and services rendered to provide networks, network-related hardware, network-related software, and the use of service providers are covered as are security/testing and validation, performance monitoring, and evaluation tools and IT control monitoring and evaluation tools, such as access control systems monitoring and intrusion-detection-systems monitoring tools. In addition, the role of managing information resources and information infrastructure through enterprise management software and the implementation of service center management and operations standards/guidelines within COBIT, ITIL, and ISO 17799 together with the issues and considerations of service center versus proprietary technical infrastructures are explored.

Chapter 25 introduces the areas of service center management and the maintenance of Information Systems and technical infrastructures. These involve the use of appropriate tools designed to control the introduction of new and changed products into the service center environment and include such aspects as security management, resource/configuration management, and problem and incident management. In addition, the administration of release and versions of automated systems as well as the achievement of service-level management through capacity planning and management of the distribution of automated systems and contingency/backup and recovery management are examined.

The key management principles involved in management of operations of the infrastructure (central and distributed), network management, and risk management are outlined as are both the need for customer liaison as well as the management of suppliers.

Part V: Protection of Information Assets

This part examines the essential area of IT security in all of its manifestations. The administration of security focusing on information as an asset is commonly problematic and may frequently be observed as a patchwork of physical and logical security techniques with little thought to the application and implementation of an integrated approach designed to lead to the achievement of specific control objectives.

Chapter 26 looks at the area of information assets security management. This covers information technology and security basics and the fundamental concepts of IT security. The need for securing IT resources and maintaining an adequate policy framework on IT asset security, the management of IT security, and security training standards are examined as are the major compliance and assurance issues in IT security.

Chapter 27 covers the critical area of the components of logical IT security. Logical access control issues and exposures are explored together with access-control software. The auditing of logical access to ensure the adequate control of logical security risks using the appropriate logical security features, tools, and procedures is detailed.

Chapter 28 looks at the application of IT security including communications and network security. The principles of network security, client-server, Internet and web-based services, and firewall security systems are all detailed together with connectivity protection resources such as cryptography, digital signatures, digital certificates, and key management policies. IT security also encompasses the use of intrusion-detection systems and the proper implementation of mainframe security facilities. Security is also a critical element in the development of application systems and involves both the systems development and maintenance processes and database design.

Chapter 29 examines the concepts of physical IT security including physical access exposures and controls.

Part VI: Business Continuity and Disaster Recovery

In many organizations, the ongoing continuity and availability of an information-processing capability is critical to the corporate survival of the entity. This part explores the need for and techniques utilized in the protection of the information technology architecture and assets through both disaster recovery planning and the transfer of risk by utilizing the appropriate insurance profile. The auditor’s role in examining corporate continuity plans is examined in detail.

Chapter 30 introduces the activities required to ensure the protection of the IT architecture and assets. These include backup provisions involving business-impact analysis and business-continuity planning leading to IT disaster recovery planning, obtaining management support and commitment to the process, plan preparation and documentation, obtaining management approval, and distribution of the plan. In addition, the testing, maintenance, and revision of the plan together with audit’s role in all of these activities are investigated.

Chapter 31 looks at insurance and the variety of insurance coverage that can be obtained. Issues such as the valuation of assets, including equipment, people, information processes, and technology, are examined.

Part VII: Advanced IT Auditing

The final part explores the technical auditor’s function and role in auditing specialized areas such as the audit and control of e-commerce systems, auditing operating systems at both micro and mainframe levels, securing systems against outside penetration, and investigating security breaches.

Chapter 32 examines the tasks required to establish and optimize the IT audit function including defining the scope of IT auditing, setting the objectives, staffing, and training. Measuring the effectiveness of the IT audit and the role of the specialist are critical in producing an effective IT audit function. It also introduces readers to the concepts of the paperless society inherent in e-commerce, business-2-business (B2B), business-2-consumer (B2C), and electronic data interchange (EDI) in general. These concepts change the internal control structure required in such an environment as well as changing the sources of what audit and legal evidence is available. The auditor will be required to implement the correct program to bring the IT audit function in line with this changing business environment.

Chapter 33 takes the reader through the advanced concepts of auditing within a UNIX / Linux environment including the major threat categories and control opportunities as well as the use of the appropriate audit tools.

Chapter 34 covers in detail the theory and practice of auditing within a Windows Vista or Windows 7 environment. This again includes the major control opportunities, controls to be sought, and audit tools to be used.

Chapter 35 addresses the major risk of computer hackers including definitions of how hackers gain entrance and the design of the appropriate security hierarchy in order to effectively manage this critical risk.

Chapter 36 examines the problem of computer fraud and countermeasures to prevent, detect, and alleviate the problems. This includes the effect of the risk of fraud on the business control objectives, the techniques applicable for determining higher risk, as well as the impact of computer fraud on an organization. The ability to distinguish between types of computer fraud, and the nature and effect as well as identification of likely fraud indicators enables the structuring of an appropriate antifraud security environment. The auditor must be capable of distinguishing between fraud and forensic auditing and applying the appropriate techniques. This involves an understanding of the rules that influence the acceptability of computer evidence as legally acceptable and binding evidence.

Appendices

Five appendices will be found at the back of the book including the appropriate ethics and standards for the IT auditor as well as sample audit programs for:

Application Systems Auditing

Logical access control

UNIX / Linux environments

Windows Vista and Version 7

PART ONE: IT Audit Process

CHAPTER ONE: Technology and Audit

THIS CHAPTER COVERS the basics of technology and audit. The chapter is intended to provide an understanding of the technology currently in use in business as well as knowledge of the jargon and its meaning. It also covers the components of control within an information technology (IT) environment and explains who the main players are and what their roles are within this environment.

After reading this chapter you should be able to:

Understand the technology currently in use in business

Understand the jargon and its meaning

Define the components of control in an IT environment

Briefly explain who the players are and what their roles are

Define the fundamental differences between batch and online systems

Explain the principal business risks within each processing type

Describe the components that make up the online system and the effect these have on control objectives

Explain the controls within each type of computer system

Contrast the basics of batch and online security

Demonstrate an ability to:

Identify the differing types of database structures

Identify the principal components of each type of Database Management System (DBMS)

Identify the primary threats to each of these components

Relate DBMS components to the operating system environment in which they operate

Identify potential control opportunities and select among control alternatives

Identify the principal DBMS products in the market

Recognize vulnerabilities in multiple DBMS environments and make appropriate recommendations

TECHNOLOGY AND AUDIT

Before the auditor can make an effective start in auditing the technology, it is critical that both Audit and IT speak a common language and that the auditor understands the technical jargon with which they will be confronted.

Some Computing Jargon

Before we can start to discuss the audit and control of computer systems, we must have a common understanding of the jargon used.

Hardware

Hardware consists of those components that can physically be touched and manipulated. Principal among those components are:

CPU.

The Central Processing Unit is the heart of the computer. This is the logic unit that handles the arithmetic processing of all calculations.

Peripherals.

Peripheral devices are those devices that attach to the CPU to handle—typically—inputs and outputs. These include:

Terminals

Printers

Disk and tape devices

Memory.

Memory takes the form in modern computers of silicon chips capable of storing information. In commercial computers, this information takes the form of 1 and 0 in the notation known as binary.

Memory comes in various forms including:

RAM.

Random Access Memory whose contents can be changed but which is vulnerable to loss of power where the contents of memory may also be lost. This type of memory is also known as dynamic or volatile memory.

ROM.

Read-Only Memory is a form of memory whereby instructions are “burned-in” and not lost in the event of a power loss. These programs cannot be changed. This is also known as non-volatile memory.

PROM.

Programmable Read-Only Memory is similar to ROM but can have the contents changed.

EPROM.

Erasable Programmable Read-Only Memory is similar to PROM but the instructions can be erased by ultra-violet light. There is another version of memory known as nonvolatile RAM. This is memory that has been attached to a battery so that, in the event of a power loss, the contents will not be lost.

Mainframe.

Mainframe computers are the large (physically as well as in power) computers used by companies to carry out large-volume processing and concentrated computing.

Mini.

Minicomputers are physically smaller than mainframes, although the power of many minicomputers exceeds that of recent mainframes.

Micro.

Microcomputers are physically small computers with limited processing power and storage. Having said that, the power and capacity of today’s micro is equivalent to that of a mainframe only five years ago.

LANs.

Local Area Networks are collections of computers linked together within a comparatively small area.

WANs.

Wide Area Networks are collections of computers spread over a large geographic area.

Storage

Data is stored in a variety of forms for both permanent and temporary retention:

Bits.

Binary Digits, individual ones and zeros

Bytes.

Collections of Bits making up individual characters

Disks.

Large-capacity storage devices containing anything from 10 Mb to 150 Gb of data

Diskettes.

Small-capacity removable disks containing from 360 k to 100 Mb of data

Optical Disks.

Laser-encoded disks containing between 650 Mb and 9 GB of data

Tapes.

Reel-to-Reel or cassettes that store data

Memory.

See Memory under the Hardware section

Communications

In order to maximize the potential of the effective use of the information on computers it is essential that isolated computers be able to communicate and share data, programs, and hardware devices.

Terminals.

Remote devices allowing the input and output to and from the computer of data and programs.

Modem.

MOdulator/DEModulator, which translates digital computer signals into analog signals for telephone wires and retranslates them at the other end.

Multiplexer.

Combining signals from a variety of devices to maximize utilization of expensive communication lines.

Cable.

Metallic cable, usually copper, which can carry the signal between computers. These may come in the form of “twisted pair,” where two or more cables are strung together within a plastic sleeve, or in the form of coaxial, where a cable runs within a metallic braiding in the same manner as a television aerial cable.

Fiber Optics.

These consist of fine strands of fiberglass or plastic filaments that carry light signals without the need for electrical insulation. They have extremely high capacity and transfer rates but are expensive.

Microwave.

This form of communication involves sending high-power signals from a transmitter to a receiver. They work on a direct line-of-sight basis but require no cables.

Input

Inputs to computer systems have developed rapidly over the years. The IT Auditor will still occasionally encounter some of the earlier types:

Cards.

Rarely seen nowadays, punch cards were among the first input and output media and consisted of cardboard sheets, some 8 inches by 4 inches with 80 columns, where rectangular holes could be punched in combinations to represent numeric, alphabetic, and special characters.

Paper Tape.

Another early input/output medium, paper tape was a low-cost alternative to punch cards and consisted of a one-inch wide paper tape with circular holes punched in it to form the same range of characters.

Keyboards.

The most common input device today (although that is changing). Most keyboards are still based on the original typist’s QWERTY keyboard design.

Mouse.

An electromechanical pointing device used for inputting instructions in real time.

Scanners.

Optical devices that can scan pictures into a digitized computer-readable form. These devices may be used in combination with OCR (Optical Character Recognition) software to allow the computer to interpret the pictures of data into actual characters.

Bar Codes.

Optically recognizable printing that can be interpreted by low-cost scanners. Common in retail operations.

Voice.

Perhaps the future of computer input whereby the computer user, programmer, or auditor simply dictates into a microphone and the computer responds appropriately.

Output

As with inputs, outputs are changing rapidly. In the earliest of computing times, output came in three basic forms. The most common of these was paper; however, quantities of cards and paper tape were output for subsequent reprocessing. Nowadays most outputs are via screens or directly onto magnetic media.

Paper.

Still a popular output medium, paper may be in continuous stationery form, cut sheet form, or preprinted business stock such as invoices or negotiable instruments such as checks.

Computer.

Output directly to another computer is a growing trend with the coming of age of electronic data interchange (EDI).

Screen.

Output to screen is the current norm for the majority of outputs with graphics, tables, charts, and three-dimensional forms possible.

Microfilm/fiche.

For permanent, readable recording of outputs with a small storage space required, microfilm is a popular output medium. Each frame contains one page of printed output. An alternative is the creation of microfiche, measuring approximately 6 inches by 4 inches and containing some 200 pages of printout.

Magnetic Media.

Output to disks, diskettes, and tapes is commonly used to store large volumes of information.

Voice.

Another new output medium is voice, where a permanent record is not required.

Control

Within the computer systems, control is exercised at a variety of points within the overall architecture. At each stage, opportunities exist to vary the manner in which the computer systems perform to meet the needs of the users.

Operating System.

The Operating System is the set of programs that control the basic operations of the computer. All other software runs under the direction of the Operating System and relies on its services for all of the work they undertake.

Applications.

These systems perform the business functions required of the computer. They run under the direct control of the Operating System but may contain many powerful control elements themselves.

Parameters.

These are user-defined variations adjusting the manner in which programs normally operate.

Run Instructions.

These are instructions to operators of computers instructing them on the jobs to be run and responses to machine questions to be entered.

JCL.

Job Control Language is a means of automating the job-running process by giving the computer the instructions in the form of batch programming language.

Human Element.

Ultimate control is exercised by the people who use, operate, program, and manage computers.

People

As pointed out in the Criteria of Control (CoCo) report referenced in Chapter 15, control is exercised by people and, as such, the auditor must understand the roles and responsibilities of the individuals involved in the development and processing of computer systems.

Operators.

Use the computers on a day-to-day basis.

Programmers.

Write the application programs that run on the computer.

Systems Designers.

Design the overall structure of the application systems and specify the programs required.

Systems Analysts.

Analyze the business structures, applications, and procedures to determine what, if any, contribution IT can make. They also design the outline of business specifications of new systems.

Systems Programmers.

Are responsible for the well-being of the Operating Systems and programs, the related systems software components.

Database Analysts.

Are responsible for maintaining the DBMS, which is the systems software that controls access to and format of the data.

Network Analysts.

Are responsible for ensuring availability, performance standards, and security are achieved on networks.

Management.

Plan, organize, and direct to ensure corporate objectives are achieved.

Data

Data consists of:

Fields held in

Records held in

Files held on

Disks

BATCH AND ONLINE SYSTEMS

Batch versus Online

In the early days of commercial computing, and up to the late 1960s, most processing took place on a batch basis only. This meant that all inputs were collected centrally and input together in “batches” of documents. This would typically take place using a centralized data preparation function to convert the data from written form into holes punched into either cards or continuous paper tape. The process was highly error prone and the input medium was fragile. In later batch systems the data was entered via a terminal onto a file, which would later be processed in batch mode. In this type of system, the primary control objectives were the accuracy and completeness of capture.

Many highly effective controls were designed and implemented to ensure completeness of data capture of batches of data, complete capture of all batches, and accurate capturing of batches of input data. These controls included the manual preparation of batch header documents for later comparison to computer-generated information, and double keystroke verification, whereby an operator entered the data into a batch of cards or directly onto a file containing a batch of input transactions. This data was then re-inputted by an independent data capture clerk and compared by the system to ensure accuracy and completeness.
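The batch controls described above, as an added example that is not from the book: a batch header reconciliation (record count, amount total and hash total) and a double-keystroke comparison of two independent keyings of the same batch. The transactions, header values and field names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Transaction:
    ref: str       # source document reference (constructed, e.g. an invoice number)
    account: str   # numeric account code; feeds the hash total
    amount: int    # amount in cents, so control totals are exact integers


@dataclass(frozen=True)
class BatchHeader:
    batch_id: str
    record_count: int  # documents counted by hand before keying
    amount_total: int  # amounts added by hand, in cents
    hash_total: int    # sum of account codes: meaningless as a number, useful as a control


def compute_totals(captured: List[Transaction]):
    """Control totals as the system accumulates them from the captured records."""
    return (len(captured),
            sum(t.amount for t in captured),
            sum(int(t.account) for t in captured))


def reconcile_batch(header: BatchHeader, captured: List[Transaction]) -> List[str]:
    """Completeness and accuracy check: compare the system totals with the manually
    prepared batch header. An empty list means the batch balances and can be released.
    The hash total catches a wrong account code even when count and amount balance."""
    count, amount, hash_total = compute_totals(captured)
    exceptions = []
    if count != header.record_count:
        exceptions.append(f"{header.batch_id}: record count {count} != header {header.record_count}")
    if amount != header.amount_total:
        exceptions.append(f"{header.batch_id}: amount total {amount} != header {header.amount_total}")
    if hash_total != header.hash_total:
        exceptions.append(f"{header.batch_id}: hash total {hash_total} != header {header.hash_total}")
    # A balanced count can still hide one document keyed twice and another omitted.
    refs = [t.ref for t in captured]
    for ref in sorted({r for r in refs if refs.count(r) > 1}):
        exceptions.append(f"{header.batch_id}: document {ref} keyed more than once")
    return exceptions


def verify_double_keying(first: List[Transaction], second: List[Transaction]) -> List[str]:
    """Double keystroke verification: the batch is keyed again by an independent clerk
    and the two captures are compared field by field, matched on document reference.
    Any difference is a keying error to be resolved before the batch is processed."""
    first_by_ref = {t.ref: t for t in first}
    second_by_ref = {t.ref: t for t in second}
    errors = []
    for ref in sorted(set(first_by_ref) | set(second_by_ref)):
        a, b = first_by_ref.get(ref), second_by_ref.get(ref)
        if a is None:
            errors.append(f"{ref}: present only in second keying")
        elif b is None:
            errors.append(f"{ref}: present only in first keying")
        else:
            for field in ("account", "amount"):
                if getattr(a, field) != getattr(b, field):
                    errors.append(f"{ref}: {field} differs ({getattr(a, field)} vs {getattr(b, field)})")
    return errors


# Constructed sample batch of three source documents and its hand-prepared header.
HEADER = BatchHeader("B0001", record_count=3,
                     amount_total=12500 + 4050 + 999,   # 17549
                     hash_total=1001 + 2002 + 1001)     # 4004

FIRST_KEYING = [
    Transaction("INV100", "1001", 12500),
    Transaction("INV101", "2002", 4050),
    Transaction("INV102", "1001", 999),
]
# Second clerk transposes digits in INV101's amount (4050 keyed as 4500).
SECOND_KEYING = [
    Transaction("INV100", "1001", 12500),
    Transaction("INV101", "2002", 4500),
    Transaction("INV102", "1001", 999),
]
# Count and amount balance here; only the hash total exposes the wrong account code.
WRONG_ACCOUNT = [
    Transaction("INV100", "1001", 12500),
    Transaction("INV101", "2002", 4050),
    Transaction("INV102", "1010", 999),
]

if __name__ == "__main__":
    print(reconcile_batch(HEADER, FIRST_KEYING))     # [] : batch balances
    print(reconcile_batch(HEADER, WRONG_ACCOUNT))    # one hash total exception
    print(verify_double_keying(FIRST_KEYING, SECOND_KEYING))  # INV101 amount differs
```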

With the advent of online systems, such controls fell away because they were deemed to be no longer appropriate. In many cases within an online environment very few alternative controls were implemented and frequently the auditor would find that large assumptions were made as to the adequacy of the controls surrounding the accuracy and completeness of data input.

In today’s systems, capture and processing will normally take place using online, real-time data capture with a small batch component. Input is typically via a terminal with instantaneous updates. Overnight report production in batch mode is common. The terminals may be local or remote and the remote terminals may be either dial-up or dedicated. The terminals themselves may be of differing types, but the principal control objectives remain:

Availability

Security

Confidentiality

Accuracy

In online systems there is an additional component to the system that comes complete with its own concerns, and that is the communications component. This may take the forms of microwave links, satellite hookups, or the more basic cables, which themselves may be either dedicated or dial-up.

Computers communicate in a digital form where a signal is either on or off, whereas normal telephone cables operate in an analog mode where the signal is modulated either by changing the height of the curve (amplitude modulation or AM) or by changing the frequency of the signal (frequency modulation or FM). Communications may operate in a Simplex mode where traffic is one way only. This means effectively that a circuit must make a complete circle to get there and get a reply back. This form of circuit is inexpensive but vulnerable. Half-duplex communication allows two-way traffic, but only one way at a time. This is the type of signal used in citizens’ band (CB) radio. Duplex communications involves simultaneous two-way communication. Computer systems typically use half-duplex communication.

Other communication concepts that will be of interest to the auditor are:

Synchronous communications.

High-speed transmission and reception of long groups of characters

Asynchronous communications.

Slow, irregular transmissions, one character at a time with start and stop bits

Encryption.

Scrambling of data into unreadable forms such that it can be unscrambled

Protocol.

A set of rules for message transmission in the network

Networks themselves may be of varying types including Private Networks; Public Switched Networks (PSNs), such as the telephone systems; Value Added Networks (VANs), such as Beltel, where the service provider adds on additional services instead of simply providing point-to-point connection; and Local Area Networks (LANs), where the connections are both private and nearby. Where there is a significant physical distance involved the network may be referred to as a Wide Area Network (WAN). In recent years, the Internet has become of increasing concern as well as use to the Internal Auditor. The Internet is a collection of computers worldwide connected together loosely and provides both a source of information as well as a source of external risk.