This 76 page Document was uploaded by an elite notetaker on Friday December 18, 2015. The Document belongs to a course at a university taught by a professor in Fall. Since its upload, it has received 10 views.
Date Created: 12/18/15
The IIA and Technology

The Institute of Internal Auditors (IIA)
Established in 1941, The IIA is an international professional association headquartered in Altamonte Springs, Fla. With more than 100,000 members and representation from more than 100 countries, The Institute is the recognized authority, principal educator, and acknowledged leader in certification, education, research, and technological guidance for the profession worldwide. The IIA helps you keep up with the latest IT advances by offering specialized training and targeted resources. The IT Audit Curriculum, from The IIA and Deloitte & Touche LLP, helps you stay up to speed with evolving IT systems and adapt to compliance requirements such as the Sarbanes-Oxley Act. Our Global Technology Audit Guides (GTAG), written for CAEs and audit supervisors, address timely issues related to information technology management, control, or security. Our ITAudit is your online resource for free guidance on IT trends and audit tools. Plan ahead for The IIA’s IT Conference to be held February 2006 in Orlando, Fla.
For more details and to join, visit www.theiia.org

GTAG Partners
AICPA – American Institute of Certified Public Accountants – www.aicpa.org
CIS – Center for Internet Security – www.cisecurity.org
CMU/SEI – Carnegie-Mellon University Software Engineering Institute – www.cmu.edu
ISSA – Information Systems Security Association – www.issa.org
NACD – National Association of Corporate Directors – www.nacd.org
SANS Institute – www.sans.org

GTAG — Table of Contents
Section 1 – Letter from the President ... ii
Section 2 – IT Controls – Executive Summary ... iii
Section 3 – Introduction
Section 4 – Assessing IT Controls – An Overview ... 2
Section 5 – Understanding IT Controls ... 3
Section 6 – Importance of IT Controls ... 10
Section 7 – IT Roles in the Organization ... 11
Section 8 – Analyzing Risk ... 15
Section 9 – Monitoring and Techniques ... 18
Section 10 – Assessment ... 20
Section 11 – Conclusion ... 22
Section 12 – Appendix A – Information Security Program Elements ... 23
Section 13 – Appendix B – Compliance With Laws and Regulations ... 24
Section 14 – Appendix C – Three Categories of IT Knowledge for Internal Auditors ... 28
Section 15 – Appendix D – Compliance Frameworks ... 29
Section 16 – Appendix E – Assessing IT Controls Using COSO ... 36
Section 17 – Appendix F – ITGI Control Objectives for Information and Related Technology (CobiT) ... 38
Section 18 – Appendix G – Example IT Control Metrics to Be Considered by Audit Committees ... 40
Section 19 – Appendix H – CAE Checklist ... 43
Section 20 – Appendix I – References ... 45
Section 21 – Appendix J – Glossary ... 47
Section 22 – Appendix K – About the Global Technology Audit Guides ... 49
Section 23 – Appendix L – GTAG Partners and Global Project Team ... 50
GTAG Guide 2 – Change and Patch Management: Critical for Organizational Success ... 54
…e Paper ... 56
BindView White Paper ... 62

GTAG — Letter from the President — 1

In my previous role as a chief audit executive (CAE), I noted a need for guidance on IT management and control written specifically for executives. So one of my first acts as president of The IIA was to initiate a project to produce this IT Controls guide. This guide is for the executive, not the technical staff — although it will help those personnel better relate to management and governance perspectives. The purpose of this document is to explain IT controls and audit practice in a format that allows CAEs to understand and communicate the need for strong IT controls. It is organized to enable the reader to move through the framework for assessing IT controls and to address specific topics based on need. This document provides an overview of the key components of IT control assessment with an emphasis on the roles and responsibilities of key constituents within the organization who can drive governance of IT resources.
You may already be familiar with some aspects of this document, while other segments will provide new perspectives on how to approach this key audit strategy. It is our hope that the components can be used to educate others about what IT controls are and why management and internal auditing must ensure proper attention is paid to this fundamental methodology for good governance.

Although technology provides opportunities for growth and development, it also provides the means and tools for threats such as disruption, deception, theft, and fraud. Outside attackers threaten our organizations, yet trusted insiders are a far greater threat. Fortunately, technology can also provide protection from threats, as you will see in this guide. Executives should know the right questions to ask and what the answers mean. For example:
• Why should I understand IT controls? One word: Assurance. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls, plus the evidence that controls are continuous and sufficient. Management and governance must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance. This guide will help you understand the evidence.
• What is to be protected? Let’s start with trust. Trust enables business and efficiency. Controls provide the basis for trust, although they are often unseen. Technology provides the foundation for many — perhaps most — business controls. Reliability of financial information and processes — now mandated for many companies — is all about trust.
• Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture — collectively known as infrastructure — as well as the information itself. Many of the infrastructure controls are technical, and IT supplies the tools for many business controls.
• Who is responsible? Everybody. But you must specify control ownership and responsibilities, otherwise no one is responsible. This guide addresses specific responsibilities for IT controls.
• When do we assess IT controls? Always. IT is a rapidly changing environment, fueling business change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.
• How much control is enough? You must decide. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive — but not nearly as expensive as the probable consequences of inadequate controls.

IT controls are essential to protect assets, customers, and partners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today’s global market and regulatory environment, these are all too easy to lose. Use this guide as a foundation to assess or build your organization’s framework and audit practices for IT business control, compliance, and assurance. Use it to help make sense of the conflicting advice you receive. Make sure all the elements are in place to meet the challenges of constant change, increasing complexity, rapidly evolving threats, and the need to improve efficiency constantly.

The IIA produced this guide, but it is truly a team effort. The principal writers are Charles H. Le Grand, of CHL Global, and Alan S. Oliphant, FIIA, MIIA, QiCA, of Mair International. We owe a great debt of gratitude to our partners, IIA international affiliates, and members of the Global Technology Audit Guide (GTAG) team. We are grateful for their support and encouragement. This guide is a testimony to what The IIA does best: “Progress Through Sharing.”

Sincerely,
David A. Richards, CIA, CPA
President, The Institute of Internal Auditors, Inc.
GTAG — Executive Summary — 2

GTAG Information Technology Controls describes the knowledge needed by members of governing bodies, executives, IT professionals, and internal auditors to address technology control issues and their impact on business. Other professionals may find the guidance useful and relevant. The guide provides information on available frameworks for assessing IT controls and describes how to establish the right framework for an organization. Moreover, it sets the stage for future GTAGs that will cover specific IT topics and associated business roles and responsibilities in greater detail.

The objectives of the IT Controls guide are to:
• Explain IT controls from an executive perspective.
• Explain the importance of IT controls within the overall system of internal controls.
• Describe the organizational roles and responsibilities for ensuring IT controls are addressed adequately within the overall system of internal controls.
• Describe the concepts of risk inherent in the use and management of technology by any organization.
• Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effective internal audit assessments of IT controls.
• Describe the relevant elements of the IT controls assessment process as provided by the internal audit function.

You don’t need to know “everything” about IT controls, but remember two key control concepts:
• Assurance must be provided by the IT controls within the system of internal controls. This assurance must be continuous and provide a reliable and continuous trail of evidence.
• The auditor’s assurance is an independent and objective assessment of the first assurance. Auditor assurance is based on understanding, examining, and assessing the key controls related to the risks they manage, and performing sufficient testing to ensure the controls are designed appropriately and functioning effectively and continuously.

Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT controls, and to provide and document its own framework for:
• Compliance with applicable regulations and legislation.
• Consistency with the organization’s goals and objectives.
• Reliable evidence (reasonable assurance) that activities comply with management’s governance policies and are consistent with the organization’s risk appetite.

2.1 Introduction to IT Controls
IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures. The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.

2.2 Understanding IT Controls
IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization’s use of technology. They range from corporate policies to their physical implementation within coded instructions; from physical access protection through the ability to trace actions and transactions to responsible individuals; and from automatic edits to reasonability analysis for large bodies of data.

2.3 Importance of IT Controls
Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization’s resiliency because it helps the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.

Key indicators of effective IT controls include:
• The ability to execute and plan new work such as IT infrastructure upgrades required to support new products and services.
• Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of key indicators of effective controls.
• The ability to protect against new vulnerabilities and threats and to recover from any disruption of IT services quickly and efficiently.
• The efficient use of a customer support center or help desk.
• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.

2.4 IT Roles and Responsibilities
Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

2.5 Analyzing Risk
IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.

2.6 Monitoring and Techniques
The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to, and be used by, the whole organization — not just internal auditing.

2.7 IT Control Assessment
Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda. Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.

GTAG — Introduction — 3

IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems, and people that comprise IT infrastructures.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a “weak link.” They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of “defense in depth,” so a single weakness does not always result in a single point of failure.

Controls exist to protect stakeholder interests:
• The owner’s equity.
• Customer concerns, such as privacy and identity.
• Employees’ jobs and abilities to prove they did the right thing.
• Management’s comfort with the assurance provided by automated processes.

IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting. They are all connected.
When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network, and establishes the “ports” through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored, and communicated.

GTAG — Assessing IT Controls — An Overview — 4

When CAEs review and assess the controls over IT, they should ask:
• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

“I keep six honest serving-men / (They taught me all I knew); / Their names are What and Why and When / and How and Where and Who”
— Rudyard Kipling, from “Elephant’s Child” in Just So Stories.

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below, divides the assessment into a logical series of steps. The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.
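The firewall example above is the kind of technical control an auditor can test directly: the settings are the policy, whether or not a policy document exists. The following is an added illustration in Python, not part of the GTAG guide; the rule syntax, the rule set, the addresses and the written policy expectations are all constructed. It evaluates packets against a first-match rule list with a default-deny verdict, reports every packet whose actual verdict differs from the documented policy, and flags rules that can never fire because an earlier rule already covers them (a common sign of configuration drift).

```python
"""Does the firewall configuration implement the documented policy?

Added example, not from the GTAG guide. The rule syntax, the rule set, the
policy expectations and the addresses are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    src: str         # source address (constructed)
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in", "out" or "any"
    proto: str            # "tcp", "udp" or "any"
    src: str              # exact address or "any"
    dport: Optional[int]  # port number, or None for any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and (self.dport is None or self.dport == p.dport))


def decide(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; the default verdict applies when nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by a."""
    return ((a.direction == "any" or a.direction == b.direction)
            and (a.proto == "any" or a.proto == b.proto)
            and (a.src == "any" or a.src == b.src)
            and (a.dport is None or a.dport == b.dport))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(covers(earlier, r) for earlier in rules[:i])]


def audit(rules: List[Rule], tests: List[Tuple[Packet, str]], default: str = "deny"):
    """Compare the configuration's actual verdicts with the documented policy.
    Returns (packet, expected, actual) for each deviation."""
    return [(p, expected, decide(rules, p, default))
            for p, expected in tests
            if decide(rules, p, default) != expected]


# Constructed rule set: what the administrator actually typed.
RULES = [
    Rule("allow", "in", "tcp", "any", 443),          # public HTTPS
    Rule("allow", "in", "tcp", "10.0.0.5", 22),      # SSH from the admin host
    Rule("allow", "in", "tcp", "any", 22),           # leftover rule: SSH from anywhere
    Rule("deny", "in", "tcp", "203.0.113.9", 22),    # never reached: shadowed by the rule above
    Rule("allow", "out", "any", "any", None),        # all outbound traffic
]

# Constructed documented policy, written as (packet, expected verdict).
POLICY_TESTS: List[Tuple[Packet, str]] = [
    (Packet("in", "tcp", "198.51.100.7", 443), "allow"),
    (Packet("in", "tcp", "10.0.0.5", 22), "allow"),
    (Packet("in", "tcp", "198.51.100.7", 22), "deny"),    # policy: SSH only from the admin host
    (Packet("in", "tcp", "198.51.100.7", 3389), "deny"),
    (Packet("out", "udp", "10.0.0.9", 53), "allow"),
]

if __name__ == "__main__":
    for p, expected, actual in audit(RULES, POLICY_TESTS):
        print(f"DEVIATION {p}: policy={expected} actual={actual}")
    for i in shadowed_rules(RULES):
        print(f"SHADOWED rule {i}: {RULES[i]}")
```

Run as written, the audit reports one deviation (SSH from an arbitrary address is allowed although the policy says it should be denied) and one shadowed rule; both are findings an auditor would raise with the administrator, and the policy test list is the evidence that the control was checked rather than assumed.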
Figure 1 - The Structure of IT Auditing

GTAG — Understanding IT Controls — 5

COSO¹ defines internal control as: “A process, effected by an organization’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.”

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization’s use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org.

Figure 2
It is not necessary to know “everything” about IT controls. Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology, such as database management, may know little about network components or communication protocols, and vice versa. There are two key control concepts to remember:
1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor’s assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

5.1 Control Classifications
Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (See Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to: information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; backup; recovery; and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting.

The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.

Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.

Figure 3 - Some Control Classifications

Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender’s secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters. Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions, or falsification.

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.

5.2 Governance, Management, Technical
Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels — governance and management — are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.

5.2.1 Governance Controls
The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place and performance and compliance metrics demonstrate ongoing support for that framework. Governance controls are those mandated by, and controlled by, either the entire board of directors or a board committee in conjunction with the organization’s executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of “noses in, fingers out.” The board’s responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls
Management responsibility for internal controls typically involves reaching into all areas of the organization with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization’s established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:
• Recognize risks to the organization, its processes, and assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls
Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information — including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization’s IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management’s intended information-based policies is a powerful resource to the organization.

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).
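As an added illustration of the preventive, detective and corrective classification in 5.1 (not part of the GTAG guide; the account master, limits, transactions and approver are constructed), the Python below applies all three to one transaction feed: a data-entry edit that rejects non-numeric amounts, inactive accounts and over-limit amounts before anything is recorded; a review that scans transactions already in the ledger for activity on inactive or flagged accounts and for amounts over the authorised limit, which catches entries that arrived through a batch interface or a management override; and a reversal routine that requires a named approver and leaves a linked audit-trail entry instead of deleting the original, so that the correction is itself subject to preventive and detective control, as the guide recommends.

```python
"""Preventive, detective and corrective controls over a constructed transaction feed.

Added example, not from the GTAG guide. The account master, limits,
transactions and approver are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed account master: status and authorised per-transaction limit.
ACCOUNTS: Dict[str, dict] = {
    "1001": {"status": "active", "limit": 5000.0},
    "1002": {"status": "inactive", "limit": 5000.0},
    "1003": {"status": "flagged", "limit": 1000.0},   # under monitoring for suspicious activity
}

AMOUNT_RE = re.compile(r"^\d+(\.\d{1,2})?$")   # digits with at most two decimals


def preventive_edit(account: str, amount_field: str) -> Tuple[bool, str]:
    """Data-entry edit applied before a transaction is recorded.
    Returns (accepted, reason)."""
    if not AMOUNT_RE.match(amount_field):
        return False, "amount must be numeric"        # blocks alphabetic characters
    if account not in ACCOUNTS:
        return False, "unknown account"
    if ACCOUNTS[account]["status"] != "active":
        return False, "account not active"
    if float(amount_field) > ACCOUNTS[account]["limit"]:
        return False, "exceeds authorised limit"
    return True, "ok"


def detective_review(ledger: List[dict]) -> List[Tuple[str, str]]:
    """Scan recorded transactions, which may have reached the ledger through a
    batch interface or a management override that bypassed the entry edit.
    Reversal entries and transactions already reversed are skipped."""
    already_reversed = {t["reverses"] for t in ledger if "reverses" in t}
    exceptions = []
    for tx in ledger:
        if "reverses" in tx or tx["id"] in already_reversed:
            continue
        acct = ACCOUNTS.get(tx["account"])
        if acct is None:
            exceptions.append((tx["id"], "unknown account"))
        elif acct["status"] in ("inactive", "flagged"):
            exceptions.append((tx["id"], f"activity on {acct['status']} account"))
        elif tx["amount"] > acct["limit"]:
            exceptions.append((tx["id"], "exceeds authorised limit"))
    return exceptions


def corrective_reverse(ledger: List[dict], exceptions: List[Tuple[str, str]],
                       approver: str) -> List[str]:
    """Reverse each excepted transaction. The correction is itself controlled:
    it requires a named approver and leaves a linked audit-trail entry rather
    than deleting the original record."""
    if not approver:
        raise ValueError("reversal requires a named approver")
    reversed_ids = []
    for tx_id, reason in exceptions:
        original = next(t for t in ledger if t["id"] == tx_id)
        ledger.append({"id": f"{tx_id}-REV", "account": original["account"],
                       "amount": -original["amount"], "reason": reason,
                       "approved_by": approver, "reverses": tx_id})
        reversed_ids.append(tx_id)
    return reversed_ids


# Constructed batch of transactions that arrived without passing the entry edit.
LEDGER = [
    {"id": "T1", "account": "1001", "amount": 250.0},
    {"id": "T2", "account": "1002", "amount": 40.0},      # inactive account
    {"id": "T3", "account": "1003", "amount": 1500.0},    # flagged account (and over its limit)
    {"id": "T4", "account": "1001", "amount": 9000.0},    # over the authorised limit
]

if __name__ == "__main__":
    print(preventive_edit("1001", "12a"))        # rejected at entry
    ledger = [dict(t) for t in LEDGER]
    found = detective_review(ledger)
    print(found)
    corrective_reverse(ledger, found, approver="controller")
    print(detective_review(ledger))              # nothing left to report
```

The review is idempotent: once the reversals are posted, a second run reports nothing, while the original entries and their reversals both remain in the ledger as evidence.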
5.3 IT Controls – What to Expect
Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors, down to the specific control mechanisms incorporated into application systems. The hierarchy in Figure 4, IT Controls, this page, represents a logical “top-down” approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

Figure 4 – IT Controls

5.3.1 Policies
All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization’s size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:
• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.

5.3.2 Standards
Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (See page 45).

As a guideline, the CAE should expect to see standards adopted for:
• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization’s standards, or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the … that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management
Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization’s operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties
Separation of duties is a vital element of many controls. An organization’s structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for the processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems — except for change deployment — and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data.
Similarly, systems development personnel Center for Internet Security, are beginning to gain should have little contact with production systems. By wide acceptance by leading organizations and tech- assigning specific roles during implementation and other nology providers. The way products such as operating change processes to both the personnel responsible for appli- systems, networking software, and database manage- cation systems and those responsible for operations, appro- ment systems are configured can either enhance priate separation of duties can be enforced. In large security or create weaknesses that can be exploited. organizations, many other functions should be considered to • Application Controls – All applications which ensure appropriate separation of duties, and these controls support business activities need to be controlled. can be quite detailed. For example, privileged accounts, such Standards are necessary for all applications the organ- as the Administrator group in Windows and Super User in ization develops or purchases that define the types of UNIX, can modify log entries, access any file, and in many controls that must be present across the whole range cases act as any user or role. It is important to restrict the of business activities, as well as the specific controls number of individuals with this privilege to a minimum. 6 GTAG — Understanding IT Controls — 5 Software tools are also available and should be considered to Some typical physical and environmental controls include: limit the power and monitor the activities of individuals • Locating servers in locked rooms to which access is with privileged accounts. restricted. • Restricting server access to specific individuals. 18.104.22.168 Financial Controls • Providing fire detection and suppression equipment. 
Because organizations make considerable investments in IT, • Housing sensitive equipment, applications, and data budgetary and other financial controls are necessary to away from environmental hazards such as low-lying ensure the technology yields the protected return on invest- flood plains or flammable liquid stores. ment or proposed savings. Management processes should be When considering physical and environmental security, it is in place to collect, analyze, and report information related to also appropriate to consider contingency planning — also these issues. Unfortunately, new IT developments often suf- known as disaster recovery planning — which includes fer massive cost over-runs and fail to deliver the expected response to security incidents. What will the organization do if cost savings because of insufficient planning. Budgetary con- there is a fire or flood, or if any other threat manifests itself? trols can help identify potential failings early in the process How will the organization restore the business and related IT and allow management to take positive action. They may facilities and services to ensure normal processing continues also produce historical data that organizations can use in with minimum effect on regular operations? This type of future projects. planning goes beyond merely providing for alternative IT pro- cessing power to be available and routine backup of production 22.214.171.124 Change Management data; it must consider the logistics and coordination needed for Change management processes can be specified under orga- the full scope of business activity. Finally, history consistently nizational and management control elements. These demonstrates that a disaster recovery plan that has not been processes should ensure that changes to the IT environment, tested successfully in a realistic simulation is not reliable. 
systems software, application systems, and data are applied in a manner that enforces appropriate division of duties; makes 5.3.5 Systems Software Controls sure changes work as required; prevents changes from being Systems software products enable the IT equipment to be exploited for fraudulent purposes; and reveals the true costs used by the application systems and users. These products of inefficiencies and system outages that can be obscured by include operating systems such as Windows, UNIX, and ineffective monitoring and reporting processes. Change Linux; network and communications software; firewalls; management is one of the most sensitive areas of IT controls antivirus products; and database management systems and can seriously impact system and service availability if (DBMS) such as Oracle and DB2. not administered effectively. The IT Process Institute has Systems software can be highly complex and can apply to published research demonstrating that effective IT change components and appliances within the systems and network management can bring significant benefits organizations. environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of spe- 126.96.36.199 Other Management Controls cialization to maintain it securely. Configuration techniques Other typical management controls include vetting proce- can control logical access to the applications, although some dures for new staff, performance measurement, provision of application systems contain their own access controls, and specialist training for IT staff, and disciplinary procedures. may provide an opening for hackers to use to break into a These are listed in the Information Security Program system. Configuration techniques also provide the means to Elements in Appendix A and will be covered in greater enforce division of duties, generate specialized audit trails, detail in other GTAG publications. 
and apply data integrity controls through access control lists, filters, and activity logs. 5.3.4 Physical and Environmental Controls IT audit specialists are required to assess controls in this IT equipment represents a considerable investment for many area. Small organizations are unlikely to have the resources organizations. It must be protected from accidental or deliber- to employ such specialists and should consider outsourcing ate damage or loss. Physical and environmental controls, the work. Whether IT auditors are employed or outsourced, originally developed for large data centers that house main- they require a highly specific set of knowledge. Much of this frame computers, are equally important in the modern world knowledge can come from experience, but such knowledge of distributed client-server and Web-based systems. Although must be updated constantly to remain current and useful. the equipment commonly used today is designed for ease of Certification confirms that a technical specialist has use in a normal office environment, its value to the business acquired a specified set of knowledge and experience and has and the cost and sensitivity of applications running business passed a related examination. In the IT audit world, global processes can be significant. All equipment must be protect- certificates include the Qualification in Computer Auditing ed, including the servers and workstations that allow staff (QiCA), from IIA–United Kingdom and Ireland; Certified access to the applications. Information Systems Auditor (CISA), available through the 7 GTAG — Understanding IT Controls — 5 Information Systems Audit and Control Association subject to structured assurance validation processes. (ISACA); and Global Information Assurance Certification Where systems development is outsourced, the outsourcer or (GIAC) Systems & Network Auditor (GSNA), from the provider contracts should require similar controls. SANS Institute’s GIAC program. 
Additional certifications Project management techniques and controls need to be part address general and specialized competence in information of the development process, whether developments are security, network administration, and other areas closely performed in-house or are outsourced. Management should related to IT auditing and are useful for identifying an IT know projects are on time and within budget and that resources auditor’s potential ability. are used efficiently. Reporting processes should ensure that Some key technical controls the CAE should expect to management completely understands the current status of find in a well-managed IT environment include: development projects and does not receive any surprises when • Access rights allocated and controlled according to the end product is delivered. the organization’s stated policy. • Division of duties enforced through systems software 5.3.7 Application-based Controls and other configuration controls. The objective of internal controls over application systems is to • Intrusion and vulnerability assessment, prevention, ensure that: and detection in place and continuously monitored. • All input data is accurate, complete, authorized, • Intrusion testing performed on a regular basis. and correct. • Encryption services applied where confidentiality is a • All data is processed as intended. stated requirement. • All data stored is accurate and complete. • Change management processes — including patch • All output is accurate and complete. management — in place to ensure a tightly controlled • A record is maintained to track the process of data process for applying all changes and patches to soft- from input to storage, and to the eventual output. ware, systems, network components, and data. Reviewing the application controls traditionally has been the “bread and butter” of the IT auditor. 
However, because 5.3.6 Systems Development and application controls now represent a huge percentage of Acquisition Controls business controls, they should be the priority of every Organizations rarely adopt a single methodology for all internal auditor. All internal auditors need to be able to systems development projects. Methodologies are chosen to evaluate a business process and understand and assess the suit the particular circumstances of each project. The IT controls provided by automated processes. auditor should assess whether or not the organization devel- There are several types of generic controls that the CAE ops or acquires application systems using a controlled should expect to see in any application: method that subsequently provides effective controls over • Input Controls – These controls are used mainly to and within the applications and data they process. All check the integrity of data entered into a business computer application systems should perform only those application, whether the source is input directly by functions the user requires in an efficient way. By examining staff, remotely by a business partner, or through a application development procedures, the auditor can gain Web-enabled application. Input is checked to ensure assurance that applications work in a controlled manner. that it remains within specified parameters. Some basic control issues should be evident in all systems • Processing Controls – These controls provide development and acquisition work: automated means to ensure processing is complete, • User requirements should be documented, and their accurate, and authorized. achievement should be measured. • Output Controls – These controls address what is • Systems design should follow a formal process to done with the data. They should compare results ensure that user requirements and controls are with the intended result and check them against designed into the system. the input. 
• Systems development should be conducted in a • Integrity Controls – These controls can monitor data structured manner to ensure that requirements and in process and/or in storage to ensure that data design features are incorporated into the finished remains consistent and correct. product. • Management Trail – Processing history controls, often • Testing should ensure that individual system elements referred to as an audit trail, enable management to work as required, system interfaces operate as expect- track transactions from the source to the ultimate result ed, users are involved in the testing process, and the and to trace backward from results to identify the intended functionality has been provided. transactions and events they record. These controls • Application maintenance processes should ensure that should be adequate to monitor the effectiveness of changes in application systems follow a consistent overall controls and identify errors as close as possible pattern of control. Change management should be to their sources. 8 GTAG — Understanding IT Controls — 5 5.4 Information Security Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT con- trols. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some proj- ect management controls. The universally accepted elements of information security are: • Confidentiality – Confidential information must only be divulged as appropriate, and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations. • Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting. 
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster at the location where the information was held.

5.5 IT Controls Framework
IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems hardware or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them. Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:
• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk Appetite
An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
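The privileged-account restriction in 5.3.3.1 and the "access rights allocated and controlled according to policy" item in 5.3.5 are usually tested by comparing who actually holds administrative rights against an approved list. The following Python check is an added example written for this page (it is not GTAG material and not from any tool the guide names): it parses passwd(5)- and group(5)-format data, lists every account that has UID 0 or is a member of a privileged group, and reports accounts missing from the approved list, extra UID-0 accounts, and a headcount above the agreed maximum. The passwd and group contents are constructed samples; the set of groups treated as privileged, the approved list, and the limit are assumptions a reviewer would replace with the organization's own.

```python
"""Privileged-account review over constructed passwd(5)/group(5) data (added example)."""
from dataclasses import dataclass

# Constructed sample data; not taken from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
svc_backup:x:1003:1003:Backup service:/var/backup:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:alice,carol,svc_backup
users:x:100:
"""

# Assumed: groups whose membership confers administrative rights on this host.
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin"}


@dataclass
class Finding:
    severity: str
    account: str
    reason: str


def parse_passwd(text):
    """Map user name -> numeric UID; comments and short lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Map group name -> set of explicitly listed members (primary-GID members are not listed in group(5))."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 4:
            continue
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def privileged_accounts(passwd_text, group_text):
    """Accounts holding privilege, with the reasons: UID 0 and/or privileged-group membership."""
    reasons = {}
    for name, uid in parse_passwd(passwd_text).items():
        if uid == 0:
            reasons.setdefault(name, []).append("uid 0")
    for gname, members in parse_group(group_text).items():
        if gname in PRIVILEGED_GROUPS:
            for member in members:
                reasons.setdefault(member, []).append(f"member of {gname}")
    return reasons


def audit(passwd_text, group_text, approved, max_privileged):
    """Compare actual privilege against the approved list and the agreed maximum headcount."""
    findings = []
    privs = privileged_accounts(passwd_text, group_text)
    for account in sorted(privs):
        why = ", ".join(privs[account])
        if "uid 0" in privs[account] and account != "root":
            findings.append(Finding("high", account, f"additional UID-0 account ({why})"))
        if account not in approved:
            findings.append(Finding("high", account, f"privileged but not on approved list ({why})"))
    if len(privs) > max_privileged:
        findings.append(Finding("medium", "*", f"{len(privs)} privileged accounts exceed the limit of {max_privileged}"))
    return findings


if __name__ == "__main__":
    # Assumed approved list and limit for the sample host.
    for f in audit(PASSWD, GROUP, approved={"root", "alice", "bob"}, max_privileged=3):
        print(f.severity, f.account, f.reason)
```

On the sample data the check reports `toor` twice (a second UID-0 account that is also unapproved), `carol` and `svc_backup` as unapproved, and a headcount of six against a limit of three. On Windows the equivalent evidence is the membership of the local Administrators group (for example from `net localgroup Administrators`); the comparison against an approved list is the same. Membership through a primary GID or through sudoers rules is not visible in group(5) and would need a separate check.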
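The five generic application controls listed in 5.3.7 (input, processing, output, integrity, and management trail) are easiest to recognize in code. The following Python example is added for this page and is not taken from the GTAG; it processes a constructed payment batch and shows each control in turn: field-level input checks against specified parameters, batch control totals (record count and hash total) as a processing control, reconciliation of the posted total against the input as an output control, a digest over the stored entries as an integrity control, and a trail entry for every record and every batch-level decision. The account-number format, the authorized submitters, the amount ceiling, and the batch contents are all assumptions.

```python
"""Application-level controls over a constructed payment batch (added example).

Demonstrates the five generic controls in 5.3.7: input controls, processing
controls (control totals), output reconciliation, an integrity seal over stored
data, and a management (audit) trail that links each input to its outcome."""
import hashlib
import json
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^[A-Z]{2}\d{8}$")  # assumed in-house account-number format
AUTHORIZED_SUBMITTERS = {"alice", "bob"}     # assumed: users allowed to input payments
MAX_AMOUNT = Decimal("50000.00")             # assumed per-transaction ceiling

# Constructed sample batch; the header carries the sender's control totals.
BATCH = {
    "header": {"record_count": 4, "hash_total": "7400.50", "submitted_by": "alice"},
    "records": [
        {"id": "P-1", "account": "GB12345678", "amount": "1200.00"},
        {"id": "P-2", "account": "GB87654321", "amount": "6000.50"},
        {"id": "P-3", "account": "bad-acct", "amount": "100.00"},  # fails input control
        {"id": "P-4", "account": "GB11112222", "amount": "100.00"},
    ],
}


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)  # posted ledger entries
    rejected: dict = field(default_factory=dict)  # record id -> list of reasons
    trail: list = field(default_factory=list)     # management trail entries
    reconciled: bool = False                      # output total agrees with input
    seal: str = ""                                # integrity digest over accepted


def parse_amount(raw):
    """Return a Decimal with at most two decimal places, or None if malformed."""
    try:
        value = Decimal(str(raw))
    except InvalidOperation:
        return None
    return value if value == value.quantize(Decimal("0.01")) else None


def validate_record(rec):
    """Input control: each field must stay within its specified parameters."""
    errors = []
    if not ACCOUNT_RE.match(str(rec.get("account", ""))):
        errors.append("account format")
    amount = parse_amount(rec.get("amount"))
    if amount is None or amount <= 0:
        errors.append("amount not a positive two-decimal value")
    elif amount > MAX_AMOUNT:
        errors.append("amount above ceiling")
    return errors


def seal(entries):
    """Integrity control: SHA-256 over the canonical JSON form of stored entries."""
    canon = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def verify_seal(entries, digest):
    """Re-derive the seal; any change to a stored entry makes this False."""
    return seal(entries) == digest


def process_batch(batch):
    hdr, records = batch["header"], batch["records"]
    result = BatchResult()

    def log(rid, stage, outcome, detail=""):
        result.trail.append({"id": rid, "stage": stage, "outcome": outcome, "detail": detail})

    # Batch-level input controls: authorized source and matching control totals.
    if hdr["submitted_by"] not in AUTHORIZED_SUBMITTERS:
        log("*", "input", "reject", "unauthorized submitter")
        return result
    input_total = sum((parse_amount(r.get("amount")) or Decimal(0)) for r in records)
    if len(records) != hdr["record_count"] or input_total != Decimal(hdr["hash_total"]):
        log("*", "input", "reject", "control totals do not match header")
        return result
    log("*", "input", "accept", f"{len(records)} records, hash total {input_total}")

    # Record-level input control, then processing of the records that pass.
    rejected_total = Decimal(0)
    for rec in records:
        errors = validate_record(rec)
        if errors:
            result.rejected[rec["id"]] = errors
            rejected_total += parse_amount(rec.get("amount")) or Decimal(0)
            log(rec["id"], "input", "reject", "; ".join(errors))
            continue
        result.accepted.append({"id": rec["id"], "account": rec["account"], "amount": rec["amount"]})
        log(rec["id"], "process", "posted", f"{rec['amount']} to {rec['account']}")

    # Processing control: every input record has exactly one recorded outcome.
    if len(result.accepted) + len(result.rejected) != len(records):
        raise RuntimeError("processing control failed: record count mismatch")

    # Output control: posted total must equal input total less rejected total.
    output_total = sum(Decimal(e["amount"]) for e in result.accepted)
    result.reconciled = output_total == input_total - rejected_total
    log("*", "output", "reconciled" if result.reconciled else "MISMATCH", f"posted {output_total}")

    result.seal = seal(result.accepted)  # stored-data integrity control
    return result
```

Running `process_batch(BATCH)` posts P-1, P-2 and P-4, rejects P-3 for its account format, reconciles 7300.50 posted against 7400.50 input less 100.00 rejected, and leaves a trail an auditor can read forward (input to posting) or backward (from a posted entry to its source). A header whose record count or hash total disagrees with the records is rejected before any record is processed; the hash total is the sum of amounts, which catches dropped, duplicated, or altered records in transit but not a substitution that preserves the total, so a real batch would also carry a per-record sequence number or a digest.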
GTAG — Importance of IT Controls — 6

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002, the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.
Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT