CAACM’s 7th Annual General Meeting & Conference David Hall President Institute of Internal Auditors, Jamaica July 29, 2013


Page 1: CAACM’s 7th Annual General Meeting & Conference

CAACM’s 7th Annual General Meeting & Conference

David Hall, President

Institute of Internal Auditors, Jamaica

July 29, 2013

Page 2

“Demystifying IT Audit Issues and Jargon for More Effective Reporting and Issues Resolution.”

Page 3

Agenda

1. IT Jargon
2. What is Information Technology Audit
3. Categories of IT Audit
4. Wireless Network
5. Mobile network
6. System Interface
7. Data Management
8. Segregation of Duties
9. Administrative Access
10. What is IT Governance
11. What should IT Governance Deliver
12. Questions for Executive Management & CEO
13. Questions for the Board

Page 4

Information Technology (IT) Jargon: What Is It?

Page 9

BIT – IT IS NOT SOMETHING IN A HORSE’S MOUTH

The smallest element of computer data. A bit is a number equal to 1 or 0. The number is represented in digital electronics by a switch that is either on or off. Larger numbers can be stored as groups of several bits. A group of eight bits is known as a byte.

Page 10

BLUETOOTH – IT IS NOT A DECAYING TOOTH

IT IS a short-range wireless technology used to transfer data between mobile phones, computers and other devices.

Page 12

BUG – IT IS NOT A CREEPY INSECT

It is a mistake in the design of a computer program that prevents it from working correctly. The term originates from a malfunction in one of the earliest computers which was caused by a moth.

Debugging – The process of finding and correcting bugs in a computer program.

Page 13

COOKIE – IT IS NOT A CHOCOLATE CHIP

A small file created by a browser to store information about a web site. Cookies are typically used to identify previous visitors to the site, remember their user names and passwords, and customize the site to suit their preferences.

It is usually safe to delete all the cookies on your computer.

Page 17

PHISHING

A form of Internet fraud that involves tricking people into revealing confidential information (e.g. credit card details, user names, passwords etc.) by means of a fake e-mail that appears to come from a well-known, legitimate organisation (e.g. a bank).

Page 19

IIA Research Foundation

WORM

A self-replicating program that spreads from one computer to another, usually causing damage and compromising security in the process.

They are purposefully written by vandals to cause as much disruption as possible, or by hackers to compromise the security of a computer.

Page 22

There's a good chance you've already used some form of cloud computing.

If you have an e-mail account with a Web-based e-mail service like Hotmail, Yahoo! Mail or Gmail, then you've had some experience with cloud computing.

Instead of running an e-mail program on your computer, you log in to a Web e-mail account remotely.

The software and storage for your account doesn't exist on your computer -- it's on the service's computer cloud.

Page 23

Software as a service (SaaS)

Cloud-based applications—or software as a service (SaaS)—run on distant computers “in the cloud” that are owned and operated by others and that connect to users’ computers via the Internet and, usually, a web browser

Platform as a service (PaaS)

Platform as a service provides a cloud-based environment with everything required to support the complete lifecycle of building and delivering web-based (cloud) applications—without the cost and complexity of buying and managing the underlying hardware, software, provisioning and hosting

Page 24

What is an Information Technology Audit?

An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure.

The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

These reviews may be performed in conjunction with a financial statement audit, internal audit, or other forms.

Page 25

Further Definition: An information technology audit is an examination of the checks and balances, or controls, within an information technology (IT) group.

An IT audit collects and evaluates "evidence" of an organization's information systems, practices, and operations.

The evaluation of this evidence determines if the information systems are safeguarding the information assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's business goals or objectives.

Page 26

The IT audit aims to evaluate the following:

1. Availability - Will the organization's computer systems be available for the business at all times when required?

2. Security and Confidentiality - Will the information in the systems be disclosed only to authorized users?

3. Integrity - Will the information provided by the system always be accurate, reliable, and timely?

The audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.

Page 27

Five (5) Categories of IT Audits

(1) Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.

(2) Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.

Page 28

Five (5) Categories of IT Audits

(3) Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.

(4) Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.

Page 29

Five (5) Categories of IT Audits

(5) Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.

Page 30

I. Wireless Networks

Wireless networks are proliferating throughout organizations, because they are useful and can support business objectives directly.

However, they are also easy to set up (as any person who has set up a home wireless network can likely attest to) and provide a potential entry point into the corporate network.

CAEs should be concerned both with the security of wireless networks that are authorized by the organization as well as rogue wireless networks that users have established without authorization

Page 32

I. Wireless Network Risks

Intrusion – Wireless networks may allow unauthorized entry into the corporate network.

Eavesdropping – Wireless networks may allow unauthorized personnel to access confidential information that is transmitted across wireless networks.

Hijacking – An unauthorized user may hijack the session of an authorized user connected to a wireless network and use that session to access the corporate network.

Page 33

I. Wireless Network Risks

Radio Frequency (RF) Management – The wireless network may send transmissions into unwanted areas, which may have other impacts.

For example, hospitals may have equipment that reacts poorly to radio wave transmissions and therefore should not be exposed to wireless networks.

Page 34

I. Recommendations for Wireless Networks. Perform a thorough wireless network audit that includes the following two components:

The IT function should assess the existence and location of all approved and non-approved networks across all locations. This will entail an IT auditor physically going through business unit locations with an antenna, trying to detect the presence of wireless devices.

Page 35

I. At a minimum, the IT auditor should obtain and review a listing of all wireless networks approved by the organization.

Corporate policies and procedures should be established for wireless networks and should provide guidelines for securing and controlling these networks, including the use of data encryption and authentication to the wireless network.

The IT auditor should review the configuration of the known wireless networks to ensure compliance with developed policies and procedures.
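The two audit components above, reconciling a physical survey against the approved inventory and checking the approved networks against policy, as an added Python example that is not part of the presentation. The inventory, the survey results, the BSSIDs and the policy thresholds are all constructed for illustration; in a real review they would come from the organization's asset register, a site-survey tool and the written wireless policy.

```python
"""Wireless network audit helper: reconcile a site survey against the
approved inventory, then check approved networks against policy.

Added example; the record layout, the policy fields and all sample data
are assumptions, not taken from the presentation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class WirelessNetwork:
    bssid: str        # access point hardware address (constructed values)
    ssid: str         # advertised network name
    location: str
    encryption: str   # e.g. "WPA2", "WPA3", "WEP", "OPEN"
    auth: str         # e.g. "802.1X", "PSK", "NONE"


# Constructed approved inventory: what the IT function says should exist.
APPROVED = [
    WirelessNetwork("00:11:22:33:44:01", "CORP-STAFF", "Kingston HQ", "WPA2", "802.1X"),
    WirelessNetwork("00:11:22:33:44:02", "CORP-GUEST", "Kingston HQ", "WPA2", "PSK"),
    WirelessNetwork("00:11:22:33:44:03", "CORP-STAFF", "Montego Bay", "WEP", "PSK"),
]

# Constructed result of walking the locations with an antenna.
SURVEY = [
    WirelessNetwork("00:11:22:33:44:01", "CORP-STAFF", "Kingston HQ", "WPA2", "802.1X"),
    WirelessNetwork("00:11:22:33:44:02", "CORP-GUEST", "Kingston HQ", "WPA2", "PSK"),
    # Same name as an approved network but an unknown access point.
    WirelessNetwork("aa:bb:cc:dd:ee:ff", "CORP-STAFF", "Kingston HQ", "OPEN", "NONE"),
    # Consumer access point nobody registered.
    WirelessNetwork("de:ad:be:ef:00:01", "Linksys", "Montego Bay", "OPEN", "NONE"),
]

# Assumed policy: acceptable encryption and authentication methods.
POLICY = {"encryption": {"WPA2", "WPA3"}, "auth": {"802.1X", "PSK"}}


def find_rogue_networks(survey, approved):
    """Networks observed in the survey whose BSSID is not approved.
    Matching on BSSID rather than SSID catches an unknown access point
    that advertises an approved network name."""
    approved_bssids = {n.bssid for n in approved}
    return [n for n in survey if n.bssid not in approved_bssids]


def find_missing_networks(survey, approved):
    """Approved networks that were not observed: decommissioned, moved, or
    the survey did not cover their location. Either way the inventory
    needs a follow-up."""
    seen = {n.bssid for n in survey}
    return [n for n in approved if n.bssid not in seen]


def policy_findings(networks, policy):
    """Return (network, reason) pairs for networks that fail the policy."""
    findings = []
    for n in networks:
        if n.encryption not in policy["encryption"]:
            findings.append((n, f"encryption {n.encryption} not permitted"))
        if n.auth not in policy["auth"]:
            findings.append((n, f"authentication {n.auth} not permitted"))
    return findings


def audit(survey=SURVEY, approved=APPROVED, policy=POLICY):
    """Summarise both audit components as counts for the working papers."""
    return {
        "rogue": len(find_rogue_networks(survey, approved)),
        "missing": len(find_missing_networks(survey, approved)),
        "noncompliant": len(policy_findings(approved, policy)),
    }


if __name__ == "__main__":
    for n in find_rogue_networks(SURVEY, APPROVED):
        print(f"ROGUE    {n.bssid} '{n.ssid}' at {n.location}")
    for n in find_missing_networks(SURVEY, APPROVED):
        print(f"MISSING  {n.bssid} '{n.ssid}' at {n.location}")
    for n, why in policy_findings(APPROVED, POLICY):
        print(f"POLICY   {n.bssid} '{n.ssid}' at {n.location}: {why}")
    print(audit())
```

The reconciliation is keyed on the access point's hardware address rather than its name, because the unapproved device in the constructed survey deliberately reuses the approved "CORP-STAFF" name; a name-only comparison would miss it.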

Page 36

II. Mobile Devices

Most organizations have recognized the value of wireless devices such as Blackberrys, Personal Digital Assistants (PDAs) or smart phones.

However, not all organizations have grasped the risk of using these devices.

Page 38

II. Mobile Device Risks

If the device is not configured in a secure fashion, the confidentiality of this data may be impacted if the device is lost or stolen.

The transmission of data to the device itself may not be secure, potentially compromising the confidentiality or integrity of that data.

Page 39

II. Mobile Device Risks

Furthermore, these devices may allow remote access into corporate networks.

Consider, for example, a beverage distribution company that equips route drivers with wireless devices that are used to book inventory transactions as they deliver product to each customer.

Page 40

II. Recommendations for Mobile Devices

The IT auditor should review mobile device management

At a minimum, consideration should be given to:

Provisioning – The process for a user to procure a device.

Standardization – Are devices standardized?

Security Configuration – What policies and procedures have been established for defining security baselines for devices?

Page 41

II. Recommendations for Mobile Devices

Data Transmission – How is data transmission controlled?

Access Into Corporate Networks – Do devices provide access into the corporate network? If so, how is that controlled?

Lost or Stolen Devices – How would the company identify lost or stolen devices and terminate service to them?

Interface Software – If these devices initiate business transactions, how is that information interfaced into the corporate applications?

Page 42

III. Interfaces

Complex IT environments often require complex interfaces to integrate their critical business applications.

These interfaces may be enabled with middleware technology, which acts as a central point of communication and coordination for interfaces.

This may be because interfaces are difficult to classify.

They are similar in function to an infrastructure, or supporting technology, yet they are software applications that may actually process transactions.

Page 44

III. Interface Risks

Interfaces, and middleware in particular, are a critical link in the end-to-end processing of transactions. At a minimum, they move data from one system to another.

Interfaces may also pose a single point of failure to the organization. Consider Company XYZ, which is running an ERP system for financial consolidation.

The distributed business units all maintain interfaces from a variety of disparate systems up to the central corporate system of the company.

Page 45

III. Interface Risks

There are approximately 200 of these interfaces, all running through a single middleware server and application.

Suppose that middleware server suddenly stops functioning. This would have a substantial impact on the operations of the company.

Page 46

III. Recommendations for Interfaces

The CAE should ensure the IT risk assessment and audit universe considers interfaces and middleware. Specific items that should be considered are:

Use of Software to Manage Interfaces – Does the software transform data or merely move it from place to place?

Interface IDs – The interface software will probably need access into the systems to/from which it is moving data. How is this access managed? Are generic IDs used? What access are these IDs granted, and who has access to use these IDs?

Page 47

III. Recommendations for Interfaces

Interface Directories – Are all data moved through a single interface directory? Who has access to that directory? How is it secured and controlled?

If so, does the directory also contain data used in wire transfers or outbound electronic payments? How is the clerk restricted from these data sets?

Page 48

Interface Types – What types of interfaces are used? Are they real-time or batch-oriented? What transactions do they support? Do they initiate the processing of other transactions (e.g. interfaced sales orders initiating the shipment of goods)?

Page 49

IV. Data Management

Organizations are automating more and more business processes and functions. At the same time, the cost of data storage is becoming cheaper and cheaper.

These issues have led to the proliferation of large corporate data storage solutions.

As organizations begin to manage these large repositories of data, many issues emerge.

Page 51

IV. Data Management Risks

Failure to manage data repositories, or storage area networks, may result in the loss of critical business data availability.

Organizations must ensure that the integrity of these storage solutions is maintained adequately. New management and maintenance technologies must be deployed, and new management processes must be defined.

Moreover, the growth in data storage also coincides with the promulgation of many new laws, statutes, and regulations regarding the management of data.

Page 52

Data Management Recommendations - Perform a thorough data management review. At a minimum, consideration should be given to:

Data Classification – Has the organization gone through a data classification exercise? What types of data categories have been established, and what were the criteria for organizing data into those categories?

Data Ownership – Has the organization formally assigned ownership of data to specific data owners? Have the responsibilities of these data owners been documented?

Data Retention – Has a data retention strategy been developed?

Page 53

V. Privacy

Data privacy and consumer rights are highly visible topics today. A large number of data privacy laws with which large companies must comply have been promulgated.

For example, a large organization that does business in Europe and North America is subject to the EU Privacy Directive on Data Protection, Canada’s Personal Information Protection and Electronic Documents Act of 2000, and any number of U.S. state-level regulations.

If an organization wants to put up a Web site that provides games or media that children might access, they need to be aware of child-protection data privacy laws as well.

Page 54

IIA Professional Practices Framework

Page 55

V. Privacy Risks

Failure to comply with certain privacy laws could result in fines and/or criminal prosecution. In addition, there could be a significant impact to brand equity.

Page 56

V. Recommendations for Privacy

Perform a privacy audit. At a minimum, the organization should consider:

What Privacy Laws Apply to the Organization – Has the organization identified all various laws, regulations, and statutes with which it must comply?

Responsibility for Privacy – Has a chief privacy officer role been created?

Page 57

VI. Segregation of Duties

As organizations integrate their environments into larger, more complex applications, segregation of duties is less a function of job role and more a function of what transactions the user can perform in the system.

Consequently, appropriate segregation of duties is largely dependent on application level security.

Application level security is becoming increasingly complex and requires a greater level of expertise to administer.

Page 60

VI. Recommendations for Segregation of Duties

Perform a segregation of duties audit, which should include:

Understanding How Segregation of Duties is Being Managed and Controlled – What processes, people, and tools are used to support the management of segregation of duties?

Defining Conflicts – Has the organization developed a comprehensive listing of all job functions that are deemed to be incompatible?

Determining Specific Deficiencies – Has the organization used the list of conflicts to identify either specific security roles, or specific individuals who have been granted access that presents a violation of segregation of duties?
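The last two steps above, defining conflicts and then determining specific deficiencies, as an added Python example that is not part of the presentation. A constructed list of incompatible function pairs is applied first to the security roles themselves and then to each user's combined roles, so that both a role that bundles incompatible functions and an individual who acquires the conflict through two separately harmless roles are reported. The roles, functions, users and conflict pairs are all constructed.

```python
"""Segregation of duties check over application-level security.

Added example; the roles, the functions they grant, the user assignments
and the conflict list are constructed, not the presentation's."""

# Constructed: functions (transaction capabilities) granted by each role.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_APPROVER": {"approve_payment"},
    "AP_PAYMENTS": {"release_payment"},
    "AP_SUPER": {"enter_invoice", "approve_payment"},   # conflict bundled in one role
    "GL_REVIEW": {"view_ledger"},
}

# Constructed: role assignments per user.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_PAYMENTS"},      # conflict arises across two roles
    "carol": {"AP_SUPER"},                   # conflict inherited from one role
    "dave": {"AP_APPROVER", "AP_PAYMENTS"},  # approve and release payments
    "erin": {"AP_APPROVER"},
}

# Constructed conflict list: pairs of functions one person must not hold.
# This is the "comprehensive listing of incompatible job functions".
CONFLICTS = {
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
}


def conflicts_in(functions, conflicts=CONFLICTS):
    """Conflicting pairs fully contained in one set of functions,
    returned as sorted tuples so results are deterministic."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= functions)


def conflicting_roles(role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """Security roles that by themselves grant a conflicting pair."""
    found = {}
    for role, funcs in role_functions.items():
        pairs = conflicts_in(funcs, conflicts)
        if pairs:
            found[role] = pairs
    return found


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of everything the user's roles grant."""
    return set().union(*(role_functions[r] for r in user_roles[user]))


def conflicting_users(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """Individuals whose combined access presents a conflict, whatever
    combination of roles produced it."""
    found = {}
    for user in user_roles:
        pairs = conflicts_in(effective_functions(user, user_roles, role_functions), conflicts)
        if pairs:
            found[user] = pairs
    return found


if __name__ == "__main__":
    for role, pairs in conflicting_roles().items():
        print(f"ROLE {role}: {pairs}")
    for user, pairs in conflicting_users().items():
        print(f"USER {user}: {pairs}")
```

Checking roles and users separately matters for remediation: a conflicting role is fixed once by redesigning the role, while a user-level conflict such as bob's is fixed by removing one assignment and tells the auditor nothing is wrong with either role on its own.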

Page 61

VII. Administrative Access

Systems administration personnel are generally granted high levels of access to IT resources. This is explained away because they are presumed to be administrators who need this access to perform their job.

Recommendations for Administrative Access

In every environment, administrative access is required to operate the systems. However, the IT audit function should help ensure that systems administrators only have access to data and functions required to perform job responsibilities.

Page 62

The IT auditor should also consider:

Splitting the access to perform a function so that two people are needed to perform the function.

Reviewing generic IDs that are shared by more than one user.

Limiting access to administrative functions to a small number of persons.

Periodic independent reviews of audit trails.
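Two of the points above, reviewing shared generic IDs and limiting administrative access to a small number of persons, as an added Python example that is not part of the presentation. It reads constructed authentication records in an assumed key=value format, flags generic accounts whose successful logins come from different source addresses within a short window (a sign the ID is being shared), and compares the administrative group against a headcount limit. The log format, the HR directory, the group membership and the 30-minute window are all assumptions.

```python
"""Administrative access review helpers.

Added example; the log line format, directory contents, group membership
and thresholds are assumptions, not the presentation's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: named individuals from the HR directory. Any account that
# logs in and is not listed here is treated as a generic (non-personal) ID.
NAMED_ACCOUNTS = {"j.brown", "m.campbell", "s.reid"}

# Constructed: membership of the administrative group and an assumed limit.
ADMIN_GROUP = {"j.brown", "m.campbell", "s.reid", "dbadmin"}
MAX_ADMINS = 3

# Constructed authentication records (assumed key=value format).
LOG_LINES = """\
2013-07-29T09:02:11 user=j.brown src=10.1.2.10 result=success
2013-07-29T09:05:43 user=dbadmin src=10.1.2.10 result=success
2013-07-29T09:06:02 user=dbadmin src=10.1.7.44 result=success
2013-07-29T09:40:17 user=m.campbell src=10.1.3.9 result=success
2013-07-29T11:15:00 user=dbadmin src=10.1.2.10 result=failure
2013-07-29T13:00:00 user=s.reid src=10.1.5.2 result=success
2013-07-29T16:20:31 user=dbadmin src=10.1.9.3 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse(lines):
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def generic_accounts(events, named=NAMED_ACCOUNTS):
    """Accounts seen logging in that do not belong to a named individual."""
    return sorted({e["user"] for e in events} - named)


def shared_id_indicators(events, window=timedelta(minutes=30), named=NAMED_ACCOUNTS):
    """For each generic ID, the source addresses involved in successful
    logins from different hosts within `window` of each other. Such
    alternation suggests more than one person is using the ID."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["user"] not in named:
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= window:
                findings.setdefault(user, set()).update({a["src"], b["src"]})
    return {u: sorted(s) for u, s in findings.items()}


def admin_headcount_finding(admin_group=ADMIN_GROUP, named=NAMED_ACCOUNTS, limit=MAX_ADMINS):
    """How many named persons hold administrative access, which generic
    IDs sit in the group, and whether the person count exceeds the limit."""
    persons = admin_group & named
    return {"persons": len(persons),
            "generic_ids": sorted(admin_group - named),
            "over_limit": len(persons) > limit}


if __name__ == "__main__":
    events = parse(LOG_LINES)
    print("generic IDs seen:", generic_accounts(events))
    print("shared-ID indicators:", shared_id_indicators(events))
    print("admin headcount:", admin_headcount_finding())
```

On the constructed data the `dbadmin` ID logs in from two hosts nineteen seconds apart, which is the pattern the check reports; the failed login and the much later session from a third host are not counted, so the window parameter controls how aggressive the review is.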

Page 63

WHAT IS IT GOVERNANCE ?

IT governance has been defined by the Information Systems Audit & Control Association (ISACA) as:

…the responsibility of executives and the board of directors.

It consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.

The term ‘governance’ is derived from the Latin word gubernare, which means to direct or to steer.

Page 64

ISACA – Information Systems Audit & Control Association

WWW.ISACA.ORG

COBIT FRAMEWORK

- 4 Domains

- 32 processes

Page 65

WHAT IS IT GOVERNANCE ?

(i) Primarily determines how IT decisions are made,

(ii) Who makes the decisions,

(iii) Who is held accountable, and

(iv) How the results of decisions are measured and monitored

Page 66

What Should IT Governance Deliver?

IT governance can thus be pictured as focusing primarily on the following five areas:

• Strategic alignment —Alignment of IT Strategy and Business Strategy

• Value delivery —Creating new value for the enterprise through IT, maintaining and increasing value derived from existing IT investments, and eliminating IT initiatives and assets that are not creating sufficient value for the enterprise.

Page 67

• Risk management —Addressing IT-related risks. IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

• Resource management —Ensuring that the right capabilities are in place to execute the strategic plan and sufficient, appropriate and effective resources are provided.

• Performance measurement —Tracking the achievement of the objectives of the enterprise’s IT-related services and solutions and compliance with specific external requirements.

Page 68

Questions for Executive Management & the CEO

1. Is it clear what IT is doing?

2. How often do IT projects fail to deliver what they promised?

3. Are end users satisfied with the quality of the IT service?

4. Are sufficient IT resources and infrastructure available to meet required enterprise strategic objectives?

5. How well are IT outsourcing agreements being managed?

6. How is the value delivered by IT being measured?

Page 69

Questions for the Board

1. Does the Board assess the criticality of IT, whether on a project or operational basis?

2. Is the Board aware of IT risk exposures and their containment? Is IT on the Board’s agenda?

3. Does the Board ascertain that management has put processes and practices in place to ensure that IT delivers value to the business?

4. Does the Board work with the executives to define and monitor high level IT performance?

5. Does the Board ensure that IT investments represent a balance of risk and benefits and that budgets are acceptable?

Page 70

THANK YOU

David A. Hall, President, Institute of Internal Auditors, Jamaica

Telephone : (876) 997-1040

E-mail : [email protected]