Information Technology Controls

Authors
David A. Richards, CIA, President, The IIA
Alan S. Oliphant, MIIA, QiCA, MAIR International
Christine Bellino, Jefferson Wells
Charles H. Le Grand, CIA, CHL Global
Steve Hunt, Enterprise Controls Consulting LP

July 2007

Copyright © 2007 by The Institute of Internal Auditors (IIA), 247 Maitland Ave., Altamonte Springs, FL 32701-4201, USA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission from the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.
GTAG — Table of Contents

1 Letter from the President ........ ii
2 IT Controls – Executive Summary ........ iii
3 Introduction ........ 1
4 Assessing IT Controls – An Overview ........ 2
5 Understanding IT Controls ........ 3
6 Importance of IT Controls ........ 10
7 IT Roles in the Organization ........ 11
8 Analyzing Risk ........ 15
9 Monitoring and Techniques ........ 18
10 Assessment ........ 20
11 Conclusion ........ 22
Appendix A – Information Security Program Elements ........ 23
Appendix B – Compliance With Laws and Regulations ........ 24
Appendix C – Three Categories of IT Knowledge for Internal Auditors ........ 28
Appendix D – Compliance Frameworks ........ 29
Appendix E – Assessing IT Controls Using COSO ........ 36
Appendix F – ITGI Control Objectives for Information and Related Technology (CobiT) ........ 38
Appendix G – Example IT Control Metrics to Be Considered by Audit Committees ........ 40
Appendix H – CAE Checklist ........ 43
Appendix I – References ........ 45
Appendix J – Glossary ........ 47
Appendix K – About the Global Technology Audit Guides ........ 49
Appendix L – GTAG Partners and Global Project Team ........ 50
GTAG — Letter from the President — 1

In my previous role as a chief audit executive (CAE), I noted a need for guidance on IT management and control written specifically for executives. So, one of my first acts as president of The IIA was to initiate a project to produce this IT Controls guide. This guide is for the executive, not the technical staff — although it will help those personnel better relate to management and governance perspectives.

The purpose of this document is to explain IT controls and audit practice in a format that allows CAEs to understand and communicate the need for strong IT controls. It is organized to enable the reader to move through the framework for assessing IT controls and to address specific topics based on need. This document provides an overview of the key components of IT control assessment, with an emphasis on the roles and responsibilities of key constituents within the organization who can drive governance of IT resources. You may already be familiar with some aspects of this document, while other segments will provide new perspectives on how to approach this key audit strategy. It is our hope that the components can be used to educate others about what IT controls are and why management and internal auditing must ensure proper attention is paid to this fundamental methodology for good governance.

Although technology provides opportunities for growth and development, it also provides the means and tools for threats such as disruption, deception, theft, and fraud. Outside attackers threaten our organizations, yet trusted insiders are a far greater threat. Fortunately, technology can also provide protection from threats, as you will see in this guide. Executives should know the right questions to ask and what the answers mean. For example:

• Why should I understand IT controls? One word: Assurance. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls, plus the evidence that controls are continuous and sufficient. Management and governance must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance. This guide will help you understand the evidence.
• What is to be protected? Let's start with trust. Trust enables business and efficiency. Controls provide the basis for trust, although they are often unseen. Technology provides the foundation for many — perhaps most — business controls. Reliability of financial information and processes — now mandated for many companies — is all about trust.
• Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture — collectively known as infrastructure — as well as the information itself. Many of the infrastructure controls are technical, and IT supplies the tools for many business controls.
• Who is responsible? Everybody. But you must specify control ownership and responsibilities; otherwise, no one is responsible. This guide addresses specific responsibilities for IT controls.
• When do we assess IT controls? Always. IT is a rapidly changing environment, fueling business change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.
• How much control is enough? You must decide. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive — but not nearly as expensive as the probable consequences of inadequate controls.

IT controls are essential to protect assets, customers, and partners and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today's global market and regulatory environment, these are all too easy to lose.

Use this guide as a foundation to assess or build your organization's framework and audit practices for IT business control, compliance, and assurance. Use it to help make sense of the conflicting advice you receive. Make sure all the elements are in place to meet the challenges of constant change, increasing complexity, rapidly evolving threats, and the need to improve efficiency constantly.

The IIA produced this guide, but it is truly a team effort. The principal writers are Charles H. Le Grand of CHL Global and Alan S. Oliphant, FIIA, MIIA, QiCA, of Mair International. We owe a great debt of gratitude to our partners, IIA international affiliates, and members of the Global Technology Audit Guide (GTAG) team. We are grateful for their support and encouragement. This guide is a testimony to what The IIA does best: "Progress Through Sharing."

Sincerely,

David A. Richards, CIA, CPA
President, The Institute of Internal Auditors Inc.
GTAG — Executive Summary — 2

GTAG Information Technology Controls describes the knowledge needed by members of governing bodies, executives, IT professionals, and internal auditors to address technology control issues and their impact on business. Other professionals may find the guidance useful and relevant. The guide provides information on available frameworks for assessing IT controls and describes how to establish the right framework for an organization. Moreover, it sets the stage for future GTAGs that will cover specific IT topics and associated business roles and responsibilities in greater detail.

The objectives of the IT Controls guide are to:
• Explain IT controls from an executive perspective.
• Explain the importance of IT controls within the overall system of internal controls.
• Describe the organizational roles and responsibilities for ensuring IT controls are addressed adequately within the overall system of internal controls.
• Describe the concepts of risk inherent in the use and management of technology by any organization.
• Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effective internal audit assessments of IT controls.
• Describe the relevant elements of the IT controls assessment process as provided by the internal audit function.

2.1 Introduction to IT Controls
IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.

IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.

2.2 Understanding IT Controls
IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization's use of technology. They range from corporate policies to their physical implementation within coded instructions; from physical access protection through the ability to trace actions and transactions to responsible individuals; and from automatic edits to reasonability analysis for large bodies of data.

You don't need to know "everything" about IT controls, but remember two key control concepts:
• Assurance must be provided by the IT controls within the system of internal controls. This assurance must be continuous and provide a reliable and continuous trail of evidence.
• The auditor's assurance is an independent and objective assessment of the first assurance. Auditor assurance is based on understanding, examining, and assessing the key controls related to the risks they manage, and performing sufficient testing to ensure the controls are designed appropriately and functioning effectively and continuously.

Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT controls, and to provide and document its own framework for:
• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (reasonable assurance) that activities comply with management's governance policies and are consistent with the organization's risk appetite.

2.3 Importance of IT Controls
Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency, because it helps the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls, because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.

Key indicators of effective IT controls include:
• The ability to execute and plan new work, such as IT infrastructure upgrades required to support new products and services.
• Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of key indicators of effective controls.
• The ability to protect against new vulnerabilities and threats and to recover from any disruption of IT services quickly and efficiently.
• The efficient use of a customer support center or help desk.
• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.
2.4 IT Roles and Responsibilities
Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

2.5 Analyzing Risk
IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.

2.6 Monitoring and Techniques
The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to, and be used by, the whole organization — not just internal auditing.

2.7 IT Control Assessment
Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.

Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.
GTAG — Introduction — 3

IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems, and people that comprise IT infrastructures.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a "weak link." They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of "defense in depth," so a single weakness does not always result in a single point of failure.

Controls exist to protect stakeholder interests:
• The owner's equity.
• Customer concerns, such as privacy and identity.
• Employees' jobs and abilities to prove they did the right thing.
• Management's comfort with the assurance provided by automated processes.

IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.
They are all connected
When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the "ports" through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored, and communicated.
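The sidebar above makes the point that a firewall's rule file is itself a policy. The following added example (written for this page, not taken from the GTAG guide or from any firewall product) shows that in code: a constructed rule file in a made-up one-line-per-rule format, a first-match evaluator with default deny, and an audit function that derives the inbound ports the configuration actually opens and compares them with the documented policy. The rule format, the sample rules, and the `DOCUMENTED_INBOUND` set are all assumptions.

```python
"""Added example (not from the GTAG guide): a firewall rule set treated as an
executable policy. The rule format, sample rules and sample messages are all
constructed here for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" or "out"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Message:
    direction: str
    proto: str
    port: int


def parse_rules(text: str) -> List[Rule]:
    """Parse lines like 'in tcp 443 allow'; '*' means any port, 'any' any
    protocol. Blank lines and '#' comments are ignored. Order is significant."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, proto, port, action = line.split()
        if direction not in ("in", "out") or action not in ("allow", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(Rule(direction, proto, None if port == "*" else int(port), action))
    return rules


def decide(rules: List[Rule], msg: Message) -> str:
    """First matching rule wins; with no match the message is denied
    (default deny, the safe posture for a perimeter device)."""
    for r in rules:
        if (r.direction == msg.direction and r.proto in ("any", msg.proto)
                and r.port in (None, msg.port)):
            return r.action
    return "deny"


def effective_inbound_ports(rules: List[Rule], candidates=range(1, 65536)) -> Set[int]:
    """The policy the configuration actually implements: every inbound TCP
    port that would be accepted. An auditor compares this derived set with
    the written policy instead of reading the rules by eye."""
    return {p for p in candidates if decide(rules, Message("in", "tcp", p)) == "allow"}


# Constructed rule set (hypothetical format, not a real product's syntax)
SAMPLE_RULES = """
in  tcp 443 allow      # public web
in  tcp 22  allow      # remote admin: is this in the documented policy?
in  any *   deny
out tcp 53  allow
out udp 53  allow
out tcp 443 allow
out any *   deny
"""

# Constructed: what the written policy says may be reachable from outside
DOCUMENTED_INBOUND = {443}


def audit_inbound(rules_text: str, documented: Set[int]) -> Set[int]:
    """Return inbound ports the configuration opens that the documented
    policy does not mention: each one is an undocumented policy decision."""
    return effective_inbound_ports(parse_rules(rules_text)) - documented


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for m in (Message("in", "tcp", 443), Message("in", "tcp", 22),
              Message("in", "udp", 161), Message("out", "tcp", 25)):
        print(m, "->", decide(rules, m))
    print("undocumented inbound ports:", audit_inbound(SAMPLE_RULES, DOCUMENTED_INBOUND))
```

Run stand-alone, it prints the decision for a handful of constructed messages and the one undocumented inbound port (22), which is exactly the gap between the deployed policy and the written one that the sidebar describes.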
GTAG — Assessing IT Controls – An Overview — 4

"I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who."
— Rudyard Kipling, from "Elephant's Child" in Just So Stories

When CAEs review and assess the controls over IT, they should ask:
• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.

Figure 1 – The Structure of IT Auditing

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.
GTAG — Understanding IT Controls — 5

COSO¹ defines internal control as "A process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations."

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications
Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions, such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to: information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; and backup, recovery, and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting.

The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.

Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.
¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org.
Figure 2
It is not necessary to know "everything" about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:
1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.
Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions, or falsification.

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.
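To make the preventive/detective/corrective classification concrete, here is an added example (not from the GTAG guide) that runs a constructed batch of payment records through all three kinds of control and writes each decision to an evidence trail, so the trail itself can be examined afterwards. The record layout, the authorized limit, the account status table, and the sample batch are assumptions made for the illustration.

```python
"""Added example (not from the GTAG guide): preventive, detective and
corrective controls applied to a constructed batch of payment records,
with every control decision written to an evidence trail."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Payment:
    ref: str
    account: str
    amount_text: str   # as keyed by the operator, before any edit
    initiator: str
    approver: str


@dataclass
class Ledger:
    """Accepted postings plus the control evidence for each decision."""
    accepted: Dict[str, int] = field(default_factory=dict)            # ref -> amount
    evidence: List[Tuple[str, str, str]] = field(default_factory=list)  # (ref, control, outcome)

    def record(self, ref: str, control: str, outcome: str) -> None:
        self.evidence.append((ref, control, outcome))


# Constructed reference data: an authorized limit and an account status table
AUTHORIZED_LIMIT = 10_000
ACCOUNT_STATUS = {"A-100": "active", "A-200": "inactive", "A-300": "active"}


def preventive_edit(p: Payment, ledger: Ledger) -> bool:
    """Preventive: block before processing. A numeric-field edit rejects
    alphabetic input; a separation-of-duties rule rejects self-approval."""
    if not p.amount_text.isdigit():
        ledger.record(p.ref, "preventive/numeric-edit", "rejected")
        return False
    if p.initiator == p.approver:
        ledger.record(p.ref, "preventive/separation-of-duties", "rejected")
        return False
    ledger.record(p.ref, "preventive", "passed")
    return True


def detective_check(p: Payment, ledger: Ledger) -> List[str]:
    """Detective: after posting, flag what the preventive edits let through:
    amounts over the authorized limit and postings to inactive accounts."""
    findings = []
    if int(p.amount_text) > AUTHORIZED_LIMIT:
        findings.append("over-limit")
    if ACCOUNT_STATUS.get(p.account) != "active":
        findings.append("inactive-account")
    ledger.record(p.ref, "detective", ",".join(findings) or "clear")
    return findings


def corrective_action(p: Payment, findings: List[str], ledger: Ledger) -> None:
    """Corrective: reverse the flagged posting and hold it for review. The
    reversal is logged like any other decision, so the correction step itself
    leaves evidence that a later detective control can reconcile."""
    ledger.accepted.pop(p.ref, None)
    ledger.record(p.ref, "corrective/reversal", "held-for-review:" + "+".join(findings))


def process_batch(batch: List[Payment]) -> Ledger:
    ledger = Ledger()
    for p in batch:
        if not preventive_edit(p, ledger):
            continue
        ledger.accepted[p.ref] = int(p.amount_text)   # the posting
        findings = detective_check(p, ledger)
        if findings:
            corrective_action(p, findings, ledger)
    return ledger


# Constructed sample input
SAMPLE_BATCH = [
    Payment("P1", "A-100", "2500", "alice", "bob"),    # clean
    Payment("P2", "A-100", "25OO", "alice", "bob"),    # letters keyed into a numeric field
    Payment("P3", "A-300", "4000", "carol", "carol"),  # initiator approves own payment
    Payment("P4", "A-100", "15000", "alice", "bob"),   # exceeds authorized limit
    Payment("P5", "A-200", "900", "dave", "bob"),      # posting to an inactive account
]

if __name__ == "__main__":
    led = process_batch(SAMPLE_BATCH)
    print("accepted:", led.accepted)
    for row in led.evidence:
        print(row)
```

Note that the corrective reversal is logged like any other control decision: a later detective control can reconcile the reversals against the held items, which is the point made above that corrective processes themselves need preventive and detective controls.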
5.2 Governance, Management, Technical
Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels — governance and management — are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.
5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by and controlled by either the entire board of directors or a board committee, in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:
• Recognize risks to the organization, its processes, and assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).
5.2.3 Technical Controls

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information — including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

Figure 3 – Some Control Classifications
5.3 IT Controls – What to Expect
Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls, this page, represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:
• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.
532 Standards
Standards exist to support the requirements of policies Theyare intended to define ways of working that achieve therequired objectives of the organization Adopting andenforcing standards also promotes efficiency because staff arenot required to reinvent the wheel every time a new businessapplication is built or a new network is installed Standardsalso enable the organization to maintain the whole IT operating environment more efficiently
Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45). As a guideline, the CAE should expect to see standards adopted for:
• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures that disparate systems can access data seamlessly and that security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.
As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.
5.3.3 Organization and Management
Organization and management play a major role in the whole system of IT control, as they do with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.
5.3.3.1 Separation of Duties
Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.
Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems, except for change deployment, and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as members of the Administrators group in Windows and the superuser (root) account in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum.
GTAG – Understanding IT Controls – 5
Software tools are also available, and should be considered, to limit the power and monitor the activities of individuals with privileged accounts.
5.3.3.2 Financial Controls
Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost overruns and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.
5.3.3.3 Change Management
Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.
5.3.3.4 Other Management Controls
Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.
5.3.4 Physical and Environmental Controls
IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.
Some typical physical and environmental controls include:
• Locating servers in locked rooms to which access is restricted
• Restricting server access to specific individuals
• Providing fire detection and suppression equipment
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores
When considering physical and environmental security, it is also appropriate to consider contingency planning (also known as disaster recovery planning), which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.
5.3.5 Systems Software Controls
Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.
Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls, and these, if weaker than the platform controls, may provide an opening for attackers to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.
IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland; Certified Information Systems Auditor (CISA), available through the Information Systems Audit and Control Association (ISACA); and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.
Some key technical controls the CAE should expect to find in a well-managed IT environment include:
• Access rights allocated and controlled according to the organization's stated policy
• Division of duties enforced through systems software and other configuration controls
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored
• Intrusion (penetration) testing performed on a regular basis
• Encryption services applied where confidentiality is a stated requirement
• Change management processes, including patch management, in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data
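The first two controls in this list, together with the point made in 5.3.3.1 about keeping the number of UID 0 and administrator-group holders to a minimum, are ones an auditor can test mechanically rather than by interview. The following Python script is an added example, not part of the GTAG text or of any IIA tool: it reviews constructed /etc/passwd and /etc/group data and flags accounts that share UID 0 with root, members of privileged groups who are not on an approved administrator list, and group members with no corresponding account. The set of privileged groups (root, wheel, sudo), the approved list, and all sample entries are assumptions for the example.

```python
"""Privileged-account review over constructed /etc/passwd and /etc/group data.

Added example: the sample data and the approved-administrator list are
hypothetical, not taken from any real system.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample data. "toor" shares UID 0 with root, "svc_backup" has
# root as its primary group, "carol" is in wheel but has no passwd entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:root alias:/root:/bin/bash
alice:x:1001:1001:Alice Ops:/home/alice:/bin/bash
bob:x:1002:1002:Bob Dev:/home/bob:/bin/bash
svc_backup:x:1003:0:backup service:/var/backups:/usr/sbin/nologin
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,bob,carol
sudo:x:27:alice
dev:x:1002:bob
"""

# Assumption: membership in these groups confers root-equivalent privilege.
PRIVILEGED_GROUPS = {"root", "wheel", "sudo"}
# Hypothetical approved administrator list taken from the access policy.
APPROVED_ADMINS = {"alice"}

Finding = Tuple[str, str, str]  # (account, finding code, detail)


def parse_passwd(text: str) -> Dict[str, Tuple[int, int, str]]:
    """Map account name -> (uid, primary gid, login shell)."""
    accounts: Dict[str, Tuple[int, int, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _pw, uid, gid, _gecos, _home, shell = fields
        accounts[name] = (int(uid), int(gid), shell)
    return accounts


def parse_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Map group name -> (gid, set of explicitly listed members)."""
    groups: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group entry: {line!r}")
        name, _pw, gid, members = fields
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def review_privileged_accounts(passwd_text: str, group_text: str,
                               approved: Set[str]) -> List[Finding]:
    """Return sorted findings for accounts holding unapproved privilege."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings: List[Finding] = []

    # Control: only the root account may carry UID 0.
    for name, (uid, _gid, _shell) in accounts.items():
        if uid == 0 and name != "root":
            findings.append((name, "UID0_ALIAS", "account shares UID 0 with root"))

    # Effective privileged membership: explicit group members plus accounts
    # whose primary GID in passwd is a privileged group's GID.
    effective: Dict[str, Set[str]] = {}
    for gname, (gid, members) in groups.items():
        if gname not in PRIVILEGED_GROUPS:
            continue
        for member in members:
            effective.setdefault(member, set()).add(gname)
        for name, (_uid, primary_gid, _shell) in accounts.items():
            if primary_gid == gid:
                effective.setdefault(name, set()).add(gname)

    # Control: every privileged holder must be a real, approved account.
    for name, gset in effective.items():
        if name == "root":
            continue
        glist = ", ".join(sorted(gset))
        if name not in accounts:
            findings.append((name, "ORPHAN_MEMBER",
                             f"listed in {glist} but has no passwd entry"))
        elif name not in approved:
            findings.append((name, "UNAPPROVED_ADMIN",
                             f"member of {glist} without approval"))
    return sorted(findings)


if __name__ == "__main__":
    for account, code, detail in review_privileged_accounts(
            SAMPLE_PASSWD, SAMPLE_GROUP, APPROVED_ADMINS):
        print(f"{code:17} {account:12} {detail}")
```

The review deliberately derives privilege from both the group file and the primary GID in passwd, because a service account given GID 0 is as privileged as a wheel member but is easy to miss when only group membership lists are reviewed. Against a real host the two sample strings would be replaced by the contents of the actual files, and the approved list by the one in the access policy.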
5.3.6 Systems Development and Acquisition Controls
Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and the data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.
Some basic control issues should be evident in all systems development and acquisition work:
• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.
Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know that projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.
5.3.7 Application-based Controls
The objective of internal controls over application systems is to ensure that:
• All input data is accurate, complete, authorized, and correct
• All data is processed as intended
• All data stored is accurate and complete
• All output is accurate and complete
• A record is maintained to track the process of data from input to storage and to the eventual output

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:
• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
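The five generic control types above map directly onto code in a transaction-processing application. The following Python module is an added example, not taken from the GTAG or from any real application: it processes a constructed payment batch with input controls (format, range, and precision checks), an authorization check that enforces the separation of duties described in 5.3.3.1 (the approver must hold the approver role and must not be the initiator), a processing control that reconciles record count and amount totals to the batch header, and a hash-chained management trail whose integrity can be verified afterwards. The role assignments, the payment limit, the account-number format, and all payment records are assumptions made for the example.

```python
"""Application controls over a constructed payment batch.

Added example; roles, limits, account format and records are hypothetical.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional

# Hypothetical role assignments from the access policy.
ROLES = {"alice": {"initiator"}, "bob": {"approver"}, "carol": {"initiator", "approver"}}
SINGLE_PAYMENT_LIMIT = Decimal("10000.00")          # assumed policy limit
ACCOUNT_RE = re.compile(r"^[A-Z]{2}\d{8}$")          # assumed account format


@dataclass(frozen=True)
class Payment:
    pid: str
    account: str
    amount: Decimal
    initiator: str
    approver: Optional[str]


def input_errors(p: Payment) -> List[str]:
    """Input controls: data must stay within the specified parameters."""
    errs = []
    if not ACCOUNT_RE.match(p.account):
        errs.append("account format")
    if (p.amount <= 0 or p.amount > SINGLE_PAYMENT_LIMIT
            or p.amount != p.amount.quantize(Decimal("0.01"))):
        errs.append("amount out of range or precision")
    if "initiator" not in ROLES.get(p.initiator, set()):
        errs.append("initiator not authorized to create payments")
    return errs


def authorization_errors(p: Payment) -> List[str]:
    """Separation of duties: approver must hold the role and differ from initiator."""
    errs = []
    if p.approver is None:
        errs.append("no approval")
    elif "approver" not in ROLES.get(p.approver, set()):
        errs.append("approver lacks approver role")
    elif p.approver == p.initiator:
        errs.append("separation of duties: initiator approved own payment")
    return errs


class AuditTrail:
    """Management trail: append-only entries, each chained to its predecessor."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, event: str, pid: str, actor: str, detail: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "event": event, "pid": pid,
                "actor": actor, "detail": detail, "prev": prev}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> bool:
        """Recompute every hash and link; any edit or deletion breaks the chain."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["seq"] != i or e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def process_batch(header_count: int, header_total: Decimal,
                  payments: List[Payment], trail: AuditTrail) -> Dict:
    """Apply input, authorization, processing and output controls to one batch."""
    accepted, rejected = [], {}
    accepted_total = rejected_total = Decimal("0.00")
    for p in payments:
        errs = input_errors(p) + authorization_errors(p)
        if errs:
            rejected[p.pid] = errs
            rejected_total += p.amount
            trail.append("REJECT", p.pid, p.initiator, "; ".join(errs))
        else:
            accepted.append(p.pid)
            accepted_total += p.amount
            trail.append("POST", p.pid, p.approver, f"{p.amount} to {p.account}")
    # Processing control: every submitted record is accounted for, accepted or
    # rejected, and the amounts reconcile to the batch header.
    reconciled = (len(accepted) + len(rejected) == header_count
                  and accepted_total + rejected_total == header_total)
    trail.append("BATCH", "-", "system", f"reconciled={reconciled} posted={accepted_total}")
    return {"accepted": accepted, "rejected": rejected,
            "posted_total": accepted_total, "reconciled": reconciled}


# Constructed batch: P2 is self-approved, P3 has a malformed account number.
SAMPLE_BATCH = [
    Payment("P1", "GB12345678", Decimal("1500.00"), "alice", "bob"),
    Payment("P2", "GB23456789", Decimal("1000.00"), "carol", "carol"),
    Payment("P3", "gb-bad", Decimal("1000.00"), "alice", "bob"),
    Payment("P4", "GB34567890", Decimal("1000.00"), "alice", "bob"),
]


def run_sample(header_total: str = "4500.00"):
    """Process the constructed batch; returns (result, trail)."""
    trail = AuditTrail()
    result = process_batch(len(SAMPLE_BATCH), Decimal(header_total), SAMPLE_BATCH, trail)
    return result, trail


if __name__ == "__main__":
    res, log = run_sample()
    print(res)
    print("trail intact:", log.verify())
```

Note that carol holds both roles, which is a legitimate configuration; the control that matters is that she cannot approve her own record, and the trail records who rejected or posted each payment so the auditor can trace either direction. A reconciliation failure does not stop posting in this example; in production the batch would be held until the header discrepancy is explained.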
5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:
• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster at the location where the information was held.
5.5 IT Controls Framework

IT controls are not automatic. In the more than 50 years that organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.
Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:
• Compliance with applicable regulations and legislation
• Consistency with the organization's goals and objectives
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite
Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the US Sarbanes-Oxley Act of 2002², the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that gives an organization the ability to manage disruptions seamlessly.
Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).
The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).
Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence, all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:
• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors
• Ability to allocate resources predictably
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces
• Clear communication to management of effective controls
• The ability to protect against new vulnerabilities and threats quickly and efficiently, and to recover from any disruption of IT services
• The efficient use of a customer support center or help desk
• A security-conscious culture among end users throughout the organization
Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.
The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.
GTAG – Importance of IT Controls – 6

² Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, US Sen. Paul Sarbanes and US Rep. Michael Oxley.
GTAG – IT Roles in the Organization – 7
Many different roles have emerged in recent years for positions within the organization with responsibilities for and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.
There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.
Overall, the objectives for the use of IT within any organization are:
• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite
• To protect stakeholder interests
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives
• To identify and respond to threats and potential violations of control appropriately
Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.
7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT this requires:
• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets
• Approval of the data classification structure and the related access rights
The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.
7.1.1 Audit Committee
The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:
• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting
• Ensuring IT topics are included in the committee meeting agenda, especially CIO reporting
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately
• Overseeing the overall assessment of IT controls
• Reviewing the business and control issues related to new systems development and acquisition
• Examining internal and external audit plans and work to ensure IT topics are covered adequately
• Reviewing the results of audit work and monitoring the resolution of issues raised
• Understanding the IT topics that impact ethics monitoring
7.1.2 Compensation Committee
The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.
7.1.3 Governance Committee
The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:
• Ensure that potential and current board members have a suitable IT knowledge or background
• Assess board committees' performance in terms of their oversight of IT
• Review any external regulatory governance assessments in relation to IT topics
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency
7.1.4 Risk Management Committee
The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:
• Assessing the extent to which management has established effective enterprise risk management in the organization
• Being aware of and concurring with the organization's risk appetite and tolerance
• Appreciating the impact of IT-related risks
• Reviewing the organization's risk portfolio, including IT risks, and considering it against the organization's risk appetite
• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks
7.1.5 Finance Committee
The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining versus replacing critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.
7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.
7.2.1 Chief Executive Officer
The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:
• Define corporate objectives and performance measures in relation to IT
• Act as custodian over the organization's critical success factors in relation to IT
• Understand and approve the short-term and long-range strategy for IT
• Approve IT resources for the organization, including structure and oversight/monitoring
• Determine IT issues for periodic management, board, and staff discussion
• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas
7.2.2 Chief Financial Officer
The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:
• The total cost of ownership for IT initiatives
• The entity's IT strategies for remaining technologically competitive
• The technologies used to implement financial applications
• The operation of specific financial applications
• The limitations and benefits of IT
• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced from the Equity Funding cases in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.
7.2.3 Chief Information Officer
The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:
• Understand the business requirements that drive the need to implement IT.
• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.
• Design, implement, and maintain an IT internal control framework.
• Plan, source, and control IT resources.
• Explore, assess, select, and implement technology advances (e.g., wireless communications).
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
• Operate as the highest-level data/system custodian and IT control owner.
• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.
7.2.4 Chief Security Officer
The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:
• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.
• Acts as a key link between the compliance, legal, CIO, and audit functions.
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.
• Is responsible for business continuity planning, including incident handling and disaster recovery.
• Ensures that security staff provide support for implementing controls at all levels.
• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.
7.2.5 Chief Information Security Officer (CISO)
Information security is a subset of the overall security role. The CISO:
• Develops and implements the information security policy in coordination with the CSO.
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.
• Ensures alignment of information security and business objectives.
• Manages operational information risks throughout the organization.
• Oversees security within the IT organization.
• Provides education and awareness on information security issues and new best practices.
• Develops end-user policies for the usage of IT information in conjunction with the human resources function.
• Coordinates information security work with the chief risk officer (CRO) and CIO.
• Advises the CEO, CRO, CIO, and board on IT risk issues.
• Acts as a key link for the CAE when internal auditing performs IT control-related audits.
7.2.6 Chief Legal Counsel (CLC)
Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:
• Understanding and dealing with the liabilities arising out of information disclosures, and providing policy-level guidance to help manage the related risks.
• Ensuring financial reports and presentations comply with laws and regulations.
• Understanding IT legal issues and advising on legal risks related to IT.
• Managing organizational reputation in relation to legal issues, compliance, and public relations.
• Understanding fraud involving IT.
• Managing IT contractual issues.
• Understanding investigative forensics protocols regarding suspected criminal activity.
7.2.7 Chief Risk Officer
The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:
• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.
• Assessment of IT events such as interruptions, disasters, and changes.
• Analysis and assessment of business risk as it is affected by IT risk.
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.
7.3 Audit
7.3.1 Internal Auditing – CAE and Audit Staff
Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:
• Advising the audit committee and senior management on IT internal control issues.
• Ensuring IT is included in the audit universe and annual plan (selecting topics).
• Ensuring IT risks are considered when assigning resources and priorities to audit activities.
• Defining IT resources needed by the internal audit department, including specialized training of audit staff.
• Ensuring that audit planning considers IT issues for each audit.
• Liaising with audit clients to determine what they want or need to know.
• Performing IT risk assessments.
• Determining what constitutes reliable and verifiable evidence.
• Performing IT enterprise-level controls audits.
• Performing IT general controls audits.
• Performing IT applications controls audits.
• Performing specialist technical IT controls audits.
• Making effective and efficient use of IT to assist the audit processes.
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.
7.3.2 External Auditor
Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:
• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.
• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.
8 Analyzing Risk
8.1 Risk Determines Response
IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.
It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost-effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.
The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO(3) as:
"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."
In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:
"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
Thus, the CAE should consider whether or not:
• The organization's IT environment is consistent with the organization's risk appetite.
• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.
(3) These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).
8.2 Risk Considerations in Determining the Adequacy of IT Controls
Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices; they must add value to the organization by reducing risk efficiently and increasing effectiveness.
When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:
• The value and criticality of information.
• The organization's risk appetite and tolerance for each business function and process.
• IT risks faced by the organization and the quality of service provided to its users.
• The complexity of the IT infrastructure.
• The appropriate IT controls and the benefits they provide.
• Harmful IT incidents in the past 24 months.
The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.
8.2.1 The IT Infrastructure
Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.
The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.
The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveal potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.
GTAG — Analyzing Risk — 8
8.2.2 IT Risks Faced by the Organization
The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.
8.2.3 Risk Appetite and Tolerance
Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO, with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.
The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.
8.2.4 Performing Risk Analysis
Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved along with representatives from IT and the business areas.
There are eight basic questions associated with the risk assessment process. The first five include:
• What are the assets at risk, and the value of their confidentiality, integrity, and availability?
• What could happen to affect that information asset value adversely (threat event)? Implicit in this question is the vulnerability analysis and the mapping of vulnerabilities to threats and potentially impacted information assets.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?
The next three questions apply to risk mitigation analysis:
• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
8.2.5 Value of Information
Determining the value of the information processed and stored is not an easy task, due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:
• Exclusive possession – cost in the event of a breach of confidentiality.
• Utility – cost in the event of a loss of integrity.
• Cost of creation/re-creation.
• Liability in the event of litigation.
• Convertibility/negotiability – represents market value.
• Operational impact of unavailability.
8.2.6 Appropriate IT Controls
Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject; see Appendix I (see page 45).
The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.
8.3 Risk Mitigation Strategies
When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost-effective to implement expensive control processes for them.
In general, there are several ways to mitigate the potential impact of risks:
• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.
• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.
• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
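A worked pass through the eight questions of 8.2.4 and the four responses of 8.3, as an added example that is not part of the GTAG. It uses single-loss and annualized-loss-expectancy arithmetic (an assumption; the GTAG names the questions but prescribes no formula), and every asset value, frequency, and cost in it is constructed sample data.

```python
"""Quantitative pass through the GTAG's eight risk questions (8.2.4)
and its four risk responses (8.3).

Added example, not from the GTAG. The single-loss / annualized-loss-
expectancy (SLE / ALE) arithmetic is an assumption: the GTAG lists the
questions but prescribes no formula. All figures are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    value: float             # Q1: worth of its confidentiality, integrity, availability


@dataclass
class Threat:
    event: str               # Q2: the threat event (vulnerability already mapped to it)
    exposure_factor: float   # Q3: fraction of the asset value lost in one event
    annual_rate: float       # Q4: expected number of events per year
    uncertainty: float       # Q5: +/- fraction applied to the estimate


@dataclass
class Response:
    kind: str                # 8.3: "eliminate", "share" or "control"
    description: str         # Q6: what can be done
    annual_cost: float       # Q7: what it costs per year
    residual_factor: float   # fraction of the original ALE that remains afterwards


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Q3 in money terms: value lost if the threat event happens once."""
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Q3 x Q4: expected loss per year before any new response."""
    return single_loss_expectancy(asset, threat) * threat.annual_rate


def ale_range(asset: Asset, threat: Threat) -> Tuple[float, float]:
    """Q5: the ALE widened by the stated uncertainty, as (low, high)."""
    ale = annualized_loss_expectancy(asset, threat)
    return ale * (1 - threat.uncertainty), ale * (1 + threat.uncertainty)


def net_benefit(asset: Asset, threat: Threat, response: Response) -> float:
    """Q8: annual loss avoided minus annual cost; positive means cost-efficient."""
    ale = annualized_loss_expectancy(asset, threat)
    avoided = ale * (1 - response.residual_factor)
    return avoided - response.annual_cost


def choose_response(asset: Asset, threat: Threat,
                    options: List[Response]) -> Tuple[str, float]:
    """Pick the most cost-efficient option. If none pays for itself, the 8.3
    answer is to accept the risk (and review it periodically)."""
    best: Optional[Response] = max(
        options, key=lambda r: net_benefit(asset, threat, r), default=None)
    if best is None or net_benefit(asset, threat, best) <= 0:
        return "accept", 0.0
    return best.kind, net_benefit(asset, threat, best)


# --- constructed sample data ------------------------------------------------
CUSTOMER_DB = Asset("customer database", value=2_000_000.0)
DISCLOSURE = Threat("unauthorized disclosure via an Internet-facing server",
                    exposure_factor=0.25, annual_rate=0.2, uncertainty=0.5)
DISCLOSURE_OPTIONS = [
    Response("control", "firewall plus access management",
             annual_cost=30_000.0, residual_factor=0.2),
    Response("share", "cyber-liability insurance",
             annual_cost=60_000.0, residual_factor=0.1),
    Response("eliminate", "move the data off the exposed platform",
             annual_cost=120_000.0, residual_factor=0.0),
]

TEST_SERVER = Asset("non-production test server", value=20_000.0)
TEST_OUTAGE = Threat("hardware failure", exposure_factor=0.1,
                     annual_rate=0.5, uncertainty=0.3)
TEST_OUTAGE_OPTIONS = [
    Response("control", "clustered standby hardware",
             annual_cost=5_000.0, residual_factor=0.0),
]

if __name__ == "__main__":
    for asset, threat, options in ((CUSTOMER_DB, DISCLOSURE, DISCLOSURE_OPTIONS),
                                   (TEST_SERVER, TEST_OUTAGE, TEST_OUTAGE_OPTIONS)):
        low, high = ale_range(asset, threat)
        kind, benefit = choose_response(asset, threat, options)
        print(f"{asset.name}: ALE {annualized_loss_expectancy(asset, threat):,.0f} "
              f"(range {low:,.0f}-{high:,.0f}) -> {kind}, net benefit {benefit:,.0f}/yr")
```

The second case shows the accept path: a minor risk whose only available control costs more per year than the loss it prevents.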
8.4 Control Characteristics to Consider
Some of the issues to be addressed during the IT control evaluation process include:
• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?
8.5 Baseline IT Controls
IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.
IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.
It is not easy to define the baseline IT controls, because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:
• Do IT policies — including for IT controls — exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?
Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf.
Fundamental Five
The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.
1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)
Digital Dozen
One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":
1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
9 Monitoring and Techniques
9.1 Choosing a Control Framework
The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.
A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.
Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.
The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.
Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).
The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction (see Figure 5, COSO Model for Technology Controls, page 18).

GTAG — Monitoring and Techniques — 9

Figure 5 – COSO Model for Technology Controls

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high-risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high-risk areas
9.2 Monitoring IT Controls
Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.
Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows:
9.2.1 Ongoing Monitoring
• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.
• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.
• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.
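The daily job-completion reconciliation and the event-driven detection of unusual transactions described above, as an added example that is not part of the GTAG. The job-report and transaction-log formats, the field names, the large-value threshold, and the processing window are all assumptions, and every record is constructed.

```python
"""Two of the 9.2.1 ongoing-monitoring categories in code.

Added example, not from the GTAG. The log formats, field names, large-value
threshold and processing window are assumptions; every record is constructed.
  daily/periodic : reconcile a job-control report against the expected run list
  event-driven   : flag unusual transactions and route them to the unit
                   chartered to investigate them
"""
import re
from typing import Dict, List, Set

# Constructed daily job-control report: one completed or failed job per line.
JOB_REPORT = """\
2005-03-14 02:00 GL_POST      completed rc=0
2005-03-14 02:15 AR_AGING     completed rc=0
2005-03-14 02:40 PAYROLL_CALC failed    rc=12
2005-03-14 03:05 AP_PAYMENTS  completed rc=0
"""
EXPECTED_JOBS = {"GL_POST", "AR_AGING", "PAYROLL_CALC", "AP_PAYMENTS", "BANK_RECON"}

# Constructed payment log: one transaction per line. "override=yes" records that
# a control was overridden by someone with the authority to do so.
TXN_LOG = """\
2005-03-14T09:02:11 txn=PAY-1001 user=jsmith approver=mlee   amount=12500.00   override=no
2005-03-14T09:07:45 txn=PAY-1002 user=jsmith approver=jsmith amount=4800.00    override=no
2005-03-14T23:41:02 txn=PAY-1003 user=rkhan  approver=mlee   amount=1250000.00 override=yes
2005-03-14T10:15:30 txn=PAY-1004 user=aperez approver=mlee   amount=300.00     override=no
"""
LARGE_VALUE = 250_000.00        # assumed threshold agreed with the process owner
BUSINESS_HOURS = range(7, 20)   # assumed processing window, 07:00-19:59
INVESTIGATIONS_UNIT = "investigations"   # assumed name of the chartered unit

JOB_RE = re.compile(r"^\S+\s+\S+\s+(?P<job>\S+)\s+(?P<status>completed|failed)\s+rc=(?P<rc>\d+)$")
TXN_RE = re.compile(r"^(?P<ts>\S+)\s+txn=(?P<txn>\S+)\s+user=(?P<user>\S+)\s+"
                    r"approver=(?P<approver>\S+)\s+amount=(?P<amount>[\d.]+)\s+"
                    r"override=(?P<override>yes|no)$")


def reconcile_jobs(report: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Daily/periodic check: which expected jobs failed or never reported?"""
    completed: Set[str] = set()
    failed: List[str] = []
    for line in report.splitlines():
        m = JOB_RE.match(line)
        if not m:
            continue
        if m["status"] == "completed" and m["rc"] == "0":
            completed.add(m["job"])
        else:
            failed.append(m["job"])
    return {"failed": sorted(failed),
            "missing": sorted(expected - completed - set(failed))}


def detect_unusual(log: str) -> List[Dict[str, object]]:
    """Event-driven check: one alert per transaction that trips any rule,
    listing every rule it tripped, routed to the investigations unit."""
    alerts: List[Dict[str, object]] = []
    for line in log.splitlines():
        m = TXN_RE.match(line)
        if not m:
            continue
        reasons = []
        if float(m["amount"]) >= LARGE_VALUE:
            reasons.append("large-value")
        if m["user"] == m["approver"]:          # segregation of duties
            reasons.append("self-approved")
        if m["override"] == "yes":
            reasons.append("control-override")
        if int(m["ts"][11:13]) not in BUSINESS_HOURS:
            reasons.append("outside-processing-window")
        if reasons:
            alerts.append({"txn": m["txn"], "reasons": reasons,
                           "route_to": INVESTIGATIONS_UNIT})
    return alerts


if __name__ == "__main__":
    print("job reconciliation:", reconcile_jobs(JOB_REPORT, EXPECTED_JOBS))
    for alert in detect_unusual(TXN_LOG):
        print("alert:", alert)
```

Lines that do not match the expected format are skipped silently here; a production control would count them, since a malformed or absent control report is itself a monitoring failure.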
9.2.2 Special Reviews
• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.
• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.
Suitable Recognized Framework
"… the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."
— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003
101 What Audit Methodology to UseA lot has changed in the 40 years that IT auditing has exist-ed Technology components have become smaller fasterand cheaper even as overall IT costs to the organizationhave increased significantly The majority of businessprocesses have been automated typically to provide efficiencies but also to enable certain business processes thatcannot be performed manually Ubiquitous network commu-nications including the Internet have eliminated any distinction between business and electronic business
The audit process similarly has evolved to match theautomation of business processes In the early days ofautomation auditors ldquoaudited around the computerrdquo Nowthey use software routinely to test or analyze data and technical controls within systems
A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.
Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.
Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.
• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.
• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.
10.2 Testing IT Controls and Continuous Assurance
In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
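As an added illustration of the test-data approach described above (this example is not part of the GTAG), the following Python script passes a constructed population of payment entries, each tagged with the result the control should produce, through a hypothetical input-validation control and reports any item where the control accepted invalid data or rejected valid data. The vendor master, the approval limit, and the field names are assumptions made for the example.

```python
"""Added example (not from the GTAG): exercising an automated input control
with a constructed population of test data.

The control under test is a hypothetical 'validate_payment' rule set for a
vendor-payment entry screen.  The test population mixes valid items and
deliberately invalid ones, each tagged with the result the control should
produce, so that the audit test reports any control that has stopped
accepting valid data or stopped rejecting invalid data."""
from dataclasses import dataclass
from datetime import date

# Constructed vendor master file and approval limit (assumptions for the example).
VENDOR_MASTER = {"V100": "Acme Supplies", "V200": "Globex Corp"}
APPROVAL_LIMIT = 10_000.00      # payments above this require a second approver
VALID_CURRENCIES = {"USD", "EUR"}


@dataclass
class Payment:
    vendor_id: str
    amount: float
    currency: str
    invoice_date: date
    approvers: int      # number of approvals recorded on the entry


def validate_payment(p: Payment, today: date = date(2005, 3, 1)) -> list:
    """Application control under test: returns the list of rejection reasons
    (an empty list means the item is accepted)."""
    reasons = []
    if p.vendor_id not in VENDOR_MASTER:
        reasons.append("unknown vendor")
    if p.amount <= 0:
        reasons.append("non-positive amount")
    if p.currency not in VALID_CURRENCIES:
        reasons.append("invalid currency")
    if p.invoice_date > today:
        reasons.append("future-dated invoice")
    if p.amount > APPROVAL_LIMIT and p.approvers < 2:
        reasons.append("second approval missing")
    return reasons


# Constructed test population: (label, item, expected to be accepted?)
TEST_POPULATION = [
    ("valid small payment",  Payment("V100", 250.00, "USD", date(2005, 2, 15), 1), True),
    ("valid large payment",  Payment("V200", 25_000.00, "EUR", date(2005, 2, 20), 2), True),
    ("unknown vendor",       Payment("V999", 100.00, "USD", date(2005, 2, 15), 1), False),
    ("negative amount",      Payment("V100", -50.00, "USD", date(2005, 2, 15), 1), False),
    ("future date",          Payment("V100", 10.00, "USD", date(2006, 1, 1), 1), False),
    ("large, one approver",  Payment("V200", 12_000.00, "USD", date(2005, 2, 1), 1), False),
]


def run_control_test(population=TEST_POPULATION, control=validate_payment) -> dict:
    """Process every test item through the control and compare the outcome
    with the expected result.  Returns counts plus the labels of any items
    where the control behaved unexpectedly (the audit exceptions)."""
    exceptions = []
    for label, item, expected_accept in population:
        accepted = control(item) == []
        if accepted != expected_accept:
            exceptions.append(label)
    return {
        "tested": len(population),
        "passed": len(population) - len(exceptions),
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    print(run_control_test())
```

Passing a different function as `control` (for instance the validation routine of a new release of the system) reruns the same population against it, so the population becomes a regression test that is kept and re-executed at each review rather than rebuilt each time.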
10.2.1 Automated Continuous Monitoring
Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes to ensure appropriate controls were incorporated into new systems, rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world's recognition of the importance of effective information security management.
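The embedded-monitoring and threshold-tuning points made in 10.2.1 can be illustrated with a small Python routine (an added example, not from the GTAG or any product it names). The posting records, rule names, and thresholds are constructed for the illustration. The routine checks each posting as it arrives against predetermined criteria, collects the alerts, and shows how the volume of one alert type changes with the threshold chosen, which is the tuning task the text describes.

```python
"""Added example (not from the GTAG): a small embedded-monitoring routine
that checks each transaction as it is processed against predetermined
criteria and reports anomalies, plus a helper for tuning alert thresholds
against a sample of recent activity.  All rules, field names and records are
constructed for the illustration."""
from collections import Counter
from datetime import datetime

# Constructed stream of journal postings, as the business system would hand
# them to an embedded monitor (one dict per transaction, in posting order).
SAMPLE_POSTINGS = [
    {"id": "J1", "user": "alice", "approver": "bob",   "amount": 1_200.00,  "ts": "2005-03-01T10:15:00"},
    {"id": "J2", "user": "carol", "approver": "carol", "amount": 9_800.00,  "ts": "2005-03-01T11:02:00"},
    {"id": "J3", "user": "dave",  "approver": "bob",   "amount": 45_000.00, "ts": "2005-03-01T23:40:00"},
    {"id": "J4", "user": "alice", "approver": "bob",   "amount": 4_999.00,  "ts": "2005-03-02T09:05:00"},
    {"id": "J5", "user": "erin",  "approver": "bob",   "amount": 4_999.00,  "ts": "2005-03-02T09:06:00"},
    {"id": "J6", "user": "erin",  "approver": "bob",   "amount": 4_999.00,  "ts": "2005-03-02T09:07:00"},
]

# Monitoring criteria.  The thresholds are the tunable part: set too low they
# flood the reviewer with routine events, set too high real anomalies pass.
DEFAULT_CRITERIA = {
    "large_amount": 10_000.00,        # flag postings at or above this value
    "business_hours": (8, 18),        # flag postings outside 08:00-18:00
    "split_window_minutes": 10,       # repeated equal amounts by one user within N minutes
}


def check_posting(p, recent, criteria=DEFAULT_CRITERIA):
    """Evaluate one posting against the criteria.  'recent' is the list of
    earlier postings in the stream, used for the split-transaction rule.
    Returns the list of alert codes raised for this posting."""
    alerts = []
    ts = datetime.fromisoformat(p["ts"])
    start, end = criteria["business_hours"]
    if p["user"] == p["approver"]:
        alerts.append("SELF_APPROVED")          # segregation-of-duties breach
    if p["amount"] >= criteria["large_amount"]:
        alerts.append("LARGE_AMOUNT")
    if not (start <= ts.hour < end):
        alerts.append("OUT_OF_HOURS")
    window = criteria["split_window_minutes"] * 60
    for q in recent:
        q_ts = datetime.fromisoformat(q["ts"])
        if (q["user"] == p["user"] and q["amount"] == p["amount"]
                and 0 <= (ts - q_ts).total_seconds() <= window):
            alerts.append("POSSIBLE_SPLIT")
            break
    return alerts


def monitor_stream(postings, criteria=DEFAULT_CRITERIA):
    """Run the embedded check over a stream in order, as a continuous monitor
    would; returns {posting_id: [alert codes]} for postings that raised alerts."""
    findings = {}
    for i, p in enumerate(postings):
        alerts = check_posting(p, postings[:i], criteria)
        if alerts:
            findings[p["id"]] = alerts
    return findings


def alert_volume_by_threshold(postings, thresholds):
    """Tuning aid: how many LARGE_AMOUNT alerts each candidate threshold would
    have produced on the sample, so the reviewer can pick a threshold that
    keeps the volume manageable before it is deployed."""
    volume = {}
    for t in thresholds:
        crit = dict(DEFAULT_CRITERIA, large_amount=t)
        found = monitor_stream(postings, crit)
        volume[t] = sum("LARGE_AMOUNT" in codes for codes in found.values())
    return volume


def alert_summary(findings):
    """Count alerts by code so the noisiest rule is visible at a glance."""
    return Counter(code for codes in findings.values() for code in codes)


if __name__ == "__main__":
    f = monitor_stream(SAMPLE_POSTINGS)
    print(f)
    print(alert_summary(f))
    print(alert_volume_by_threshold(SAMPLE_POSTINGS, [1_000, 5_000, 10_000, 50_000]))
```

On the sample, the same six postings yield six, two, one, or zero large-amount alerts depending on the threshold; the reviewer's choice among them is exactly the vigilance the text calls for, and `alert_summary` shows which rule is generating the noise once the monitor is running.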
10.2.2 Automated Internal Control Analysis Tools
Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.
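As an added example of the kind of interrogation an audit software product or spreadsheet is used for (not code from the GTAG, ACL, or IDEA), the following Python script reads a constructed CSV extract of a payments register and runs three common validity tests: reconciliation of the file total to a reported control total, a search for the same vendor invoice paid twice, and a gap check on the cheque-number sequence. The extract, the control total, and the field names are assumptions for the illustration.

```python
"""Added example (not from the GTAG): audit interrogation of a stored data
file of the kind ACL, IDEA or a spreadsheet would be used for.  It reads a
constructed CSV extract of a payments register and runs three standard
validity tests: a control-total reconciliation, a duplicate-invoice search and
a gap check on the cheque-number sequence.  Field names and figures are
constructed for the illustration."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed extract, as it might be exported from a payments system.
PAYMENTS_CSV = """cheque_no,vendor_id,invoice_no,amount
1001,V100,INV-7781,1250.00
1002,V200,INV-0042,980.50
1003,V100,INV-7781,1250.00
1005,V300,INV-1190,15000.00
1006,V200,INV-0043,980.50
"""

# Control total the system reports for the same period (constructed).
REPORTED_CONTROL_TOTAL = 19461.00


def load_payments(text=PAYMENTS_CSV):
    """Parse the extract, converting the numeric fields."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["cheque_no"] = int(r["cheque_no"])
        r["amount"] = float(r["amount"])
    return rows


def reconcile_total(rows, reported=REPORTED_CONTROL_TOTAL):
    """Completeness test: does the file total agree with the control total?"""
    file_total = round(sum(r["amount"] for r in rows), 2)
    return {"file_total": file_total, "reported": reported,
            "difference": round(file_total - reported, 2)}


def find_duplicate_invoices(rows):
    """Validity test: the same vendor invoice paid more than once."""
    seen = defaultdict(list)
    for r in rows:
        seen[(r["vendor_id"], r["invoice_no"])].append(r["cheque_no"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def find_sequence_gaps(rows):
    """Completeness test: cheque numbers missing from the sequence, which may
    indicate unrecorded or voided items that need explanation."""
    numbers = sorted(r["cheque_no"] for r in rows)
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def run_interrogation(text=PAYMENTS_CSV):
    """Run all three tests over one extract and return the findings."""
    rows = load_payments(text)
    return {
        "records": len(rows),
        "reconciliation": reconcile_total(rows),
        "duplicates": find_duplicate_invoices(rows),
        "gaps": find_sequence_gaps(rows),
    }


if __name__ == "__main__":
    for name, result in run_interrogation().items():
        print(name, result)
```

Each test is a separate function so the same extract can be re-run after the business explains an exception; on the sample the total reconciles, one invoice has been paid twice, and cheque 1004 is missing from the sequence.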
10.2.3 Automated Risk Analysis
Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.
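The following Python routine is an added example (not from the GTAG or any risk analysis product) of the scoring such tools automate: a constructed risk register is scored for inherent and residual risk, and the same scores are then read two ways, as the audit-plan priority list the text mentions for internal auditors and as the weak-control list management would use to decide what to improve. The scales, the rating cut-offs, and the register entries are assumptions.

```python
"""Added example (not from the GTAG): a small automated risk-analysis routine
that scores a constructed register of IT risks.  The same scoring serves both
uses named in the text: management ranks which controls to strengthen, and
internal audit ranks which areas to cover first in the plan.  Scales, cut-offs
and entries are assumptions for the illustration."""

# Constructed risk register.  likelihood and impact use a 1-5 scale;
# control_effectiveness is management's self-assessed 0.0-1.0 rating of the
# controls already in place.
RISK_REGISTER = [
    {"id": "R1", "area": "Change management",   "likelihood": 4, "impact": 4, "control_effectiveness": 0.8},
    {"id": "R2", "area": "Privileged access",   "likelihood": 3, "impact": 5, "control_effectiveness": 0.3},
    {"id": "R3", "area": "Backup and recovery", "likelihood": 2, "impact": 5, "control_effectiveness": 0.9},
    {"id": "R4", "area": "Malware protection",  "likelihood": 5, "impact": 3, "control_effectiveness": 0.5},
]


def inherent_score(risk):
    """Risk before controls: likelihood x impact (1-25)."""
    return risk["likelihood"] * risk["impact"]


def residual_score(risk):
    """Risk remaining after the existing controls are taken into account."""
    return round(inherent_score(risk) * (1 - risk["control_effectiveness"]), 2)


def rate(residual):
    """Map a residual score to the rating used for reporting (cut-offs assumed)."""
    if residual >= 10:
        return "high"
    if residual >= 5:
        return "medium"
    return "low"


def analyze(register=RISK_REGISTER):
    """Score every entry and return them ordered highest residual risk first."""
    scored = []
    for r in register:
        res = residual_score(r)
        scored.append({**r, "inherent": inherent_score(r), "residual": res, "rating": rate(res)})
    return sorted(scored, key=lambda x: x["residual"], reverse=True)


def audit_priorities(register=RISK_REGISTER, ratings=("high", "medium")):
    """Audit-plan view: areas rated at or above the cut-off, highest first."""
    return [r["area"] for r in analyze(register) if r["rating"] in ratings]


def control_improvement_candidates(register=RISK_REGISTER, max_effectiveness=0.5, min_inherent=12):
    """Management view: high-inherent-risk areas where the existing controls
    are weak, i.e. where improving a control buys the most risk reduction."""
    return [r["id"] for r in analyze(register)
            if r["inherent"] >= min_inherent and r["control_effectiveness"] <= max_effectiveness]


if __name__ == "__main__":
    for row in analyze():
        print(row["id"], row["area"], row["inherent"], row["residual"], row["rating"])
    print("audit priorities:", audit_priorities())
    print("control improvement candidates:", control_improvement_candidates())
```

The two views diverge on purpose: an area with high inherent risk but strong controls (R1 in the sample) stays off the audit priority list on residual risk, yet the auditor testing it is verifying that the claimed control effectiveness, which drives the whole ranking, is real.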
10.3 Audit Committee/Management/Audit Interfaces
It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.
“Metrics and reporting” and “audit report summaries” are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting: Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.
A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can impact controls at the governance level materially.
Audit report summaries: Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.
The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.
Figure 6 – Audit Interfaces
Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.
GTAG — Conclusion — 11
Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG) as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the “Technology” section of http://www.theiia.org.
12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.
12.2 Management

• Establish information security management policies and controls and monitor compliance.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program, with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.
12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management
GTAG — Appendix A — Information Security Program Elements — 12
There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.
13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled “Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing” (www.theiia.org/iia/download.cfm?file=519).
However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.
Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.
Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.
13.1.1.1 Sections 103 and 802
These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.
One specific requirement relates to the retention of records “that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets.” Again, this is influenced greatly by the way in which IT records are maintained and retained.
13.1.1.2 Section 201
This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.
13.1.1.3 Section 301
Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle “confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters” (whistle-blower complaints). This would also relate to any issues arising from the control of IT.
13.1.1.4 Sections 302 and 404
GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.
They must disclose:

• “All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize, and report financial data, and identify for the issuer's auditors any material weaknesses in internal controls.”
• “Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls.”
Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.
This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.
13.1.1.5 Section 409
Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.
13.2 Basel II Accord

The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance, and supplier management.
A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:

• Senior management is actively involved.
• The bank has an OR management system, processes, policies, and procedures enterprisewide.
• The bank has the right governance and sufficient resources to manage operational risks.
• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework.
  – Codifying policies, procedures, and controls.
  – Designing and implementing an OR measurement methodology.
  – Designing and implementing an OR management reporting system.
  – Developing strategies to identify, measure, monitor, and control or mitigate OR.
• An OR measurement system is closely integrated into the day-to-day risk management process.
• The OR exposures and loss experiences are regularly reported.
• The OR management system is documented.
• Internal and external auditors regularly review the OR management processes and measurement system.

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.
The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe “tail” loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.
First, a bank's organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.
Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider, such as the Zurich-based ORX Global Operational Loss Database (GOLD) or MORE Exchange.
The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank).
• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.
• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.
Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or “BITS Kalculator” (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).
13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C (80) 58 final). Regional bodies like the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)
The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).
13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999
The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).
13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA), 1996
HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.
13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)
California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.
13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.
GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14
14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.⁴ Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.
14.1.1 Category 1 – All Auditors
Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.
14.1.2 Category 2 – Audit Supervisors
Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence — including IT proficiency — for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.
14.1.3 Category 3 – Technical IT Audit Specialists
Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with those technologies. IT auditors also may specialize in only certain areas of technology.
IIA programs and products are designed primarily to meet the information needs of the Category 1 and Category 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.
The SANS Institute provides information security training and awards the Global Information Assurance Certification (GIAC), which is relevant to information security professionals, including auditors. The course offerings and accompanying certifications track the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.
Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.
4 Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.
GTAG — Appendix D — Compliance Frameworks — 15
15.1 COSO

Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. COSO produced the Internal Control – Integrated Framework (see Appendix E, page 36), a widely accepted tool for both management and auditors, in 1992, and it published the Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.
15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through a better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.
In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.
15.3 CICA IT Control Guidelines

The IT Control Guidelines published by the CICA is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.
15.4 ITGI Control Objectives for Information and Related Technology (CobiT)
Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information and Related Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and a common language across the entire information systems life cycle for IS and business leaders and for IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.
15.5 ISO 17799 (Code of Practice for Information Security Management)
ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communications and operations management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance with it are not misleading.
The original BS 7799 standard has two parts:

• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are written in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.
15.5.1 What Is Information Security?
BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.
Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, or spoken in conversation. Whatever form the information takes, or whatever means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.
Information security is characterized within BS 7799 as the preservation of:
• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and of processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.
Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.
15.5.2 How to Establish Security Requirements
BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:

• Assessing risks to the organization (BS 7799 does not prescribe a methodology).
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.
15.5.3 Assessing Security Risks
BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.
15.5.4 Selecting Controls
Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.
15.5.5 Topics Addressed in BS 7799
1. Scope
2. Terms and definitions
3. Security policy
   3.1 Information security policy document
   3.2 Review and evaluation
4. Security organization
   4.1 Information security infrastructure
   4.2 Security of third-party access
   4.3 Outsourcing
5. Asset classification and control
   5.1 Accountability for assets
   5.2 Information classification
6. Personnel security
   6.1 Security in job definition and resourcing
   6.2 User training
   6.3 Responding to security incidents and malfunctions
7. Physical and environmental security
   7.1 Secure areas
   7.2 Equipment security
   7.3 General controls
8. Communications and operations management
   8.1 Operational procedures and responsibilities
   8.2 System planning and acceptance
   8.3 Protection against malicious software
   8.4 Housekeeping
   8.5 Network management
   8.6 Media handling and security
   8.7 Exchanges of information and software
9. Access control
   9.1 Business requirement for access control
   9.2 User access management
   9.3 User responsibilities
   9.4 Network access control
   9.5 Operating system access control
   9.6 Application access control
   9.7 Monitoring system access and use
   9.8 Mobile computing and teleworking
10. Systems development and maintenance
   10.1 Security requirements of systems
   10.2 Security in application systems
   10.3 Cryptographic controls
   10.4 Security of system files
   10.5 Security in development and support processes
11. Business continuity management
   11.1 Business continuity management process
12. Compliance
   12.1 Compliance with legal requirements
   12.2 Reviews of security policy and technical compliance
   12.3 System audit considerations
15.6 ISF Standard of Good Practice for Information Security
The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.
15.7 Generally Accepted Information Security Principles (GAISP)
The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:
• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).
• Detailed Principles – guidance for operational information security management (under development).
GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.
15.7.1 Pervasive Principles
The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.
• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of the information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.
• Awareness Principle – All parties with a need to know, including but not limited to information owners and information security practitioners, should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties alike.
• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.
• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.
• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.
• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.
• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of, and threats to, the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management
• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks, with due consideration of cost effectiveness.
• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.
15.8 AICPA/CICA Trust Services Principles and Criteria
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. The Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:
• Policies – The organization has defined and documented its policies5 relevant to the particular principle.
• Communications – The organization has communicated its defined policies to authorized users.
• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.
Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and the accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.
15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)
In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.
15.8.2 Availability Principle – The system is available for operation and use as committed or agreed
The availability principle refers to the accessibility of the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not in itself set a minimum acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.
Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) or system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

5 The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

6 Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.
15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized
Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception, and that transactions and services are not processed more than once. Accuracy includes assurance that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurance that processing is performed in accordance with the required approvals and privileges defined by the policies governing system processing.
The risk associated with processing integrity is that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and at the correct price, by the promised date. Processing integrity addresses all of the system components, including the procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.
Processing integrity differs from data integrity because it does not automatically imply that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
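The four properties above (completeness, accuracy, timeliness, and authorization) translate directly into checks that a processing layer can enforce on each submitted transaction and that an auditor can test. The following is an added illustration, not code from the GTAG or from the AICPA/CICA criteria. The transaction layout, the approval policy (one approver, two for amounts above an assumed 10,000 limit, and never the submitter), the 24-hour posting window, the HMAC key, and the sample batch are all constructed assumptions; the HMAC tag stands in for whatever mechanism a real system uses to detect alteration of key fields between submission and posting.

```python
"""Processing-integrity checks over a constructed batch of transactions.

Added example, not part of the GTAG text.  Every policy value and the sample
batch below are assumptions made for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy assumptions.
APPROVAL_LIMIT = 10_000.00          # above this, two distinct approvers are required
DELIVERY_SLA = timedelta(hours=24)  # posting must happen within this window
INTEGRITY_KEY = b"example-key"      # placeholder; a real system keeps this secret


@dataclass
class Transaction:
    txn_id: str            # unique identifier, used as the idempotency key
    submitter: str
    amount: float
    submitted_at: datetime
    approvers: tuple = ()  # names of the people who approved the transaction


@dataclass
class Ledger:
    posted: dict = field(default_factory=dict)      # txn_id -> amount
    exceptions: list = field(default_factory=list)  # (txn_id, reason)


def digest(txn):
    """Integrity tag over the fields that must not change between submission and posting."""
    msg = f"{txn.txn_id}|{txn.submitter}|{txn.amount:.2f}|{txn.submitted_at.isoformat()}"
    return hmac.new(INTEGRITY_KEY, msg.encode(), hashlib.sha256).hexdigest()


def authorized(txn):
    """Authorization: required approvals, excluding self-approval."""
    approvers = {a for a in txn.approvers if a != txn.submitter}
    needed = 2 if txn.amount > APPROVAL_LIMIT else 1
    return len(approvers) >= needed


def process(ledger, txn, tag, now):
    """Post one transaction, or record why it was not posted.  Returns a status string."""
    if txn.txn_id in ledger.posted:             # completeness: never processed twice
        ledger.exceptions.append((txn.txn_id, "duplicate"))
        return "duplicate"
    if not hmac.compare_digest(tag, digest(txn)):   # accuracy: key fields changed in flight
        ledger.exceptions.append((txn.txn_id, "tampered"))
        return "rejected"
    if not authorized(txn):                      # authorization
        ledger.exceptions.append((txn.txn_id, "unauthorized"))
        return "rejected"
    if now - txn.submitted_at > DELIVERY_SLA:    # timeliness: post, but flag the SLA miss
        ledger.exceptions.append((txn.txn_id, "late"))
    ledger.posted[txn.txn_id] = txn.amount
    return "posted"


def reconcile(submitted_ids, ledger):
    """Completeness: every submitted id is either posted or has a logged exception."""
    accounted = set(ledger.posted) | {tid for tid, _ in ledger.exceptions}
    return sorted(set(submitted_ids) - accounted)


def run_sample():
    """Run a constructed batch that exercises each property once."""
    base = datetime(2005, 3, 1, 9, 0)
    batch = [
        Transaction("T1", "alice", 500.00, base, ("bob",)),
        Transaction("T2", "alice", 25_000.00, base, ("bob",)),              # needs two approvers
        Transaction("T1", "alice", 500.00, base, ("bob",)),                  # replay of T1
        Transaction("T3", "carol", 1_200.00, base - timedelta(days=2), ("dave",)),  # past SLA
        Transaction("T4", "erin", 800.00, base, ("erin",)),                  # self-approved
    ]
    tags = [digest(t) for t in batch]
    t5 = Transaction("T5", "frank", 300.00, base, ("grace",))
    tag5 = digest(t5)
    t5.amount = 3_000.00            # altered after submission: tag no longer matches
    batch.append(t5)
    tags.append(tag5)

    ledger = Ledger()
    now = base + timedelta(hours=1)
    results = [process(ledger, t, tag, now) for t, tag in zip(batch, tags)]
    missing = reconcile([t.txn_id for t in batch], ledger)
    return results, ledger, missing


if __name__ == "__main__":
    results, ledger, missing = run_sample()
    print(results)
    print(ledger.exceptions)
    print("unaccounted:", missing)
```

The reconcile step is the control an auditor would look for first: a processing layer that silently drops a transaction satisfies none of the four properties, and only a comparison of what was submitted against what was posted plus what was logged as an exception shows the gap.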
15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria
The Privacy Principle contains 10 components6 and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in the privacy laws and regulations of various jurisdictions around the world and on many recognized good privacy practices. The privacy components are:
• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
• Collection – The organization collects personal information only for the purposes identified in the notice.
• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.
• Access – The organization provides individuals with access to their personal information for review and update.
• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security – The organization protects personal information against unauthorized access, both physical and logical.
• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.
15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed
The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.
Information that may be subject to confidentiality includes:
• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry
Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and in most cases are driven by contractual arrangements. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.
Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.
15.8.6 Certification Authority (CA) Principle
The certification authority discloses its key and certificate life cycle management, business, and information privacy practices and provides its services in accordance with those practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.
15.9 IIA Systems Assurance and Control (SAC)
The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance, both within an organization and between business partners, to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.
15.10 Corporate Governance
15.10.1 OECD Principles of Corporate Governance
The OECD Principles of Corporate Governance amendedin April 2004 set out a framework for good practice that hasbeen agreed to by all 30 OECD member countries and hasbecome a generally accepted standard (httpwwwoecdorgcorporate) Originally issued in 1999 the principles aredesigned to assist governments and regulatory bodies indrawing up and enforcing effective rules regulations andcodes of corporate governance In parallel they provideguidance for stock exchanges investors companies andothers that have a role in the process of developing good cor-porate governance Although the OECD principles do notprovide specific guidance on IT controls other OECD unitsprovide further guidance and research on information secu-rity and privacy
15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society
GTAG — Appendix E — Assessing IT Controls Using COSO — 16
The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.
16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"
These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.
The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved
• Published financial statements are being prepared reliably
• There is compliance with applicable laws and regulations

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.
16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:
16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.
16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.
16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.
16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.
The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions constitute this internal control framework.
GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17
Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.
Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality
Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed, or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes
Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations
Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit
This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.
CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise
• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective
• Control objectives, statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives
• Audit guidelines, suggested audit steps corresponding to each of the IT control objectives
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control, critical success factors to identify the most important actions for achieving control over the IT processes, key goal indicators to define target levels of performance, and key performance indicators to measure whether an IT control process is meeting its objective

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.
Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of CobiT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.
GTAG — Appendix G — Example IT Control Metrics to Be Considered by Audit Committees — 18
The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report [7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements regarded as essential content for comprehensive enterprise management of information security was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.
These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.
18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.
• Oversee risk management and compliance programs pertaining to information security
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
  – Percentage of information security program principles for which approved policies and controls have been implemented by management
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified
• Strive to protect the interests of all stakeholders who depend on information security
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods
• Review information security policies regarding strategic partners and other third parties
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements
• Strive to ensure business continuity
  – Percentage of organizational units with an established business-continuity plan
• Review provisions for internal and external audits of the information security program
  – Percentage of required internal and external audits completed and reviewed by the board
  – Percentage of audit findings that have not been resolved
• Collaborate with management to specify the information security metrics to be reported to the board
[7] http://reform.house.gov/TIPRC

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program:
• Establish information security management policies and controls, and monitor compliance
  – Percentage of information security program elements for which approved policies and controls are operational
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
  – Percentage of information security policy compliance reviews that noted violations
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle
  – Number of individuals with access to security software who are not trained and authorized security administrators
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks
• Assess information risks, establish risk thresholds, and actively manage risk mitigation
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy
  – Percentage of critical assets and functions for which the cost of compromise — loss, damage, disclosure, or disruption of access — has been quantified
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy
• Ensure implementation of information security requirements for strategic partners and other third parties
  – Percentage of known information security risks that are related to third-party relationships
  – Percentage of critical information assets or functions to which third-party personnel have been given access
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically
  – Percentage of security incidents that involve third-party personnel
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements
  – Percentage of out-of-compliance review findings that have been corrected since the last review
• Identify and classify information assets
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy
  – Date when the asset inventory was last updated
• Implement and test business-continuity plans
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy
• Approve information systems architecture during acquisition, development, operations, and maintenance
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately
  – Percentage of system architecture changes — additions, modifications, or deletions — that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture
• Protect the physical environment
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding
  – Percentage of servers in locations with controlled physical access

  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness
• Collaborate with security personnel to specify the information security metrics to be reported to management
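The separation-of-duties and access-review metrics in the list above are only comparable across reporting periods if they are computed the same way every time, from the access inventory rather than from self-reported figures. The following Python script is an added example, not code from the GTAG or from the CISWG report, that computes three of the metrics (SoD compliance, access-review coverage by user category, and the number of untrained privilege assigners) from a constructed user-access inventory. The conflict pairs, role names and user records are hypothetical; a real run would export them from the identity management system.

```python
"""Added example (not from the GTAG or the CISWG report): computing a few of the
management metrics above from a constructed, hypothetical user-access inventory.
All role names, conflict pairs and user records below are made up."""

from dataclasses import dataclass

# Hypothetical separation-of-duties conflict matrix: pairs of roles that one
# individual must not hold at the same time.
SOD_CONFLICTS = {
    frozenset({"ap_invoice_entry", "ap_payment_approval"}),
    frozenset({"vendor_master_maintenance", "ap_payment_approval"}),
    # a privilege assigner who is also an ordinary user can grant themselves access
    frozenset({"security_admin", "application_user"}),
}


@dataclass(frozen=True)
class UserAccess:
    user_id: str
    category: str                 # privileged, employee, contractor, vendor, terminated
    roles: frozenset
    reviewed_this_period: bool    # access privileges reviewed in this reporting period
    authorized_security_admin: bool = False   # trained and authorized per policy


def sod_violations(user: UserAccess) -> list:
    """Conflicting role pairs held by a single user (empty list = compliant)."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= user.roles)


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the population is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def sod_compliance_pct(users: list) -> float:
    """Metric: percentage of user role sets that comply with the SoD principle."""
    compliant = sum(1 for u in users if not sod_violations(u))
    return pct(compliant, len(users))


def review_coverage(users: list) -> dict:
    """Metric: percentage of users reviewed this period, overall and per category."""
    coverage = {"all": pct(sum(u.reviewed_this_period for u in users), len(users))}
    for cat in sorted({u.category for u in users}):
        group = [u for u in users if u.category == cat]
        coverage[cat] = pct(sum(u.reviewed_this_period for u in group), len(group))
    return coverage


def untrained_privilege_assigners(users: list) -> list:
    """Metric: individuals able to assign privileges who are not authorized admins."""
    return sorted(u.user_id for u in users
                  if "security_admin" in u.roles and not u.authorized_security_admin)


def terminated_with_access(users: list) -> list:
    """Terminated staff who still hold any role: the access review should find these."""
    return sorted(u.user_id for u in users if u.category == "terminated" and u.roles)


# Constructed sample inventory (hypothetical users).
SAMPLE_USERS = [
    UserAccess("u1", "employee", frozenset({"ap_invoice_entry"}), True),
    UserAccess("u2", "employee", frozenset({"ap_invoice_entry", "ap_payment_approval"}), False),
    UserAccess("u3", "privileged", frozenset({"security_admin"}), True, True),
    UserAccess("u4", "contractor", frozenset({"application_user", "security_admin"}), False),
    UserAccess("u5", "vendor", frozenset({"application_user"}), True),
    UserAccess("u6", "terminated", frozenset({"application_user"}), True),
]


def metrics_report(users: list) -> dict:
    """Bundle the metrics for the management report."""
    return {
        "sod_compliance_pct": sod_compliance_pct(users),
        "review_coverage_pct": review_coverage(users),
        "untrained_privilege_assigners": untrained_privilege_assigners(users),
        "terminated_with_access": terminated_with_access(users),
        "sod_violations": {u.user_id: sod_violations(u) for u in users if sod_violations(u)},
    }


if __name__ == "__main__":
    for name, value in metrics_report(SAMPLE_USERS).items():
        print(f"{name}: {value}")
```

The per-category breakdown matters more than the overall figure: in the sample, coverage is 66.7% overall but 0% for contractors, which is exactly the group the access-review metric singles out. The terminated-but-active list is not one of the listed metrics; it is the raw finding an access review should surface before the "terminated employees and contractors" percentage can be trusted.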
GTAG — Appendix H — CAE Checklist — 19
CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards

2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance

3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal Audit
      ii. External Audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?

4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls

5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing

6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?
GTAG — Appendix I — References — 20
The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the U.S. House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections, relating to governance, management, and technical issues.
20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), U.S. Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report - Internal Control - Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242MNXI_47896
20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution, http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance, www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet, http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices," http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC), http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants, http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC, http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO), http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD, http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum, http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants, http://www.aicpa.org/trustservices
20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security, http://www.cisecurity.org

DISA Security Technical Implementation Guides, http://www.csrc.nist.gov/pcig/cig.html
ISO 15408 Common Criteria, http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5, http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik, http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA), http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST), http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12 The Computer Security Handbook, NIST, http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30 Risk Management Guide for Information Technology Systems, NIST, http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides, http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute, http://www.store.sans.org
20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA, http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office, http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA, http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation, http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation, http://www.theiia.org/eSAC
GTAG — Appendix J — Glossary — 21

A listing of technical terms used in the guide, with a simple, plain-English definition.
Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.
CAE ndash Chief audit executive
CEO ndash Chief executive officer
CFO ndash Chief financial officer (and controller)
CIO ndash Chief information officer
CISO ndash Chief information security officer
CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org
CRM ndash Customer resource management
CSO ndash Chief Security Officer
Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).
GLBA ndash US Gramm-Leach-Bliley Act
Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
GTAG ndash Global Technology Audit Guide
HIPAA – US Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org

Public Company Accounting Oversight Board (PCAOB) – A board of the US Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can affect the confidentiality, integrity, or availability of an organization's information assets adversely.

Risk Tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
GTAG — Appendix K — About the Global Technology Audit Guides — 22
This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology facts and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.
Julia H Allen, CMU/SEI, Carnegie-Mellon University/Software Engineering Institute
Michael R Dickson Business Technology Group LLC
Clint Kreitner, President/CEO, CIS, The Center for Internet Security
Alex Lajoux, NACD, National Association of Corporate Directors
Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc, The Integrated Risk Management Group, USA
Mark Salamasick CIA University of Texas at Dallas
Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R Dickson, Karyn Waller, American Institute of Certified Public Accountants
CIS ndash Clint Kreitner Center for Internet Security
CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute
ISSA – Dave Cullinane, President; Bob Daniels, Exec Vice President, Information Systems Security Association
NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors
SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team
Peter Allor ISS Internet Security Systems
Jack Antonelli ADP
Ken D Askelson CIA JC Penney Co Inc
Becky Bace Infidel Inc
Kevin Behr, IPSI, Institute for Integrated Publication and Information Systems
Jeff Benson BearingPoint
Robert S Block Chairman 3D Business Tools USA
Sylvia Boyd The IIA
Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA
Larry Brown Options Clearing Corp
Stephanie Bryant University of South Florida
Phil Campbell Specialized IT LLC USA
John Carlson, BITS, Banking Industry Technology Secretariat
Chris Compton Intrusion Labs
Guy Copeland CSC Computer Sciences Corp
Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA
Bob Daniels EDS
Bob Dix US House of Representatives
GTAG — Appendix L — GTAG Partners and Global Project Team — 23

Jerry E Durant, CIA, President, Certifiable Technologies Ltd, Orlando, Fla, USA
Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA
Greg Garcia, ITAA, Information Technology Association of America
Russ Gates Dupage Consulting LLC
Lou Giles Chevron Phillips Chemical Co
Doug Guerrero EDS
Kai Tamara Hare Nuserve
Michael S Hines CIA Purdue University
Bob Hirth Protiviti
Don Holden CISSP Concordant Inc USA
Dave Kern Ethentica
Gene Kim CTO Tripwire Inc USA
Jim Kolouch BearingPoint
David Kowal VP JP Morgan Chase
Paul Kurtz CSIA Cyber Security Industry Alliance
Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St Louis University, USA
Andrée Lavigne, CICA, Canadian Institute of Chartered Accountants
Debbie Lew Guidance Software
Brenda Lovell CIA CCSA CGAP The IIA
Warren Malmquist Adolph Coors Co
Stacy Mantzaris CIA IIA
Dennis Miller Heritage Bank
Patrick Morrissey Auditwire
Bruce Moulton Symantec
Paul Moxey, ACCA, Association of Chartered Certified Accountants
Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA
Fred Palmer Palmer Associates
Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc
Bernie Plagman TechPar Group
Heriot Prentice MIIA FIIA QiCA The IIA
Dick Price Beacon IT Ltd BS 7799 Consultancy USA
Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA
Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA
Amy Ray Bentley College
Martin Ross GSC Global Security Consortium
Chip Schilb EDS USA
Howard Schmidt eBay
Mark Silver Symantec
George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA
Adam Stone Assurant
Jay H Stott CIA Fidelity Investments
Dan Swanson CIA IIA
Jay R Taylor, CIA, CISA, CFE, General Motors Corporation
Bill Tener, University & Community College System of Nevada
Archie Thomas
Fred Tompkins BearingPoint
Don Warren Rutgers University
Dominique Vincenti CIA The IIA
Mark Winn Intrusec
Amit Yoran
23.4 IIA International Affiliates
Frank Alvern CIA CCSA Nordea Bank Norway
Alexandre Alves Apparecido Brazil
Dror Aviv Israel
David F Bentley England UK and Ireland
Gerardo Carstens CIA IIA Argentina
Richard Cascarino South Africa
Iftikhar Chaudry Pakistan
Hisham T El Gindy Manager KPMG Hazem Hassan Egypt
Dr Ulrich Hahn CIA Switzerland
Rossana S Javier Makati City Philippines
Andras Kovacks Hungary
Christopher McRostie Australia
Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani, RSM, Pakistan
Kyoko Shimizu CIA Japan
John Silltow, Security Control and Audit Ltd, United Kingdom
Ken Siong International Federation of Accountants
Anton van Wyk PwC South Africa
Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate
Julie Young Australia
23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada
P J Corum, Quality Assurance Institute, Middle East and Africa, United Arab Emirates
Ariel Peled President ISSA Israeli Chapter
P Shreekanth India
Karen Woo Selangor Malaysia
23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa
Alexandre Alves Apparecido Brasil Telecom Brazil
Ken D Askelson CIA JC Penney Co Inc USA
Dror Aviv CFSA IIA Israel
Donald L Bailey Grant Thornton LLP USA
EW Sean Ballington PricewaterhouseCoopers LLP USA(originally South Africa)
Norman F Barber Microsoft Corp USA
David F Bentley QiCA Consultant England
Claude Cargou GIE AXA France
Michael P Fabrizius, CIA, Bon Secours Health System Inc, USA
Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan
Douglas Guerrero EDS Corp USA
Dr Ulrich Hahn, CIA, Syngenta International, Switzerland
David J Hill IBM Corp USA
Michael S Hines CIA Purdue University USA
Mark J Hornung, Ernst & Young LLP, USA
Gene Kim CTO Tripwire Inc USA
David S Lione KPMG LLP Southeast Region USA
Peter B Millar ACL Services Ltd Canada
Allan M Newstadt, CIA, World Bank/International Finance Corp, USA
Brenda J S Putman CIA City Utilities of Springfield USA
Kyoko Shimizu, CIA, Shin Nihon & Co, Japan
Brian M Spindel CIA SecurePipe Inc USA
Rajendra P Srivastava University of Kansas USA
Jay Stott CIA Fidelity Investments USA
Jay R Taylor CIA CISA CFE General Motors Corp USA
Thomas Jason Wood, CIA, Ernst & Young LLP, USA
Akitomo Yamamoto IIA Japan
23.7 The Writing Team
David A Richards CIA President The IIA
Alan S Oliphant MIIA QiCA MAIR International
Charles H Le Grand CIA CHL Global
23.8 IIA Headquarters Staff Production Team
Michael Feland
Trish Harris
Tim McCollum
Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645. IIA Member US $25; Nonmember US $30; IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8; ISBN 978-0-89413-623-8
GTAG — Table of Contents

Section 1 Letter from the President ii
Section 2 IT Controls – Executive Summary iii
Section 3 Introduction 1
Section 4 Assessing IT Controls – An Overview 2
Section 5 Understanding IT Controls 3
Section 6 Importance of IT Controls 10
Section 7 IT Roles in the Organization 11
Section 8 Analyzing Risk 15
Section 9 Monitoring and Techniques 18
Section 10 Assessment 20
Section 11 Conclusion 22
Section 12 Appendix A – Information Security Program Elements 23
Section 13 Appendix B – Compliance With Laws and Regulations 24
Section 14 Appendix C – Three Categories of IT Knowledge for Internal Auditors 28
Section 15 Appendix D – Compliance Frameworks 29
Section 16 Appendix E - Assessing IT Controls Using COSO 356
Section 17 Appendix F - ITGI Control Objectives for Information and Related Technology (CobiT) 378
Section 18 Appendix G – Example IT Control Metrics to Be Considered by Audit Committees 3940
Section 19 Appendix H – CAE Checklist 423
Section 20 Appendix I – References 445
Section 21 Appendix J – Glossary 467
Section 22 Appendix K – About the Global Technology Audit Guides 489
Section 23 Appendix L – GTAG Partners and Global Project Team 4950
GTAG — Letter from the President — 1

In my previous role as a chief audit executive (CAE), I noted a need for guidance on IT management and control written specifically for executives. So one of my first acts as president of The IIA was to initiate a project to produce this IT Controls guide. This guide is for the executive, not the technical staff — although it will help those personnel better relate to management and governance perspectives.

The purpose of this document is to explain IT controls and audit practice in a format that allows CAEs to understand and communicate the need for strong IT controls. It is organized to enable the reader to move through the framework for assessing IT controls and to address specific topics based on need. This document provides an overview of the key components of IT control assessment, with an emphasis on the roles and responsibilities of key constituents within the organization who can drive governance of IT resources. You may already be familiar with some aspects of this document, while other segments will provide new perspectives on how to approach this key audit strategy. It is our hope that the components can be used to educate others about what IT controls are and why management and internal auditing must ensure proper attention is paid to this fundamental methodology for good governance.

Although technology provides opportunities for growth and development, it also provides the means and tools for threats such as disruption, deception, theft, and fraud. Outside attackers threaten our organizations, yet trusted insiders are a far greater threat. Fortunately, technology can also provide protection from threats, as you will see in this guide. Executives should know the right questions to ask and what the answers mean. For example:
• Why should I understand IT controls? One word: Assurance. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls, plus the evidence that controls are continuous and sufficient. Management and governance must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance. This guide will help you understand the evidence.

• What is to be protected? Let's start with trust. Trust enables business and efficiency. Controls provide the basis for trust, although they are often unseen. Technology provides the foundation for many — perhaps most — business controls. Reliability of financial information and processes — now mandated for many companies — is all about trust.

• Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture — collectively known as infrastructure — as well as the information itself. Many of the infrastructure controls are technical, and IT supplies the tools for many business controls.

• Who is responsible? Everybody. But you must specify control ownership and responsibilities; otherwise, no one is responsible. This guide addresses specific responsibilities for IT controls.

• When do we assess IT controls? Always. IT is a rapidly changing environment, fueling business change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.

• How much control is enough? You must decide. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive — but not nearly as expensive as the probable consequences of inadequate controls.

IT controls are essential to protect assets, customers, and partners and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today's global market and regulatory environment, these are all too easy to lose.

Use this guide as a foundation to assess or build your organization's framework and audit practices for IT business control, compliance, and assurance. Use it to help make sense of the conflicting advice you receive. Make sure all the elements are in place to meet the challenges of constant change, increasing complexity, rapidly evolving threats, and the need to improve efficiency constantly.

The IIA produced this guide, but it is truly a team effort. The principal writers are Charles H Le Grand of CHL Global and Alan S Oliphant, FIIA, MIIA, QiCA, of Mair International. We owe a great debt of gratitude to our partners, IIA international affiliates, and members of the Global Technology Audit Guide (GTAG) team. We are grateful for their support and encouragement. This guide is a testimony to what The IIA does best: "Progress Through Sharing."

Sincerely,

David A Richards, CIA, CPA
President, The Institute of Internal Auditors Inc
GTAG — Executive Summary — 2

GTAG Information Technology Controls describes the knowledge needed by members of governing bodies, executives, IT professionals, and internal auditors to address technology control issues and their impact on business. Other professionals may find the guidance useful and relevant. The guide provides information on available frameworks for assessing IT controls and describes how to establish the right framework for an organization. Moreover, it sets the stage for future GTAGs that will cover specific IT topics and associated business roles and responsibilities in greater detail.

The objectives of the IT Controls guide are to:

• Explain IT controls from an executive perspective.
• Explain the importance of IT controls within the overall system of internal controls.
• Describe the organizational roles and responsibilities for ensuring IT controls are addressed adequately within the overall system of internal controls.
• Describe the concepts of risk inherent in the use and management of technology by any organization.
• Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effective internal audit assessments of IT controls.
• Describe the relevant elements of the IT controls assessment process as provided by the internal audit function.
2.1 Introduction to IT Controls

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.

IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.

2.2 Understanding IT Controls

IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization's use of technology. They range from corporate policies to their physical implementation within coded instructions, from physical access protection through the ability to trace actions and transactions to responsible individuals, and from automatic edits to reasonability analysis for large bodies of data.
You don't need to know "everything" about IT controls, but remember two key control concepts:

• Assurance must be provided by the IT controls within the system of internal controls. This assurance must be continuous and provide a reliable and continuous trail of evidence.

• The auditor's assurance is an independent and objective assessment of the first assurance. Auditor assurance is based on understanding, examining, and assessing the key controls related to the risks they manage, and performing sufficient testing to ensure the controls are designed appropriately and functioning effectively and continuously.

Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT controls, and to provide and document its own framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization's goals and objectives.

• Reliable evidence (reasonable assurance) that activities comply with management's governance policies and are consistent with the organization's risk appetite.

2.3 Importance of IT Controls

Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency, because it helps the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls, because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.
Key indicators of effective IT controls include:
• The ability to execute and plan new work, such as IT infrastructure upgrades required to support new products and services
• Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors
• Ability to allocate resources predictably
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners and other external interfaces
• Clear communication to management of key indicators of effective controls
• The ability to protect against new vulnerabilities and threats and to recover from any disruption of IT services quickly and efficiently
• The efficient use of a customer support center or help desk
• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization

GTAG – Executive Summary – 2
2.4 IT Roles and Responsibilities

Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational and technical levels should have a clear description of its roles, responsibilities and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

2.5 Analyzing Risk

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.

2.6 Monitoring and Techniques

The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to and be used by the whole organization, not just internal auditing.

2.7 IT Control Assessment

Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.

Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.
IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems and people that comprise IT infrastructures.
IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a "weak link". They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of "defense in depth", so a single weakness does not always result in a single point of failure.

Controls exist to protect stakeholder interests:
• The owner's equity
• Customer concerns such as privacy and identity
• Employees' jobs and abilities to prove they did the right thing
• Management's comfort with the assurance provided by automated processes

IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.
GTAG – Introduction – 3
They are all connected

When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the "ports" through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored and communicated.
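The sidebar's point, that a firewall rule file is a policy statement whether or not anyone wrote the policy down, can be made concrete with a small first-match packet filter and an audit check that compares the deployed rules with the documented policy. This is an added example, not code from the GTAG or from any firewall product; the rule syntax, both sample rulesets and the approved-port list are assumptions made for the illustration.

```python
# Added example (not from the GTAG): a minimal first-match packet filter plus an
# audit check comparing the deployed rules with the documented policy. The rule
# syntax, the sample rulesets and the approved-port list are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in" or "out"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    src: str                 # source prefix such as "10.10.0." or "any" (prefix match, a simplification)


# Constructed configuration file in a deliberately simple line format:
#   <action> <direction> <proto> <dst_port|any> from <src-prefix|any>
CONFIG_TEXT = """
# administrative access to the host only from the management network
allow in  tcp 22  from 10.10.0.
allow in  tcp 443 from any
allow in  tcp 80  from any
deny  in  tcp 23  from any
allow out any any from any
"""

# The same file after an undocumented "temporary" change by an administrator.
DRIFTED_CONFIG_TEXT = CONFIG_TEXT + "allow in tcp 3389 from any\n"

# The documented policy as the audit file records it: inbound TCP ports that
# management approved for exposure to any source address.
APPROVED_PUBLIC_PORTS = {80, 443}


def parse_rules(text: str) -> List[Rule]:
    """Turn the configuration text into an ordered rule list (the order is the policy)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        action, direction, proto, port, _from, src = line.split()
        dst_port = None if port == "any" else int(port)
        rules.append(Rule(action, direction, proto, dst_port, src))
    return rules


def matches(rule: Rule, direction: str, proto: str, dst_port: int, src_ip: str) -> bool:
    return (rule.direction == direction
            and rule.proto in ("any", proto)
            and rule.dst_port in (None, dst_port)
            and (rule.src == "any" or src_ip.startswith(rule.src)))


def decide(rules: List[Rule], direction: str, proto: str, dst_port: int, src_ip: str) -> str:
    """First matching rule wins; traffic that matches nothing is denied (default deny)."""
    for rule in rules:
        if matches(rule, direction, proto, dst_port, src_ip):
            return rule.action
    return "deny"


def audit_exposure(rules: List[Rule]) -> List[Rule]:
    """Detective check: inbound allow rules open to any source on a port the policy never approved."""
    return [r for r in rules
            if r.action == "allow" and r.direction == "in" and r.src == "any"
            and r.dst_port not in APPROVED_PUBLIC_PORTS]


if __name__ == "__main__":
    rules = parse_rules(CONFIG_TEXT)
    print(decide(rules, "in", "tcp", 22, "10.10.0.7"))      # allow: management network
    print(decide(rules, "in", "tcp", 22, "203.0.113.9"))    # deny: nothing matches, default deny
    print(decide(rules, "in", "tcp", 23, "10.10.0.7"))      # deny: explicit rule
    for finding in audit_exposure(parse_rules(DRIFTED_CONFIG_TEXT)):
        print("policy violation:", finding)
```

Two things an auditor should take from this: rule order is part of the policy (a later "deny" cannot undo an earlier "allow"), and the audit check is only as good as the approved-port list it compares against, which is why the documented policy has to exist somewhere other than the rule file itself.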
When CAEs review and assess the controls over IT, they should ask:
• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?
The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks and requirements change.
GTAG – Assessing IT Controls – An Overview – 4
"I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who."
– Rudyard Kipling, from "Elephant's Child" in Just So Stories

Figure 1 – The Structure of IT Auditing
COSO [1] defines internal control as "A process, effected by an organization's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"
IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions, from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them, and from automatic edits to reasonability analysis for large bodies of data.
5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.
General controls (also known as infrastructure controls) apply to all systems components, processes and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access and authentication, separation of key IT functions, management of systems acquisition and implementation, change management, backup, recovery and business continuity.
Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g. transaction initiation versus authorization), balancing of processing totals, transaction logging and error reporting.

The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective or corrective.
Preventive controls prevent errors, omissions or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls and intrusion prevention systems.
GTAG – Understanding IT Controls – 5
[1] COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the National Commission on Fraudulent Financial Reporting). See www.coso.org.
It is not necessary to know "everything" about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:
1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining and assessing the key controls related to the risks they manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2
Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source, to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions or falsification.
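The preventive, detective and corrective classification, and the application controls the guide lists alongside it (data edits, balancing of processing totals, transaction logging), are easiest to see together on one batch of records. The following is an added example, not code from the GTAG or from any application it describes; the record layout, the authorization limit, the control total and the sample data are all assumptions made for the illustration.

```python
# Added example (not from the GTAG): preventive, detective and corrective
# controls applied to a constructed batch of payment records. The record
# layout, the authorization limit, the control total and the sample data are
# assumptions; a real batch would come from the data-entry system.
import re
from typing import Dict, List

AUTH_LIMIT = 10_000.00   # assumed policy: amounts above this are reported for review

# Constructed input batch. "amount" is text on purpose: the preventive edit must
# reject alphabetic characters in a numeric field before anything is posted.
BATCH = [
    {"id": "T1", "account": "1001", "amount": "250.00",   "approver": "jsmith"},
    {"id": "T2", "account": "1002", "amount": "12O.00",   "approver": "jsmith"},  # letter O, not zero
    {"id": "T3", "account": "1003", "amount": "9500.00",  "approver": ""},        # not authorized
    {"id": "T4", "account": "1004", "amount": "48000.00", "approver": "jsmith"},  # above AUTH_LIMIT
    {"id": "T5", "account": "1005", "amount": "75.00",    "approver": "kdoe"},
]
CONTROL_TOTAL = 57_945.00   # batch total keyed by the submitting department


def preventive_edit(rec: Dict[str, str]) -> List[str]:
    """Preventive control: data-entry edits that block bad input at the source."""
    errors = []
    if not re.fullmatch(r"\d+(\.\d{1,2})?", rec["amount"]):
        errors.append("amount is not numeric")
    if not rec["approver"]:
        errors.append("missing authorization")
    return errors


def detective_review(posted: List[dict], control_total: float) -> List[str]:
    """Detective controls: limit monitoring and balancing of processing totals."""
    findings = [f"{r['id']} exceeds limit {AUTH_LIMIT:.2f}" for r in posted if r["amount"] > AUTH_LIMIT]
    total = round(sum(r["amount"] for r in posted), 2)
    if total != control_total:
        findings.append(f"batch out of balance: posted {total:.2f} vs control {control_total:.2f}")
    return findings


def process_batch(batch, control_total):
    """Run the edits, post what passes, review what was posted, and keep an audit trail."""
    posted, rejected, trail = [], [], []
    for rec in batch:
        errors = preventive_edit(rec)
        if errors:
            rejected.append((rec["id"], errors))
            trail.append(f"{rec['id']} REJECTED {'; '.join(errors)}")
            continue
        posted.append({**rec, "amount": float(rec["amount"])})
        trail.append(f"{rec['id']} POSTED {rec['amount']} approved by {rec['approver']}")
    findings = detective_review(posted, control_total)
    trail.extend(f"ALERT {f}" for f in findings)
    return posted, rejected, findings, trail


def corrective_resubmit(batch, rejected, corrections):
    """Corrective control: apply supervisor corrections only to the rejected records and
    produce a new batch that goes back through the same preventive edits (never posted directly)."""
    rejected_ids = {rid for rid, _ in rejected}
    return [{**rec, **corrections.get(rec["id"], {})} if rec["id"] in rejected_ids else rec
            for rec in batch]


if __name__ == "__main__":
    posted, rejected, findings, trail = process_batch(BATCH, CONTROL_TOTAL)
    print("\n".join(trail))
    fixed = corrective_resubmit(BATCH, rejected, {"T2": {"amount": "120.00"}, "T3": {"approver": "mlee"}})
    print(process_batch(fixed, CONTROL_TOTAL)[2])   # only the over-limit alert remains
```

Note the ordering the passage recommends: the cheap preventive edit runs first and rejects two records, the detective review then catches the limit breach and the out-of-balance batch, and the correction is itself pushed back through the same edits rather than posted by hand, so the corrective process is covered by the preventive control too.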
Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand and event-driven.

5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels, governance and management, are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.
5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by and controlled by either the entire board of directors or a board committee, in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of "noses in, fingers out". The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.
5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:
• Recognize risks to the organization, its processes and assets
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor and measure results)
5.2.3 Technical Controls

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information, including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

Figure 3 – Some Control Classifications
5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls, this page, represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.
5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.
IT policy statements include, but are not restricted to:
• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify or delete information. Without these guidelines it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster, not just the IT elements.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the US National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.
5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45). As a guideline, the CAE should expect to see standards adopted for:
• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes and processing centers.
As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.
5.3.3 Organization and Management

Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing and checking data should be separated to ensure no individual can both create an error, omission or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.
Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems (except for change deployment) and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as members of the Administrators group in Windows and the superuser (root) in UNIX can modify log entries, access any file and, in many cases, act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum. Software tools are also available, and should be considered, to limit the power and monitor the activities of individuals with privileged accounts.
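The first step in "restricting the number of individuals with this privilege" is knowing who actually holds it, which on a UNIX-like host means more than counting accounts named root: any UID 0 account and any member of a group that can become root counts. The following is an added example, not code from the GTAG or from any tool it names; the /etc/passwd and /etc/group contents, the approved administrator list and the choice of root-equivalent groups are constructed for the illustration (on Windows the same check would enumerate the local Administrators group).

```python
# Added example (not from the GTAG): enumerate who holds superuser-equivalent
# access on a UNIX-like host and compare that set with the list management
# approved. The file contents, the approved list and the choice of
# root-equivalent groups are constructed; on a real host read the actual files.
from typing import Dict, Set

PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""

GROUP_TEXT = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:carol
docker:x:998:bob
users:x:100:alice,bob,carol
"""

# Groups whose members can become root: sudo/wheel directly, docker through the
# daemon's socket (assumed configuration; adjust to the host's sudoers policy).
ROOT_EQUIVALENT_GROUPS = {"sudo", "wheel", "docker"}
APPROVED_ADMINS = {"root", "alice"}


def uid0_accounts(passwd_text: str) -> Set[str]:
    """Accounts with UID 0 (or primary GID 0): each one is a root login, whatever its name."""
    users = set()
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, *_ = line.split(":")
        if uid == "0" or gid == "0":
            users.add(name)
    return users


def group_members(group_text: str, groups: Set[str]) -> Set[str]:
    """Supplementary members of the named groups, read from /etc/group."""
    members = set()
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, member_list = line.split(":")
        if name in groups and member_list:
            members.update(member_list.split(","))
    return members


def privileged_accounts(passwd_text: str, group_text: str) -> Set[str]:
    return uid0_accounts(passwd_text) | group_members(group_text, ROOT_EQUIVALENT_GROUPS)


def audit_privileged(passwd_text: str, group_text: str, approved: Set[str]) -> Dict[str, object]:
    """Compare the actual root-equivalent accounts with the approved list."""
    actual = privileged_accounts(passwd_text, group_text)
    return {
        "count": len(actual),
        "unapproved": sorted(actual - approved),   # separation-of-duties violations to remove
        "missing": sorted(approved - actual),      # stale entries in the approved list
    }


if __name__ == "__main__":
    print(audit_privileged(PASSWD_TEXT, GROUP_TEXT, APPROVED_ADMINS))
```

In the constructed data the second UID 0 account ("toor") and the members of sudo, wheel and docker all surface as unapproved, which is the kind of finding the guide's "restrict to a minimum" control is meant to produce; the "missing" list catches the opposite error, an approved list that no longer matches reality.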
5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.
5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.
5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.
5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:
• Locating servers in locked rooms to which access is restricted
• Restricting server access to specific individuals
• Providing fire detection and suppression equipment
• Housing sensitive equipment, applications and data away from environmental hazards such as low-lying flood plains or flammable liquid stores

When considering physical and environmental security, it is also appropriate to consider contingency planning (also known as disaster recovery planning), which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.
5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration of systems software can control logical access to the applications, although some application systems contain their own access controls, which, if weaker than the system-level controls, may provide an opening for hackers to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails and apply data integrity controls through access control lists, filters and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA – United Kingdom and Ireland; Certified Information Systems Auditor (CISA), available through the Information Systems Audit and Control Association (ISACA); and Global Information Assurance Certification (GIAC) Systems and Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration and other areas closely related to IT auditing, and are useful for identifying an IT auditor's potential ability.
Some key technical controls the CAE should expect to find in a well-managed IT environment include:
• Access rights allocated and controlled according to the organization's stated policy
• Division of duties enforced through systems software and other configuration controls
• Intrusion and vulnerability assessment, prevention and detection in place and continuously monitored
• Intrusion testing performed on a regular basis
• Encryption services applied where confidentiality is a stated requirement
• Change management processes, including patch management, in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components and data
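Several of the technical controls above (access rights and division of duties enforced through systems software configuration, and configuration standards such as the CIS Benchmarks mentioned under Standards) are checked in practice by comparing a product's effective configuration with a hardening baseline. The following is an added example, not code from the GTAG or from any benchmark: it checks an OpenSSH server configuration. Both configuration texts are constructed and the baseline thresholds are this example's own choices, not quotations from a benchmark; the directive names and the values in DEFAULTS are real OpenSSH ones, and "Match" blocks are not handled, which is a simplification.

```python
# Added example (not from the GTAG): check an OpenSSH server configuration
# against a small hardening baseline. The configuration texts are constructed
# and the baseline thresholds are this example's own choices; the directive
# names and DEFAULTS are real OpenSSH ones. "Match" blocks are not handled.
from typing import Callable, Dict, List

WEAK_CONFIG = """\
# shipped with the appliance and never reviewed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
MaxAuthTries 10
LogLevel INFO
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
AllowGroups ssh-users
"""

# OpenSSH defaults that apply when a directive is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
}

# Baseline: directive -> predicate the effective value must satisfy.
BASELINE: Dict[str, Callable[[str], bool]] = {
    "permitrootlogin": lambda v: v.lower() in ("no", "prohibit-password"),
    "passwordauthentication": lambda v: v.lower() == "no",
    "permitemptypasswords": lambda v: v.lower() == "no",
    "x11forwarding": lambda v: v.lower() == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 4,
    "loglevel": lambda v: v.upper() in ("INFO", "VERBOSE"),   # enough detail for the audit trail
    "allowgroups": lambda v: bool(v),   # division of duties: only a named group may log in
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """sshd uses the first value it reads for a keyword, so later duplicates are ignored here too."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        settings.setdefault(key, value)      # keywords are case-insensitive; first one wins
    return settings


def check_config(text: str) -> List[str]:
    """Return one finding per baseline item the effective configuration fails."""
    settings = parse_sshd_config(text)
    findings = []
    for key, acceptable in BASELINE.items():
        value = settings.get(key, DEFAULTS.get(key))
        if value is None:
            findings.append(f"{key}: not set and no safe default")
        elif not acceptable(value):
            findings.append(f"{key}: '{value}' fails baseline")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_config(cfg) or "passes baseline")
```

Two details matter for the audit rather than for the code: the check must reason about the effective value (the OpenSSH default when a directive is absent, and the first occurrence when it is repeated), because a file that merely looks hardened at the bottom may be overridden by an earlier line; and a baseline item with no safe default, such as AllowGroups here, is a finding when it is missing, not only when it is wrong.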
536 Systems Development and
Acquisition Controls
Organizations rarely adopt a single methodology for all systems development projects Methodologies are chosen tosuit the particular circumstances of each project The ITauditor should assess whether or not the organization devel-ops or acquires application systems using a controlledmethod that subsequently provides effective controls overand within the applications and data they process All computer application systems should perform only thosefunctions the user requires in an efficient way By examiningapplication development procedures the auditor can gainassurance that applications work in a controlled manner
Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.
Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know that projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.
5.3.7 Application-based Controls
The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
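The five generic control types above, exercised on a constructed batch of payment records so an auditor can see where each control sits in a posting routine. This is an added example, not code from the GTAG or The IIA; the record layout, the approver list, the amount limit and the batch control header are assumptions.

```python
"""Application-control walk-through (added example, not from the GTAG).

Posts a constructed batch of payment records and exercises input,
processing, output and integrity controls plus a management trail.
Field names, limits and sample records are assumptions, not IIA material.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample batch as it might arrive from staff, a partner or a Web front end.
SAMPLE_BATCH = [
    {"id": "T001", "account": "ACC-100", "amount": 250.00, "authorized_by": "jdoe"},
    {"id": "T002", "account": "ACC-200", "amount": -15.00, "authorized_by": "jdoe"},   # out of range
    {"id": "T003", "account": "ACC-300", "amount": 1200.50, "authorized_by": ""},     # no approver
    {"id": "T004", "account": "ACC-100", "amount": 99.99, "authorized_by": "asmith"},
]
# Constructed control header the sending system is assumed to attach to the batch.
SAMPLE_HEADER = {"record_count": 4, "control_total": 1535.49}

MAX_AMOUNT = 10_000.00            # assumed policy limit for a single payment
APPROVERS = {"jdoe", "asmith"}    # assumed set of staff allowed to authorize


@dataclass
class PostingResult:
    posted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)
    ledger: dict = field(default_factory=dict)
    trail: list = field(default_factory=list)   # management (audit) trail
    digest: str = ""                            # integrity digest of the ledger


def validate_input(rec):
    """Input control: each field is checked against its stated parameters.
    Returns a list of error strings; an empty list means the record is acceptable."""
    errors = []
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or not 0 < amount <= MAX_AMOUNT:
        errors.append("amount outside permitted range")
    if rec.get("authorized_by") not in APPROVERS:
        errors.append("not authorized by a known approver")
    if not str(rec.get("account", "")).startswith("ACC-"):
        errors.append("malformed account identifier")
    return errors


def batch_header_matches(batch, header):
    """Processing control: record count and control total must agree with the
    header, so dropped, duplicated or altered records are detected."""
    count_ok = len(batch) == header["record_count"]
    total_ok = round(sum(r["amount"] for r in batch), 2) == header["control_total"]
    return count_ok and total_ok


def ledger_digest(ledger):
    """Integrity control: deterministic hash of the stored ledger, recomputed
    later to detect silent corruption or unlogged changes."""
    return hashlib.sha256(json.dumps(ledger, sort_keys=True).encode()).hexdigest()


def post_batch(batch, header):
    """Apply the controls in order and record every decision in the trail."""
    result = PostingResult()
    if not batch_header_matches(batch, header):
        result.trail.append({"event": "batch_rejected", "reason": "control totals mismatch"})
        return result
    for rec in batch:
        errors = validate_input(rec)
        if errors:
            result.rejected.append({"id": rec["id"], "errors": errors})
            result.trail.append({"event": "rejected", "id": rec["id"], "errors": errors})
            continue
        acct = rec["account"]
        result.ledger[acct] = round(result.ledger.get(acct, 0.0) + rec["amount"], 2)
        result.posted.append(rec)
        result.trail.append({"event": "posted", "id": rec["id"],
                             "account": acct, "amount": rec["amount"]})
    # Output control: what reached the ledger must reconcile to the accepted input.
    accepted_total = round(sum(r["amount"] for r in result.posted), 2)
    stored_total = round(sum(result.ledger.values()), 2)
    result.trail.append({"event": "output_reconciled", "accepted_total": accepted_total,
                         "stored_total": stored_total, "ok": accepted_total == stored_total})
    result.digest = ledger_digest(result.ledger)
    return result


def ledger_intact(ledger, expected_digest):
    """Integrity check run against the stored ledger at any later time."""
    return ledger_digest(ledger) == expected_digest


def trace(trail, txn_id):
    """Management trail: follow one source transaction forward to its outcome."""
    return [e for e in trail if e.get("id") == txn_id]


if __name__ == "__main__":
    res = post_batch(SAMPLE_BATCH, SAMPLE_HEADER)
    print("posted:", [r["id"] for r in res.posted], "rejected:", [r["id"] for r in res.rejected])
    print("ledger:", res.ledger, "intact:", ledger_intact(res.ledger, res.digest))
    print("trail for T002:", trace(res.trail, "T002"))
```

Two records are rejected by the input control, the batch is accepted by the processing control, and the trail lets each outcome be traced back to its source record.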
GTAG — Understanding IT Controls — 5
5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.
5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002,[2] the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that gives an organization the ability to manage disruptions seamlessly.
Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).
Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.
Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.
GTAG — Importance of IT Controls — 6
[2] Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.
GTAG — IT Roles in the Organization — 7
Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.
• To protect stakeholder interests.
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.
• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.
7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.
• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.
7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.
• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.
• Overseeing the overall assessment of IT controls.
• Reviewing the business and control issues related to new systems development and acquisition.
• Examining internal and external audit plans and work to ensure IT topics are covered adequately.
• Reviewing the results of audit work and monitoring the resolution of issues raised.
• Understanding the IT topics that impact ethics monitoring.
7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.
7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.
• Assess board committees' performance in terms of their oversight of IT.
• Review any external regulatory governance assessments in relation to IT topics.
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.
7.1.4 Risk Management Committee
The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:
• Assessing the extent to which management has established effective enterprise risk management in the organization.
• Being aware of, and concurring with, the organization's risk appetite and tolerance.
• Appreciating the impact of IT-related risks.
• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.
• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.
7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.
7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.
7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.
• Act as custodian over the organization's critical success factors in relation to IT.
• Understand and approve the short-term and long-range strategy for IT.
• Approve IT resources for the organization, including structure and oversight/monitoring.
• Determine IT issues for periodic management, board, and staff discussion.
• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.
7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:
• The total cost of ownership for IT initiatives.
• The entity's IT strategies for remaining technologically competitive.
• The technologies used to implement financial applications.
• The operation of specific financial applications.
• The limitations and benefits of IT.
• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced in the Equity Funding cases in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.
7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.
• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.
• Design, implement, and maintain an IT internal control framework.
• Plan, source, and control IT resources.
• Explore, assess, select, and implement technology advances (e.g., wireless communications).
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
• Operate as the highest-level data/system custodian and IT control owner.
• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
  – Developing all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.
7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.
• Acts as a key link between the compliance, legal, CIO, and audit functions.
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.
• Is responsible for business continuity planning, including incident handling and disaster recovery.
• Ensures that security staff provide support for implementing controls at all levels.
• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.
7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.
• Ensures alignment of information security and business objectives.
• Manages operational information risks throughout the organization.
• Oversees security within the IT organization.
• Provides education and awareness on information security issues and new best practices.
• Develops end-user policies for the usage of IT information in conjunction with the human resources function.
• Coordinates information security work with the chief risk officer (CRO) and CIO.
• Advises the CEO, CRO, CIO, and board on IT risk issues.
• Acts as a key link for the CAE when internal auditing performs IT control-related audits.
7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.
• Ensuring financial reports and presentations comply with laws and regulations.
• Understanding IT legal issues and advising on legal risks related to IT.
• Managing organizational reputation in relation to legal issues, compliance, and public relations.
• Understanding fraud involving IT.
• Managing IT contractual issues.
• Understanding investigative forensics protocols regarding suspected criminal activity.
7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.
• Assessment of IT events such as interruptions, disasters, and changes.
• Analysis and assessment of business risk as it is affected by IT risk.
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.
7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.
• Ensuring IT is included in the audit universe and annual plan (selecting topics).
• Ensuring IT risks are considered when assigning resources and priorities to audit activities.
• Defining IT resources needed by the internal audit department, including specialized training of audit staff.
• Ensuring that audit planning considers IT issues for each audit.
• Liaising with audit clients to determine what they want or need to know.
• Performing IT risk assessments.
• Determining what constitutes reliable and verifiable evidence.
• Performing IT enterprise-level controls audits.
• Performing IT general controls audits.
• Performing IT applications controls audits.
• Performing specialist technical IT controls audits.
• Making effective and efficient use of IT to assist the audit processes.
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.
7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.
• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.
[3] These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).
8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO[3] as:

"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.
• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.
8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.
• The organization's risk appetite and tolerance for each business function and process.
• IT risks faced by the organization and quality of service provided to its users.
• The complexity of the IT infrastructure.
• The appropriate IT controls and the benefits they provide.
• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.
8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveals potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.
GTAG — Analyzing Risk — 8
15
8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them or their representatives should be involved, along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:

• What are the assets at risk, and the value of their confidentiality, integrity, and availability?
• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task, due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality.
• Utility – cost in the event of a loss of integrity.
• Cost of creation/re-creation.
• Liability in the event of litigation.
• Convertibility/negotiability – represents market value.
• Operational impact of unavailability.

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject. See Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.
8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence is low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as periodically reviewing the risk to ensure its impact remains low.
• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.
• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
16
8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls, because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies — including for IT controls — exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure equipment and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist, and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf.
Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
17
9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to and be used by the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).
The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 – COSO Model for Technology Controls

18
9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows:

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.
• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.
• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.
• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.
Suitable Recognized Framework

"…the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003
19
10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.
• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.
• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.

10.2.1 Automated Continuous Monitoring
Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

20

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor, as well as the business world's recognition of the importance of effective information security management.
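As an added illustration of the checks described in sections 10.2 and 10.2.1 above (example code written for this page, not software from the IIA or any product named in this guide), the following Python routine checks a constructed journal-entry feed against predetermined criteria, exercises the same preventive control with a test deck of valid and invalid items, and counts alerts at several large-value thresholds to show the threshold-tuning problem the text mentions. Every record id, user name, the approver list, and the amount and business-hours limits are made-up assumptions.

```python
"""Continuous-monitoring check over a constructed journal-entry feed.

Added illustration: records are checked against predetermined criteria
(section 10.2.1), the preventive control is exercised with a test deck of
valid and invalid items (section 10.2), and alert volume is counted at
several large-value thresholds to show the tuning problem the text mentions.
Every record, user name and limit below is made up for the example.
"""
from dataclasses import dataclass
from datetime import datetime

# Predetermined criteria (assumed values; a real policy sets its own).
LARGE_VALUE_LIMIT = 10_000.00        # amount at or above which an entry is routed for review
BUSINESS_HOURS = range(8, 18)        # 08:00 to 17:59 local time
APPROVERS = {"dlee", "mroy"}         # users authorized to approve entries (constructed)


@dataclass(frozen=True)
class Entry:
    entry_id: str
    posted_at: datetime
    amount: float
    posted_by: str
    approved_by: str


def parse_feed(text):
    """Parse the constructed pipe-delimited feed: id|ISO timestamp|amount|poster|approver."""
    entries = []
    for line in text.strip().splitlines():
        eid, ts, amount, poster, approver = [f.strip() for f in line.split("|")]
        entries.append(Entry(eid, datetime.fromisoformat(ts), float(amount), poster, approver))
    return entries


def validate(e):
    """Preventive control: reasons an entry must be rejected (empty list means accepted)."""
    reasons = []
    if e.amount <= 0:
        reasons.append("non-positive amount")
    if e.approved_by not in APPROVERS:
        reasons.append("approver not authorized")
    if e.posted_by == e.approved_by:
        reasons.append("poster approved own entry")
    return reasons


def review_flags(e, large_value_limit=LARGE_VALUE_LIMIT):
    """Detective criteria: conditions that route an entry for event-driven review."""
    flags = []
    if e.amount >= large_value_limit:
        flags.append("large-value transaction")
    if e.posted_at.hour not in BUSINESS_HOURS:
        flags.append("posted outside business hours")
    return flags


def monitor(entries, large_value_limit=LARGE_VALUE_LIMIT):
    """Report {entry_id: {"reject": [...], "review": [...]}} for entries needing attention."""
    report = {}
    for e in entries:
        result = {"reject": validate(e), "review": review_flags(e, large_value_limit)}
        if result["reject"] or result["review"]:
            report[e.entry_id] = result
    return report


def alert_count_by_threshold(entries, thresholds):
    """Number of entries raising any alert at each large-value threshold (tuning aid)."""
    return {t: len(monitor(entries, t)) for t in thresholds}


# Constructed feed, not real data.
SAMPLE_FEED = """
J001|2024-03-04T09:15:00| 2500.00|asmith|dlee
J002|2024-03-04T10:40:00|15000.00|asmith|mroy
J003|2024-03-04T23:05:00|  800.00|bjones|dlee
J004|2024-03-05T11:00:00| 1200.00|dlee|dlee
J005|2024-03-05T14:30:00|  -50.00|asmith|mroy
J006|2024-03-05T15:10:00|  420.00|bjones|cwang
"""

# Test deck for the preventive control (section 10.2): expected verdict per constructed item.
TEST_DECK = [
    (Entry("T1", datetime(2024, 3, 6, 9, 0), 100.0, "asmith", "dlee"), True),     # valid
    (Entry("T2", datetime(2024, 3, 6, 9, 0), 50000.0, "asmith", "dlee"), True),   # large but valid
    (Entry("T3", datetime(2024, 3, 6, 9, 0), 100.0, "asmith", "asmith"), False),  # self-approval
    (Entry("T4", datetime(2024, 3, 6, 9, 0), 100.0, "asmith", "cwang"), False),   # unauthorized approver
    (Entry("T5", datetime(2024, 3, 6, 9, 0), 0.0, "asmith", "dlee"), False),      # zero amount
]


def run_test_deck(deck=TEST_DECK):
    """Ids where the control's accept/reject verdict differs from what the deck expects."""
    return [e.entry_id for e, should_accept in deck if (validate(e) == []) != should_accept]


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for eid, result in monitor(feed).items():
        print(eid, result)
    print("alerts by threshold:", alert_count_by_threshold(feed, [1000, 5000, 10000, 20000]))
    print("test deck failures:", run_test_deck())
```

Run stand-alone, it lists the five flagged entries with the criteria each breached, shows the alert count falling from six to four as the large-value threshold rises from 1,000 to 20,000 (the tuning trade-off section 10.2.1 describes), and reports an empty list of test-deck failures; a non-empty list would mean the preventive control no longer accepts valid data or rejects invalid items, which is exactly the condition section 10.2 asks the auditor to detect.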
10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting: Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can impact controls at the governance level materially.

Audit Report Summaries: Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.
Figure 6 – Audit Interfaces
21
Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors, in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.
22
GTAG — Conclusion — 11
Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.

12.2 Management

• Establish information security management policies and controls, and monitor compliance.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program, with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management
23
GTAG mdash Appendix A mdash Information Security Program Elements mdash 12
GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

There is an increasing volume of legislation impacting the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002
Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls
The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802
These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201
This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301
Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404
Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

They must disclose:
• "All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize, and report financial data, and identify for the issuer's auditors any material weaknesses in internal controls."
• "Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls."

Section 404 requires the CEO and CFO to produce an annual audit report that:
• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409
Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord
The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance, and supplier management.

A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:
• Senior management is actively involved.
• The bank has an OR management system, processes, policies, and procedures enterprisewide.
• The bank has the right governance and sufficient resources to manage operational risks.
• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework.
  – Codifying policies, procedures, and controls.
  – Designing and implementing an OR measurement methodology.
  – Designing and implementing an OR management reporting system.
  – Developing strategies to identify, measure, monitor, and control or mitigate OR.
• An OR measurement system is closely integrated into the day-to-day risk management process.
• The OR exposures and loss experiences are regularly reported.
• The OR management system is documented.
• Internal and external auditors regularly review the OR management processes and measurement system.

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider such as the Zurich-based ORX Global Operational Loss Database (GOLD) or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:
• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank).
• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.
• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:
• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection
The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C (80) 58 final). Regional bodies like the Council of Europe (Data Protection Convention 108/1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999
The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA) 1996
HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)
California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.

13.7 Global National Regulations
Many countries have national regulations covering internal control, including Germany (KonTraG risk management requirement) and France (LSF internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.
GTAG — Appendix C — Three Categories of IT Knowledge for Internal Auditors — 14

14.1 Auditor Knowledge Considerations
Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.⁴ Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.

14.1.1 Category 1 – All Auditors
Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors
Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:
• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence — including IT proficiency — for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.

14.1.3 Category 3 – Technical IT Audit Specialists
Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

4. Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.
GTAG mdash Appendix D mdash Compliance Frameworks mdash 15
29
151 COSOFormed in 1985 COSO is an independent private-sectorinitiative that studied the factors that can lead to fraudulentfinancial reporting and developed recommendations forpublic companies and their independent auditors the SECand other regulators and educational institutions COSOproduced the Internal Control ndash Integrated FrameworkAppendix E (See page 36) a widely accepted tool for bothmanagement and auditors in September 2004 and it published Enterprise Risk Management ndash Integrated Frameworkin fall 2004 Details of both frameworks can be found athttpwwwcosoorg
152 CICA CoCoThe Canadian Institute of Chartered Accountants (CICA)produced the Criteria of Control Framework (CoCo) in 1992to address public and institutional concerns that the tradi-tional view of control was no longer effective in preventingcorporate failures The mission of CoCo is to improve orga-nizational performance and decision making through betterunderstanding of control risk and governance Moreoverthe framework provides a basis for making judgments aboutthe effectiveness of control
In 1995 Guidance on Control was produced whichdescribes the CoCo framework and defines control in a waythat goes beyond the traditional internal control over finan-cial reporting The CoCo model is a way of focusing on thefuture of an organization to ensure it is in control by havinga clear sense of shared purpose collective commitment toachieve that purpose the resources it needs to do the joband the ability to learn from experience
153 CICA IT Control GuidelinesThe IT Control Guidelines published by the CICA is a reference source for evaluating IT controls It is organized ina manner that is easy to use and written in straightforwardbusiness language
154 ITGI Control Objectives for Information and Related Technology (CobiT)
Established in 1998 the IT Governance Institute (ITGI)provides guidance on current and future issues related to ITgovernance security and assurance The ITGIrsquos leadingguidance publication is Control Objectives for InformationTechnology (CobiT) (See Appendix F) ITGIrsquos CobiT pro-vides a reference framework and common language acrossthe entire information systems life cycle for IS and businessleaders and IS audit control and security practitionersCobiT is one of the most popular and internationally accept-ed set of guidance materials for IT governance
155 ISO 17799 (Code of Practice for Information Security Management)
ISOIEC 177992000(E) promulgated by the InternationalOrganization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) definesinformation security principles that ultimately can provideassurance to trading partners and regulators that an organi-zationrsquos information is protected properly Derived from theBritish Standards Institutionrsquos BS 7799 standard the Codeof Practice for Information Security Management is builtaround specific security elements required within 10 areasincluding physical and environmental security communica-tion and operational management and access controlAlthough as a code of practice ISOIEC 177992000 provides guidance and recommendations it is not intendedto be a specification and care should be taken to ensure thatclaims of compliance are not misleading
The original BS 7799 standard has two parts bull Part 1 is the Code of Practice and is identical to
ISOIEC 177992000 bull Part 2 is a specification for implementing an
information security management system (ISMS) To comply with BS 7799 Part 2 (BS 7799-22002) an organizationrsquos installed ISMS must conform to the set ofrequirements described in the standard which are in theform of shall statements Third-party bodies have beenaccredited to certify or register organizations to BS 7799-22002
1551 What Is Information Security
BS 7799 treats information as an asset which like otherimportant business assets has value to an organization andconsequently needs to be protected Information securityprotects information from a wide range of threats to ensurebusiness continuity minimize business damage and maxi-mize return on investments and business opportunities
Information can exist in many forms printed or writtenon paper stored electronically transmitted by post or usingelectronic means shown on films or spoken in conversa-tion Whatever form the information takes or means bywhich it is shared or stored BS 7799 indicates that it alwaysshould be protected appropriately
Information security is characterized within BS 7799 asthe preservation of
bull Confidentiality ndash ensuring that information is accessible only to those authorized to have access
bull Integrity ndash safeguarding the accuracy and complete-ness of information and processing methods
bull Availability ndash ensuring that authorized users haveaccess to information and associated assets whenrequired
Information security is achieved by implementing a suitableset of controls from BS 7799 which could be policies prac-tices procedures organizational structures and softwarefunctions These controls should be established to ensure thespecific security objectives of the organization are met
1552 How to Establish Security Requirements
BS 7799 states that it is essential that an organization
GTAG mdash Appendix D mdash Compliance Frameworks mdash 15
30
identify its security requirements There are three mainsources
bull Assessing risks to the organization BS 7799 does notprescribe a methodology
bull The legal statutory regulatory and contractualrequirements that an organization its trading partners contractors and service providers haveto satisfy
bull The particular set of principles objectives andrequirements for information processing that anorganization has developed to support its operations
1553 Assessing Security Risks
BS 7799 suggests that security requirements be identified bya methodical assessment of security risks Expenditure oncontrols should be balanced against the business harm likelyto result from security failures The process of assessing risksand selecting controls may need to be performed a numberof times to cover different parts of the organization or indi-vidual information systems and it is important to reviewsecurity risks and implemented controls periodically
1554 Selecting Controls
Once security requirements have been identified controlsfrom BS 7799 should be selected and implemented to ensurerisks are reduced to an acceptable level Controls should beselected based on the cost of implementation in relation tothe risks being reduced and the potential losses if a securitybreach occurs Nonmonetary factors such as loss of reputa-tion should also be taken into account For more informa-tion on BS 7799 see httpwwwbs7799-iso17799com
1555 Topics Addressed in BS 7799
1 Scope2 Terms and definitions3 Security policy
31 Information security policy document32 Review and evaluation
4 Security organization41 Information security infrastructure42 Security of third-party access43 Outsourcing
5 Asset classification and control51 Accountability for assets52 Information classification
6 Personnel security61 Security in job definition and resourcing62 User training63 Responding to security incidents and malfunctions
7 Physical and environmental security71 Secure areas72 Equipment security73 General control
8 Communications and operations management
81 Operational procedures and responsibilities82 System planning and acceptance83 Protection against malicious software84 Housekeeping85 Network management86 Media handling and security87 Exchanges of information and software
9 Access control91 Business requirement for access control92 User access management93 User responsibilities94 Network access control95 Operating system access control96 Application access control97 Monitoring system access and use98 Mobile computing and teleworking
10 Systems development and maintenance101 Security requirements of systems102 Security in application systems103 Cryptographic controls104 Security of system file105 Security in development and support processes
11 Business continuity management111 Business continuity management process
12 Compliance121 Compliance with legal requirements122 Reviews of security policy and technical compliance123 System audit considerations
156 ISF Standard of Good Practice for Information Security
The Information Security Forum (ISF) Standard of GoodPractice for Information Security aims at managing the risksassociated with every aspect of information systems irre-spective of an organizationrsquos market sector size or structureThe standard prepared by ISFrsquos global working groups is apublicly available document split into five key areas securi-ty management critical business applications computerinstallations networks and systems development For moreinformation and details see httpwwwisfsecuritystandardcom
15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:

GTAG — Appendix D — Compliance Frameworks — 15

• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).
• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.
15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know — including but not limited to information owners and information security practitioners — should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.
• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of, and threats to, the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management
• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks, with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.
15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter, and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies[5] relevant to the particular principle.
• Communications – The organization has communicated its defined policies to authorized users.
• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.
15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.
15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.
Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

[5] The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.
[6] Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.
15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception, and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction, and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services in the correct quantity and price by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
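The four properties the processing integrity principle names (completeness, accuracy, timeliness, authorization) can each be expressed as a re-runnable check over a batch of transactions. The following is an added example, not code or text from the GTAG; the transactions, the approval limits per role, and the batch control totals are constructed assumptions.

```python
"""Processing-integrity checks over a constructed batch of transactions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from hashlib import sha256
from typing import Optional

# Constructed approval matrix (an assumption, not from the GTAG): the largest
# amount each role is permitted to approve.
APPROVAL_LIMITS = {"clerk": 1_000, "manager": 10_000, "director": float("inf")}


@dataclass
class Txn:
    txn_id: str
    amount: int                      # whole currency units
    submitted: datetime
    approver_role: str
    processed: Optional[datetime] = None
    # Fingerprint of the key fields taken at submission time; recomputed after
    # processing to show the fields were not altered in flight (accuracy).
    key_hash: str = field(init=False)

    def __post_init__(self) -> None:
        self.key_hash = self.fingerprint()

    def fingerprint(self) -> str:
        return sha256(f"{self.txn_id}|{self.amount}".encode()).hexdigest()


@dataclass
class BatchControl:
    """Control totals and the committed processing window sent with the batch."""
    expected_count: int
    expected_amount: int
    sla: timedelta


def check_processing_integrity(batch, control):
    """Return findings keyed by property; an empty list means the property held."""
    findings = {"completeness": [], "accuracy": [], "timeliness": [], "authorization": []}
    unique = {}

    for t in batch:
        # Completeness: each transaction processed exactly once, none left unprocessed.
        if t.txn_id in unique:
            findings["completeness"].append(f"{t.txn_id}: processed more than once")
            continue
        unique[t.txn_id] = t
        if t.processed is None:
            findings["completeness"].append(f"{t.txn_id}: not processed")
            continue
        # Accuracy: key fields unchanged since submission.
        if t.fingerprint() != t.key_hash:
            findings["accuracy"].append(f"{t.txn_id}: key fields changed after submission")
        # Timeliness: processed within the committed window.
        if t.processed - t.submitted > control.sla:
            findings["timeliness"].append(
                f"{t.txn_id}: took {t.processed - t.submitted}, commitment {control.sla}")
        # Authorization: the approver's role permits an amount this large.
        if t.amount > APPROVAL_LIMITS.get(t.approver_role, 0):
            findings["authorization"].append(
                f"{t.txn_id}: role {t.approver_role} may not approve {t.amount}")

    # Batch-level reconciliation against the submitter's control totals.
    if len(unique) != control.expected_count:
        findings["completeness"].append(
            f"batch count {len(unique)} != control total {control.expected_count}")
    total = sum(t.amount for t in unique.values())
    if total != control.expected_amount:
        findings["accuracy"].append(
            f"batch amount {total} != control total {control.expected_amount}")
    return findings


def is_clean(findings) -> bool:
    return not any(findings.values())


def sample_batch():
    """Constructed batch: one clean transaction plus one failure per property."""
    t0 = datetime(2005, 3, 1, 9, 0)
    ok = Txn("T1", 500, t0, "clerk", processed=t0 + timedelta(hours=1))
    dup = Txn("T2", 2_500, t0, "manager", processed=t0 + timedelta(hours=2))
    late = Txn("T3", 50_000, t0, "director", processed=t0 + timedelta(days=3))
    over = Txn("T4", 5_000, t0, "clerk", processed=t0 + timedelta(hours=1))
    tampered = Txn("T5", 700, t0, "manager", processed=t0 + timedelta(hours=1))
    tampered.amount = 7_000          # altered after submission; fingerprint no longer matches
    batch = [ok, dup, dup, late, over, tampered]   # T2 appears twice
    control = BatchControl(expected_count=5,
                           expected_amount=500 + 2_500 + 50_000 + 5_000 + 700,
                           sla=timedelta(days=1))
    return batch, control


if __name__ == "__main__":
    for prop, items in check_processing_integrity(*sample_batch()).items():
        print(prop, items or "OK")
```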
15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components[6] and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:

• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
• Collection – The organization collects personal information only for the purposes identified in the notice.
• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.
• Access – The organization provides individuals with access to their personal information for review and update.
• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security – The organization protects personal information against unauthorized access, both physical and logical.
• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.
15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed

The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.
15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle management, business, and information privacy practices, and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.
15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.
15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society
GTAG — Appendix E — Assessing IT Controls Using COSO — 16

The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.
16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.
16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.
16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.
GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17

Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of business objectives.
1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality
Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed, or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain, to make sure that the life cycle is continued for these systems.
12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes
Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.
18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations
Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.
31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit
This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.
CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise.
• The CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.
• Control objectives: statements of the desired results or purposes to be achieved by implementing the specific, detailed control objectives.
• Audit guidelines: suggested audit steps corresponding to each of the IT control objectives.
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources.
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control, critical success factors to identify the most important actions for achieving control over the IT processes, key goal indicators to define target levels of performance, and key performance indicators to measure whether an IT control process is meeting its objective.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.

GTAG – Appendix F – ITGI Control Objectives for Information and Related Technology (CobiT) – 17
Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of COBIT may be downloaded from http://www.itgi.org and http://www.isaca.org.
CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.
GTAG – Appendix G – Example IT Control Metrics to Be Considered by Audit Committees – 18

The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report [7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.
The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.
These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.
The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.
18.1 Metrics for Boards of Directors/Trustees
Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric, higher or lower, to be self-evident.
• Oversee risk management and compliance programs pertaining to information security.
  - Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  - Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  - Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means.
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
  - Percentage of information security program principles for which approved policies and controls have been implemented by management.
  - Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified.
• Strive to protect the interests of all stakeholders who depend on information security.
  - Percentage of board meetings and/or designated committee meetings for which information security is on the agenda.
  - Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders.
  - Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods.
• Review information security policies regarding strategic partners and other third parties.
  - Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements.
• Strive to ensure business continuity.
  - Percentage of organizational units with an established business-continuity plan.
• Review provisions for internal and external audits of the information security program.
  - Percentage of required internal and external audits completed and reviewed by the board.
  - Percentage of audit findings that have not been resolved.
• Collaborate with management to specify the information security metrics to be reported to the board.
[7] http://reform.house.gov/TIPRC

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.
• Establish information security management policies and controls, and monitor compliance.
  - Percentage of information security program elements for which approved policies and controls are operational.
  - Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls.
  - Percentage of information security policy compliance reviews that noted violations.
  - Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges.
  - Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access.
  - Percentage of employees who have completed periodic security-awareness refresher training as required by policy.
  - Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff/system users
  - Percentage of job performance reviews that evaluate information security responsibilities and policy compliance.
  - Percentage of user roles, systems, and applications that comply with the separation-of-duties principle.
  - Number of individuals with access to security software who are not trained and authorized security administrators.
  - Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators.
  - Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  - Percentage of users who have undergone background checks.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
  - Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy.
  - Percentage of critical assets and functions for which the cost of compromise (loss, damage, disclosure, or disruption of access) has been quantified.
  - Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy.
• Ensure implementation of information security requirements for strategic partners and other third parties.
  - Percentage of known information security risks that are related to third-party relationships.
  - Percentage of critical information assets or functions to which third-party personnel have been given access.
  - Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy.
  - Percentage of systems with critical information assets or functions that are connected to third-party systems electronically.
  - Percentage of security incidents that involve third-party personnel.
  - Percentage of third-party agreements that include or demonstrate external verification of policies and procedures.
  - Percentage of third-party relationships that have been reviewed for compliance with information security requirements.
  - Percentage of out-of-compliance review findings that have been corrected since the last review.
• Identify and classify information assets.
  - Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy.
  - Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy.
  - Date when the asset inventory was last updated.
• Implement and test business-continuity plans.
  - Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned.
  - Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
  - Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately.
  - Percentage of system architecture changes (additions, modifications, or deletions) that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms.
  - Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture.
• Protect the physical environment.
  - Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media.
  - Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented.
  - Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding.
  - Percentage of servers in locations with controlled physical access.
  - Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule.
  - Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule.
  - Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness.
• Collaborate with security personnel to specify the information security metrics to be reported to management.
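Several of the management metrics above are ratios over the organization's own access-review records, and they are only reportable if someone actually computes them from data. The following Python is an added example, not code from the GTAG or the CISWG report, showing how four of them can be derived from a constructed access-review dataset: privilege-review coverage per user category, compliance with the separation-of-duties principle against a constructed conflict matrix, the count of individuals who can assign privileges without being authorized security administrators, and new hires who completed awareness training before network access. The data model, role names, period dates and sample users are all assumptions made for the example.

```python
"""Compute a few CISWG "Metrics for Management" from an access-review dataset.
Added example; the data model and the sample records are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed separation-of-duties matrix: no single user may hold both roles of a pair.
SOD_CONFLICTS = {
    frozenset({"ap_entry", "ap_approve"}),      # enter a payment and approve it
    frozenset({"dev", "prod_deploy"}),          # write code and push it to production
    frozenset({"user_admin", "security_audit"}),  # administer accounts and audit them
}


@dataclass
class User:
    uid: str
    category: str  # privileged | employee | contractor | vendor | terminated (assumed labels)
    roles: Set[str] = field(default_factory=set)
    last_access_review: Optional[date] = None
    can_assign_privileges: bool = False
    authorized_security_admin: bool = False
    hire_date: Optional[date] = None
    training_completed: Optional[date] = None
    network_access_granted: Optional[date] = None


def pct(numerator: int, denominator: int) -> Optional[float]:
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else None


def review_coverage(users: List[User], start: date, end: date) -> Dict[str, Optional[float]]:
    """Percentage of users whose privileges were reviewed within [start, end], per category."""
    def reviewed(u: User) -> bool:
        return u.last_access_review is not None and start <= u.last_access_review <= end

    by_cat: Dict[str, List[User]] = {}
    for u in users:
        by_cat.setdefault(u.category, []).append(u)
    result = {cat: pct(sum(reviewed(u) for u in us), len(us)) for cat, us in by_cat.items()}
    result["all"] = pct(sum(reviewed(u) for u in users), len(users))
    return result


def sod_violators(users: List[User]) -> List[str]:
    """Users holding at least one conflicting pair of roles."""
    return sorted(u.uid for u in users if any(pair <= u.roles for pair in SOD_CONFLICTS))


def sod_compliance_pct(users: List[User]) -> Optional[float]:
    """Percentage of users whose role set contains no conflicting pair."""
    bad = set(sod_violators(users))
    return pct(sum(u.uid not in bad for u in users), len(users))


def unauthorized_privilege_assigners(users: List[User]) -> List[str]:
    """Individuals able to assign privileges who are not trained, authorized administrators."""
    return sorted(u.uid for u in users
                  if u.can_assign_privileges and not u.authorized_security_admin)


def new_hire_training_pct(users: List[User], start: date, end: date) -> Optional[float]:
    """New hires this period who finished awareness training before network access."""
    hires = [u for u in users if u.hire_date is not None and start <= u.hire_date <= end]
    ok = sum(u.training_completed is not None and u.network_access_granted is not None
             and u.training_completed <= u.network_access_granted for u in hires)
    return pct(ok, len(hires))


def management_report(users: List[User], start: date, end: date) -> dict:
    """Bundle the four metrics for one reporting period."""
    return {
        "review_coverage": review_coverage(users, start, end),
        "sod_violators": sod_violators(users),
        "sod_compliance_pct": sod_compliance_pct(users),
        "unauthorized_privilege_assigners": unauthorized_privilege_assigners(users),
        "new_hire_training_pct": new_hire_training_pct(users, start, end),
    }


# Constructed sample records for one quarterly reporting period.
PERIOD_START, PERIOD_END = date(2004, 7, 1), date(2004, 9, 30)
SAMPLE_USERS = [
    User("alice", "privileged", {"dev", "prod_deploy"}, date(2004, 8, 10), True, True),
    User("bob", "privileged", {"sysadmin"}, date(2004, 3, 1), True, False),  # stale review
    User("carol", "employee", {"ap_entry", "ap_approve"}, date(2004, 9, 15),
         hire_date=date(2004, 7, 15), training_completed=date(2004, 7, 20),
         network_access_granted=date(2004, 7, 22)),
    User("dan", "employee", {"ap_entry"}, None, hire_date=date(2004, 8, 1),
         training_completed=date(2004, 8, 30), network_access_granted=date(2004, 8, 2)),
    User("eve", "contractor", {"dev"}, date(2004, 9, 1), True, False),
    User("frank", "vendor", {"support"}),
    User("grace", "terminated", set(), date(2004, 9, 20)),
    User("hank", "employee", {"dev"}, date(2004, 9, 2), hire_date=date(2004, 9, 10),
         network_access_granted=date(2004, 9, 11)),  # no training record at all
]

if __name__ == "__main__":
    for name, value in management_report(SAMPLE_USERS, PERIOD_START, PERIOD_END).items():
        print(f"{name}: {value}")
```

The denominators matter as much as the numerators: `pct` returns None rather than 100 percent when a category is empty, so a report cannot show full coverage for a population that was never measured, and the separation-of-duties check is expressed as a subset test against an explicit conflict matrix so that the auditor can see exactly which pairs are being enforced.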
GTAG – Appendix H – CAE Checklist – 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards
2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance
3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal audit
      ii. External audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?
4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls
5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing
6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?
GTAG – Appendix I – References – 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, and the Government Reform Committee of the U.S. House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management, and technical issues.
20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: three-report series from The IIA, National Association of Corporate Directors (NACD), U.S. Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report - Internal Control - Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896
20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices
20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html
ISO 15408, Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org
20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), U.S. Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC
GTAG – Appendix J – Glossary – 21

A listing of technical terms used in the guide, with a simple, plain-English definition.
Application control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org

CRM – Customer resource management

CSO – Chief security officer

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and by resolving the source of the problem rather than only responding to the symptoms.
Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – U.S. Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – U.S. Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org

Public Company Accounting Oversight Board (PCAOB) – A board of the U.S. Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can adversely affect the confidentiality, integrity, or availability of an organization's information assets.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
GTAG – Appendix K – About the Global Technology Audit Guides – 22
This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts, and issues sufficiently to explain business opportunities, risks, and related controls, and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.
22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical, audit, and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.
231 IT Controls Advisory CouncilThe Advisory Council is made up of individuals who con-tributed to the development of this guide from the outset ofplanning the GTAG project through design and develop-ment of the IT Controls Guide outline and various drafts tothe completion of the final product These individuals wentbeyond the role of a volunteer support team to truly act in aleadership role
Julia H Allen CMU/SEI Carnegie Mellon University Software Engineering Institute
Michael R Dickson Business Technology Group LLC
Clint Kreitner President/CEO CIS The Center for Internet Security
Alex Lajoux NACD National Association of Corporate Directors
Will Ozier Vice Chair the ISSA GAIS Committee CEO & President OPA Inc The Integrated Risk Management Group USA
Mark Salamasick CIA University of Texas at Dallas
Karyn Waller AICPA American Institute of Certified Public Accountants
23.2 Partner Organizations
AICPA – Michael R Dickson Karyn Waller American Institute of Certified Public Accountants
CIS ndash Clint Kreitner Center for Internet Security
CMU/SEI – Julia Allen Bob Rosenstein Carnegie Mellon University Software Engineering Institute
ISSA – Dave Cullinane President Bob Daniels Exec Vice President Information Systems Security Association
NACD – Peter Gleason Alex Lajoux National Association of Corporate Directors
SANS Institute – Alan Paller Director of Research Stephen Northcutt COO
23.3 Project Review Team
Peter Allor ISS Internet Security Systems
Jack Antonelli ADP
Ken D Askelson CIA JC Penney Co Inc
Becky Bace Infidel Inc
Kevin Behr IPSI Institute for Integrated Publication and Information Systems
Jeff Benson BearingPoint
Robert S Block Chairman 3D Business Tools USA
Sylvia Boyd The IIA
Alexandra Branisteanu Information Security Officer Scripps Health San Diego USA
Larry Brown Options Clearing Corp
Stephanie Bryant University of South Florida
Phil Campbell Specialized IT LLC USA
John Carlson BITS Banking Industry Technology Secretariat
Chris Compton Intrusion Labs
Guy Copeland CSC Computer Sciences Corp
Rich Crawford Vice President/Senior Security Advisor Janus Risk Management USA
Bob Daniels EDS
Bob Dix US House of Representatives
GTAG — Appendix L — GTAG Partners and Global Project Team — 23
Jerry E Durant CIA President Certifiable Technologies Ltd Orlando Fla USA
Emily Frye Critical Infrastructure Protections Program George Mason University School of Law USA
Greg Garcia ITAA Information Technology Association of America
Russ Gates Dupage Consulting LLC
Lou Giles Chevron Phillips Chemical Co
Doug Guerrero EDS
Kai Tamara Hare Nuserve
Michael S Hines CIA Purdue University
Bob Hirth Protiviti
Don Holden CISSP Concordant Inc USA
Dave Kern Ethentica
Gene Kim CTO Tripwire Inc USA
Jim Kolouch BearingPoint
David Kowal VP JP Morgan Chase
Paul Kurtz CSIA Cyber Security Industry Alliance
Cindy LeRouge PhD Decision Sciences/MIS Department John Cook School of Business St Louis University USA
Andrée Lavigne CICA Canadian Institute of Chartered Accountants
Debbie Lew Guidance Software
Brenda Lovell CIA CCSA CGAP The IIA
Warren Malmquist Adolph Coors Co
Stacy Mantzaris CIA IIA
Dennis Miller Heritage Bank
Patrick Morrissey Auditwire
Bruce Moulton Symantec
Paul Moxey ACCA Association of Chartered Certified Accountants
Roseane Paligo CIA Chief Financial Officer 1st Choice Community Federal Credit Union USA
Fred Palmer Palmer Associates
Xenia Parker CIA CFSA VP Enterprise Technology Group Marsh Inc
Bernie Plagman TechPar Group
Heriot Prentice MIIA FIIA QiCA The IIA
Dick Price Beacon IT Ltd BS 7799 Consultancy USA
Michael Quint Corporate Compliance Officer EDSCorporate Audit USA
Sridhar Ramamoorti CIA CFSA Ernst & Young LLP Chicago IL USA
Amy Ray Bentley College
Martin Ross GSC Global Security Consortium
Chip Schilb EDS USA
Howard Schmidt eBay
Mark Silver Symantec
George Spafford President Spafford Global Consulting Saint Joseph IL USA
Adam Stone Assurant
Jay H Stott CIA Fidelity Investments
Dan Swanson CIA IIA
Jay R Taylor CIA CISA CFE General Motors Corporation
Bill Tener University & Community College System of Nevada
Archie Thomas
Fred Tompkins BearingPoint
Don Warren Rutgers University
Dominique Vincenti CIA The IIA
Mark Winn Intrusec
Amit Yoran
23.4 IIA International Affiliates
Frank Alvern CIA CCSA Nordea Bank Norway
Alexandre Alves Apparecido Brazil
Dror Aviv Israel
David F Bentley England UK and Ireland
Gerardo Carstens CIA IIA Argentina
Richard Cascarino South Africa
Iftikhar Chaudry Pakistan
Hisham T El Gindy Manager KPMG Hazem Hassan Egypt
Dr Ulrich Hahn CIA Switzerland
Rossana S Javier Makati City Philippines
Andras Kovacks Hungary
Christopher McRostie Australia
Furqan Ahmad Saleem Partner Avais Hyder Nauman Rizwani RSM Pakistan
Kyoko Shimizu CIA Japan
John Silltow Security Control and Audit Ltd United Kingdom
Ken Siong International Federation of Accountants
Anton van Wyk PwC South Africa
Nick Wolanin Adjunct Senior Lecturer Australian Graduate
Julie Young Australia
23.5 Other International
Carolee Birchall Vice President and Senior Risk Officer Bank of Montreal Canada
P J Corum Quality Assurance Institute Middle East and Africa United Arab Emirates
Ariel Peled President ISSA Israeli Chapter
P Shreekanth India
Karen Woo Selangor Malaysia
23.6 IIA International Advanced Technology Committee
Anton van Wyk (Chairman) CIA PricewaterhouseCoopers South Africa
Alexandre Alves Apparecido Brasil Telecom Brazil
Ken D Askelson CIA JC Penney Co Inc USA
Dror Aviv CFSA IIA Israel
Donald L Bailey Grant Thornton LLP USA
EW Sean Ballington PricewaterhouseCoopers LLP USA (originally South Africa)
Norman F Barber Microsoft Corp USA
David F Bentley QiCA Consultant England
Claude Cargou GIE AXA France
Michael P Fabrizius CIA Bon Secours Health System Inc USA
Ramiz Tofigi Ganizade Azerbaijan Republic Chamber of Auditors Azerbaijan
Douglas Guerrero EDS Corp USA
Dr Ulrich Hahn CIA Syngenta International Switzerland
David J Hill IBM Corp USA
Michael S Hines CIA Purdue University USA
Mark J Hornung Ernst amp Young LLP USA
Gene Kim CTO Tripwire Inc USA
David S Lione KPMG LLP Southeast Region USA
Peter B Millar ACL Services Ltd Canada
Allan M Newstadt CIA World Bank/International Finance Corp USA
Brenda J S Putman CIA City Utilities of Springfield USA
Kyoko Shimizu CIA Shin Nihon & Co Japan
Brian M Spindel CIA SecurePipe Inc USA
Rajendra P Srivastava University of Kansas USA
Jay Stott CIA Fidelity Investments USA
Jay R Taylor CIA CISA CFE General Motors Corp USA
Thomas Jason Wood CIA Ernst amp Young LLP USA
Akitomo Yamamoto IIA Japan
23.7 The Writing Team
David A Richards CIA President The IIA
Alan S Oliphant MIIA QiCA MAIR International
Charles H Le Grand CIA CHL Global
23.8 IIA Headquarters Staff Production Team
Michael Feland
Trish Harris
Tim McCollum
Information Technology Controls
This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.
What is GTAG?
Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners and others regarding technology-associated risks and recommended practices.
Business Continuity Management
This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.
Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.
Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.
Order Number 100645
IIA Member US $25
Nonmember US $30
IIA Event US $22.50
www.theiia.org
ISBN 0-89413-570-8
ISBN 978-0-89413-623-8
GTAG — Letter from the President — 1
In my previous role as a chief audit executive (CAE), I noted a need for guidance on IT management and control written specifically for executives. So one of my first acts as president of The IIA was to initiate a project to produce this IT Controls guide. This guide is for the executive, not the technical staff — although it will help those personnel better relate to management and governance perspectives.
The purpose of this document is to explain IT controls and audit practice in a format that allows CAEs to understand and communicate the need for strong IT controls. It is organized to enable the reader to move through the framework for assessing IT controls and to address specific topics based on need. This document provides an overview of the key components of IT control assessment, with an emphasis on the roles and responsibilities of key constituents within the organization who can drive governance of IT resources. You may already be familiar with some aspects of this document, while other segments will provide new perspectives on how to approach this key audit strategy. It is our hope that the components can be used to educate others about what IT controls are and why management and internal auditing must ensure proper attention is paid to this fundamental methodology for good governance.
Although technology provides opportunities for growth and development, it also provides the means and tools for threats such as disruption, deception, theft and fraud. Outside attackers threaten our organizations, yet trusted insiders are a far greater threat. Fortunately, technology can also provide protection from threats, as you will see in this guide. Executives should know the right questions to ask and what the answers mean. For example:
• Why should I understand IT controls? One word: Assurance. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls, plus the evidence that controls are continuous and sufficient. Management and governance must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance. This guide will help you understand the evidence.
• What is to be protected? Let’s start with trust. Trust enables business and efficiency. Controls provide the basis for trust, although they are often unseen. Technology provides the foundation for many — perhaps most — business controls. Reliability of financial information and processes — now mandated for many companies — is all about trust.
• Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization and architecture — collectively known as infrastructure — as well as the information itself. Many of the infrastructure controls are technical, and IT supplies the tools for many business controls.
• Who is responsible? Everybody. But you must specify control ownership and responsibilities, otherwise no one is responsible. This guide addresses specific responsibilities for IT controls.
• When do we assess IT controls? Always. IT is a rapidly changing environment fueling business change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.
• How much control is enough? You must decide. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive — but not nearly as expensive as the probable consequences of inadequate controls.
IT controls are essential to protect assets, customers and partners, and sensitive information; demonstrate safe, efficient and ethical behavior; and preserve brand, reputation and trust. In today’s global market and regulatory environment, these are all too easy to lose.
Use this guide as a foundation to assess or build your organization’s framework and audit practices for IT business control, compliance and assurance. Use it to help make sense of the conflicting advice you receive. Make sure all the elements are in place to meet the challenges of constant change, increasing complexity, rapidly evolving threats and the need to improve efficiency constantly.
The IIA produced this guide, but it is truly a team effort. The principal writers are Charles H Le Grand of CHL Global and Alan S Oliphant FIIA MIIA QiCA of Mair International. We owe a great debt of gratitude to our partners, IIA international affiliates and members of the Global Technology Audit Guide (GTAG) team. We are grateful for their support and encouragement. This guide is a testimony to what The IIA does best: “Progress Through Sharing.”
Sincerely
David A Richards CIA CPA
President The Institute of Internal Auditors Inc
GTAG Information Technology Controls describes the knowledge needed by members of governing bodies, executives, IT professionals and internal auditors to address technology control issues and their impact on business. Other professionals may find the guidance useful and relevant. The guide provides information on available frameworks for assessing IT controls and describes how to establish the right framework for an organization. Moreover, it sets the stage for future GTAGs that will cover specific IT topics and associated business roles and responsibilities in greater detail.
The objectives of the IT Controls guide are to:
• Explain IT controls from an executive perspective.
• Explain the importance of IT controls within the overall system of internal controls.
• Describe the organizational roles and responsibilities for ensuring IT controls are addressed adequately within the overall system of internal controls.
• Describe the concepts of risk inherent in the use and management of technology by any organization.
• Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effective internal audit assessments of IT controls.
• Describe the relevant elements of the IT controls assessment process as provided by the internal audit function.
2.1 Introduction to IT Controls
IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.
IT controls have two significant elements: the automation of business controls and control of IT. Thus IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.
The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks and requirements change.
2.2 Understanding IT Controls
IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization’s use of technology. They range from corporate policies to their physical implementation within coded instructions; from physical access protection through the ability to trace actions and transactions to responsible individuals; and from automatic edits to reasonability analysis for large bodies of data.
You don’t need to know “everything” about IT controls, but remember two key control concepts:
• Assurance must be provided by the IT controls within the system of internal controls. This assurance must be continuous and provide a reliable and continuous trail of evidence.
• The auditor’s assurance is an independent and objective assessment of the first assurance. Auditor assurance is based on understanding, examining and assessing the key controls related to the risks they are designed to manage, and performing sufficient testing to ensure the controls are designed appropriately and are functioning effectively and continuously.
Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT controls, and to provide and document its own framework for:
• Compliance with applicable regulations and legislation.
• Consistency with the organization’s goals and objectives.
• Reliable evidence (reasonable assurance) that activities comply with management’s governance policies and are consistent with the organization’s risk appetite.
2.3 Importance of IT Controls
Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization’s resiliency because it helps the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls, because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.
Key indicators of effective IT controls include:
• The ability to execute and plan new work, such as IT infrastructure upgrades required to support new products and services.
• Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners and other external interfaces.
• Clear communication to management of key indicators of effective controls.
• The ability to protect against new vulnerabilities and threats and to recover from any disruption of IT services quickly and efficiently.
• The efficient use of a customer support center or help desk.
• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.
GTAG — Executive Summary — 2
2.4 IT Roles and Responsibilities
Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational and technical levels should have a clear description of its roles, responsibilities and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.
2.5 Analyzing Risk
IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.
2.6 Monitoring and Techniques
The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to and be used by the whole organization — not just internal auditing.
2.7 IT Control Assessment
Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.
Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.
IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems and people that comprise IT infrastructures.
IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a “weak link.” They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of “defense in depth,” so a single weakness does not always result in a single point of failure.
Controls exist to protect stakeholder interests:
• The owner’s equity
• Customer concerns such as privacy and identity
• Employees’ jobs and abilities to prove they did the right thing
• Management’s comfort with the assurance provided by automated processes
IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.
GTAG — Introduction — 3
They are all connected
When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the “ports” through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored and communicated.
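The practical consequence of the paragraph above is that the deployed ruleset is the real policy, so an assessor's first question is whether it agrees with the documented one. The script below is an added illustration, not code from the GTAG: it parses a constructed, simplified iptables-save-style dump of an INPUT chain and reconciles it against a constructed policy table (the subnet 10.0.5.0/24, the port list and the "temporary" second SSH rule are all made up for the example). It reports ports opened that the policy never documented, rules whose source is wider than the policy allows, a missing default-deny, and documented services with no deployed rule.

```python
"""Reconcile a deployed firewall INPUT chain with the documented policy.

Added example, not part of the GTAG. Both the ruleset dump and the
policy table are constructed for illustration; in practice the dump
would come from `iptables-save` (or the vendor's export) and the policy
from the organization's written firewall standard.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the INPUT chain as the administrator deployed it.
DEPLOYED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.5.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
COMMIT
"""

# Constructed sample: what the written policy permits inbound, keyed by
# (protocol, port) with the widest source network allowed.
DOCUMENTED_POLICY: Dict[Tuple[str, int], str] = {
    ("tcp", 443): "0.0.0.0/0",    # public HTTPS
    ("tcp", 22): "10.0.5.0/24",   # SSH only from the admin subnet
}


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    source: str
    target: str


def _options(line: str) -> Dict[str, str]:
    """Turn '-A INPUT -p tcp --dport 22 -j ACCEPT' into {'-A': 'INPUT', ...}."""
    toks = line.split()
    opts, i = {}, 0
    while i < len(toks):
        if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1  # bare flag such as '!' or '--syn'; not needed here
    return opts


def parse_input_chain(dump: str) -> Tuple[str, List[Rule]]:
    """Return the INPUT chain's default policy and its port-specific rules."""
    default_policy, rules = "UNKNOWN", []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT "):
            default_policy = line.split()[1]
        elif line.startswith("-A INPUT"):
            o = _options(line)
            if "--dport" in o:  # state/loopback rules carry no port; out of scope here
                rules.append(Rule(o.get("-p", "any"), int(o["--dport"]),
                                  o.get("-s", "0.0.0.0/0"), o.get("-j", "")))
    return default_policy, rules


def reconcile(dump: str, policy: Dict[Tuple[str, int], str]) -> List[str]:
    """Report every way the deployed chain departs from the documented policy."""
    findings: List[str] = []
    default_policy, rules = parse_input_chain(dump)
    if default_policy not in ("DROP", "REJECT"):
        findings.append(f"INPUT default policy is {default_policy}; policy requires default deny")
    covered = set()
    for r in rules:
        if r.target != "ACCEPT":
            continue
        key = (r.proto, r.port)
        if key not in policy:
            findings.append(f"undocumented inbound {r.proto}/{r.port} accepted from {r.source}")
            continue
        covered.add(key)
        # The deployed source must fit inside the documented source network.
        if not ipaddress.ip_network(r.source).subnet_of(ipaddress.ip_network(policy[key])):
            findings.append(f"{r.proto}/{r.port} accepted from {r.source}; policy permits only {policy[key]}")
    for proto, port in policy.keys() - covered:
        findings.append(f"documented {proto}/{port} has no deployed ACCEPT rule")
    return findings


if __name__ == "__main__":
    for f in reconcile(DEPLOYED_RULESET, DOCUMENTED_POLICY):
        print("FINDING:", f)
```

On the constructed sample the script reports three findings: the second SSH rule accepts from anywhere although policy restricts SSH to the admin subnet, and tcp/3389 and udp/161 are open without any documented basis. The check deliberately treats the policy table as the authority and the running configuration as evidence, which is the direction of the assessment the guide describes.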
When CAEs review and assess the controls over IT, they should ask:
• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?
The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.
The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks and requirements change.
GTAG — Assessing IT Controls — An Overview — 4
“I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who.”
— Rudyard Kipling, from “Elephant’s Child” in Just So Stories
Figure 1 - The Structure of IT Auditing
COSO¹ defines internal control as “A process, effected by an organization’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations”
IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization’s use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.
5.1 Control Classifications
Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.
General controls (also known as infrastructure controls) apply to all systems components, processes and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access and authentication, separation of key IT functions, management of systems acquisition and implementation, change management, backup, recovery and business continuity.
Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g. transaction initiation versus authorization), balancing of processing totals, transaction logging and error reporting. The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective or corrective.
Preventive controls prevent errors, omissions or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls and intrusion prevention systems.
GTAG — Understanding IT Controls — 5
¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org
It is not necessary to know “everything” about IT controls.
Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.
There are two key control concepts to remember:
1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor’s assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.
Figure 2
Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender’s secure identification cannot be authenticated.
Corrective controls correct errors, omissions or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions or disasters.
Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions or falsification.
Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand and event-driven.
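The preventive, detective and corrective classification above, and the closing point that corrective processes must themselves be controlled, can be made concrete on a single batch of postings. The following is an added example, not code from the GTAG: the account master, limits, keyed entries and user names are constructed sample data, and the rule that a reversal's approver must be independent of both the corrector and the original keyer is an assumption chosen to illustrate separation of duties. A data-entry edit rejects a non-numeric amount and an unknown account before posting; a post-posting review flags an inactive account, a limit breach and a batch that does not balance to its control total; and a reversal routine applies the correction while refusing self-approval and writing every attempt to the audit trail.

```python
"""Preventive, detective and corrective application controls over one
batch of postings, with the corrections themselves under control.

Added example, not part of the GTAG. The account master, limits, keyed
entries and user names are constructed sample data; the field names and
the "approver must be independent" rule are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed account master: status and the amount one posting may not exceed.
ACCOUNTS = {
    "1001": {"status": "active", "limit": 5000},
    "1002": {"status": "inactive", "limit": 5000},
    "1003": {"status": "active", "limit": 500},
}


@dataclass
class Entry:            # what the data-entry screen receives, still as text
    account: str
    amount_field: str
    user: str


@dataclass
class Transaction:      # what the application posts once the edits pass
    account: str
    amount: int
    user: str


@dataclass
class AuditTrail:       # the continuous trail of evidence the controls leave behind
    events: List[str] = field(default_factory=list)

    def log(self, event: str) -> None:
        self.events.append(event)


def preventive_edit(entry: Entry, trail: AuditTrail) -> Optional[Transaction]:
    """Preventive control: reject bad input before it can be posted."""
    if not entry.amount_field.isdigit():
        trail.log(f"REJECT {entry.user} acct={entry.account}: non-numeric amount {entry.amount_field!r}")
        return None
    if entry.account not in ACCOUNTS:
        trail.log(f"REJECT {entry.user} acct={entry.account}: account not on master")
        return None
    txn = Transaction(entry.account, int(entry.amount_field), entry.user)
    trail.log(f"ACCEPT {entry.user} acct={txn.account} amount={txn.amount}")
    return txn


def detective_review(posted: List[Transaction], control_total: int,
                     trail: AuditTrail) -> List[Tuple[int, str]]:
    """Detective controls after posting: inactive accounts, limit breaches, and a
    batch total that fails to balance to the independently keyed control total."""
    exceptions: List[Tuple[int, str]] = []
    for i, t in enumerate(posted):
        master = ACCOUNTS[t.account]
        if master["status"] != "active":
            exceptions.append((i, "posting to inactive account"))
        if t.amount > master["limit"]:
            exceptions.append((i, f"amount {t.amount} exceeds authorised limit {master['limit']}"))
    batch_total = sum(t.amount for t in posted)
    if batch_total != control_total:
        exceptions.append((-1, f"batch total {batch_total} does not balance to control total {control_total}"))
    for i, reason in exceptions:
        trail.log(f"DETECT #{i}: {reason}")
    return exceptions


def corrective_reversal(posted: List[Transaction], index: int, initiator: str,
                        approver: str, trail: AuditTrail) -> Optional[Transaction]:
    """Corrective control: reverse a flagged posting. The correction is itself
    controlled: the approver must be independent of the corrector and of whoever
    keyed the original (preventive), and every attempt is logged (detective)."""
    original = posted[index]
    if approver in (initiator, original.user):
        trail.log(f"REJECT reversal of #{index}: approver {approver} is not independent")
        return None
    reversal = Transaction(original.account, -original.amount, initiator)
    posted.append(reversal)
    trail.log(f"CORRECT #{index} reversed by {initiator}, approved by {approver}")
    return reversal


def run_sample() -> Tuple[List[Transaction], List[Tuple[int, str]], AuditTrail]:
    """Run the three control layers over a constructed batch of five keyed entries."""
    trail = AuditTrail()
    keyed = [
        Entry("1001", "1200", "alice"),
        Entry("1003", "12O0", "bob"),     # letter O keyed instead of zero
        Entry("1002", "300", "alice"),    # account is inactive
        Entry("1003", "900", "carol"),    # exceeds the 500 limit
        Entry("9999", "50", "bob"),       # account not on master
    ]
    control_total = 3650  # keyed on the batch header from the source documents (constructed)
    posted = [t for t in (preventive_edit(e, trail) for e in keyed) if t is not None]
    exceptions = detective_review(posted, control_total, trail)
    corrective_reversal(posted, 1, "alice", "alice", trail)  # blocked: self-approval
    corrective_reversal(posted, 1, "alice", "dave", trail)   # accepted and logged
    return posted, exceptions, trail


if __name__ == "__main__":
    _, _, sample_trail = run_sample()
    print("\n".join(sample_trail.events))
```

Two points the run makes that the prose only states: the batch-total exception fires because the two rejected entries never posted, so the preventive control leaves evidence for the detective one to pick up rather than silently swallowing input; and the first reversal attempt is refused and logged, so the corrective process carries its own preventive and detective controls instead of being an uncontrolled back door.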
52 Governance Management TechnicalAnother common classification of controls is by the groupresponsible for ensuring they are implemented and main-tained properly For the purpose of assessing roles andresponsibilities this guide primarily categorizes IT controls
as governance management and technical Information securi-ty program elements for these three categories are describedin Appendix A (page 25) The first two levels mdash gover-nance and management mdash are the most applicable to thescope of this guide although it may also be useful to under-stand how higher-level controls specifically are establishedwithin the technical IT infrastructures Technical controlswill be the subject of more topic-specific GTAGs
5.2.1 Governance Controls
The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.
Governance controls are those mandated by and controlled by either the entire board of directors or a board committee, in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.
An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.
5.2.2 Management Controls
Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied, and must ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:
• Recognize risks to the organization, its processes, and its assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).
5.2.3 Technical Controls
Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information – including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.
GTAG – Understanding IT Controls – 5
Figure 3 – Some Control Classifications
5.3 IT Controls – What to Expect
Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors, down to the specific control mechanisms incorporated into application systems.
The hierarchy in Figure 4, IT Controls (this page), represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.
5.3.1 Policies
All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.
Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.
IT policy statements include, but are not restricted to:
• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster – not just the IT elements.
Figure 4 – IT Controls
The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).
A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.
5.3.2 Standards
Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.
Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45).
As a guideline, the CAE should expect to see standards adopted for:
• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.
As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.
5.3.3 Organization and Management
Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.
5.3.3.1 Separation of Duties
Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.
Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems – except for change deployment – and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum.
Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.
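The separation-of-duties test described in 5.3.3.1 can be applied mechanically to an access-rights extract. The following is an added example written for this page, not GTAG or IIA code; the incompatible-function pairs follow the text (initiate/authorize, input/check, development/production), while the roles, users and the privileged-account threshold are constructed sample data.

```python
"""Separation-of-duties (SoD) conflict check over a user/role/function extract.
Added example for this page; roles, users and thresholds are constructed."""
from itertools import combinations

# Function pairs that the text says should never rest with one individual:
# the data-processing functions and the development-versus-operations split.
INCOMPATIBLE = {
    frozenset({"initiate", "authorize"}),
    frozenset({"input", "check"}),
    frozenset({"process", "check"}),
    frozenset({"develop", "deploy"}),
    frozenset({"develop", "operate_production"}),
}

# Constructed sample: functions each role grants, and the roles each user holds.
ROLE_FUNCTIONS = {
    "ap_clerk": {"initiate", "input"},
    "ap_supervisor": {"authorize", "check"},
    "developer": {"develop"},
    "operator": {"operate_production", "process"},
    "release_manager": {"deploy"},
    "sysadmin": {"operate_production", "privileged_admin"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_supervisor"},       # can both initiate and authorize
    "carol": {"developer", "release_manager"},  # can both develop and deploy
    "dave": {"operator"},
    "erin": {"sysadmin"},
    "frank": {"sysadmin"},
    "grace": {"sysadmin"},
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of every function granted through every role the user holds.
    Conflicts usually arise from role accumulation, so the union matters."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Return {user: [(func_a, func_b), ...]} for each incompatible pair a user holds."""
    report = {}
    for user in user_roles:
        funcs = effective_functions(user, user_roles, role_functions)
        hits = [pair for pair in combinations(sorted(funcs), 2)
                if frozenset(pair) in INCOMPATIBLE]
        if hits:
            report[user] = hits
    return report


def privileged_users(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                     function="privileged_admin"):
    """Users whose roles grant the privileged-administration function."""
    return sorted(u for u in user_roles
                  if function in effective_functions(u, user_roles, role_functions))


def check_privileged_count(max_allowed, user_roles=USER_ROLES,
                           role_functions=ROLE_FUNCTIONS):
    """Control test: is the privileged population within the agreed maximum?
    Returns (passed, list_of_privileged_users) so the list can be reviewed."""
    users = privileged_users(user_roles, role_functions)
    return len(users) <= max_allowed, users


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"SoD conflict: {user} holds {pairs}")
    ok, admins = check_privileged_count(2)
    print("privileged accounts within limit" if ok else f"too many privileged accounts: {admins}")
```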
5.3.3.2 Financial Controls
Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.
5.3.3.3 Change Management
Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.
5.3.3.4 Other Management Controls
Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.
5.3.4 Physical and Environmental Controls
IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed, client-server, and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.
Some typical physical and environmental controls include:
• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.
When considering physical and environmental security, it is also appropriate to consider contingency planning – also known as disaster recovery planning – which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.
5.3.5 Systems Software Controls
Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.
Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.
IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland; Certified Information Systems Auditor (CISA), available through the Information Systems Audit and Control Association (ISACA); and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing, and are useful for identifying an IT auditor's potential ability.
Some key technical controls the CAE should expect to find in a well-managed IT environment include:
• Access rights allocated and controlled according to the organization's stated policy.
• Division of duties enforced through systems software and other configuration controls.
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.
• Intrusion testing performed on a regular basis.
• Encryption services applied where confidentiality is a stated requirement.
• Change management processes – including patch management – in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.
5.3.6 Systems Development and Acquisition Controls
Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and the data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.
Some basic control issues should be evident in all systems development and acquisition work:
• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.
Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.
Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.
5.3.7 Application-based Controls
The objective of internal controls over application systems is to ensure that:
• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.
Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.
There are several types of generic controls that the CAE should expect to see in any application:
• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
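The five generic control types above can be seen together in a single batch-processing routine. The following is an added example written for this page, not GTAG or IIA code: it runs a constructed batch of payment records through an input check, a batch control-total (processing) check, hash-based storage (integrity), an output reconciliation, and a management trail. The record layout, the batch header fields, the authorized-source list and the amount ceiling are all assumptions.

```python
"""The five generic application-control types applied to one batch of
payment records. Added example for this page; layout and data are constructed."""
import hashlib
import json
from decimal import Decimal, InvalidOperation

AUTHORIZED_SOURCES = {"ap_system", "partner_portal"}   # constructed
MAX_AMOUNT = Decimal("100000.00")                        # constructed ceiling


def to_amount(value):
    """Parse an amount field; None means 'not numeric' (an input error)."""
    try:
        return Decimal(str(value))
    except (InvalidOperation, ValueError, TypeError):
        return None


def validate_input(rec):
    """Input control: keep each record within specified parameters."""
    errors = []
    if rec.get("source") not in AUTHORIZED_SOURCES:
        errors.append("unauthorized source")
    amount = to_amount(rec.get("amount"))
    if amount is None:
        errors.append("amount not numeric")
    elif amount <= 0 or amount > MAX_AMOUNT:
        errors.append("amount out of range")
    acct = rec.get("account")
    if not (isinstance(acct, str) and len(acct) == 10 and acct.isdigit()):
        errors.append("bad account format")
    return errors


def record_hash(rec):
    """Integrity control: canonical SHA-256 of a record as stored."""
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()


def process_batch(header, records):
    """Run a batch through all five control types; return results and trail."""
    trail, accepted, rejected, stored = [], [], [], {}
    for rec in records:
        errs = validate_input(rec)
        (rejected if errs else accepted).append(rec)
        trail.append({"txn": rec.get("id"), "stage": "input",
                      "result": "rejected" if errs else "accepted", "reasons": errs})
    # Processing control: count and amount totals received must match the
    # totals declared in the batch header, or records were lost or added.
    received_total = sum((to_amount(r.get("amount")) or Decimal(0)) for r in records)
    in_balance = (len(records) == header["record_count"]
                  and received_total == Decimal(header["amount_total"]))
    trail.append({"stage": "processing", "result": "in balance" if in_balance else "out of balance",
                  "declared": header["amount_total"], "received": str(received_total)})
    # Integrity control: store each accepted record with its hash so that a
    # later change to stored data is detectable (see verify_stored).
    for rec in accepted:
        stored[rec["id"]] = {"record": dict(rec), "sha256": record_hash(rec)}
    # Output control: what was posted plus what was rejected must reconcile
    # back to what came in; nothing may silently disappear between the two.
    posted_total = sum(to_amount(r["amount"]) for r in accepted)
    rejected_total = sum((to_amount(r.get("amount")) or Decimal(0)) for r in rejected)
    output_ok = posted_total + rejected_total == received_total
    trail.append({"stage": "output", "result": "reconciled" if output_ok else "mismatch",
                  "posted": str(posted_total), "rejected": str(rejected_total)})
    return {"in_balance": in_balance, "output_ok": output_ok, "posted_total": posted_total,
            "accepted": [r["id"] for r in accepted], "rejected": [r.get("id") for r in rejected],
            "stored": stored, "trail": trail}   # trail = management trail


def verify_stored(stored):
    """Integrity check run later: ids whose stored record no longer matches its hash."""
    return [tid for tid, e in stored.items() if record_hash(e["record"]) != e["sha256"]]


# Constructed sample batch: header totals cover all four records (1650.00).
SAMPLE_HEADER = {"batch_id": "B-0001", "record_count": 4, "amount_total": "1650.00"}
SAMPLE_RECORDS = [
    {"id": "T1", "source": "ap_system", "account": "1234567890", "amount": "500.00"},
    {"id": "T2", "source": "ap_system", "account": "0987654321", "amount": "1000.00"},
    {"id": "T3", "source": "unknown_app", "account": "1111111111", "amount": "100.00"},
    {"id": "T4", "source": "partner_portal", "account": "22222", "amount": "50.00"},
]

if __name__ == "__main__":
    result = process_batch(SAMPLE_HEADER, SAMPLE_RECORDS)
    for event in result["trail"]:
        print(event)
```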
5.4 Information Security
Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:
• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.
5.5 IT Controls Framework
IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lags behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.
Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:
• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.
Risk Appetite
An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002,² the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.
Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).
The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).
Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence – all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:
• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently, and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.
Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.
The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector, to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.
GTAG – Importance of IT Controls – 6
² Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.
GTAG – IT Roles in the Organization – 7
Many different roles have emerged in recent years for positions within the organization with responsibilities for and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls, to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.
There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.
Overall, the objectives for the use of IT within any organization are:
• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.
• To protect stakeholder interests.
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.
• To identify and respond to threats and potential violations of control appropriately.
Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.
7.1 Board of Directors/Governing Body
One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:
• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.
• Approval of the data classifications structure and the related access rights.
The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.
7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.
• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.
• Overseeing the overall assessment of IT controls.
• Reviewing the business and control issues related to new systems development and acquisition.
• Examining internal and external audit plans and work to ensure IT topics are covered adequately.
• Reviewing the results of audit work and monitoring the resolution of issues raised.
• Understanding the IT topics that impact ethics monitoring.
7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.
7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.
• Assess board committees' performance in terms of their oversight of IT.
• Review any external regulatory governance assessments in relation to IT topics.
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.
GTAG — IT Roles in the Organization — 7

7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.
• Being aware of, and concurring with, the organization's risk appetite and tolerance.
• Appreciating the impact of IT-related risks.
• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.
• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.
7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.
7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.
7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.
• Act as custodian over the organization's critical success factors in relation to IT.
• Understand and approve the short-term and long-range strategy for IT.
• Approve IT resources for the organization, including structure and oversight/monitoring.
• Determine IT issues for periodic management, board, and staff discussion.
• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.
7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.
• The entity's IT strategies for remaining technologically competitive.
• The technologies used to implement financial applications.
• The operation of specific financial applications.
• The limitations and benefits of IT.
• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced in the Equity Funding cases in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.
7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.
• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.
• Design, implement, and maintain an IT internal control framework.
• Plan, source, and control IT resources.
• Explore, assess, select, and implement technology advances (e.g., wireless communications).
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
• Operate as the highest-level data/system custodian and IT control owner.
• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.
7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.
• Acts as a key link between the compliance, legal, CIO, and audit functions.
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.
• Is responsible for business continuity planning, including incident handling and disaster recovery.
• Ensures that security staff provide support for implementing controls at all levels.
• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.
7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.
• Ensures alignment of information security and business objectives.
• Manages operational information risks throughout the organization.
• Oversees security within the IT organization.
• Provides education and awareness on information security issues and new best practices.
• Develops end-user policies for the usage of IT information in conjunction with the human resources function.
• Coordinates information security work with the chief risk officer (CRO) and CIO.
• Advises the CEO, CRO, CIO, and board on IT risk issues.
• Acts as a key link for the CAE when internal auditing performs IT control-related audits.
7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.
• Ensuring financial reports and presentations comply with laws and regulations.
• Understanding IT legal issues and advising on legal risks related to IT.
• Managing organizational reputation in relation to legal issues, compliance, and public relations.
• Understanding fraud involving IT.
• Managing IT contractual issues.
• Understanding investigative forensics protocols regarding suspected criminal activity.
7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.
• Assessment of IT events, such as interruptions, disasters, and changes.
• Analysis and assessment of business risk as it is affected by IT risk.
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.
7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.
• Ensuring IT is included in the audit universe and annual plan (selecting topics).
• Ensuring IT risks are considered when assigning resources and priorities to audit activities.
• Defining IT resources needed by the internal audit department, including specialized training of audit staff.
• Ensuring that audit planning considers IT issues for each audit.
• Liaising with audit clients to determine what they want or need to know.
• Performing IT risk assessments.
• Determining what constitutes reliable and verifiable evidence.
• Performing IT enterprise-level controls audits.
• Performing IT general controls audits.
• Performing IT applications controls audits.
• Performing specialist technical IT controls audits.
• Making effective and efficient use of IT to assist the audit processes.
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.
7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.
• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.
8 Analyzing Risk

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO³ as:

"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.
• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.

³ These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).
8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.
• The organization's risk appetite and tolerance for each business function and process.
• IT risks faced by the organization and quality of service provided to its users.
• The complexity of the IT infrastructure.
• The appropriate IT controls and the benefits they provide.
• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.
8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveal potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.
GTAG — Analyzing Risk — 8
8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.
8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk and that decisions made at all levels of management are consistent with the organization's risk appetite.
8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved, along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:

• What are the assets at risk and the value of their confidentiality, integrity, and availability?
• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality.
• Utility – cost in the event of a loss of integrity.
• Cost of creation/re-creation.
• Liability in the event of litigation.
• Convertibility/negotiability – represents market value.
• Operational impact of unavailability.
8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject; see Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.
8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as periodically reviewing the risk to ensure its impact remains low.
• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.
• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
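The eight questions of 8.2.4 and the cost-efficiency test behind the four response options of 8.3, worked through in an added Python example that is not part of the GTAG: the asset values, response costs, rate and impact reduction factors, and the risk tolerance figure are all constructed assumptions, and the pessimistic bound from the uncertainty question is what is tested against tolerance.

```python
"""Added example: the eight risk-assessment questions (8.2.4) and the
cost-efficiency test for the 8.3 response options, in code.
Every figure below is constructed for illustration, not taken from the GTAG."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Asset:
    """Q1: the asset at risk and the value of each CIA property (loss if fully compromised)."""
    name: str
    confidentiality: float
    integrity: float
    availability: float


@dataclass
class ThreatEvent:
    """Q2-Q5: what could happen, how bad, how often, and how sure we are."""
    name: str
    asset: Asset
    affects: Tuple[str, ...]   # CIA properties the event damages (Q2)
    impact_fraction: float     # share of the affected value lost per event (Q3)
    annual_rate: float         # expected events per year (Q4)
    uncertainty: float         # +/- fraction applied to both impact and rate (Q5)

    def single_loss(self) -> float:
        value_at_risk = sum(getattr(self.asset, p) for p in self.affects)
        return value_at_risk * self.impact_fraction

    def annual_loss(self) -> float:
        """Expected annual loss (ALE) before any response."""
        return self.single_loss() * self.annual_rate

    def annual_loss_range(self) -> Tuple[float, float]:
        """Q5: optimistic and pessimistic ALE when impact and rate are each off by +/- uncertainty."""
        low, high = 1 - self.uncertainty, 1 + self.uncertainty
        return self.annual_loss() * low * low, self.annual_loss() * high * high


@dataclass
class Response:
    """Q6/Q7: one of the 8.3 options, its annual cost, and the residual risk it leaves."""
    strategy: str               # "accept", "eliminate", "share" or "control"
    annual_cost: float
    rate_factor: float = 1.0    # residual frequency multiplier (controls/elimination reduce this)
    impact_factor: float = 1.0  # residual impact multiplier (insurance/sharing reduces this)


def evaluate(threat: ThreatEvent, response: Response, tolerance: float) -> dict:
    """Q8 plus the 8.2.3 tolerance test: is the response cost-efficient, and does the
    pessimistic residual loss stay within the stated risk tolerance for the asset?"""
    ale = threat.annual_loss()
    _, worst = threat.annual_loss_range()
    residual_factor = response.rate_factor * response.impact_factor
    residual = ale * residual_factor
    benefit = ale - residual
    return {
        "strategy": response.strategy,
        "residual_ale": residual,
        "residual_worst_case": worst * residual_factor,
        "net_benefit": benefit - response.annual_cost,
        "cost_efficient": benefit - response.annual_cost > 0,
        "within_tolerance": worst * residual_factor <= tolerance,
        "total_expected_cost": residual + response.annual_cost,
    }


def recommend(threat: ThreatEvent, responses: List[Response], tolerance: float) -> dict:
    """Pick the cheapest response (residual loss plus cost) whose worst case stays inside
    tolerance; if none does, report the one with the smallest worst case and flag it."""
    rows = [evaluate(threat, r, tolerance) for r in responses]
    acceptable = [r for r in rows if r["within_tolerance"]]
    if acceptable:
        return min(acceptable, key=lambda r: r["total_expected_cost"])
    fallback = min(rows, key=lambda r: r["residual_worst_case"])
    return {**fallback, "exceeds_tolerance": True}


# Constructed sample: an Internet-facing payment database (8.2.1 notes that Internet
# connectivity exposes a system to threats a self-contained one does not face).
PAYMENT_DB = Asset("customer payment database", confidentiality=2_000_000,
                   integrity=500_000, availability=300_000)
WEB_COMPROMISE = ThreatEvent("web application compromise", PAYMENT_DB,
                             affects=("confidentiality", "integrity"),
                             impact_fraction=0.25, annual_rate=0.25, uncertainty=0.5)
OPTIONS = [
    Response("accept", annual_cost=0),
    Response("share", annual_cost=25_000, impact_factor=0.25),    # insurance; 25% retained
    Response("control", annual_cost=40_000, rate_factor=0.125),   # hardening plus patching
    Response("eliminate", annual_cost=200_000, rate_factor=0.0),  # stop storing card data
]
TOLERANCE = 50_000  # constructed: maximum acceptable annual loss on this asset

if __name__ == "__main__":
    for option in OPTIONS:
        print(evaluate(WEB_COMPROMISE, option, TOLERANCE))
    print("recommended:", recommend(WEB_COMPROMISE, OPTIONS, TOLERANCE)["strategy"])
```

With these figures "share" is cost-efficient but leaves the worst case above tolerance, "eliminate" is within tolerance but not cost-efficient, and only "control" passes both tests, which is why the last three questions and the tolerance definition have to be answered together.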
8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?
8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network, such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies — including for IT controls — exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf.
Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
9 Monitoring and Techniques

9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization, not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them, or which parts, most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats.

Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls.

Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).
The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction (see Figure 5, COSO Model for Technology Controls, page 18).

Figure 5 – COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high-risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high-risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units
9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows:

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies, or even frauds, may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.
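The Daily/Periodic and Event-driven monitoring described in the list above, as an added example in Python that is not part of the GTAG and is not the code of any product: `reconcile_jobs` checks a constructed nightly control report against the expected job list (the daily reconciliation management performs), and `monitor` applies predetermined criteria to a constructed transaction journal and returns the exceptions to be handed to the investigating unit. The job names, the large-value limit, the business hours and the transactions are constructed sample values, not figures from the page.

```python
"""Ongoing monitoring: daily job reconciliation plus event-driven exception detection.
Job names, limits and transactions are constructed sample data, not real figures."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# --- Daily/Periodic: reconcile the data-processing control report with the schedule ---

EXPECTED_JOBS: Set[str] = {"GL_POST", "AR_AGING", "BACKUP_DB", "PAYROLL_EXTRACT"}  # constructed

# Constructed control report, one line per job run: date time job status rc rows
CONTROL_REPORT = """\
2005-03-01 02:10:41 GL_POST COMPLETED rc=0 rows=18422
2005-03-01 02:35:07 AR_AGING COMPLETED rc=0 rows=9110
2005-03-01 03:02:59 BACKUP_DB FAILED rc=12 rows=0
"""

def reconcile_jobs(report: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Jobs that reported a failure, and jobs that never reported at all.
    A job that silently did not run is the case a person skimming the report misses."""
    seen: Set[str] = set()
    failed: List[str] = []
    for line in report.splitlines():
        if not line.strip():
            continue
        _date, _time, job, status, *_rest = line.split()
        seen.add(job)
        if status != "COMPLETED":
            failed.append(job)
    return {"failed": sorted(failed), "missing": sorted(expected - seen)}

# --- Event-driven: predetermined criteria applied to each transaction as it is processed ---

@dataclass
class Transaction:
    txn_id: str
    amount: float
    entered_by: str
    approved_by: str
    posted_at: datetime

@dataclass
class Finding:
    txn_id: str
    rule: str
    detail: str

LARGE_VALUE_LIMIT = 50_000.00   # constructed: above this a second review is required
BUSINESS_HOURS = range(7, 20)   # constructed: 07:00 to 19:59

def event_rules(txn: Transaction) -> List[Finding]:
    """The unusual-activity criteria; each hit is reported, never silently dropped."""
    hits: List[Finding] = []
    if txn.amount > LARGE_VALUE_LIMIT:
        hits.append(Finding(txn.txn_id, "large_value",
                            f"amount {txn.amount:.2f} exceeds {LARGE_VALUE_LIMIT:.2f}"))
    if txn.entered_by == txn.approved_by:
        hits.append(Finding(txn.txn_id, "self_approval",
                            f"{txn.entered_by} both entered and approved"))
    if txn.posted_at.hour not in BUSINESS_HOURS:
        hits.append(Finding(txn.txn_id, "outside_hours", txn.posted_at.isoformat()))
    return hits

def monitor(transactions: List[Transaction]) -> List[Finding]:
    """Run the rules over the journal; the result is the queue for the investigating unit."""
    queue: List[Finding] = []
    for txn in transactions:
        queue.extend(event_rules(txn))
    return queue

SAMPLE_JOURNAL = [  # constructed
    Transaction("T1", 1_250.00, "alice", "bob", datetime(2005, 3, 1, 10, 15)),
    Transaction("T2", 75_000.00, "carol", "carol", datetime(2005, 3, 1, 23, 40)),
    Transaction("T3", 4_000.00, "dave", "erin", datetime(2005, 3, 1, 14, 5)),
]

if __name__ == "__main__":
    print(reconcile_jobs(CONTROL_REPORT, EXPECTED_JOBS))
    for f in monitor(SAMPLE_JOURNAL):
        print(f.txn_id, f.rule, f.detail)
```

The two halves answer different questions: the reconciliation tells the reviewer what did not happen (a failed backup and a payroll extract that never reported), while the event rules tell the investigating unit what happened that should not have. Both outputs are the evidence the CAE later asks for when confirming that management's monitoring is in place.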
9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.
Suitable Recognized Framework

"…the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

– Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003

10 Assessment

10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies, but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.
The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection, including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of, or even involvement in, the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.
10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems and to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
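One way to build and run the test data population described above, as an added example in Python that is not from the GTAG or its authors: `payment_entry_control` stands in for an automated input control (the field rules, the single-payment limit and the processing-period end date are constructed for illustration), and the deck pairs each test item with the outcome the control is expected to produce. The control is written with one deliberate gap, in that it never checks that the amount is positive, so the run shows how a deficiency surfaces from the deck rather than from reading the code.

```python
"""Test-deck check of an automated input control.
The control, the deck and the expected outcomes are constructed for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Tuple

Record = Dict[str, object]
PERIOD_END = date(2005, 3, 31)   # constructed end of the processing period

def payment_entry_control(rec: Record) -> Tuple[bool, str]:
    """The automated control under test: validates a payment before it is accepted.
    Deliberate weakness for the example: there is no check that the amount is positive."""
    for key in ("account", "amount", "currency", "value_date"):
        if key not in rec or rec[key] in (None, ""):
            return False, f"missing {key}"
    account = str(rec["account"])
    if not (account.isdigit() and len(account) == 8):
        return False, "account must be 8 digits"
    if rec["currency"] not in {"USD", "EUR", "GBP"}:
        return False, "unsupported currency"
    if not isinstance(rec["amount"], (int, float)):
        return False, "amount not numeric"
    if rec["amount"] > 100_000:
        return False, "amount exceeds single-payment limit"
    if rec["value_date"] > PERIOD_END:
        return False, "value date beyond processing period"
    return True, "accepted"

@dataclass
class DeckItem:
    name: str            # what this item is probing
    record: Record
    expect_accept: bool  # the outcome a correctly working control must produce

def build_deck() -> List[DeckItem]:
    """Valid items that must be accepted, boundary items, and invalid items that must be rejected."""
    good: Record = {"account": "12345678", "amount": 250.0, "currency": "USD",
                    "value_date": date(2005, 3, 15)}
    def variant(**changes) -> Record:
        return {**good, **changes}
    return [
        DeckItem("valid baseline", good, True),
        DeckItem("boundary: amount at limit", variant(amount=100_000), True),
        DeckItem("amount over limit", variant(amount=100_000.01), False),
        DeckItem("missing account", variant(account=""), False),
        DeckItem("short account", variant(account="1234"), False),
        DeckItem("unsupported currency", variant(currency="XXX"), False),
        DeckItem("future value date", variant(value_date=date(2005, 4, 1)), False),
        DeckItem("zero amount", variant(amount=0), False),
        DeckItem("negative amount", variant(amount=-500.0), False),
        DeckItem("non-numeric amount", variant(amount="500"), False),
    ]

def run_deck(control: Callable[[Record], Tuple[bool, str]], deck: List[DeckItem]) -> List[str]:
    """Names of the deck items where the control's decision differs from the expected one."""
    failures: List[str] = []
    for item in deck:
        accepted, _reason = control(item.record)
        if accepted != item.expect_accept:
            failures.append(item.name)
    return failures

if __name__ == "__main__":
    for name in run_deck(payment_entry_control, build_deck()):
        print("CONTROL DEFICIENCY:", name)
```

Every deck item records why it exists, and the deck carries boundary values (the amount exactly at the limit) alongside clearly invalid ones, because a control that wrongly rejects the boundary is as much a finding as one that accepts a negative payment. The same deck can be re-run after each change to the system, which is what turns a one-off test into the regular review the paragraph calls for.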
How Auditing Contributes to IT Controls

During the past four decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes to ensure appropriate controls were incorporated into new systems, rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor, as well as the business world's recognition of the importance of effective information security management.

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.
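The refinement of monitoring thresholds described in 10.2.1, as an added example in Python that is not part of the GTAG and models no particular product: given a constructed history of alerts and the investigator's disposition of each, it measures what share of each rule's output merited attention and proposes the lowest threshold that reaches a target precision without hiding any alert that turned out to be actionable. The rule names, measures and dispositions are constructed sample values.

```python
"""Refining monitoring thresholds from reviewed alert history.
Rule names, measures and dispositions are constructed sample data."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# One entry per alert: the rule that fired, the numeric measure it fired on, and the
# investigator's conclusion after review ("actionable" or "benign"). Constructed.
ALERTS: List[dict] = [
    {"rule": "failed_logins", "measure": 5, "disposition": "benign"},
    {"rule": "failed_logins", "measure": 6, "disposition": "benign"},
    {"rule": "failed_logins", "measure": 8, "disposition": "benign"},
    {"rule": "failed_logins", "measure": 12, "disposition": "actionable"},
    {"rule": "failed_logins", "measure": 15, "disposition": "benign"},
    {"rule": "failed_logins", "measure": 30, "disposition": "actionable"},
    {"rule": "failed_logins", "measure": 45, "disposition": "actionable"},
    {"rule": "outbound_bytes_mb", "measure": 120, "disposition": "actionable"},
    {"rule": "outbound_bytes_mb", "measure": 90, "disposition": "benign"},
    {"rule": "outbound_bytes_mb", "measure": 300, "disposition": "actionable"},
]

def precision_by_rule(alerts: List[dict]) -> Dict[str, Tuple[int, int]]:
    """(actionable, total) per rule: how much of each rule's output merited attention."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for a in alerts:
        counts[a["rule"]][1] += 1
        if a["disposition"] == "actionable":
            counts[a["rule"]][0] += 1
    return {rule: (act, tot) for rule, (act, tot) in counts.items()}

def recommend_threshold(alerts: List[dict], rule: str, target_precision: float) -> Optional[int]:
    """Lowest measure at which keeping only alerts with measure >= threshold reaches the
    target precision while still keeping every alert that turned out to be actionable.
    None means no threshold satisfies both, so the rule itself needs rework, not a number."""
    hits = sorted((a for a in alerts if a["rule"] == rule), key=lambda a: a["measure"])
    actionable_total = sum(1 for a in hits if a["disposition"] == "actionable")
    if actionable_total == 0:
        return None  # nothing to calibrate against; every alert so far was noise
    for candidate in sorted({a["measure"] for a in hits}):
        kept = [a for a in hits if a["measure"] >= candidate]
        kept_actionable = sum(1 for a in kept if a["disposition"] == "actionable")
        if kept_actionable < actionable_total:
            return None  # raising the threshold any further would hide real events
        if kept_actionable / len(kept) >= target_precision:
            return candidate
    return None

def tuning_report(alerts: List[dict], target_precision: float = 0.5) -> Dict[str, dict]:
    """Per-rule precision and the threshold to propose, for the monitoring owner to review."""
    report: Dict[str, dict] = {}
    for rule, (act, tot) in precision_by_rule(alerts).items():
        report[rule] = {"precision": round(act / tot, 2),
                        "threshold": recommend_threshold(alerts, rule, target_precision)}
    return report

if __name__ == "__main__":
    for rule, row in tuning_report(ALERTS, 0.75).items():
        print(rule, row)
```

A threshold chosen this way encodes only what past review concluded, so the dispositions that feed it are themselves a control worth auditing: an investigator who routinely closes alerts as benign silently raises the threshold. The `None` result is deliberate; when no threshold keeps every real event at the wanted precision, the rule's logic is the thing to refine, which is the "analysis techniques" half of the paragraph's sentence.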
10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.
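Three of the tests that audit interrogation software performs on stored data (duplicates, gaps and stratification), as an added example in plain Python that is not from the GTAG and reproduces no command of ACL, IDEA or Excel: the payments extract is constructed sample data, and each test is written to show what it asks of the file rather than how any product phrases it.

```python
"""Audit interrogation of a stored payments file: duplicates, gaps and stratification.
The payments extract is constructed sample data."""
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed extract of a payments register, as an auditor might receive it from IT
PAYMENTS_CSV = """\
cheque_no,vendor,invoice,amount,approver
1001,ACME,INV-77,4200.00,bob
1002,GLOBEX,INV-12,950.00,bob
1003,ACME,INV-77,4200.00,erin
1005,INITECH,INV-3,17500.00,bob
1006,GLOBEX,INV-13,60.00,erin
1007,ACME,INV-80,4200.00,bob
"""

Row = Dict[str, str]

def load_payments(text: str) -> List[Row]:
    return list(csv.DictReader(io.StringIO(text)))

def duplicate_payments(rows: List[Row]) -> List[Tuple[str, str]]:
    """Same vendor and invoice number paid more than once (the 'duplicates' test)."""
    seen = Counter((r["vendor"], r["invoice"]) for r in rows)
    return sorted(key for key, n in seen.items() if n > 1)

def sequence_gaps(rows: List[Row], field: str = "cheque_no") -> List[int]:
    """Numbers missing from an otherwise continuous sequence (the 'gaps' test).
    A missing cheque number is a custody question to resolve, not yet a loss."""
    numbers = sorted(int(r[field]) for r in rows)
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]

def band_for(amount: float, edges: Tuple[float, ...] = (1_000.0, 10_000.0)) -> str:
    """Label the amount band an item falls in; band edges are constructed."""
    lower = 0.0
    for upper in edges:
        if amount < upper:
            return f"{lower:.0f}-{upper:.0f}"
        lower = upper
    return f"{lower:.0f}+"

def stratify(rows: List[Row]) -> Dict[str, Tuple[int, float]]:
    """Count and value by amount band (the 'stratify' test): shows where the money,
    and therefore the audit effort, sits."""
    totals: Dict[str, List[float]] = defaultdict(lambda: [0, 0.0])
    for r in rows:
        amount = float(r["amount"])
        band = band_for(amount)
        totals[band][0] += 1
        totals[band][1] += amount
    return {band: (int(count), round(value, 2)) for band, (count, value) in totals.items()}

if __name__ == "__main__":
    rows = load_payments(PAYMENTS_CSV)
    print("duplicates:", duplicate_payments(rows))
    print("gaps:", sequence_gaps(rows))
    print("strata:", stratify(rows))
```

Each test returns its findings rather than printing them so that a result can be tied back to the control objective it tests: a duplicate points at the duplicate-invoice check in accounts payable, a gap at cheque custody and sequence control, and the stratification at which value band deserves the sampling effort. On a real extract the same three functions run unchanged; only the constructed file and band edges would differ.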
10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting: Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can materially impact controls at the governance level.

Audit report summaries: Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions, probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as that provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.
Figure 6 – Audit Interfaces
11 Conclusion

Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors, in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.
12 Appendix A – Information Security Program Elements

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004 to the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.

12.2 Management

• Establish information security management policies and controls and monitor compliance.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program, with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management
13 Appendix B – Compliance With Laws and Regulations and Guidance on Compliance Implementation

There is an increasing volume of legislation impacting the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world, particularly in all countries in which they do business, to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.
13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

Section 302 of the act requires the CEO and CFO, who are responsible for financial information and the system of internal controls, to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

They must disclose:

• "All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize, and report financial data, and identify for the issuer's auditors any material weaknesses in internal controls."

• "Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls."

Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.
13.2 Basel II Accord

The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included: people, processes, systems, governance, and supplier management.

A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:

• Senior management is actively involved.
• The bank has an OR management system, processes, policies, and procedures enterprisewide.
• The bank has the right governance and sufficient resources to manage operational risks.
• The bank has an OR management function that is responsible for:
 – Designing and implementing the OR management framework
 – Codifying policies, procedures, and controls
 – Designing and implementing an OR measurement methodology
 – Designing and implementing an OR management reporting system
 – Developing strategies to identify, measure, monitor, and control or mitigate OR
• An OR measurement system is closely integrated into the day-to-day risk management process.
• The OR exposures and loss experiences are regularly reported.
• The OR management system is documented.
• Internal and external auditors regularly review the OR management processes and measurement system.

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider, such as the Zurich-based ORX Global Operational Loss Database (GOLD) or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data (successes, near misses, and failures) must all be tracked and accounted for (reconciled to the books of the bank).
• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.
• According to the internal loss collection process:
 – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
 – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes
• Structure and organization of the risk management function
• Scope and nature of risk reporting
• Policies for hedging and mitigating risks (including operations)

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).
13.3 Data Protection
The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C(80) 58 final). Regional bodies like the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws, or a broad spectrum of sector regulations, for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)
The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).
13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999
The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).
13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA), 1996
HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.
13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)
California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.
13.7 Global National Regulations
Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.
GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14
14.1 Auditor Knowledge Considerations
Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.[4] Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.
The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors:
14.1.1 Category 1 – All Auditors
Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.
14.1.2 Category 2 – Audit Supervisors
Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:
• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence — including IT proficiency — for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.
14.1.3 Category 3 – Technical IT Audit Specialists
Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.
IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.
The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.
Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.
[4] Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.
GTAG — Appendix D — Compliance Frameworks — 15
15.1 COSO
Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (see Appendix E, page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.
15.2 CICA CoCo
The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.
In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.
15.3 CICA IT Control Guidelines
The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.
15.4 ITGI Control Objectives for Information and Related Technology (CobiT)
Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.
15.5 ISO 17799 (Code of Practice for Information Security Management)
ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.
The original BS 7799 standard has two parts:
• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).
To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.
15.5.1 What Is Information Security?
BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.
Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.
Information security is characterized within BS 7799 as the preservation of:
• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.
Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.
15.5.2 How to Establish Security Requirements
BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:
• Assessing risks to the organization. BS 7799 does not prescribe a methodology.
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.
15.5.3 Assessing Security Risks
BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.
15.5.4 Selecting Controls
Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.
15.5.5 Topics Addressed in BS 7799
1. Scope
2. Terms and definitions
3. Security policy
   3.1 Information security policy document
   3.2 Review and evaluation
4. Security organization
   4.1 Information security infrastructure
   4.2 Security of third-party access
   4.3 Outsourcing
5. Asset classification and control
   5.1 Accountability for assets
   5.2 Information classification
6. Personnel security
   6.1 Security in job definition and resourcing
   6.2 User training
   6.3 Responding to security incidents and malfunctions
7. Physical and environmental security
   7.1 Secure areas
   7.2 Equipment security
   7.3 General control
8. Communications and operations management
   8.1 Operational procedures and responsibilities
   8.2 System planning and acceptance
   8.3 Protection against malicious software
   8.4 Housekeeping
   8.5 Network management
   8.6 Media handling and security
   8.7 Exchanges of information and software
9. Access control
   9.1 Business requirement for access control
   9.2 User access management
   9.3 User responsibilities
   9.4 Network access control
   9.5 Operating system access control
   9.6 Application access control
   9.7 Monitoring system access and use
   9.8 Mobile computing and teleworking
10. Systems development and maintenance
   10.1 Security requirements of systems
   10.2 Security in application systems
   10.3 Cryptographic controls
   10.4 Security of system files
   10.5 Security in development and support processes
11. Business continuity management
   11.1 Business continuity management process
12. Compliance
   12.1 Compliance with legal requirements
   12.2 Reviews of security policy and technical compliance
   12.3 System audit considerations
15.6 ISF Standard of Good Practice for Information Security
The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.
15.7 Generally Accepted Information Security Principles (GAISP)
The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:
• Pervasive Principles – board-level guidance
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999)
• Detailed Principles – guidance for operational information security management (under development)
GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.
15.7.1 Pervasive Principles
The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.
• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.
• Awareness Principle – All parties with a need to know — including but not limited to information owners and information security practitioners — should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.
• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.
• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.
• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.
• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.
• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.
Figure 7 – Security Management
• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks with due consideration of cost effectiveness.
• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.
15.8 AICPA/CICA Trust Services Principles and Criteria
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:
• Policies – The organization has defined and documented its policies[5] relevant to the particular principle.
• Communications – The organization has communicated its defined policies to authorized users.
• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.
Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.
15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)
In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.
15.8.2 Availability Principle – The system is available for operation and use as committed or agreed
The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum-acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.
Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.
[5] The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.
[6] Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.
1583 Processing Integrity Principle ndash System
processing is complete accurate timely
and authorized
Processing integrity exists if a system performs its intendedfunction in an unimpaired manner free from unauthorizedor inadvertent manipulation Completeness generally indi-cates that all transactions and services are processed or per-formed without exception and that transactions andservices are not processed more than once Accuracyincludes assurances that key information associated with thesubmitted transaction will remain accurate throughout theprocessing of the transaction and that the transaction orservices are processed or performed as intended The timeli-ness of the provision of services or the delivery of goods isaddressed in the context of commitments made for suchdelivery Authorization includes assurances that processingis performed in accordance with the required approvals andprivileges defined by policies governing system processing
The risks associated with processing integrity are that theparty initiating the transaction will not complete the trans-action or provide the service correctly and in accordancewith the desired or specified request Without appropriateprocessing-integrity controls the buyer may not receive thegoods or services ordered may receive more than requestedor may receive the wrong goods or services altogetherHowever if appropriate processing-integrity controls existand are operational within the system the buyer can be rea-sonably assured of receiving the correct goods and services inthe correct quantity and price by the promised dateProcessing integrity addresses all of the system componentsincluding procedures to initiate record process and reportthe information product or service that is the subject of theengagement The nature of data input in e-commerce sys-tems typically involves the user entering data directly overWeb-enabled input screens or forms whereas in other sys-tems the nature of data input can vary significantly Becauseof this difference in data-input processes the nature of con-trols over the completeness and accuracy of data input in e-commerce systems may be somewhat different than forother systems
Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria.
The Privacy Principle contains 10 components[6] and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:
• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
• Collection – The organization collects personal information only for the purposes identified in the notice.
• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.
• Access – The organization provides individuals with access to their personal information for review and update.
• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security – The organization protects personal information against unauthorized access, both physical and logical.
• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.
15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed.
The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.
Information that may be subject to confidentiality includes:
• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry
Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.
Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.
15.8.6 Certification Authority (CA) Principle
The certification authority discloses its key and certificate life cycle-management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.
15.9 IIA Systems Assurance and Control (SAC)
The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.
15.10 Corporate Governance
15.10.1 OECD Principles of Corporate Governance
The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.
15.10.2 EU Commission
The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society
16 Appendix E – Assessing IT Controls Using COSO
The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:
"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."
The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.
16.1 COSO Definition of Internal Control
COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"
These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.
The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.
The third category deals with complying with those laws and regulations to which the entity is subject.
Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:
• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• There is compliance with applicable laws and regulations.
Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.
16.2 COSO Internal Control — Integrated Framework
Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:
16.2.1 Control Environment
The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.
16.2.2 Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.
16.2.3 Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
16.2.4 Information and Communication
Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.
16.2.5 Monitoring
Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.
There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.
The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.
17 Appendix F – ITGI Control Objectives for Information and Related Technology (CobiT)
Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.
Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.
1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality
Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed, or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.
12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes
Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.
18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations
Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.
31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit
This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.
CobiT is comprised of:
• An executive summary, which provides an overview of CobiT's issues and foundational premise.
• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.
• Control objectives, statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives.
• Audit guidelines, suggested audit steps corresponding to each of the IT control objectives.
Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources.
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control, critical success factors to identify the most important actions for achieving control over the IT processes, key goal indicators to define target levels of performance, and key performance indicators to measure whether an IT control process is meeting its objective.
Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of COBIT may be downloaded from http://www.itgi.org and http://www.isaca.org.
CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.
18 Appendix G – Example IT Control Metrics to Be Considered by Audit Committees
The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report[7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements regarded as essential content for comprehensive enterprise management of information security was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.
The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.
These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.
The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.
18.1 Metrics for Boards of Directors/Trustees
Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.
• Oversee risk management and compliance programs pertaining to information security.
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means.
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
  – Percentage of information security program principles for which approved policies and controls have been implemented by management.
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified.
• Strive to protect the interests of all stakeholders who depend on information security.
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda.
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders.
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods.
• Review information security policies regarding strategic partners and other third parties.
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements.
• Strive to ensure business continuity.
  – Percentage of organizational units with an established business-continuity plan.
• Review provisions for internal and external audits of the information security program.
  – Percentage of required internal and external audits completed and reviewed by the board.
  – Percentage of audit findings that have not been resolved.
• Collaborate with management to specify the information security metrics to be reported to the board.
18.2 Metrics for Management
The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.
[7] http://reform.house.gov/TIPRC
• Establish information security management policies and controls and monitor compliance.
  – Percentage of information security program elements for which approved policies and controls are operational.
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls.
  – Percentage of information security policy compliance reviews that noted violations.
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges.
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access.
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy.
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance.
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle.
  – Number of individuals with access to security software who are not trained and authorized security administrators.
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators.
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy.
  – Percentage of critical assets and functions for which the cost of compromise — loss, damage, disclosure, or disruption of access — has been quantified.
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy.
• Ensure implementation of information security requirements for strategic partners and other third parties.
  – Percentage of known information security risks that are related to third-party relationships.
  – Percentage of critical information assets or functions to which third-party personnel have been given access.
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy.
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically.
  – Percentage of security incidents that involve third-party personnel.
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures.
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements.
  – Percentage of out-of-compliance review findings that have been corrected since the last review.
• Identify and classify information assets.
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy.
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy.
  – Date when the asset inventory was last updated.
• Implement and test business-continuity plans.
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned.
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately.
  – Percentage of system architecture changes — additions, modifications, or deletions — that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms.
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture.
• Protect the physical environment.
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media.
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented.
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding.
  – Percentage of servers in locations with controlled physical access.
ndash Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule
ndash Percentage of information security audits conductedin compliance with the approved internal and external audit program and schedule
ndash Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness
bull Collaborate with security personnel to specify theinformation security metrics to be reported to management
GTAG mdash Appendix G mdash Example IT Control Metrics to Be Considered by Audit Committees mdash 18
GTAG — Appendix H — CAE Checklist — 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organisation
   f. Policies
   g. Standards
2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance
3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal Audit
      ii. External Audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?
4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls
5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing
6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?
GTAG — Appendix I — References — 20
The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the U.S. House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management, and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), U.S. Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report - Internal Control - Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html
ISO 15408 Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), U.S. Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC
GTAG — Appendix J — Glossary — 21

A listing of technical terms used in the guide, with a simple plain-English definition.

Application control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org

CRM – Customer resource management

CSO – Chief security officer

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – U.S. Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – U.S. Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org

Public Company Accounting Oversight Board (PCAOB) – A board of the U.S. Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can affect the confidentiality, integrity, or availability of an organization's information assets adversely.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
GTAG — Appendix K — About the Global Technology Audit Guides — 22
This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology facts and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI, Carnegie-Mellon University/Software Engineering Institute
Michael R. Dickson, Business Technology Group LLC
Clint Kreitner, President/CEO, CIS, The Center for Internet Security
Alex Lajoux, NACD, National Association of Corporate Directors
Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA
Mark Salamasick, CIA, University of Texas at Dallas
Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants
CIS – Clint Kreitner, Center for Internet Security
CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute
ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association
NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors
SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS, Internet Security Systems
Jack Antonelli, ADP
Ken D. Askelson, CIA, JC Penney Co. Inc.
Becky Bace, Infidel Inc.
Kevin Behr, IPSI, Institute for Integrated Publication and Information Systems
Jeff Benson, BearingPoint
Robert S. Block, Chairman, 3D Business Tools, USA
Sylvia Boyd, The IIA
Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA
Larry Brown, Options Clearing Corp.
Stephanie Bryant, University of South Florida
Phil Campbell, Specialized IT LLC, USA
John Carlson, BITS, Banking Industry Technology Secretariat
Chris Compton, Intrusion Labs
Guy Copeland, CSC, Computer Sciences Corp.
Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA
Bob Daniels, EDS
Bob Dix, U.S. House of Representatives
GTAG — Appendix L — GTAG Partners and Global Project Team — 23
Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA
Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA
Greg Garcia, ITAA, Information Technology Association of America
Russ Gates, Dupage Consulting LLC
Lou Giles, Chevron Phillips Chemical Co.
Doug Guerrero, EDS
Kai Tamara Hare, Nuserve
Michael S. Hines, CIA, Purdue University
Bob Hirth, Protiviti
Don Holden, CISSP, Concordant Inc., USA
Dave Kern, Ethentica
Gene Kim, CTO, Tripwire Inc., USA
Jim Kolouch, BearingPoint
David Kowal, VP, JP Morgan Chase
Paul Kurtz, CSIA, Cyber Security Industry Alliance
Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA
Andrée Lavigne, CICA, Canadian Institute of Chartered Accountants
Debbie Lew, Guidance Software
Brenda Lovell, CIA, CCSA, CGAP, The IIA
Warren Malmquist, Adolph Coors Co.
Stacy Mantzaris, CIA, IIA
Dennis Miller, Heritage Bank
Patrick Morrissey, Auditwire
Bruce Moulton, Symantec
Paul Moxey, ACCA, Association of Chartered Certified Accountants
Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA
Fred Palmer, Palmer Associates
Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.
Bernie Plagman, TechPar Group
Heriot Prentice, MIIA, FIIA, QiCA, The IIA
Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA
Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA
Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA
Amy Ray, Bentley College
Martin Ross, GSC, Global Security Consortium
Chip Schilb, EDS, USA
Howard Schmidt, eBay
Mark Silver, Symantec
George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA
Adam Stone, Assurant
Jay H. Stott, CIA, Fidelity Investments
Dan Swanson, CIA, IIA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation
Bill Tener, University & Community College System of Nevada
Archie Thomas
Fred Tompkins, BearingPoint
Don Warren, Rutgers University
Dominique Vincenti, CIA, The IIA
Mark Winn, Intrusec
Amit Yoran

23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway
Alexandre Alves Apparecido, Brazil
Dror Aviv, Israel
David F. Bentley, England, UK and Ireland
Gerardo Carstens, CIA, IIA Argentina
Richard Cascarino, South Africa
Iftikhar Chaudry, Pakistan
Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt
Dr. Ulrich Hahn, CIA, Switzerland
Rossana S. Javier, Makati City, Philippines
Andras Kovacks, Hungary
Christopher McRostie, Australia
Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani, RSM Pakistan
Kyoko Shimizu, CIA, Japan
John Silltow, Security Control and Audit Ltd., United Kingdom
Ken Siong, International Federation of Accountants
Anton van Wyk, PwC, South Africa
Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate
Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada
P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates
Ariel Peled, President, ISSA Israeli Chapter
P. Shreekanth, India
Karen Woo, Selangor, Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa
Alexandre Alves Apparecido, Brasil Telecom, Brazil
Ken D. Askelson, CIA, JC Penney Co. Inc., USA
Dror Aviv, CFSA, IIA Israel
Donald L. Bailey, Grant Thornton LLP, USA
E.W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)
Norman F. Barber, Microsoft Corp., USA
David F. Bentley, QiCA, Consultant, England
Claude Cargou, GIE AXA, France
Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA
Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan
Douglas Guerrero, EDS Corp., USA
Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland
David J. Hill, IBM Corp., USA
Michael S. Hines, CIA, Purdue University, USA
Mark J. Hornung, Ernst & Young LLP, USA
Gene Kim, CTO, Tripwire Inc., USA
David S. Lione, KPMG LLP Southeast Region, USA
Peter B. Millar, ACL Services Ltd., Canada
Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA
Brenda J. S. Putman, CIA, City Utilities of Springfield, USA
Kyoko Shimizu, CIA, Shin Nihon & Co., Japan
Brian M. Spindel, CIA, SecurePipe Inc., USA
Rajendra P. Srivastava, University of Kansas, USA
Jay Stott, CIA, Fidelity Investments, USA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA
Thomas Jason Wood, CIA, Ernst & Young LLP, USA
Akitomo Yamamoto, IIA Japan

23.7 The Writing Team

David A. Richards, CIA, President, The IIA
Alan S. Oliphant, MIIA, QiCA, MAIR International
Charles H. Le Grand, CIA, CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland
Trish Harris
Tim McCollum
Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645
IIA Member US $25
Nonmember US $30
IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8
ISBN 978-0-89413-623-8
GTAG Information Technology Controls describes the knowl-edge needed by members of governing bodies executives ITprofessionals and internal auditors to address technologycontrol issues and their impact on business Other profes-sionals may find the guidance useful and relevant The guideprovides information on available frameworks for assessingIT controls and describes how to establish the right frame-work for an organization Moreover it sets the stage forfuture GTAGs that will cover specific IT topics and associ-ated business roles and responsibilities in greater detail
The objectives of the IT Controls guide are tobull Explain IT controls from an executive perspectivebull Explain the importance of IT controls within the
overall system of internal controlsbull Describe the organizational roles and responsibilities
for ensuring IT controls are addressed adequatelywithin the overall system of internal controls
bull Describe the concepts of risk inherent in the use andmanagement of technology by any organization
bull Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effectiveinternal audit assessments of IT controls
bull Describe the relevant elements of the IT controlsassessment process as provided by the internal auditfunction
21 Introduction to IT ControlsIT controls do not exist in isolation They form an interde-pendent continuum of protection but they may also be sub-ject to compromise due to a weak link They are subject toerror and management override may range from simple tohighly technical and may exist in a dynamic environment
IT controls have two significant elements the automa-tion of business controls and control of IT Thus IT controlssupport business management and governance as well as pro-vide general and technical controls over IT infrastructures
The internal auditorrsquos role in IT controls begins with asound conceptual understanding and culminates in provid-ing the results of risk and control assessments Internalauditing involves significant interaction with the people inpositions of responsibility for controls and requires continu-ous learning and reassessment as new technologies emergeand the organizationrsquos opportunities uses dependenciesstrategies risks and requirements change
2.2 Understanding IT Controls

IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization's use of technology. They range from corporate policies to their physical implementation within coded instructions; from physical access protection through the ability to trace actions and transactions to responsible individuals; and from automatic edits to reasonability analysis for large bodies of data.

You don't need to know "everything" about IT controls, but remember two key control concepts:
• Assurance must be provided by the IT controls within the system of internal controls. This assurance must be continuous and provide a reliable and continuous trail of evidence.
• The auditor's assurance is an independent and objective assessment of the first assurance. Auditor assurance is based on understanding, examining, and assessing the key controls related to the risks they manage and performing sufficient testing to ensure the controls are designed appropriately and function effectively and continuously.

Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT controls and to provide and document its own framework for:
• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (reasonable assurance) that activities comply with management's governance policies and are consistent with the organization's risk appetite.
2.3 Importance of IT Controls

Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency, because it helps the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls, because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.

Key indicators of effective IT controls include:
• The ability to execute and plan new work, such as IT infrastructure upgrades required to support new products and services.
• Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of key indicators of effective controls.
• The ability to protect against new vulnerabilities and threats and to recover from any disruption of IT services quickly and efficiently.
• The efficient use of a customer support center or help desk.
• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.

GTAG – Executive Summary – 2
2.4 IT Roles and Responsibilities

Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

2.5 Analyzing Risk

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.

2.6 Monitoring and Techniques

The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to, and be used by, the whole organization, not just internal auditing.

2.7 IT Control Assessment

Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.

Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.
GTAG – Introduction – 3

IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems, and people that comprise IT infrastructures.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a "weak link." They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of "defense in depth," so a single weakness does not always result in a single point of failure.

Controls exist to protect stakeholder interests:
• The owner's equity.
• Customer concerns such as privacy and identity.
• Employees' jobs and abilities to prove they did the right thing.
• Management's comfort with the assurance provided by automated processes.

IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.
They are all connected

When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the "ports" through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored, and communicated.
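The sidebar's point, that a rule set is the executable form of a policy, is something an auditor can test directly by reconciling the two. The following script is an added example written for this edition, not material from the GTAG or from any firewall vendor: the rule-file syntax, the documented policy, and the sample rules are all constructed assumptions. It reports allow rules that the documented policy does not approve, approved services that no rule implements, and whether each direction ends in a default deny.

```python
"""Reconcile a firewall rule set against the documented policy it implements.

Added example for the "They are all connected" sidebar; the rule format,
the policy and the sample rules are constructed and do not follow any real
firewall product's syntax.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Service = Tuple[str, int]  # (protocol, port)

# Constructed rule file: <action> <direction> <protocol> <port> [comment]
SAMPLE_RULES = """\
allow inbound tcp 443 public web
allow inbound tcp 22 remote administration
allow inbound tcp 23 legacy telnet
deny inbound any any default deny
allow outbound tcp 443 browsing
"""

# Constructed documented policy: the services management approved, per direction.
SAMPLE_POLICY: Dict[str, Set[Service]] = {
    "inbound": {("tcp", 443), ("tcp", 22)},
    "outbound": {("tcp", 443), ("udp", 53)},
}


@dataclass(frozen=True)
class Rule:
    action: str
    direction: str
    protocol: str
    port: Optional[int]  # None means "any"
    comment: str


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed rule format; blank or short lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue
        action, direction, protocol, port = parts[:4]
        comment = parts[4] if len(parts) == 5 else ""
        rules.append(Rule(action, direction, protocol,
                          int(port) if port.isdigit() else None, comment))
    return rules


def reconcile(rules: List[Rule], policy: Dict[str, Set[Service]]
              ) -> Tuple[List[Rule], Dict[str, Set[Service]]]:
    """Compare allow rules with the policy.

    Returns (unauthorized, unimplemented): allow rules the policy does not
    approve (a blanket "any" allow is never approved), and approved services
    for which no allow rule exists.
    """
    unauthorized: List[Rule] = []
    implemented: Dict[str, Set[Service]] = {d: set() for d in policy}
    for r in rules:
        if r.action != "allow":
            continue
        approved = policy.get(r.direction, set())
        if r.port is not None and (r.protocol, r.port) in approved:
            implemented.setdefault(r.direction, set()).add((r.protocol, r.port))
        else:
            unauthorized.append(r)
    unimplemented = {d: policy[d] - implemented.get(d, set()) for d in policy}
    return unauthorized, unimplemented


def default_deny_present(rules: List[Rule], direction: str) -> bool:
    """True if the last rule for the direction denies all traffic."""
    scoped = [r for r in rules if r.direction == direction]
    return (bool(scoped) and scoped[-1].action == "deny"
            and scoped[-1].protocol == "any" and scoped[-1].port is None)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    bad, missing = reconcile(parsed, SAMPLE_POLICY)
    for r in bad:
        print(f"not in policy: {r.direction} {r.protocol}/{r.port} ({r.comment})")
    for d, svcs in missing.items():
        for proto, port in sorted(svcs):
            print(f"approved but not implemented: {d} {proto}/{port}")
    for d in SAMPLE_POLICY:
        print(f"default deny {d}: {default_deny_present(parsed, d)}")
```

Run against the constructed input, the script flags the legacy telnet rule as outside policy, reports that approved outbound DNS has no implementing rule, and notes that only the inbound direction ends in a default deny; each finding maps to a question the auditor would put to the administrator and the policy owner.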
GTAG – Assessing IT Controls – An Overview – 4

When CAEs review and assess the controls over IT, they should ask:
• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.

"I keep six honest serving-men
(They taught me all I knew);
Their names are
What and Why and When
and How and Where and Who."
– Rudyard Kipling, from "Elephant's Child" in Just So Stories

Figure 1 - The Structure of IT Auditing
GTAG – Understanding IT Controls – 5

COSO¹ defines internal control as "A process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations."

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; and backup, recovery, and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting. The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.

Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields; access controls that protect sensitive data or system resources from unauthorized people; and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.

¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org.
It is not necessary to know "everything" about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:
1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2
Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions, or falsification.
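To show the preventive, detective, and corrective classifications in working form, here is an added example (written for this edition, not taken from the GTAG); the record layout, the account master, the authorized limits, and the shared authentication key are constructed. The preventive edit blocks a letter in a numeric field before the record enters processing; the detective checks flag records on inactive accounts, records that exceed the authorized limit, and records whose authentication tag does not verify (the corrupted or unauthenticated message case); the corrective step is represented by the hand-off, routing each flagged record to a quarantine for correction instead of posting it.

```python
"""Preventive, detective and corrective controls over a transaction feed.

Added example for the control classification above; not from the GTAG.
The record layout ("account|amount|memo"), the account master, the limits
and the shared key are constructed for illustration.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed account master: account -> (active?, authorized limit).
ACCOUNTS: Dict[str, Tuple[bool, int]] = {
    "1001": (True, 5000),
    "1002": (False, 5000),   # inactive account
    "1003": (True, 250),
}
# Constructed shared key the sender uses to authenticate each record.
KEY = b"constructed-demo-key"


def sign(record: str) -> str:
    """Sender side: HMAC-SHA256 tag over the record text."""
    return hmac.new(KEY, record.encode(), hashlib.sha256).hexdigest()


def preventive_edit(record: str) -> Tuple[bool, str]:
    """Input edit run before processing: malformed records never get in.
    A numeric field containing letters is blocked, as the guide describes."""
    fields = record.split("|")
    if len(fields) != 3:
        return False, "wrong field count"
    account, amount, _memo = fields
    if not re.fullmatch(r"\d{4}", account):
        return False, "account must be four digits"
    if not re.fullmatch(r"\d+(\.\d{1,2})?", amount):
        return False, "amount must be numeric"
    return True, ""


def detective_checks(record: str, tag: str) -> List[str]:
    """Checks on records that passed the edit; each finding is a reason."""
    findings: List[str] = []
    if not hmac.compare_digest(sign(record), tag):
        findings.append("integrity/authentication failure")
    account, amount, _memo = record.split("|")
    active, limit = ACCOUNTS.get(account, (False, 0))
    if not active:
        findings.append("inactive or unknown account")
    if float(amount) > limit:
        findings.append("exceeds authorized limit")
    return findings


def process_batch(batch: List[Tuple[str, str]]) -> Dict[str, list]:
    """Route each (record, tag) to posted, rejected (preventive) or
    quarantined (detective); quarantine is the corrective hand-off, where
    the record is corrected or removed under its own controls."""
    result: Dict[str, list] = {"posted": [], "rejected": [], "quarantined": []}
    for record, tag in batch:
        ok, reason = preventive_edit(record)
        if not ok:
            result["rejected"].append((record, reason))
            continue
        findings = detective_checks(record, tag)
        if findings:
            result["quarantined"].append((record, findings))
        else:
            result["posted"].append(record)
    return result


def sample_batch() -> List[Tuple[str, str]]:
    """Constructed input covering each control outcome."""
    good = "1001|1200.00|invoice 17"
    inactive = "1002|10.00|refund"
    over_limit = "1003|300.00|consulting"
    original = "1001|100.00|petty cash"
    return [
        (good, sign(good)),
        ("1001|12AB.00|typo", sign("1001|12AB.00|typo")),   # blocked by the edit
        (inactive, sign(inactive)),
        (over_limit, sign(over_limit)),
        (original.replace("100.00", "900.00"), sign(original)),  # altered in transit
    ]


if __name__ == "__main__":
    for bucket, items in process_batch(sample_batch()).items():
        print(bucket, items)
```

The rejected record never reaches the ledger, which is what makes the edit preventive; the three quarantined records did reach processing and were caught afterwards, which is the detective case, and the guide's point that correction itself needs controls is why they are held for review rather than silently fixed.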
Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.

5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels, governance and management, are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.

5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by, and controlled by, either the entire board of directors or a board committee in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied, and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:
• Recognize risks to the organization, its processes, and assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information, including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

Figure 3 - Some Control Classifications
5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls, on this page represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:
• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster, not just the IT elements.

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).
5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45).

As a guideline, the CAE should expect to see standards adopted for:
• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.
5.3.3 Organization and Management

Organization and management play a major role in the whole system of IT control, as they do with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems (except for change deployment) and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum. Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.
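As an added example of testing the separation-of-duties and privileged-account points above (written for this edition, not the GTAG's own material; the users, functions, conflict pairs, group names, and threshold are all constructed), the following script reviews an access matrix for users holding conflicting functions, lists the privileged population and compares it with a policy threshold, and flags privileged accounts that have no named owner in the access matrix.

```python
"""Separation-of-duties and privileged-account review of an access matrix.

Added example for the separation-of-duties passage; not from the GTAG.
Users, functions, conflict pairs, group names and the threshold are
constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed access matrix: user -> functions granted in the application
# (initiate/input/authorize/check) and in the IT environment (develop/operate/...).
ACCESS: Dict[str, Set[str]] = {
    "alice": {"initiate", "input"},
    "bob": {"authorize", "check"},
    "carol": {"initiate", "authorize"},             # creates and approves
    "dave": {"develop", "deploy_production"},        # developer who deploys
    "erin": {"operate", "modify_production_code"},   # operator editing production
    "frank": {"operate"},
}

# Constructed privileged group membership (an administrators group and the
# accounts permitted to act as the UNIX superuser).
PRIVILEGED_GROUPS: Dict[str, Set[str]] = {
    "Administrators": {"dave", "erin", "frank", "svc_backup"},
    "root": {"frank"},
}

# Function pairs that the guide says one person must not hold together:
# creating and authorizing a transaction, and development combined with
# production operation or deployment.
CONFLICTS: List[FrozenSet[str]] = [
    frozenset({"initiate", "authorize"}),
    frozenset({"input", "authorize"}),
    frozenset({"develop", "deploy_production"}),
    frozenset({"operate", "modify_production_code"}),
]


def sod_violations(access: Dict[str, Set[str]],
                   conflicts: List[FrozenSet[str]]) -> Dict[str, List[FrozenSet[str]]]:
    """Map each user holding a conflicting pair to the pairs involved."""
    found: Dict[str, List[FrozenSet[str]]] = {}
    for user, funcs in sorted(access.items()):
        hits = [pair for pair in conflicts if pair <= funcs]
        if hits:
            found[user] = hits
    return found


def privileged_accounts(groups: Dict[str, Set[str]]) -> Set[str]:
    """Union of all privileged group members."""
    return set().union(*groups.values())


def review_privileged(groups: Dict[str, Set[str]],
                      max_allowed: int) -> Tuple[Set[str], bool]:
    """Privileged population and whether it is within the policy threshold
    (the threshold is a constructed policy value; the guide says keep it minimal)."""
    accounts = privileged_accounts(groups)
    return accounts, len(accounts) <= max_allowed


def unowned_privileged(groups: Dict[str, Set[str]],
                       access: Dict[str, Set[str]]) -> Set[str]:
    """Privileged accounts with no named owner in the access matrix,
    typically shared or service accounts that need an assigned owner."""
    return privileged_accounts(groups) - set(access)


if __name__ == "__main__":
    for user, pairs in sod_violations(ACCESS, CONFLICTS).items():
        print(user, "holds conflicting functions:", [sorted(p) for p in pairs])
    accounts, within = review_privileged(PRIVILEGED_GROUPS, max_allowed=3)
    print("privileged accounts:", sorted(accounts), "within threshold:", within)
    print("privileged accounts without an owner:",
          sorted(unowned_privileged(PRIVILEGED_GROUPS, ACCESS)))
```

The conflict table is the part an auditor should expect management to own: it is the machine-readable form of the job-requirement rule in the passage above, and a review that uses it is only as good as the pairs the business has agreed are incompatible.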
5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:
• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.

When considering physical and environmental security, it is also appropriate to consider contingency planning (also known as disaster recovery planning), which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.
535 Systems Software Controls
Systems software products enable the IT equipment to beused by the application systems and users These productsinclude operating systems such as Windows UNIX andLinux network and communications software firewallsantivirus products and database management systems(DBMS) such as Oracle and DB2
Systems software can be highly complex and can apply tocomponents and appliances within the systems and networkenvironment It may be configured to accommodate highlyspecialized needs and normally requires a high degree of spe-cialization to maintain it securely Configuration techniquescan control logical access to the applications although someapplication systems contain their own access controls andmay provide an opening for hackers to use to break into asystem Configuration techniques also provide the means toenforce division of duties generate specialized audit trailsand apply data integrity controls through access control listsfilters and activity logs
IT audit specialists are required to assess controls in thisarea Small organizations are unlikely to have the resourcesto employ such specialists and should consider outsourcingthe work Whether IT auditors are employed or outsourcedthey require a highly specific set of knowledge Much of thisknowledge can come from experience but such knowledgemust be updated constantly to remain current and usefulCertification confirms that a technical specialist hasacquired a specified set of knowledge and experience and haspassed a related examination In the IT audit world globalcertificates include the Qualification in Computer Auditing(QiCA) from IIAndashUnited Kingdom and Ireland CertifiedInformation Systems Auditor (CISA) available through the
Information Systems Audit and Control Association(ISACA) and Global Information Assurance Certification(GIAC) Systems amp Network Auditor (GSNA) from theSANS Institutersquos GIAC program Additional certificationsaddress general and specialized competence in informationsecurity network administration and other areas closelyrelated to IT auditing and are useful for identifying an ITauditorrsquos potential ability
Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization's stated policy.
• Division of duties enforced through systems software and other configuration controls.
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.
• Intrusion testing performed on a regular basis.
• Encryption services applied where confidentiality is a stated requirement.
• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.
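As an added illustration of the first two controls in this list (access rights allocated according to stated policy, and division of duties enforced through configuration), the following Python script, which is not part of the GTAG, reviews an access-rights export against a role policy and a set of conflicting role pairs. The job functions, permitted roles, conflict pairs and user accounts are all constructed sample data.

```python
"""Access-rights review against stated policy and division-of-duties rules.

Added example, not from the GTAG. The job functions, permitted roles,
conflict pairs and user accounts below are constructed sample data standing
in for an access-control list export and the organization's written policy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed policy: the roles each job function is permitted to hold.
ROLE_POLICY: Dict[str, Set[str]] = {
    "ap_clerk":   {"vendor_create", "invoice_enter"},
    "ap_manager": {"payment_approve"},
    "dba":        {"db_admin"},
    "auditor":    {"read_only"},
}

# Constructed division-of-duties rules: role pairs no single account may hold.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"invoice_enter", "payment_approve"}),
    frozenset({"db_admin", "payment_approve"}),
}


@dataclass
class Account:
    user: str
    job_function: str
    roles: Set[str]
    active: bool = True


@dataclass
class Finding:
    user: str
    kind: str    # unauthorized_role | sod_conflict | inactive_with_access
    detail: str


def review_accounts(accounts: List[Account]) -> List[Finding]:
    """Apply three checks an auditor runs over an access-rights export."""
    findings: List[Finding] = []
    for acct in accounts:
        permitted = ROLE_POLICY.get(acct.job_function, set())
        # Check 1: every role granted must be permitted for the job function.
        for role in sorted(acct.roles - permitted):
            findings.append(Finding(acct.user, "unauthorized_role",
                                    f"{role} not permitted for {acct.job_function}"))
        # Check 2: division of duties - no account holds a conflicting pair.
        for pair in SOD_CONFLICTS:
            if pair <= acct.roles:
                findings.append(Finding(acct.user, "sod_conflict",
                                        " + ".join(sorted(pair))))
        # Check 3: inactive (departed/transferred) accounts must carry no roles.
        if not acct.active and acct.roles:
            findings.append(Finding(acct.user, "inactive_with_access",
                                    ", ".join(sorted(acct.roles))))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, for the summary reported to the CAE."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed access-rights export (in practice pulled from the system itself).
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", "ap_clerk", {"vendor_create", "invoice_enter"}),
    Account("bob", "ap_manager", {"payment_approve", "invoice_enter"}),
    Account("carol", "dba", {"db_admin", "payment_approve"}),
    Account("dave", "auditor", {"read_only"}, active=False),
]


def run_sample() -> Dict[str, int]:
    return summarize(review_accounts(SAMPLE_ACCOUNTS))


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS):
        print(f"{f.user:6} {f.kind:22} {f.detail}")
    print(run_sample())
```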
5.3.6 Systems Development and Acquisition Controls
Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.
Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.
Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.
5.3.7 Application-based Controls
The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:
• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
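The following Python walk-through, added here and not part of the GTAG, applies the five generic control types above to one payment batch: edit checks on input, a batch-balancing processing control, output reconciled back to the accepted input, a stored-data digest as an integrity control, and an event trail that can be followed forward from a transaction or backward from a result. The field rules, vendor master file, batch header and transactions are constructed sample data.

```python
# Five generic application controls over one payment batch: input, processing,
# output and integrity controls, plus a management trail. Added example, not
# from the GTAG; edit rules, vendor master file and transactions are constructed.
import hashlib
import json
from collections import namedtuple
from decimal import Decimal
from typing import Dict, List, Tuple

MAX_AMOUNT = Decimal("50000.00")                    # constructed input parameter
VALID_CURRENCIES = {"USD", "EUR", "GBP"}
APPROVED_VENDORS = {"V-1001", "V-1002", "V-1003"}   # constructed vendor master file
Txn = namedtuple("Txn", "txn_id vendor amount currency approved_by")
BatchHeader = namedtuple("BatchHeader", "batch_id declared_count declared_total")

class Trail:
    """Management trail: one event per control decision, keyed by reference."""
    def __init__(self) -> None:
        self.events: List[Dict[str, str]] = []

    def log(self, stage: str, ref: str, outcome: str, detail: str = "") -> None:
        self.events.append({"stage": stage, "ref": ref, "outcome": outcome, "detail": detail})

    def trace(self, ref: str) -> List[Dict[str, str]]:
        # Follow one transaction forward, or a result backward, by its reference.
        return [e for e in self.events if e["ref"] == ref]

def input_controls(t: Txn) -> List[str]:
    """Edit checks: the failures for one record (an empty list means accepted)."""
    errs = []
    if t.vendor not in APPROVED_VENDORS:
        errs.append("vendor not on master file")
    if not Decimal("0.01") <= t.amount <= MAX_AMOUNT:
        errs.append("amount outside permitted range")
    if t.currency not in VALID_CURRENCIES:
        errs.append("unknown currency")
    if not t.approved_by:
        errs.append("missing authorization")
    return errs

def process_batch(hdr: BatchHeader, txns: List[Txn], trail: Trail) -> List[Txn]:
    """Processing control: each record is accepted or rejected, never lost, and
    the batch must balance to the header's declared count and control total."""
    accepted = []
    for t in txns:
        errs = input_controls(t)
        trail.log("input", t.txn_id, "rejected" if errs else "accepted", "; ".join(errs))
        if not errs:
            accepted.append(t)
    total = sum((t.amount for t in txns), Decimal("0"))
    if len(txns) != hdr.declared_count or total != hdr.declared_total:
        trail.log("processing", hdr.batch_id, "out_of_balance", f"count={len(txns)} total={total}")
        raise ValueError(f"batch {hdr.batch_id} does not balance to its header")
    trail.log("processing", hdr.batch_id, "balanced",
              f"accepted={len(accepted)} rejected={len(txns) - len(accepted)}")
    return accepted

def produce_output(hdr: BatchHeader, accepted: List[Txn], trail: Trail) -> Tuple[str, str]:
    """Output control reconciles the payment file to the accepted input; the
    integrity control seals the stored file with a digest re-verified later."""
    payments = [{"txn_id": t.txn_id, "vendor": t.vendor, "amount": str(t.amount),
                 "currency": t.currency} for t in accepted]
    out_total = sum((Decimal(p["amount"]) for p in payments), Decimal("0"))
    in_total = sum((t.amount for t in accepted), Decimal("0"))
    if len(payments) != len(accepted) or out_total != in_total:
        trail.log("output", hdr.batch_id, "mismatch")
        raise ValueError("output does not reconcile to accepted input")
    trail.log("output", hdr.batch_id, "reconciled", f"payments={len(payments)} total={out_total}")
    stored = json.dumps(payments, sort_keys=True)
    digest = hashlib.sha256(stored.encode()).hexdigest()
    trail.log("integrity", hdr.batch_id, "sealed", digest)
    return stored, digest

def verify_stored(stored: str, digest: str) -> bool:
    """Integrity control applied in storage: the data still matches its digest."""
    return hashlib.sha256(stored.encode()).hexdigest() == digest

SAMPLE_HEADER = BatchHeader("B-001", 5, Decimal("77050.49"))   # constructed batch header
SAMPLE_TXNS = [                                                # constructed records
    Txn("T1", "V-1001", Decimal("1200.00"), "USD", "mgr1"),
    Txn("T2", "V-9999", Decimal("300.00"), "USD", "mgr1"),    # unknown vendor
    Txn("T3", "V-1002", Decimal("75000.00"), "EUR", "mgr2"),  # over limit
    Txn("T4", "V-1003", Decimal("450.50"), "GBP", ""),        # not authorized
    Txn("T5", "V-1002", Decimal("99.99"), "USD", "mgr1"),
]

def run_sample() -> Dict[str, object]:
    """Run the batch end to end and report what each control concluded."""
    trail = Trail()
    accepted = process_batch(SAMPLE_HEADER, SAMPLE_TXNS, trail)
    stored, digest = produce_output(SAMPLE_HEADER, accepted, trail)
    return {
        "accepted": [t.txn_id for t in accepted],
        "rejected": [e["ref"] for e in trail.events if e["outcome"] == "rejected"],
        "intact": verify_stored(stored, digest),
        "tamper_detected": not verify_stored(stored.replace("99.99", "999.99"), digest),
        "events": len(trail.events),
        "t4_reason": trail.trace("T4")[0]["detail"],
    }
```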
5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:
• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.
5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.
Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.
Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
6 Importance of IT Controls

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002 [2], the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.
Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).
The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).
Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.
Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.
The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.
[2] Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.
7 IT Roles in the Organization
Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.
There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.
Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.
• To protect stakeholder interests.
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.
• To identify and respond to threats and potential violations of control appropriately.
Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.
7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:
• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.
• Approval of the data classifications structure and the related access rights.
The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.
7.1.1 Audit Committee
The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.
• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.
• Overseeing the overall assessment of IT controls.
• Reviewing the business and control issues related to new systems development and acquisition.
• Examining internal and external audit plans and work to ensure IT topics are covered adequately.
• Reviewing the results of audit work and monitoring the resolution of issues raised.
• Understanding the IT topics that impact ethics monitoring.
7.1.2 Compensation Committee
The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.
7.1.3 Governance Committee
The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:
• Ensure that potential and current board members have a suitable IT knowledge or background.
• Assess board committees' performance in terms of their oversight of IT.
• Review any external regulatory governance assessments in relation to IT topics.
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.
7.1.4 Risk Management Committee
The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:
• Assessing the extent to which management has established effective enterprise risk management in the organization.
• Being aware of, and concurring with, the organization's risk appetite and tolerance.
• Appreciating the impact of IT-related risks.
• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.
• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.
7.1.5 Finance Committee
The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.
7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.
7.2.1 Chief Executive Officer
The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:
• Define corporate objectives and performance measures in relation to IT.
• Act as custodian over the organization's critical success factors in relation to IT.
• Understand and approve the short-term and long-range strategy for IT.
• Approve IT resources for the organization, including structure and oversight/monitoring.
• Determine IT issues for periodic management, board, and staff discussion.
• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.
7.2.2 Chief Financial Officer
The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.
• The entity's IT strategies for remaining technologically competitive.
• The technologies used to implement financial applications.
• The operation of specific financial applications.
• The limitations and benefits of IT.
• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced by the Equity Funding cases in the 1970s and the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.
7.2.3 Chief Information Officer
The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.
• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.
• Design, implement, and maintain an IT internal control framework.
• Plan, source, and control IT resources.
• Explore, assess, select, and implement technology advances (e.g., wireless communications).
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
• Operate as the highest-level data/system custodian and IT control owner.
• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.
7.2.4 Chief Security Officer
The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:
• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.
• Acts as a key link between the compliance, legal, CIO, and audit functions.
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.
• Is responsible for business continuity planning, including incident handling and disaster recovery.
• Ensures that security staff provide support for implementing controls at all levels.
• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.
7.2.5 Chief Information Security Officer (CISO)
Information security is a subset of the overall security role. The CISO:
• Develops and implements the information security policy in coordination with the CSO.
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.
• Ensures alignment of information security and business objectives.
• Manages operational information risks throughout the organization.
• Oversees security within the IT organization.
• Provides education and awareness on information security issues and new best practices.
• Develops end-user policies for the usage of IT information in conjunction with the human resources function.
• Coordinates information security work with the chief risk officer (CRO) and CIO.
• Advises the CEO, CRO, CIO, and board on IT risk issues.
• Acts as a key link for the CAE when internal auditing performs IT control-related audits.
7.2.6 Chief Legal Counsel (CLC)
Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:
• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.
• Ensuring financial reports and presentations comply with laws and regulations.
• Understanding IT legal issues and advising on legal risks related to IT.
• Managing organizational reputation in relation to legal issues, compliance, and public relations.
• Understanding fraud involving IT.
• Managing IT contractual issues.
• Understanding investigative forensics protocols regarding suspected criminal activity.
7.2.7 Chief Risk Officer
The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:
• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.
• Assessment of IT events such as interruptions, disasters, and changes.
• Analysis and assessment of business risk as it is affected by IT risk.
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.
7.3 Audit
7.3.1 Internal Auditing – CAE and Audit Staff
Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:
• Advising the audit committee and senior management on IT internal control issues.
• Ensuring IT is included in the audit universe and annual plan (selecting topics).
• Ensuring IT risks are considered when assigning resources and priorities to audit activities.
• Defining IT resources needed by the internal audit department, including specialized training of audit staff.
• Ensuring that audit planning considers IT issues for each audit.
• Liaising with audit clients to determine what they want or need to know.
• Performing IT risk assessments.
• Determining what constitutes reliable and verifiable evidence.
• Performing IT enterprise-level controls audits.
• Performing IT general controls audits.
• Performing IT applications controls audits.
• Performing specialist technical IT controls audits.
• Making effective and efficient use of IT to assist the audit processes.
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.
7.3.2 External Auditor
Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:
• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.
• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.
[3] These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).
8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.
It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.
The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO [3] as:
"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."
In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:
"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.
• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.
8.2 Risk Considerations in Determining the Adequacy of IT Controls
Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.
When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.
• The organization's risk appetite and tolerance for each business function and process.
• IT risks faced by the organization and quality of service provided to its users.
• The complexity of the IT infrastructure.
• The appropriate IT controls and the benefits they provide.
• Harmful IT incidents in the past 24 months.
The frequency of risk analysis is important and is influencedgreatly by technological change In a static business andtechnical infrastructure environment the risk assessmentprocess could be as infrequent as yearly or could be performed in concert with a major implementation project
821 The IT Infrastructure
Analyzing and assessing risk in relation to IT can be com-plex The IT infrastructure consists of hardware softwarecommunications applications protocols (rules) and data aswell as their implementation within physical space withinthe organizational structure and between the organizationand its external environment Infrastructure also includesthe people interacting with the physical and logical ele-ments of systems
The inventory of IT infrastructure components revealsbasic information about the vulnerabilities of the environ-ment For example business systems and networks connect-ed to the Internet are exposed to threats that do not exist forself-contained systems and networks Because Internet con-nectivity is an essential element of most business systemsand networks organizations must make certain that theirsystems and network architectures include the fundamentalcontrols that ensure basic security
The complete inventory of the organizationrsquos IT hard-ware software network and data components forms thefoundation for assessing the vulnerabilities within the ITinfrastructures that may impact internal controls Systemsarchitecture schematics reveal the implementation of infra-structure components and how they interconnect with othercomponents within and outside the organization To theinformation security expert the inventory and architectureof IT infrastructure components mdash including the placementof security controls and technologies mdash reveals potentialvulnerabilities Unfortunately information about a systemor network can also reveal vulnerabilities to a potentialattacker so access to such information must be restricted toonly those people who need it A properly configured systemand network environment will minimize the amount ofinformation it provides to would-be attackers and an envi-ronment that appears secure presents a less attractive targetto most attackers
GTAG mdash Analyzing Risk mdash 8
8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee, with input from the audit committee, and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five are:
• What are the assets at risk, and what is the value of their confidentiality, integrity, and availability?
• What could happen to affect that information asset value adversely (threat event)? Implicit in this question is the vulnerability analysis and the mapping of vulnerabilities to threats and potentially impacted information assets.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:
• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
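The eight questions can be carried through numerically. The following Python script is an added illustration, not part of this guide: it records the answers to questions 1 to 5 for one constructed threat event (with low/high ranges standing in for the uncertainty in question 5), then evaluates candidate controls against questions 6 to 8 by comparing the reduction in expected annual loss with each control's annual cost. The asset, the loss and frequency figures, the control names and their costs are all constructed for illustration, and expressing risk as impact multiplied by annual frequency is an assumption of this example, not a method the guide prescribes.

```python
"""Worked illustration of the eight risk-assessment questions.

Added example, not part of the GTAG text. The asset, threat-event figures
and control costs are constructed, and using single-loss impact times
annual frequency as the risk measure is this example's assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatEvent:
    """Answers to questions 1-5 for one asset/threat pair.

    impact_range:    loss per occurrence (low, high)            (Q3)
    frequency_range: expected occurrences per year (low, high)  (Q4)
    Ranges rather than point values record the uncertainty (Q5);
    the midpoints give the point estimate.
    """
    asset: str
    threat: str
    impact_range: tuple[float, float]
    frequency_range: tuple[float, float]

    def expected_annual_loss(self) -> tuple[float, float, float]:
        """Return (low, estimate, high) annual loss for this event."""
        lo_i, hi_i = self.impact_range
        lo_f, hi_f = self.frequency_range
        low = lo_i * lo_f
        high = hi_i * hi_f
        estimate = ((lo_i + hi_i) / 2) * ((lo_f + hi_f) / 2)
        return low, estimate, high


@dataclass(frozen=True)
class Control:
    """A candidate mitigation (Q6) and its annual cost (Q7).

    frequency_factor / impact_factor are the fractions of the original
    frequency / impact that remain with the control in place
    (0.2 means an 80 percent reduction).
    """
    name: str
    annual_cost: float
    frequency_factor: float = 1.0
    impact_factor: float = 1.0

    def apply(self, event: ThreatEvent) -> ThreatEvent:
        lo_i, hi_i = event.impact_range
        lo_f, hi_f = event.frequency_range
        return ThreatEvent(
            event.asset, event.threat,
            (lo_i * self.impact_factor, hi_i * self.impact_factor),
            (lo_f * self.frequency_factor, hi_f * self.frequency_factor),
        )


def evaluate_control(event: ThreatEvent, control: Control) -> dict:
    """Compare expected loss with and without the control (Q8).

    cost_efficient is True only when the reduction in the point estimate
    of annual loss exceeds the control's annual cost.
    """
    _, before, _ = event.expected_annual_loss()
    _, after, _ = control.apply(event).expected_annual_loss()
    benefit = before - after
    return {
        "control": control.name,
        "loss_before": round(before, 2),
        "loss_after": round(after, 2),
        "annual_benefit": round(benefit, 2),
        "annual_cost": control.annual_cost,
        "cost_efficient": benefit > control.annual_cost,
    }


def rank_controls(event: ThreatEvent, controls: list[Control]) -> list[dict]:
    """Evaluations ordered by net benefit (benefit minus cost), best first."""
    results = [evaluate_control(event, c) for c in controls]
    return sorted(results, key=lambda r: r["annual_benefit"] - r["annual_cost"],
                  reverse=True)


# Constructed sample: an Internet-facing order system and one threat event.
ORDER_SYSTEM_COMPROMISE = ThreatEvent(
    asset="order processing system",
    threat="compromise of Internet-facing web server",
    impact_range=(50_000.0, 250_000.0),   # loss per occurrence, constructed
    frequency_range=(0.1, 0.5),           # occurrences per year, constructed
)

# Constructed candidate controls and costs (hypothetical figures).
CANDIDATE_CONTROLS = [
    Control("monthly patch cycle for the web tier", annual_cost=12_000,
            frequency_factor=0.5),
    Control("web application firewall", annual_cost=40_000,
            frequency_factor=0.4),
    Control("rewrite of the order system", annual_cost=400_000,
            frequency_factor=0.1, impact_factor=0.5),
]

if __name__ == "__main__":
    low, est, high = ORDER_SYSTEM_COMPROMISE.expected_annual_loss()
    print(f"expected annual loss: {est:,.0f} (range {low:,.0f} .. {high:,.0f})")
    for r in rank_controls(ORDER_SYSTEM_COMPROMISE, CANDIDATE_CONTROLS):
        print(r)
```

With these constructed figures only the first control in the ranking has an annual benefit above its cost. The wide low-to-high range printed for the untreated risk is the uncertainty analysis made visible: when that range spans a control's cost, the ranges need revisiting before the point estimate is trusted.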
8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:
• Exclusive possession – cost in the event of a breach of confidentiality
• Utility – cost in the event of a loss of integrity
• Cost of creation/re-creation
• Liability in the event of litigation
• Convertibility/negotiability – represents market value
• Operational impact of unavailability

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject. See Appendix I (page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.
8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.

• Eliminate the risk. A risk may be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.

• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider. Sharing a risk in this way transfers part of its financial impact, not the organization's accountability for the affected business processes.

• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:
• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:
• Do IT policies, including policies for IT controls, exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf
Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.
1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":
1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization, not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them, or which parts, most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (page 29).
The COSO Internal Control – Integrated Framework (1992) is accepted by the US Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 - COSO Model for Technology Controls
9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows:

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies, or even frauds, may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.
Suitable Recognized Framework

"… the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

— Scott A. Taub, Deputy Chief Accountant, US Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003
10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection, including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of, or even involvement in, the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodology can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:
• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.
• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability, plus the ability to examine all relevant records and files.
• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems, checking the results to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.

10.2.1 Automated Continuous Monitoring
Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world's recognition of the importance of effective information security management.
10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.
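As an added example of the monitoring described in 10.2.1 and the data analysis described in 10.2.2 (and of the event-driven monitoring in 9.2.1), the following Python script checks a constructed accounts-payable posting file against a few predetermined criteria and reports the anomalies it detects. It is not code from this guide or from ACL, IDEA, or any other audit product; the records, the thresholds, and the rule names are constructed for illustration, and the criteria chosen (large value, creator approving own posting, out-of-hours posting, repeated vendor/amount pair) are assumptions of the example.

```python
"""Added example: a small embedded-audit-style checker.

Not code from the GTAG or from any audit product. The posting records,
thresholds and rule names below are constructed for illustration.

Each rule is a predetermined criterion. A posting that meets one is
reported as an anomaly together with the rules that fired, and the
per-rule hit counts show which thresholds are generating the noise.
"""
import csv
import io
from datetime import datetime

# Constructed sample of an accounts-payable posting file (not real data).
SAMPLE_POSTINGS = """\
id,posted_at,vendor,amount,created_by,approved_by
1001,2024-03-04T10:12:00,ACME Supplies,4200.00,jdoe,mroe
1002,2024-03-04T10:15:00,ACME Supplies,4200.00,jdoe,mroe
1003,2024-03-05T02:41:00,Globex,15750.00,asmith,asmith
1004,2024-03-05T14:03:00,Initech,120000.00,bwong,mroe
1005,2024-03-06T09:30:00,Globex,880.00,asmith,mroe
"""

# Predetermined criteria. These are the tunable part: 10.2.1 warns that
# monitoring thresholds need constant refinement to keep alert volume useful.
LARGE_VALUE_THRESHOLD = 50_000.00      # hypothetical threshold
BUSINESS_HOURS = range(7, 20)          # postings outside 07:00-19:59 are flagged


def parse_postings(text):
    """Parse the CSV text into dicts with a typed amount and timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = float(row["amount"])
        row["posted_at"] = datetime.fromisoformat(row["posted_at"])
        rows.append(row)
    return rows


def rule_large_value(tx, _all):
    return tx["amount"] >= LARGE_VALUE_THRESHOLD


def rule_self_approval(tx, _all):
    # Segregation of duties: the creator must not also be the approver.
    return tx["created_by"] == tx["approved_by"]


def rule_out_of_hours(tx, _all):
    return tx["posted_at"].hour not in BUSINESS_HOURS


def rule_duplicate(tx, all_tx):
    # Same vendor and amount posted more than once within the file.
    return sum(1 for t in all_tx
               if t["vendor"] == tx["vendor"] and t["amount"] == tx["amount"]) > 1


RULES = {
    "large_value": rule_large_value,
    "self_approval": rule_self_approval,
    "out_of_hours": rule_out_of_hours,
    "duplicate": rule_duplicate,
}


def find_anomalies(postings, rules=RULES):
    """Return {posting id: [names of rules that fired]} for flagged postings."""
    anomalies = {}
    for tx in postings:
        fired = [name for name, check in rules.items() if check(tx, postings)]
        if fired:
            anomalies[tx["id"]] = fired
    return anomalies


def rule_hit_counts(anomalies):
    """Alerts per rule; a rule firing on most records needs its threshold revisited."""
    counts = {}
    for fired in anomalies.values():
        for name in fired:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_anomalies(parse_postings(SAMPLE_POSTINGS))
    for tx_id, fired in sorted(found.items()):
        print(tx_id, ", ".join(fired))
    print("alerts per rule:", rule_hit_counts(found))
```

On the sample file, postings 1001 and 1002 are reported as a duplicate pair, 1003 for self-approval and out-of-hours posting, 1004 for its value, and 1005 not at all. The per-rule hit count at the end is the tuning handle: a rule that fires on most records is saying more about its threshold than about the data, which is the alert-volume problem 10.2.1 warns about.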
10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting. Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can materially impact controls at the governance level.

Audit report summaries. Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions, probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as that provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.
Figure 6 – Audit Interfaces
Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors, in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.
GTAG — Conclusion — 11
GTAG – Appendix A – Information Security Program Elements – 12

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)
• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles and approve the assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.

12.2 Management
• Establish information security management policies and controls and monitor compliance.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program, with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.

12.3 Technical
Establishing a complete information security program requires attention to the following technical program elements:
• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management
GTAG – Appendix B – Compliance With Laws and Regulations and Guidance on Compliance Implementation – 13

There is an increasing volume of legislation affecting the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has affected organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world, particularly in all countries in which they do business, so they can assess the organizational impacts and requirements.

For example, data protection legislation in Europe restricts the transfer of information across borders to countries that do not have comparable data protection regulation in place. This affects trading relationships in which the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of the requirements and the impact of some of the major legislation and regulation that should be considered when assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accord has a major impact on the international financial sector, and many have suggested that Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002
Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and to shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and the U.S. stock listing exchanges are compared and contrasted in full in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. Because IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and the audit report. In particular, they require the board (the PCAOB) to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or from providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle the "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

Section 302 of the act requires the CEO and CFO, who are responsible for financial information and the system of internal controls, to evaluate the effectiveness of the system of internal controls as of a date within 90 days prior to each periodic report and to report on their conclusions and on any significant changes.
They must disclose:
• "All significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls."
• "Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls."

Section 404 requires management, through the CEO and CFO, to produce an annual report on internal control that:
• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement on Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations on a rapid and current basis and in plain English. Some contend these requirements establish a foundation, or a need, for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.
13.2 Basel II Accord
The Basel II Accord is a global regulatory framework that defines standards for enterprise-wide risk management practices in the financial sector, with the intent of mitigating the risk of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included: people, processes, systems, governance, and supplier management.

A bank wishing to qualify for the Advanced Measurement Approach (AMA) under the operational risk (OR) provisions of the accord must implement best practice in operations and risk management. For risk management, this means:
• Senior management is actively involved.
• The bank has an OR management system, with processes, policies, and procedures, enterprise-wide.
• The bank has the right governance and sufficient resources to manage operational risks.
• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework.
  – Codifying policies, procedures, and controls.
  – Designing and implementing an OR measurement methodology.
  – Designing and implementing an OR management reporting system.
  – Developing strategies to identify, measure, monitor, and control or mitigate OR.
• An OR measurement system is closely integrated into the day-to-day risk management process.
• OR exposures and loss experiences are regularly reported.
• The OR management system is documented.
• Internal and external auditors regularly review the OR management processes and the measurement system.

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, contains an OR loss database and reporting function, and includes an action-plan management function.

The Basel Committee does not specify the approach or the distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially depend on the quality and quantity of risk management data. Although using more data and historical metrics to demonstrate good performance may allow banks to hold lower capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture the key business environment and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider, such as the Zurich-based ORX, the Global Operational Loss Database (GOLD), or MORE Exchange.

The bank must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in its overall OR measurement system. There are additional prerequisites to qualify for the AMA:
• Internal loss and performance data (successes, near misses, and failures) must all be tracked and accounted for (reconciled to the books of the bank).
• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years accepted when a bank first moves to the AMA.
• Within the internal loss collection process:
  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purpose of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:
• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool that financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).
13.3 Data Protection
The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in Sweden in 1973, and the OECD published its Data Protection Guidelines in 1980 (OECD C(80)58/final). Regional bodies such as the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws, or a broad spectrum of sector regulations, for data protection. To bridge the differences between U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA), the Financial Services Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill Number, CA SB 1386)

California Senate Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer security breaches in which confidential information of any California resident may have been compromised. Every enterprise, public or private, doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated that the courts may not view an organization's position favorably if it treats its California customers differently from its other customers.

13.7 Global National Regulations
Many countries have national regulations covering internal control, including Germany (KonTraG, a risk management requirement) and France (LSF, an internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national member bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.
GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14

14.1 Auditor Knowledge Considerations
Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.⁴ Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, of the related risks, and of how to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels. The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences between application software, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge also includes understanding how business controls and assurance objectives can be affected by vulnerabilities in business operations and in the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and the assignment of auditor skills to the elements of audit projects. Essentially, the audit supervisor must:
• Understand the threats and vulnerabilities associated with automated business processes.
• Understand the business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence, including IT proficiency, for its audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze the symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives and appropriate to the sources of the problems noted, rather than simply reporting on the problems or errors detected.

14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with those technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and Category 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards the Global Information Assurance Certification (GIAC), which is relevant to information security professionals, including auditors. The course offerings and accompanying certifications track the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

⁴ Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.
GTAG – Appendix D – Compliance Frameworks – 15

15.1 COSO
Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. COSO produced the Internal Control – Integrated Framework (see Appendix E), a widely accepted tool for both management and auditors, in 1992, and it published the Enterprise Risk Management – Integrated Framework in September 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo
The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through a better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure that it is in control by having a clear sense of shared purpose, a collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines
The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and is written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information and Related Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and a common language across the entire information systems life cycle for IS and business leaders and for IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communications and operations management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance with it are not misleading.

The original BS 7799 standard has two parts:
• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are written as "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.
15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, or spoken in conversation. Whatever form the information takes, and whatever means by which it is shared or stored, BS 7799 indicates that it should always be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:
• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure that the specific security objectives of the organization are met.

15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:
• Assessing risks to the organization (BS 7799 does not prescribe a methodology).
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and the implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure that risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.
15.5.5 Topics Addressed in BS 7799

1 Scope
2 Terms and definitions
3 Security policy
  3.1 Information security policy document
  3.2 Review and evaluation
4 Security organization
  4.1 Information security infrastructure
  4.2 Security of third-party access
  4.3 Outsourcing
5 Asset classification and control
  5.1 Accountability for assets
  5.2 Information classification
6 Personnel security
  6.1 Security in job definition and resourcing
  6.2 User training
  6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
  7.1 Secure areas
  7.2 Equipment security
  7.3 General controls
8 Communications and operations management
  8.1 Operational procedures and responsibilities
  8.2 System planning and acceptance
  8.3 Protection against malicious software
  8.4 Housekeeping
  8.5 Network management
  8.6 Media handling and security
  8.7 Exchanges of information and software
9 Access control
  9.1 Business requirement for access control
  9.2 User access management
  9.3 User responsibilities
  9.4 Network access control
  9.5 Operating system access control
  9.6 Application access control
  9.7 Monitoring system access and use
  9.8 Mobile computing and teleworking
10 Systems development and maintenance
  10.1 Security requirements of systems
  10.2 Security in application systems
  10.3 Cryptographic controls
  10.4 Security of system files
  10.5 Security in development and support processes
11 Business continuity management
  11.1 Business continuity management process
12 Compliance
  12.1 Compliance with legal requirements
  12.2 Reviews of security policy and technical compliance
  12.3 System audit considerations
15.6 ISF Standard of Good Practice for Information Security
The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.
15.7 Generally Accepted Information Security Principles (GAISP)
The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:
• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).
• Detailed Principles – guidance for operational information security management (under development).
GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.
15.7.1 Pervasive Principles
The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.
• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
  Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.
• Awareness Principle – All parties with a need to know — including but not limited to information owners and information security practitioners — should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
  Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.
• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
  Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.
• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
  Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.
• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
  Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.
• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
  Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.
• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
  Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management
• Assessment Principle – The risks to information and information systems should be assessed periodically.
  Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks with due consideration of cost effectiveness.
• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
  Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.
15.8 AICPA/CICA Trust Services Principles and Criteria
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:
• Policies – The organization has defined and documented its policies⁵ relevant to the particular principle.
• Communications – The organization has communicated its defined policies to authorized users.
• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.
Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.
15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)
In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.
15.8.2 Availability Principle – The system is available for operation and use as committed or agreed
The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum-acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.
Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

⁵ The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

⁶ Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.
15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized
Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception, and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction, and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.
The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and price, by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.
Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
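The four processing-integrity criteria described above (completeness, accuracy, timeliness, authorization) can be turned into concrete exception tests that an auditor runs over a transaction extract. The following Python is an added example, not part of the GTAG text or of the AICPA/CICA Trust Services criteria; the order fields, the 24-hour fulfilment window, the $1,000 approval limit, and the approver roles are assumptions, and the sample batch is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed service commitments and policy (illustrative, not from the criteria).
FULFILMENT_WINDOW = timedelta(hours=24)       # promised delivery window
APPROVAL_LIMIT_CENTS = 100_000                # orders above $1,000 need approval
AUTHORIZED_APPROVERS = {"ops_manager", "finance"}


@dataclass
class Order:
    order_id: str
    submitted_cents: int               # amount the customer submitted
    charged_cents: int                 # amount the system actually charged
    qty_ordered: int
    qty_shipped: int
    submitted_at: datetime
    fulfilled_at: Optional[datetime]   # None = not yet processed
    approved_by: Optional[str]         # role that approved, if any


@dataclass
class Finding:
    order_id: str
    criterion: str   # completeness, accuracy, timeliness, or authorization
    detail: str


def check_processing_integrity(orders: List[Order], now: datetime) -> List[Finding]:
    """Return one Finding per processing-integrity exception in the batch."""
    findings: List[Finding] = []
    seen = set()
    for o in orders:
        # Completeness: each transaction processed once and only once.
        if o.order_id in seen:
            findings.append(Finding(o.order_id, "completeness", "processed more than once"))
            continue
        seen.add(o.order_id)
        if o.fulfilled_at is None and now - o.submitted_at > FULFILMENT_WINDOW:
            findings.append(Finding(o.order_id, "completeness", "submitted but never processed"))

        # Accuracy: key submitted information survives processing unchanged.
        if o.charged_cents != o.submitted_cents:
            findings.append(Finding(o.order_id, "accuracy",
                f"charged {o.charged_cents} cents, submitted {o.submitted_cents}"))
        if o.fulfilled_at is not None and o.qty_shipped != o.qty_ordered:
            findings.append(Finding(o.order_id, "accuracy",
                f"shipped {o.qty_shipped} of {o.qty_ordered} ordered"))

        # Timeliness: delivery within the committed window.
        if o.fulfilled_at is not None and o.fulfilled_at - o.submitted_at > FULFILMENT_WINDOW:
            findings.append(Finding(o.order_id, "timeliness", "fulfilled after the committed window"))

        # Authorization: approvals required by policy were actually obtained.
        if o.submitted_cents > APPROVAL_LIMIT_CENTS and o.approved_by not in AUTHORIZED_APPROVERS:
            findings.append(Finding(o.order_id, "authorization",
                f"exceeds approval limit, approved_by={o.approved_by!r}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count exceptions per criterion, the figure an audit work paper would report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.criterion] = counts.get(f.criterion, 0) + 1
    return counts


# Constructed sample batch (not real data); each line after the first has one defect.
NOW = datetime(2005, 3, 1, 12, 0)
SAMPLE_ORDERS = [
    Order("A100", 5000, 5000, 2, 2, NOW - timedelta(hours=5), NOW - timedelta(hours=2), None),
    Order("A100", 5000, 5000, 2, 2, NOW - timedelta(hours=5), NOW - timedelta(hours=1), None),       # duplicate
    Order("A101", 7500, 7000, 1, 1, NOW - timedelta(hours=6), NOW - timedelta(hours=3), None),       # wrong charge
    Order("A102", 3000, 3000, 4, 4, NOW - timedelta(hours=40), NOW - timedelta(hours=2), None),      # late
    Order("A103", 250_000, 250_000, 1, 1, NOW - timedelta(hours=3), NOW - timedelta(hours=1), None), # no approval
    Order("A104", 1200, 1200, 1, 0, NOW - timedelta(days=3), None, None),                            # never processed
]

if __name__ == "__main__":
    for f in check_processing_integrity(SAMPLE_ORDERS, NOW):
        print(f.order_id, f.criterion, f.detail)
    print(summarize(check_processing_integrity(SAMPLE_ORDERS, NOW)))
```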
15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria
The Privacy Principle contains 10 components⁶ and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:
• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
• Collection – The organization collects personal information only for the purposes identified in the notice.
• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.
• Access – The organization provides individuals with access to their personal information for review and update.
• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security – The organization protects personal information against unauthorized access, both physical and logical.
• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.
15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed
The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting, business partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.
Information that may be subject to confidentiality includes:
• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry
Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.
Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.
15.8.6 Certification Authority (CA) Principle
The certification authority discloses its key and certificate life cycle-management, business, and information privacy practices, and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.
15.9 IIA Systems Assurance and Control (SAC)
The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.
15.10 Corporate Governance
15.10.1 OECD Principles of Corporate Governance
The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.
15.10.2 EU Commission
The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society
16 Appendix E – Assessing IT Controls Using COSO
The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:
"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."
The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.
16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations."
These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.
The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.
The third category deals with complying with those laws and regulations to which the entity is subject.
Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:
• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• There is compliance with applicable laws and regulations.
Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.
16.2 COSO Internal Control — Integrated Framework
Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:
16.2.1 Control Environment
The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.
16.2.2 Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.
16.2.3 Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
16.2.4 Information and Communication
Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.
16.2.5 Monitoring
Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.
There is a direct relationship between the three COSO categories (effectiveness, reliability, compliance) of objectives — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.
The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.
17 Appendix F – ITGI Control Objectives for Information and Related Technology (CobiT)
Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.
Business orientation is the main theme of CobiT It isdesigned not only to be employed by users and auditors butalso and more importantly as a comprehensive checklist forbusiness process owners Increasingly business practiceinvolves the full empowerment of business process owners sothey have total responsibility for all aspects of the businessprocess In particular this includes providing adequate con-trols The CobiT framework provides a tool for the businessprocess owner that facilitates the discharge of this responsi-bility The framework starts from a simple and pragmaticpremise In order to provide the information that the organ-ization needs to achieve its objectives IT resources need tobe managed by a set of naturally grouped processes
CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.
CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise.
• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.
• Control objectives: statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives.
• Audit guidelines: suggested audit steps corresponding to each of the IT control objectives.
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources.
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control; critical success factors to identify the most important actions for achieving control over the IT processes; key goal indicators to define target levels of performance; and key performance indicators to measure whether an IT control process is meeting its objective.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of CobiT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.
GTAG – Appendix G – Example IT Control Metrics to Be Considered by Audit Committees – 18

The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report [7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant, and often costly, elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.
18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric, higher or lower, to be self-evident.

• Oversee risk management and compliance programs pertaining to information security.
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means.
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
  – Percentage of information security program principles for which approved policies and controls have been implemented by management.
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified.
• Strive to protect the interests of all stakeholders who depend on information security.
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda.
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders.
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods.
• Review information security policies regarding strategic partners and other third parties.
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements.
• Strive to ensure business continuity.
  – Percentage of organizational units with an established business-continuity plan.
• Review provisions for internal and external audits of the information security program.
  – Percentage of required internal and external audits completed and reviewed by the board.
  – Percentage of audit findings that have not been resolved.
• Collaborate with management to specify the information security metrics to be reported to the board.
[7] http://reform.house.gov/TIPRC

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.
• Establish information security management policies and controls and monitor compliance.
  – Percentage of information security program elements for which approved policies and controls are operational.
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls.
  – Percentage of information security policy compliance reviews that noted violations.
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges.
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access.
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy.
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance.
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle.
  – Number of individuals with access to security software who are not trained and authorized security administrators.
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators.
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy.
  – Percentage of critical assets and functions for which the cost of compromise (loss, damage, disclosure, or disruption of access) has been quantified.
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy.
• Ensure implementation of information security requirements for strategic partners and other third parties.
  – Percentage of known information security risks that are related to third-party relationships.
  – Percentage of critical information assets or functions to which third-party personnel have been given access.
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy.
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically.
  – Percentage of security incidents that involve third-party personnel.
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures.
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements.
  – Percentage of out-of-compliance review findings that have been corrected since the last review.
• Identify and classify information assets.
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy.
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy.
  – Date when the asset inventory was last updated.
• Implement and test business-continuity plans.
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned.
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately.
  – Percentage of system architecture changes (additions, modifications, or deletions) that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms.
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture.
• Protect the physical environment.
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media.
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented.
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding.
  – Percentage of servers in locations with controlled physical access.
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule.
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule.
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness.
• Collaborate with security personnel to specify the information security metrics to be reported to management.
GTAG – Appendix H – CAE Checklist – 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards
2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance
3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal audit
      ii. External audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?
4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls
5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing
6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?
GTAG – Appendix I – References – 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management, and technical issues.
20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), US Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report - Internal Control - Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles. Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html
ISO 15408 Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC
GTAG – Appendix J – Glossary – 21
A listing of technical terms used in the guide, with a simple, plain English definition.

Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org

CRM – Customer resource management

CSO – Chief security officer
Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization, as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – US Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – US Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications; the processes for administering and maintaining the technology; and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services, such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org

Public Company Accounting Oversight Board (PCAOB) – A board of the US Securities and Exchange Commission, established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can affect the confidentiality, integrity, or availability of an organization's information assets adversely.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
GTAG mdash Appendix K mdash About A bout the Global Technology Audit Guides mdash 22
48
This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts, and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

2.2.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views such as legal, insurance, regulatory, and standards will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

2.3.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.
Julia H Allen CMU/SEI Carnegie-Mellon University Software Engineering Institute
Michael R Dickson Business Technology Group LLC
Clint Kreitner President/CEO CIS The Center for Internet Security

Alex Lajoux NACD National Association of Corporate Directors

Will Ozier Vice Chair the ISSA GAIS Committee CEO & President OPA Inc The Integrated Risk Management Group USA
Mark Salamasick CIA University of Texas at Dallas
Karyn Waller AICPA American Institute of Certified Public Accountants

2.3.2 Partner Organizations

AICPA – Michael R Dickson Karyn Waller American Institute of Certified Public Accountants
CIS ndash Clint Kreitner Center for Internet Security
CMU/SEI – Julia Allen Bob Rosenstein Carnegie-Mellon University Software Engineering Institute

ISSA – Dave Cullinane President Bob Daniels Exec Vice President Information Systems Security Association

NACD – Peter Gleason Alex Lajoux National Association of Corporate Directors

SANS Institute – Alan Paller Director of Research; Stephen Northcutt COO

2.3.3 Project Review Team
Peter Allor ISS Internet Security Systems
Jack Antonelli ADP
Ken D Askelson CIA JC Penney Co Inc
Becky Bace Infidel Inc
Kevin Behr IPSI Institute for Integrated Publication and Information Systems
Jeff Benson BearingPoint
Robert S Block Chairman 3D Business Tools USA
Sylvia Boyd The IIA
Alexandra Branisteanu Information Security Officer Scripps Health San Diego USA
Larry Brown Options Clearing Corp
Stephanie Bryant University of South Florida
Phil Campbell Specialized IT LLC USA
John Carlson BITS Banking Industry Technology Secretariat
Chris Compton Intrusion Labs
Guy Copeland CSC Computer Sciences Corp
Rich Crawford Vice President/Senior Security Advisor Janus Risk Management USA
Bob Daniels EDS
Bob Dix US House of Representatives
GTAG — Appendix L — GTAG Partners and Global Project Team
Jerry E Durant CIA President Certifiable Technologies Ltd Orlando Fla USA

Emily Frye Critical Infrastructure Protections Program George Mason University School of Law USA

Greg Garcia ITAA Information Technology Association of America
Russ Gates Dupage Consulting LLC
Lou Giles Chevron Phillips Chemical Co
Doug Guerrero EDS
Kai Tamara Hare Nuserve
Michael S Hines CIA Purdue University
Bob Hirth Protiviti
Don Holden CISSP Concordant Inc USA
Dave Kern Ethentica
Gene Kim CTO Tripwire Inc USA
Jim Kolouch BearingPoint
David Kowal VP JP Morgan Chase
Paul Kurtz CSIA Cyber Security Industry Alliance
Cindy LeRouge PhD Decision Sciences/MIS Department John Cook School of Business St Louis University USA

Andrée Lavigne CICA Canadian Institute of Chartered Accountants
Debbie Lew Guidance Software
Brenda Lovell CIA CCSA CGAP The IIA
Warren Malmquist Adolph Coors Co
Stacy Mantzaris CIA IIA
Dennis Miller Heritage Bank
Patrick Morrissey Auditwire
Bruce Moulton Symantec
Paul Moxey ACCA Association of Chartered Certified Accountants

Roseane Paligo CIA Chief Financial Officer 1st Choice Community Federal Credit Union USA
Fred Palmer Palmer Associates
Xenia Parker CIA CFSA VP Enterprise Technology Group Marsh Inc
Bernie Plagman TechPar Group
Heriot Prentice MIIA FIIA QiCA The IIA
Dick Price Beacon IT Ltd BS 7799 Consultancy USA
Michael Quint Corporate Compliance Officer EDSCorporate Audit USA
Sridhar Ramamoorti CIA CFSA Ernst & Young LLP Chicago IL USA
Amy Ray Bentley College
Martin Ross GSC Global Security Consortium
Chip Schilb EDS USA
Howard Schmidt eBay
Mark Silver Symantec
George Spafford President Spafford Global Consulting Saint Joseph IL USA
Adam Stone Assurant
Jay H Stott CIA Fidelity Investments
Dan Swanson CIA IIA
Jay R Taylor CIA CISA CFE General Motors Corporation

Bill Tener University & Community College System of Nevada
Archie Thomas
Fred Tompkins BearingPoint
Don Warren Rutgers University
Dominique Vincenti CIA The IIA
Mark Winn Intrusec
Amit Yoran
2.3.4 IIA International Affiliates
Frank Alvern CIA CCSA Nordea Bank Norway
Alexandre Alves Apparecido Brazil
Dror Aviv Israel
David F Bentley England UK and Ireland
Gerardo Carstens CIA IIA Argentina
Richard Cascarino South Africa
Iftikhar Chaudry Pakistan
Hisham T El Gindy Manager KPMG Hazem Hassan Egypt
Dr Ulrich Hahn CIA Switzerland
Rossana S Javier Makati City Philippines
Andras Kovacks Hungary
Christopher McRostie Australia
Furqan Ahmad Saleem Partner Avais Hyder Nauman Rizwani RSM Pakistan
Kyoko Shimizu CIA Japan
John Silltow Security Control and Audit Ltd United Kingdom
Ken Siong International Federation of Accountants
Anton van Wyk PwC South Africa
Nick Wolanin Adjunct Senior Lecturer Australian Graduate
Julie Young Australia
2.3.5 Other International
Carolee Birchall Vice President and Senior Risk Officer Bank of Montreal Canada
P J Corum Quality Assurance Institute Middle East and Africa United Arab Emirates
Ariel Peled President ISSA Israeli Chapter
P Shreekanth India
Karen Woo Selangor Malaysia
2.3.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman) CIA PricewaterhouseCoopers South Africa
Alexandre Alves Apparecido Brasil Telecom Brazil
Ken D Askelson CIA JC Penney Co Inc USA
Dror Aviv CFSA IIA Israel
Donald L Bailey Grant Thornton LLP USA
EW Sean Ballington PricewaterhouseCoopers LLP USA (originally South Africa)
Norman F Barber Microsoft Corp USA
David F Bentley QiCA Consultant England
Claude Cargou GIE AXA France
Michael P Fabrizius CIA Bon Secours Health System Inc USA

Ramiz Tofigi Ganizade Azerbaijan Republic Chamber of Auditors Azerbaijan
Douglas Guerrero EDS Corp USA
Dr Ulrich Hahn CIA Syngenta International Switzerland
David J Hill IBM Corp USA
Michael S Hines CIA Purdue University USA
Mark J Hornung Ernst amp Young LLP USA
Gene Kim CTO Tripwire Inc USA
David S Lione KPMG LLP Southeast Region USA
Peter B Millar ACL Services Ltd Canada
Allan M Newstadt CIA World Bank/International Finance Corp USA
Brenda J S Putman CIA City Utilities of Springfield USA
Kyoko Shimizu CIA Shin Nihon & Co Japan
Brian M Spindel CIA SecurePipe Inc USA
Rajendra P Srivastava University of Kansas USA
Jay Stott CIA Fidelity Investments USA
Jay R Taylor CIA CISA CFE General Motors Corp USA
Thomas Jason Wood CIA Ernst amp Young LLP USA
Akitomo Yamamoto IIA Japan
2.3.7 The Writing Team
David A Richards CIA President The IIA
Alan S Oliphant MIIA QiCA MAIR International
Charles H Le Grand CIA CHL Global
2.3.8 IIA Headquarters Staff Production Team
Michael Feland
Trish Harris
Tim McCollum
Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645. IIA Member US $25; Nonmember US $30; IIA Event US $22.50.

www.theiia.org

ISBN 0-89413-570-8 / ISBN 978-0-89413-623-8
threats and to recover from any disruption of IT services quickly and efficiently.
• The efficient use of a customer support center or help desk.
• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.
2.4 IT Roles and Responsibilities

Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

2.5 Analyzing Risk

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.

2.6 Monitoring and Techniques

The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal; a formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to and be used by the whole organization, not just internal auditing.

2.7 IT Control Assessment

Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.

Management provides IT control metrics and reporting; auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.
GTAG — Executive Summary
IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems, and people that comprise IT infrastructures.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a "weak link." They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of "defense in depth," so a single weakness does not always result in a single point of failure.

Controls exist to protect stakeholder interests:
• The owner's equity
• Customer concerns such as privacy and identity
• Employees' jobs and abilities to prove they did the right thing
• Management's comfort with the assurance provided by automated processes

IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.
GTAG — Introduction
They are all connected
When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the "ports" through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored, and communicated.
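The point of the sidebar, that a firewall configuration is the executable form of a policy, is also what makes it checkable: record the written policy as data and compare every ACCEPT rule in the deployed ruleset against it. The Python below is an added example, not from the guide; it assumes a ruleset in iptables-save format and a hypothetical written policy (default-deny inbound, HTTPS from anywhere, SSH only from 10.0.0.0/8). The sample ruleset is constructed for the example and contains one rule, telnet on tcp/23, that the policy does not authorise.

```python
"""Compare a saved firewall ruleset with the written inbound policy it implements."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample in iptables-save format. The first four ACCEPT rules are
# intended; the last one (tcp/23, telnet) is not in the written policy.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
"""

# Hypothetical written policy (not from the guide): default-deny inbound,
# HTTPS from any source, SSH only from the internal 10/8 range.
POLICY = {
    "input_default": "DROP",
    "services": {
        ("tcp", 443): None,                                # None = any source
        ("tcp", 22): [ipaddress.ip_network("10.0.0.0/8")],
    },
}
_NOT_IN_POLICY = object()


@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None
    dport: Optional[int] = None
    source: Optional[ipaddress.IPv4Network] = None
    iface: Optional[str] = None
    stateful: bool = False
    text: str = ""


def parse_ruleset(text):
    """Return ({chain: default policy}, [Rule, ...]) from iptables-save output.
    Options are read as 'flag value' pairs, so matches this parser does not
    know about are skipped rather than breaking the parse."""
    defaults, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            defaults[chain] = policy
        elif line.startswith("-A "):
            toks = line.split()
            rule = Rule(chain=toks[1], text=line)
            for opt, val in zip(toks[2::2], toks[3::2]):
                if opt == "-j":
                    rule.target = val
                elif opt == "-p":
                    rule.proto = val
                elif opt == "--dport":
                    rule.dport = int(val)
                elif opt == "-s":
                    rule.source = ipaddress.ip_network(val, strict=False)
                elif opt == "-i":
                    rule.iface = val
                elif opt == "--state":
                    rule.stateful = True
            rules.append(rule)
    return defaults, rules


def check_inbound(defaults, rules, policy=POLICY):
    """Return one finding per deviation of the INPUT chain from the policy."""
    findings = []
    if defaults.get("INPUT") != policy["input_default"]:
        findings.append(f"INPUT default policy is {defaults.get('INPUT')}, "
                        f"written policy requires {policy['input_default']}")
    for r in rules:
        if r.chain != "INPUT" or r.target != "ACCEPT":
            continue
        if r.iface == "lo" or r.stateful:
            continue  # loopback and reply traffic are implicit in the policy
        allowed = policy["services"].get((r.proto, r.dport), _NOT_IN_POLICY)
        if allowed is _NOT_IN_POLICY:
            findings.append(f"service {r.proto}/{r.dport} not authorised by policy: {r.text}")
        elif allowed is not None:
            permitted = r.source is not None and any(
                r.source.version == net.version and r.source.subnet_of(net) for net in allowed)
            if not permitted:
                findings.append(f"{r.proto}/{r.dport} accepted from {r.source or 'any'}, "
                                f"policy limits it to {[str(n) for n in allowed]}: {r.text}")
    return findings


if __name__ == "__main__":
    for finding in check_inbound(*parse_ruleset(SAMPLE_RULESET)):
        print(finding)
```

Run against the sample, the only finding is the telnet rule; the same check reports SSH opened to any source, or an INPUT chain whose default is ACCEPT, because both are deviations from the written policy rather than from a generic hardening rule. Feeding it the real `iptables-save` output of a host turns the sidebar's "policy that may or may not be documented" into something the auditor can diff against the document.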
When CAEs review and assess the controls over IT, they should ask:
• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.
GTAG — Assessing IT Controls — An Overview
"I keep six honest serving-men
(They taught me all I knew)
Their names are What and Why and When
and How and Where and Who."
— Rudyard Kipling, from "Elephant's Child" in Just So Stories
Figure 1 - The Structure of IT Auditing
COSO¹ defines internal control as "A process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; and backup, recovery, and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting.

The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.

Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.
GTAG — Understanding IT Controls

¹ COSO – Committee of Sponsoring Organizations of the Treadway Commission (the National Commission on Fraudulent Financial Reporting). See www.coso.org.
It is not necessary to know "everything" about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:
1. Assurance must be provided by the IT controls within the whole system of internal control, and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2
Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions, or falsification.
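Read together, the three control types describe one pipeline: an edit that stops bad input at the point of entry, a review over what was posted that finds the conditions an edit cannot see, and a correction that preserves the evidence trail and is itself controlled. The Python below is an added example, not from the guide, that runs all three over a constructed batch of postings (a letter O typed into a numeric amount, a posting to an inactive account, one above the clerk's limit, and one to an account flagged for monitoring); the account table, role limits and record layout are hypothetical.

```python
"""Preventive, detective and corrective controls applied to one batch of postings."""
import re
from typing import Optional

# Constructed reference data (hypothetical): account status and the largest
# single posting each role is authorised to make.
ACCOUNTS = {"1001": "active", "1002": "inactive", "1003": "active", "1004": "monitored"}
ROLE_LIMIT = {"clerk": 5000.0, "supervisor": 50000.0}
AMOUNT_RE = re.compile(r"\d+(\.\d{1,2})?")

# Constructed input batch; the comment on each line names the control expected to catch it.
BATCH = [
    {"id": "T1", "account": "1001", "amount": "1200.00", "role": "clerk"},
    {"id": "T2", "account": "1003", "amount": "12OO.00", "role": "clerk"},  # letter O in a numeric field: preventive edit
    {"id": "T3", "account": "1002", "amount": "300.00",  "role": "clerk"},  # inactive account: detective review
    {"id": "T4", "account": "1001", "amount": "9500.00", "role": "clerk"},  # above the clerk limit: detective review
    {"id": "T5", "account": "1004", "amount": "50.00",   "role": "clerk"},  # account flagged for monitoring: detective review
]


def preventive_edit(tx) -> Optional[str]:
    """Data-entry edit applied before posting; returns the reason for rejection or None."""
    if not AMOUNT_RE.fullmatch(tx["amount"]):
        return "amount is not numeric"
    if tx["account"] not in ACCOUNTS:
        return "unknown account"
    if tx["role"] not in ROLE_LIMIT:
        return "unknown role"
    return None


def post_batch(batch):
    """Preventive stage: only entries that pass the edit reach the ledger."""
    ledger, rejected = [], []
    for tx in batch:
        reason = preventive_edit(tx)
        if reason:
            rejected.append({"id": tx["id"], "reason": reason})
        else:
            ledger.append({**tx, "amount": float(tx["amount"]), "kind": "posting"})
    return ledger, rejected


def detective_review(ledger):
    """Detective stage: scan what was posted for conditions a field edit cannot see."""
    exceptions = []
    for entry in ledger:
        if entry["kind"] != "posting":
            continue
        status = ACCOUNTS[entry["account"]]
        if status == "inactive":
            exceptions.append({"id": entry["id"], "reason": "posting to inactive account"})
        elif status == "monitored":
            exceptions.append({"id": entry["id"], "reason": "activity on account flagged for monitoring"})
        if entry["amount"] > ROLE_LIMIT[entry["role"]]:
            exceptions.append({"id": entry["id"], "reason": f"exceeds {entry['role']} limit"})
    return exceptions


def reverse_posting(ledger, tx_id, reversed_by, log):
    """Corrective stage. The correction appends an offsetting entry instead of
    deleting the original, so the trail of evidence survives, and is itself
    controlled: it must reference a real posting, may happen once, and is logged."""
    original = next((e for e in ledger if e["kind"] == "posting" and e["id"] == tx_id), None)
    if original is None:
        log.append({"id": tx_id, "by": reversed_by, "result": "refused: no such posting"})
        return False
    if any(e["kind"] == "reversal" and e["reverses"] == tx_id for e in ledger):
        log.append({"id": tx_id, "by": reversed_by, "result": "refused: already reversed"})
        return False
    ledger.append({"id": f"R-{tx_id}", "account": original["account"], "amount": -original["amount"],
                   "kind": "reversal", "reverses": tx_id, "by": reversed_by})
    log.append({"id": tx_id, "by": reversed_by, "result": "reversed"})
    return True


def balance(ledger, account):
    """Net amount posted to an account, reversals included."""
    return round(sum(e["amount"] for e in ledger if e["account"] == account), 2)


if __name__ == "__main__":
    ledger, rejected = post_batch(BATCH)
    exceptions = detective_review(ledger)
    correction_log = []
    for exc in exceptions:
        reverse_posting(ledger, exc["id"], "supervisor", correction_log)
    print("rejected:", rejected)
    print("exceptions:", exceptions)
    print("corrections:", correction_log)
```

Two design choices follow the text directly: the detective review runs over the ledger, not the raw input, because the conditions it looks for (account status, role limits) are outside what a field edit can see; and the corrective step never edits or deletes a posting, so an auditor can reconstruct what was posted, what was found, and who reversed it from the ledger and the correction log alone.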
Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.
5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels, governance and management, are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.
5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by and controlled by either the entire board of directors or a board committee, in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:
• Recognize risks to the organization, its processes, and assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls
Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information, including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

Figure 3 - Some Control Classifications
5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls, this page, represents a logical "top-down" approach both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.
IT policy statements include, but are not restricted to:
• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster, not just the IT elements.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the US National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.
5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45).

As a guideline, the CAE should expect to see standards adopted for:
• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.
5.3.3 Organization and Management

Organization and management play a major role in the whole system of IT control, as they do with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems (except for change deployment) and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts, such as the Administrator group in Windows and Super User in UNIX, can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum.
GTAG - Understanding IT Controls - 5
Software tools are also available, and should be considered, to limit the power and monitor the activities of individuals with privileged accounts.
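The separation-of-duties checks described above can be automated over an access listing. The following is an added example, not code from this GTAG publication; the roles, processing functions, conflict rules and user listing are constructed for illustration, and the "toxic combinations" (initiate plus authorize, input plus authorize, modify programs plus run production) mirror the pairings the text says should never rest with one person. It also counts the individuals holding a privileged function, as a test of the "restrict to a minimum" expectation.

```python
"""Separation-of-duties (SoD) check over an application access listing.

Added example; not code from the GTAG publication. Roles, functions,
conflict rules and users below are constructed for illustration.
"""

# Constructed: the processing functions each application or platform role grants.
ROLE_FUNCTIONS = {
    "ap_clerk":      {"initiate", "input"},
    "ap_supervisor": {"authorize"},
    "ap_reviewer":   {"check"},
    "developer":     {"modify_program"},
    "operator":      {"run_production"},
    "sysadmin":      {"modify_logs", "act_as_any_user"},   # privileged account
}

# Constructed "toxic combination" rules: pairs of functions that should never
# rest with one individual (create an irregularity and authorize it, or change
# a program and run it in production).
CONFLICT_RULES = [
    ("initiate", "authorize", "can create a transaction and approve it"),
    ("input", "authorize", "can enter data and approve it"),
    ("modify_program", "run_production", "can change programs and run them in production"),
]

# Constructed access listing as an auditor might export it: user -> roles held.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_supervisor", "ap_reviewer"],
    "carol": ["ap_clerk", "ap_supervisor"],       # initiates and authorizes
    "dave":  ["developer", "operator"],           # develops and operates
    "erin":  ["sysadmin"],
    "frank": ["sysadmin"],
    "grace": ["sysadmin"],
}


def functions_for(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by every role the user holds."""
    funcs = set()
    for role in user_roles.get(user, []):
        funcs |= role_functions.get(role, set())
    return funcs


def find_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, rules=CONFLICT_RULES):
    """Return (user, function_a, function_b, why) for every user holding both sides of a rule."""
    findings = []
    for user in sorted(user_roles):
        funcs = functions_for(user, user_roles, role_functions)
        for a, b, why in rules:
            if a in funcs and b in funcs:
                findings.append((user, a, b, why))
    return findings


def privileged_users(function="modify_logs", user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Users whose roles grant a privileged function (here: the ability to modify logs)."""
    return sorted(u for u in user_roles if function in functions_for(u, user_roles, role_functions))


def check_privileged_count(max_allowed, function="modify_logs",
                           user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Control test: the number of privileged individuals stays within the approved maximum."""
    users = privileged_users(function, user_roles, role_functions)
    return len(users) <= max_allowed, users


if __name__ == "__main__":
    for user, a, b, why in find_conflicts():
        print(f"SoD conflict: {user} holds {a} and {b} ({why})")
    ok, admins = check_privileged_count(max_allowed=2)
    print(f"privileged accounts: {admins} -> {'within limit' if ok else 'EXCEEDS approved maximum'}")
```

In a real review the role-to-function mapping comes from the application's own security model and the user listing from an export of the access control system; the rule set is what the auditor agrees with management as the organization's incompatible-function pairs.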
5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.
5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.
5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business, and the cost and sensitivity of applications running business processes, can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:
• Locating servers in locked rooms to which access is restricted
• Restricting server access to specific individuals
• Providing fire detection and suppression equipment
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores

When considering physical and environmental security, it is also appropriate to consider contingency planning (also known as disaster recovery planning), which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.
5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA-United Kingdom and Ireland, Certified Information Systems Auditor (CISA) available through the Information Systems Audit and Control Association (ISACA), and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.
Some key technical controls the CAE should expect to find in a well-managed IT environment include:
• Access rights allocated and controlled according to the organization's stated policy
• Division of duties enforced through systems software and other configuration controls
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored
• Intrusion testing performed on a regular basis
• Encryption services applied where confidentiality is a stated requirement
• Change management processes, including patch management, in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data
5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and the data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.

Some basic control issues should be evident in all systems development and acquisition work:
• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.
5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:
• All input data is accurate, complete, authorized, and correct
• All data is processed as intended
• All data stored is accurate and complete
• All output is accurate and complete
• A record is maintained to track the process of data from input to storage and to the eventual output

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:
• Input Controls - These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls - These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls - These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls - These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail - Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:
• Confidentiality - Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity - Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability - Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.
5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:
• Compliance with applicable regulations and legislation
• Consistency with the organization's goals and objectives
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite

Risk Appetite
An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
6 Importance of IT Controls

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002 [2], the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.

Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence, all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:
• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors
• Ability to allocate resources predictably
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces
• Clear communication to management of effective controls
• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services
• The efficient use of a customer support center or help desk
• A security-conscious culture among end users throughout the organization

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector, to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.
GTAG - Importance of IT Controls - 6
[2] Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.

GTAG - IT Roles in the Organization - 7
Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls, to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:
• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite
• To protect stakeholder interests
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives
• To identify and respond to threats and potential violations of control appropriately

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.
7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:
• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets
• Approval of the data classifications structure and the related access rights

The board will establish various committees, based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.
7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:
• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting
• Ensuring IT topics are included in the committee meeting agenda, especially CIO reporting
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately
• Overseeing the overall assessment of IT controls
• Reviewing the business and control issues related to new systems development and acquisition
• Examining internal and external audit plans and work to ensure IT topics are covered adequately
• Reviewing the results of audit work and monitoring the resolution of issues raised
• Understanding the IT topics that impact ethics monitoring
7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:
• Ensure that potential and current board members have a suitable IT knowledge or background
• Assess board committees' performance in terms of their oversight of IT
• Review any external regulatory governance assessments in relation to IT topics
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency
7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:
• Assessing the extent to which management has established effective enterprise risk management in the organization
• Being aware of, and concurring with, the organization's risk appetite and tolerance
• Appreciating the impact of IT-related risks
• Reviewing the organization's risk portfolio, including IT risks, and considering it against the organization's risk appetite
• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks
7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining versus replacing critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.

7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.
7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:
• Define corporate objectives and performance measures in relation to IT
• Act as custodian over the organization's critical success factors in relation to IT
• Understand and approve the short-term and long-range strategy for IT
• Approve IT resources for the organization, including structure and oversight/monitoring
• Determine IT issues for periodic management, board, and staff discussion
• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas
7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:
• The total cost of ownership for IT initiatives
• The entity's IT strategies for remaining technologically competitive
• The technologies used to implement financial applications
• The operation of specific financial applications
• The limitations and benefits of IT
• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics
As evidenced in the Equity Funding cases in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities or even unusual patterns in transactions or other data that may indicate evidence of fraud or questionable behavior.
7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:
• Understand the business requirements that drive the need to implement IT
• Develop IT partnerships with business management to:
  - Ensure IT strategy is aligned with the business strategy
  - Ensure compliance
  - Profit from process-efficiency gains
  - Mitigate assessed risks
• Design, implement, and maintain an IT internal control framework
• Plan, source, and control IT resources
• Explore, assess, select, and implement technology advances (e.g., wireless communications)
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current
• Operate as the highest-level data/system custodian and IT control owner
• Measure the operational performance of IT in support of business objectives by:
  - Setting expectations
  - Evaluating results
• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors
7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may also be the responsibility of a chief information security officer. The CSO:
• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks
• Acts as a key link between the compliance, legal, CIO, and audit functions
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive
• Is responsible for business continuity planning, including incident handling and disaster recovery
• Ensures that security staff provide support for implementing controls at all levels
• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization
7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:
• Develops and implements the information security policy in coordination with the CSO
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives
• Ensures alignment of information security and business objectives
• Manages operational information risks throughout the organization
• Oversees security within the IT organization
• Provides education and awareness on information security issues and new best practices
• Develops end-user policies for the usage of IT information in conjunction with the human resources function
• Coordinates information security work with the chief risk officer (CRO) and CIO
• Advises the CEO, CRO, CIO, and board on IT risk issues
• Acts as a key link for the CAE when internal auditing performs IT control-related audits
7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:
• Understanding and dealing with the liabilities arising out of information disclosures, and providing policy-level guidance to help manage the related risks
• Ensuring financial reports and presentations comply with laws and regulations
• Understanding IT legal issues and advising on legal risks related to IT
• Managing organizational reputation in relation to legal issues, compliance, and public relations
• Understanding fraud involving IT
• Managing IT contractual issues
• Understanding investigative forensics protocols regarding suspected criminal activity
7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:
• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access
• Assessment of IT events such as interruptions, disasters, and changes
• Analysis and assessment of business risk as it is affected by IT risk
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks
7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:
• Advising the audit committee and senior management on IT internal control issues
• Ensuring IT is included in the audit universe and annual plan (selecting topics)
• Ensuring IT risks are considered when assigning resources and priorities to audit activities
• Defining IT resources needed by the internal audit department, including specialized training of audit staff
• Ensuring that audit planning considers IT issues for each audit
• Liaising with audit clients to determine what they want or need to know
• Performing IT risk assessments
• Determining what constitutes reliable and verifiable evidence
• Performing IT enterprise-level controls audits
• Performing IT general controls audits
• Performing IT application controls audits
• Performing specialist technical IT controls audits
• Making effective and efficient use of IT to assist the audit processes
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks
7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:
• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits
• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements
[3] These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).
8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified – through experience or formal risk assessment – suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost-effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO[3] as:

"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:
• The organization's IT environment is consistent with the organization's risk appetite
• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances
8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:
• The value and criticality of information
• The organization's risk appetite and tolerance for each business function and process
• IT risks faced by the organization and the quality of service provided to its users
• The complexity of the IT infrastructure
• The appropriate IT controls and the benefits they provide
• Harmful IT incidents in the past 24 months

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.
8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructure that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components – including the placement of security controls and technologies – reveal potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.
GTAG – Analyzing Risk – 8
8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee – with input from the audit committee – and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.
8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved, along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:
• What are the assets at risk, and the value of their confidentiality, integrity, and availability?
• What could happen to affect that information asset value adversely (threat event)? Implicit in this question is the vulnerability analysis and the mapping of vulnerabilities to threats and potentially impacted information assets.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:
• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
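The eight questions can be worked through quantitatively. The following is an added example; it is not part of the GTAG, and the annualized-loss-expectancy style model, the asset value, the frequencies and the control figures it uses are assumptions constructed for illustration. It answers questions one to five with a three-point frequency estimate so that the uncertainty is visible, then answers six to eight by comparing each candidate control's risk reduction against its annual cost:

```python
"""Worked risk analysis following the eight risk-assessment questions.

Added illustration, not taken from the GTAG. It uses an annualized loss
expectancy (ALE) style model, which is an assumption about how an
organization might quantify the answers; all asset values, frequencies
and control figures below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # Q1: what a total loss of the asset would cost, in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    exposure: float      # Q3: fraction of asset value lost per event (0..1)
    freq_low: float      # Q4/Q5: events per year, optimistic estimate
    freq_likely: float   # Q4: most likely events per year
    freq_high: float     # Q4/Q5: events per year, pessimistic estimate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float         # Q7: cost of the mitigation per year
    freq_reduction: float      # Q6: fraction of events the control prevents (0..1)
    exposure_reduction: float  # Q6: fraction of impact avoided when an event still occurs


def expected_frequency(t: Threat) -> float:
    """Collapse the three-point estimate into one figure (PERT weighting).

    The spread between freq_low and freq_high is the uncertainty answer to Q5;
    a wide spread is itself a finding worth reporting.
    """
    return (t.freq_low + 4 * t.freq_likely + t.freq_high) / 6


def annual_loss(asset: Asset, threat: Threat, control: Optional[Control] = None) -> float:
    """Expected loss per year, with or without a control applied."""
    freq = expected_frequency(threat)
    impact = asset.value * threat.exposure
    if control is not None:
        freq *= 1.0 - control.freq_reduction
        impact *= 1.0 - control.exposure_reduction
    return freq * impact


def evaluate_controls(asset: Asset, threat: Threat, controls: list) -> dict:
    """Q8: compare risk reduction against cost for each candidate control."""
    baseline = annual_loss(asset, threat)
    rows = {}
    for c in controls:
        residual = annual_loss(asset, threat, c)
        reduction = baseline - residual
        rows[c.name] = {
            "residual_loss": residual,
            "risk_reduction": reduction,
            "annual_cost": c.annual_cost,
            "net_benefit": reduction - c.annual_cost,
            "cost_efficient": reduction > c.annual_cost,
        }
    return {"baseline_loss": baseline, "controls": rows}


def recommend(evaluation: dict) -> str:
    """Pick the control with the best net benefit, or accept the risk if none pays off."""
    best = max(evaluation["controls"].items(), key=lambda kv: kv[1]["net_benefit"])
    return best[0] if best[1]["cost_efficient"] else "accept-risk"


# Constructed scenario: a customer database exposed to unauthorized disclosure.
CUSTOMER_DB = Asset("customer database", value=2_000_000.0)
DISCLOSURE = Threat("unauthorized disclosure", exposure=0.25,
                    freq_low=0.05, freq_likely=0.20, freq_high=0.50)
CANDIDATE_CONTROLS = [
    Control("encrypt data at rest", annual_cost=40_000.0,
            freq_reduction=0.0, exposure_reduction=0.8),
    Control("quarterly privileged-access review", annual_cost=25_000.0,
            freq_reduction=0.5, exposure_reduction=0.0),
    Control("continuous external penetration testing", annual_cost=150_000.0,
            freq_reduction=0.3, exposure_reduction=0.0),
]

if __name__ == "__main__":
    result = evaluate_controls(CUSTOMER_DB, DISCLOSURE, CANDIDATE_CONTROLS)
    print(f"baseline expected annual loss: {result['baseline_loss']:,.0f}")
    for name, row in result["controls"].items():
        verdict = "efficient" if row["cost_efficient"] else "not efficient"
        print(f"{name:45s} residual={row['residual_loss']:>10,.0f} "
              f"cost={row['annual_cost']:>9,.0f} net={row['net_benefit']:>10,.0f} {verdict}")
    print("recommendation:", recommend(result))
```

The recommendation falls back to accepting the risk when no control pays for itself, which is the "accept" response described under risk mitigation strategies. In practice the three-point estimates would be drawn from incident history and the vulnerability-to-threat mapping rather than from a single analyst's guess, and the width of that range is as much a part of the report as the expected loss.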
8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task, due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.issa.org), address information value within the following categories:
• Exclusive possession – cost in the event of a breach of confidentiality
• Utility – cost in the event of a loss of integrity
• Cost of creation/re-creation
• Liability in the event of litigation
• Convertibility/negotiability – represents market value
• Operational impact of unavailability
8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject; see Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.
8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost-effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:
• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.
• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider. Sharing a risk does not transfer accountability for it: the organization remains responsible for the control environment and needs a way to confirm that the supplier's controls actually operate, for example through contractual audit rights or independent assurance reporting.
• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:
• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?
8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls, because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:
• Do IT policies – including for IT controls – exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf.
Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.
1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)
Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":
1. Install and maintain a working firewall to protect data
2. Keep security patches up-to-date
3. Protect stored data
4. Encrypt data sent across public networks
5. Use and regularly update anti-virus software
6. Restrict access by need to know
7. Assign a unique identification code (ID) to each person with computer access
8. Don't use vendor-supplied defaults for passwords and security parameters
9. Track all access to data by unique ID
10. Regularly test security systems and processes
11. Implement and maintain an information security policy
12. Restrict physical access to data
9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization – not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements faced by many organizations.

Each organization should examine existing control frameworks to determine which of them – or which parts – most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).

The COSO Internal Control – Integrated Framework (1992) is accepted by the US Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting
GTAG – Monitoring and Techniques – 9
Figure 5 - COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high-risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high-risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units
compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)
9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows.

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.
• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.
• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.
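The event-driven and continuous monitoring described above come down to screening each record against predetermined criteria as it arrives and looking for unusual patterns across records. The following is an added example, not code from the GTAG or from any product it mentions; the posting log, its field names, the thresholds and the large-value, out-of-hours, segregation-of-duties, override and near-duplicate criteria are all assumptions constructed for illustration:

```python
"""Event-driven and continuous monitoring of posted journal entries.

Added illustration, not from the GTAG. Each entry is screened as it is posted
(event-driven), and a rolling pattern check looks across entries for
near-duplicates (continuous). Field names, thresholds and the log records are
assumptions constructed for the example. Alerts are returned, not acted on,
so that the unit chartered to investigate can pick them up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LARGE_VALUE_THRESHOLD = 50_000.00        # assumed policy figure
BUSINESS_HOURS = range(8, 18)            # postings expected between 08:00 and 17:59
DUPLICATE_WINDOW = timedelta(days=3)     # same vendor and amount within 3 days

# Constructed posting log (not real data).
SAMPLE_ENTRIES = [
    {"id": "JE1001", "posted": "2005-03-01T09:15:00", "user": "alice", "approver": "bob",
     "vendor": "V100", "amount": 1200.00, "override": False},
    {"id": "JE1002", "posted": "2005-03-01T22:40:00", "user": "carol", "approver": "dave",
     "vendor": "V220", "amount": 75000.00, "override": False},
    {"id": "JE1003", "posted": "2005-03-02T10:05:00", "user": "erin", "approver": "erin",
     "vendor": "V300", "amount": 9800.00, "override": True},
    {"id": "JE1004", "posted": "2005-03-03T11:30:00", "user": "alice", "approver": "bob",
     "vendor": "V100", "amount": 1200.00, "override": False},
    {"id": "JE1005", "posted": "2005-03-10T14:00:00", "user": "frank", "approver": "bob",
     "vendor": "V100", "amount": 1200.00, "override": False},
]


def screen_entry(entry: dict) -> list:
    """Event-driven checks applied to one entry at the moment it is posted."""
    flags = []
    if entry["amount"] >= LARGE_VALUE_THRESHOLD:
        flags.append("large-value")
    if datetime.fromisoformat(entry["posted"]).hour not in BUSINESS_HOURS:
        flags.append("out-of-hours")
    if entry["user"] == entry["approver"]:
        flags.append("self-approved")        # segregation-of-duties breach
    if entry["override"]:
        flags.append("control-override")     # a preventive control was bypassed
    return flags


def find_near_duplicates(entries: list) -> dict:
    """Pattern check across entries: same vendor and amount inside the window.

    Entries are walked in posting order so the same logic can run continuously
    over a growing log; the later entry of a pair is the one flagged.
    """
    last_seen = {}                           # (vendor, amount) -> (id, posted time)
    flags = defaultdict(list)
    for e in sorted(entries, key=lambda r: r["posted"]):
        key = (e["vendor"], e["amount"])
        ts = datetime.fromisoformat(e["posted"])
        if key in last_seen and ts - last_seen[key][1] <= DUPLICATE_WINDOW:
            flags[e["id"]].append(f"possible-duplicate-of-{last_seen[key][0]}")
        last_seen[key] = (e["id"], ts)
    return dict(flags)


def monitor(entries: list) -> dict:
    """Return {entry id: [criteria breached]} for every entry that needs investigation."""
    alerts = {}
    duplicates = find_near_duplicates(entries)
    for e in entries:
        flags = screen_entry(e) + duplicates.get(e["id"], [])
        if flags:
            alerts[e["id"]] = flags
    return alerts


if __name__ == "__main__":
    for entry_id, flags in monitor(SAMPLE_ENTRIES).items():
        print(entry_id, ", ".join(flags))
```

Keeping the breached criteria in each alert, rather than a bare "suspicious" marker, is what lets the investigating unit triage quickly and lets the auditor later treat the alert log as evidence that the monitoring control was operating. The same structure applies whether the records are journal entries, access-log lines or firewall events; only the criteria change.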
9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although senior management makes the statements regarding the effectiveness of internal controls on behalf of the organization, management actually must build the assurances behind those statements and provide them to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.
• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.
Suitable Recognized Framework

"… the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

– Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003
10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection – including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of – or even involvement in – the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope of, and limitations on, such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodology can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:
• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.
• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability, plus the ability to examine all relevant records and files.
• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.
10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data, process it through the business systems, and check the results to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and on analysis of the data.
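The test-deck technique described above, as an added example (this is not code from the GTAG or from any product it names): a hypothetical accounts-payable input control is exercised with constructed records, each chosen so that exactly one rule should accept or reject it, and the outcomes are compared with what the auditor expects. The vendor master, approval limits, currencies and user names are assumptions. Running the same deck against a deliberately weakened copy of the control shows how a dropped check is detected on the next review.

```python
"""Test-deck check of an automated input control (added example, not from the GTAG).

`validate_payment` stands in for the input-validation control of a hypothetical
accounts-payable system; the vendor master, approval limits and the test deck
are constructed so that every rule is exercised by at least one record that
should be accepted and one that should be rejected.
"""
from dataclasses import dataclass
from datetime import date

APPROVED_VENDORS = {"V100", "V200"}                        # assumed vendor master
APPROVAL_LIMIT = {"clerk": 5_000.0, "manager": 50_000.0}  # assumed approval limits
CURRENCIES = {"USD", "EUR", "GBP"}                         # assumed accepted currencies


@dataclass
class Payment:
    invoice_no: str
    vendor_id: str
    amount: float
    currency: str
    approver_role: str
    entered_by: str
    approved_by: str
    invoice_date: date


def validate_payment(p, seen_invoices):
    """Return the control violations for one payment; an empty list means accepted."""
    violations = []
    if p.amount <= 0:
        violations.append("amount must be positive")
    if p.currency not in CURRENCIES:
        violations.append("unsupported currency")
    if p.vendor_id not in APPROVED_VENDORS:
        violations.append("vendor not on approved vendor master")
    limit = APPROVAL_LIMIT.get(p.approver_role)
    if limit is None or p.amount > limit:
        violations.append("amount exceeds approver's limit")
    if p.entered_by == p.approved_by:
        violations.append("segregation of duties: entered and approved by same user")
    if (p.vendor_id, p.invoice_no) in seen_invoices:
        violations.append("duplicate invoice number for vendor")
    if p.invoice_date > date.today():
        violations.append("invoice dated in the future")
    return violations


def run_test_deck(deck, validator=validate_payment):
    """Process a test deck through the control and compare outcomes with expectations.

    `deck` is a list of (label, payment, expected_accept). Returns the per-record
    outcome and the labels whose outcome differed from expectation: an accepted
    record that should have been rejected, or vice versa.
    """
    seen, results, mismatches = set(), {}, []
    for label, p, expected_accept in deck:
        violations = validator(p, seen)
        accepted = not violations
        if accepted:                       # only posted invoices count for the duplicate check
            seen.add((p.vendor_id, p.invoice_no))
        results[label] = (accepted, violations)
        if accepted != expected_accept:
            mismatches.append(label)
    return results, mismatches


def weakened_validator(p, seen_invoices):
    """Simulates a regression in which the segregation-of-duties check was dropped."""
    return [v for v in validate_payment(p, seen_invoices) if not v.startswith("segregation")]


D = date(2005, 3, 1)
TEST_DECK = [  # constructed records; each label names the control it exercises
    ("valid",            Payment("INV-001", "V100", 1200.00, "USD", "clerk", "alice", "bob", D), True),
    ("negative_amount",  Payment("INV-002", "V100", -50.00, "USD", "clerk", "alice", "bob", D), False),
    ("bad_currency",     Payment("INV-003", "V100", 75.00, "XXX", "clerk", "alice", "bob", D), False),
    ("unknown_vendor",   Payment("INV-004", "V999", 800.00, "USD", "clerk", "alice", "bob", D), False),
    ("over_clerk_limit", Payment("INV-005", "V200", 20000.00, "EUR", "clerk", "alice", "bob", D), False),
    ("manager_approved", Payment("INV-005", "V200", 20000.00, "EUR", "manager", "alice", "carol", D), True),
    ("sod_violation",    Payment("INV-006", "V100", 300.00, "GBP", "clerk", "alice", "alice", D), False),
    ("duplicate",        Payment("INV-001", "V100", 1200.00, "USD", "clerk", "alice", "bob", D), False),
    ("future_dated",     Payment("INV-007", "V100", 100.00, "USD", "clerk", "alice", "bob", date(2099, 1, 1)), False),
]

if __name__ == "__main__":
    for name, fn in (("current control", validate_payment), ("weakened control", weakened_validator)):
        _, mismatches = run_test_deck(TEST_DECK, fn)
        print(f"{name}: " + ("all outcomes as expected" if not mismatches else "unexpected: " + ", ".join(mismatches)))
```

The deck is only as good as its coverage: each rule needs a record that should pass it and one that should fail it, and the rejected "over_clerk_limit" record deliberately reappears as "manager_approved" to confirm that a legitimate resubmission is not caught by the duplicate check, which counts posted invoices only.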
10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports the anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems because of the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. Refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades there have been periods of reflection when management and auditors agreed that auditors could add value to the organization by contributing their controls expertise to development processes, ensuring that appropriate controls were incorporated into new systems rather than added after an audit revealed a deficiency. These activities coincided with the development of control and risk self-assessment in the mainstream audit world; audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world's recognition of the importance of effective information security management.
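The alert-volume problem described above, as an added example (not code from the GTAG or from any firewall or IDS product): two embedded checks run over a constructed stream of firewall-style events, once with loose thresholds and once after tuning. The event format, the approved-port list, the address of an assumed internal vulnerability scanner and the traffic itself are all assumptions. The point the run makes is that raising the threshold, narrowing the window and allowlisting a known noisy source cut the alerts from eleven to two while the genuine scan and the unapproved connection are still reported.

```python
"""Continuous monitoring of an event stream with threshold tuning (added example, not from the GTAG).

Two embedded checks run over firewall-style events: repeated denied connections
from one source inside a time window (a possible scan) and an allowed connection
to a port outside the approved service list. The event format, the approved-port
list, the scanner allowlist and the events themselves are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

APPROVED_PORTS = {25, 80, 443}          # assumed: the services this segment is meant to expose


def monitor(events, deny_threshold, window_seconds, allowlist=frozenset()):
    """Apply the two checks to time-ordered events and return the alerts raised.

    An alert for repeated denials fires when a source reaches `deny_threshold`
    denials inside `window_seconds`; its window is then reset so one burst
    yields one alert per threshold crossing rather than one per packet.
    Sources in `allowlist` (e.g. an internal vulnerability scanner) are skipped.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)           # source -> timestamps of recent denials
    alerts = []
    for t, action, src, dst, port in sorted(events):
        if src in allowlist:
            continue
        if action == "DENY":
            q = recent[src]
            q.append(t)
            while t - q[0] > window:      # evict denials that fell out of the window
                q.popleft()
            if len(q) >= deny_threshold:
                alerts.append((t, "repeated-denials", src, f"{len(q)} denials in {window_seconds}s"))
                q.clear()
        elif action == "ALLOW" and port not in APPROVED_PORTS:
            alerts.append((t, "unapproved-port", src, f"allowed {dst}:{port}"))
    return alerts


def build_events():
    """Constructed traffic: an internal scanner, a user mistyping, a real scan, normal web traffic."""
    t0 = datetime(2005, 3, 1, 9, 0, 0)
    ev = []
    ev += [(t0 + timedelta(seconds=i), "DENY", "10.1.1.50", "10.2.0.9", 1000 + i) for i in range(12)]        # scanner
    ev += [(t0 + timedelta(minutes=2 * i), "DENY", "10.1.1.5", "10.2.0.9", 445) for i in range(4)]             # user
    ev += [(t0 + timedelta(minutes=30, seconds=i), "DENY", "10.9.9.9", "10.2.0.9", 20 + i) for i in range(15)]  # attacker
    ev += [(t0 + timedelta(minutes=31), "ALLOW", "10.9.9.9", "10.2.0.9", 3389)]                                 # unapproved
    ev += [(t0 + timedelta(minutes=i), "ALLOW", "10.1.1.7", "10.2.0.9", 443) for i in range(60)]               # normal
    return ev


EVENTS = build_events()
UNTUNED = dict(deny_threshold=3, window_seconds=600)
TUNED = dict(deny_threshold=10, window_seconds=60, allowlist={"10.1.1.50"})

if __name__ == "__main__":
    for name, cfg in (("untuned", UNTUNED), ("tuned", TUNED)):
        alerts = monitor(EVENTS, **cfg)
        print(f"{name}: {len(alerts)} alerts")
        for a in alerts:
            print("  ", *a)
```

Untuned, the scanner alone produces four alerts and the user's four mistyped connections over eight minutes produce a fifth; tuned, only the 15-denial burst from 10.9.9.9 and its allowed connection to port 3389 remain. The allowlist is itself a control to be reviewed periodically, since a compromised scanner host would be silent under it.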
10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity, to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analyses that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products such as Microsoft Excel also contain powerful analysis tools that auditors may use.
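The kind of interrogation these tools perform, as an added example in Python rather than ACL or IDEA script (this is not code from the GTAG or from either vendor): four classic routines run over a constructed payments population, with three duplicate payments, three gaps in the check sequence and a block of amounts keyed just under an approval limit planted in the data so the routines have something to find. The field names and the USD 10,000 limit are assumptions.

```python
"""Audit interrogation of a stored payments population (added example, not from the GTAG).

Reproduces in Python four routines for which audit interrogation software such as
ACL or IDEA is typically used: duplicate payments, gaps in a check sequence,
amounts keyed just under an approval limit, and a first-digit (Benford) test.
This is not ACL or IDEA code; the field names, the USD 10,000 limit and the
data set are constructed assumptions.
"""
import random
from collections import Counter, defaultdict
from datetime import date, timedelta
from math import log10

MISSING_CHECKS = {5010, 5011, 5150}       # constructed gaps in the check sequence
LIMIT = 10_000.0                          # assumed approval limit


def build_population(seed=1, n_natural=300, n_suspect=40):
    """Constructed data: log-uniform 'natural' amounts, a block keyed just under
    the limit, and three duplicate payments of earlier invoices."""
    rnd = random.Random(seed)
    rows, check_no, day0 = [], 5000, date(2005, 1, 3)

    def next_check():
        nonlocal check_no
        check_no += 1
        while check_no in MISSING_CHECKS:
            check_no += 1
        return check_no

    for i in range(n_natural):
        rows.append({"check_no": next_check(), "vendor": f"V{100 + rnd.randrange(10)}",
                     "invoice": f"INV-{i:04d}", "amount": round(10 ** rnd.uniform(2, 5), 2),
                     "date": day0 + timedelta(days=rnd.randrange(365))})
    for i in range(n_suspect):
        rows.append({"check_no": next_check(), "vendor": f"V{100 + i % 10}",
                     "invoice": f"INV-9{i:03d}", "amount": round(LIMIT * 0.95 + 12.5 * i, 2),
                     "date": day0 + timedelta(days=7 * i)})
    for src in (0, 50, 100):
        orig = rows[src]
        rows.append({**orig, "check_no": next_check(), "invoice": f"DUP-{src:04d}",
                     "date": orig["date"] + timedelta(days=7)})
    return rows


def duplicate_payments(rows, window_days=30):
    """Same vendor and amount under different invoice numbers within `window_days`."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], r["amount"])].append(r)
    hits = []
    for (vendor, amount), grp in groups.items():
        grp.sort(key=lambda r: r["date"])
        for a, b in zip(grp, grp[1:]):
            if a["invoice"] != b["invoice"] and (b["date"] - a["date"]).days <= window_days:
                hits.append((vendor, amount, a["invoice"], b["invoice"]))
    return hits


def sequence_gaps(rows, field="check_no"):
    """Numbers missing from an otherwise continuous sequence (unrecorded or voided checks)."""
    nums = sorted(r[field] for r in rows)
    return [n for a, b in zip(nums, nums[1:]) for n in range(a + 1, b)]


def just_below_limit(rows, limit=LIMIT, band=0.05):
    """Payments within `band` below an approval limit: a classic split-payment pattern."""
    return [r for r in rows if limit * (1 - band) <= r["amount"] < limit]


BENFORD = {d: log10(1 + 1 / d) for d in range(1, 10)}


def first_digit_test(rows, tolerance=0.05):
    """Compare the leading-digit distribution of amounts with Benford's law; flag
    digits whose observed share exceeds the expected share by more than `tolerance`."""
    counts = Counter(int(str(int(r["amount"]))[0]) for r in rows if r["amount"] >= 1)
    total = sum(counts.values())
    observed = {d: counts[d] / total for d in range(1, 10)}
    flagged = [d for d in range(1, 10) if observed[d] - BENFORD[d] > tolerance]
    return observed, flagged


if __name__ == "__main__":
    pop = build_population()
    print("duplicates:", duplicate_payments(pop))
    print("gaps:", sequence_gaps(pop))
    print("just below limit:", len(just_below_limit(pop)))
    obs, flagged = first_digit_test(pop)
    print("first-digit shares:", {d: round(s, 3) for d, s in obs.items()}, "flagged:", flagged)
```

Each routine examines the whole population rather than a sample, which is the advantage the text attributes to audit software. The Benford test is a screening device, not proof: a block of amounts keyed just under a limit shows up as an excess of leading nines, but the flagged records still have to be traced to source documents.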
10.2.3 Automated Risk Analysis

Tools are also available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine which controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit planning and scoping purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.
10.3 Audit Committee, Management and Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to meet its statutory, regulatory, policy, due care or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting. Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can materially impact controls at the governance level.

Audit report summaries. Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions and opinions regarding the status of IT controls. They can also report on the agreed-upon actions from prior audit reports and the status of those actions, probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as that created by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise the frequency of reporting will be driven by the organization's governance framework and philosophy and by the extent to which IT risks exist.
Figure 6 – Audit Interfaces

GTAG — Conclusion — 11

Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of the IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, because controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure that internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to the appropriate committees of the board of directors, in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management and board members.
GTAG — Appendix A — Information Security Program Elements — 12

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles, and approve the assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.

12.2 Management

• Establish information security management policies and controls, and monitor compliance.
• Assign information security roles, responsibilities and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program, with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail and remote access security
• Malicious code protection, including viruses, worms and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management
GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

There is an increasing volume of legislation impacting the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation and business practices around the world, particularly in all countries in which they do business, to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of the requirements and impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accord has a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and to shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. A comprehensive collection of information and advice on Sarbanes-Oxley is available at http://www.sarbanes-oxley.com. The key requirements of Sarbanes-Oxley, the SEC and the U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. Because IT controls address the secure, stable and reliable performance of hardware, software and personnel to ensure the reliability of financial applications, processes and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification and information not specific to financial processing and reporting. Therefore any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and the audit report. In particular, they require the PCAOB to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for an audit client in the capacity of IT consultants or from providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

Section 302 of the act requires the CEO and CFO, who are responsible for financial information and the system of internal controls, to evaluate the system of internal controls as of a date within 90 days before each periodic report and to report on their conclusions and on any changes.
They must disclose:

• "All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize and report financial data, and identify for the issuer's auditors any material weaknesses in internal controls."
• "Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls."

Section 404 requires the CEO and CFO to produce an annual internal control report that:

• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls and data protection. PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement on Auditing Standards (SAS) No. 94 also emphasize the importance of IT and information security controls to Sarbanes-Oxley compliance.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation, or a need, for continuous monitoring, auditing and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord

The Basel II Accord is a global regulatory framework that defines standards for enterprisewide risk management practices in the financial sector, with the intent of mitigating the risk of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included: people, processes, systems, governance and supplier management.

A bank wishing to qualify for the Advanced Measurement Approach (AMA) under the operational risk (OR) provisions must implement best practice in operations and risk management. For risk management this means:

• Senior management is actively involved.
• The bank has an OR management system, with processes, policies and procedures applied enterprisewide.
• The bank has the right governance and sufficient resources to manage operational risks.
• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework.
  – Codifying policies, procedures and controls.
  – Designing and implementing an OR measurement methodology.
  – Designing and implementing an OR management reporting system.
  – Developing strategies to identify, measure, monitor and control or mitigate OR.
• An OR measurement system is closely integrated into the day-to-day risk management process.
• OR exposures and loss experiences are regularly reported.
• The OR management system is documented.
• Internal and external auditors regularly review the OR management processes and measurement system.

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially depend on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to hold lower capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture the key business, environmental and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider such as the Zurich-based ORX consortium, the Global Operational Loss Database (GOLD) or MORE Exchange.

The bank must have a credible, transparent, well-documented and verifiable approach for weighting these fundamental elements in its overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data (successes, near misses and failures) must all be tracked and accounted for (reconciled to the books of the bank).
• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when first moving to the AMA.
• Within the internal loss collection process:
  – OR losses related to credit risk, and historically included in banks' credit risk databases, continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool that financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in Sweden in 1973 (in force from 1974), and the OECD published its Data Protection Guidelines in 1980 (OECD C(80)58 final). Regional bodies such as the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws, or a broad spectrum of sector regulations, for data protection. To bridge the differences between U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org) and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA), the Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill, CA SB 1386)

California's Senate Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer security breaches in which confidential information of any California resident may have been compromised. Every enterprise, public or private, doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated that the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.
13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG, a risk management requirement) and France (LSF, an internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national member bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.
GTAG — Appendix C — Three Categories of IT Knowledge for Internal Auditors — 14

14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities.[4] Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes. Knowledge of how IT is used, knowledge of the related risks, and the ability to use IT as a resource in the performance of audit work are essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.
14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences between application software, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and in the related and supporting systems, networks and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.
14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and the assignment of auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes.
• Understand the business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence, including IT proficiency, for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of the problems noted, rather than simply reporting on the problems or errors detected.
14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with those technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards the Global Information Assurance Certification (GIAC), relevant to information security professionals, including auditors. The course offerings and accompanying certifications track the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more narrowly focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.
4 Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.
GTAG — Appendix D — Compliance Frameworks — 15
15.1 COSO

Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO published the Internal Control – Integrated Framework (see Appendix E, page 36), a widely accepted tool for both management and auditors, in 1992, and it published the Enterprise Risk Management – Integrated Framework in September 2004. Details of both frameworks can be found at http://www.coso.org.
15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through a better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.
15.3 CICA IT Control Guidelines

The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.
15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information and Related Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and for IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.
15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communications and operations management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:
• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

Note that both documents have since been superseded: ISO/IEC 17799:2000 was revised in 2005 and renumbered ISO/IEC 27002 in 2007, and BS 7799-2:2002 was replaced by ISO/IEC 27001:2005. The clause numbering used in the remainder of this section is that of the 2000 edition and does not correspond to the 27000-series editions.
15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:
• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.
15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:
• Assessing risks to the organization. BS 7799 does not prescribe a methodology.
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.
15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.
15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.
15.5.5 Topics Addressed in BS 7799

1 Scope
2 Terms and definitions
3 Security policy
  3.1 Information security policy document
  3.2 Review and evaluation
4 Security organization
  4.1 Information security infrastructure
  4.2 Security of third-party access
  4.3 Outsourcing
5 Asset classification and control
  5.1 Accountability for assets
  5.2 Information classification
6 Personnel security
  6.1 Security in job definition and resourcing
  6.2 User training
  6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
  7.1 Secure areas
  7.2 Equipment security
  7.3 General controls
8 Communications and operations management
  8.1 Operational procedures and responsibilities
  8.2 System planning and acceptance
  8.3 Protection against malicious software
  8.4 Housekeeping
  8.5 Network management
  8.6 Media handling and security
  8.7 Exchanges of information and software
9 Access control
  9.1 Business requirement for access control
  9.2 User access management
  9.3 User responsibilities
  9.4 Network access control
  9.5 Operating system access control
  9.6 Application access control
  9.7 Monitoring system access and use
  9.8 Mobile computing and teleworking
10 Systems development and maintenance
  10.1 Security requirements of systems
  10.2 Security in application systems
  10.3 Cryptographic controls
  10.4 Security of system files
  10.5 Security in development and support processes
11 Business continuity management
  11.1 Business continuity management process
12 Compliance
  12.1 Compliance with legal requirements
  12.2 Reviews of security policy and technical compliance
  12.3 System audit considerations
15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.
15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) draw on best practice from other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:
• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).
• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.
15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.
• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of the information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.
• Awareness Principle – All parties with a need to know, including but not limited to information owners and information security practitioners, should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.
• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.
• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of, and threats to, the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management
• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks, with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.
15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. The Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter, and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies (see footnote 5) relevant to the particular principle.
• Communications – The organization has communicated its defined policies to authorized users.
• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and the accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.
15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.
15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility of the system, products, or services as advertised or committed by contract, or by service-level and other agreements. This principle does not in itself set a minimum acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.
Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) or system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

5 The term "policies" refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

6 Although some privacy regulations use the term "principle," the term "component" is used in the AICPA/CICA Trust Services Principles and Criteria framework to represent that concept, because the term "principle" previously has been defined in the Trust Services literature.
15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception, and that transactions and services are not processed more than once. Accuracy includes assurance that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction, and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurance that processing is performed in accordance with the required approvals and privileges defined by the policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and at the correct price, by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.
Processing integrity differs from data integrity because it does not automatically imply that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
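As an added example (not from this GTAG or from the AICPA/CICA literature), the following Python shows how the four processing-integrity properties above translate into concrete checks over a small batch of constructed transactions: an idempotency key so that a transaction is not processed more than once (completeness), field validation plus a fingerprint of the key fields that is re-verified after posting (accuracy), a committed processing window (timeliness), and a role-based approval limit (authorization). The role limits, the 24-hour window, the account format, and the field names are assumptions chosen for illustration.

```python
"""Processing-integrity controls over a transaction intake pipeline.

Added example, not part of the GTAG or the Trust Services criteria.
The approval limits, time window, account format and field names are
assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

# Assumed policy: the amount each role is privileged to authorize.
APPROVAL_LIMITS = {"clerk": 1_000.00, "manager": 25_000.00}
# Assumed commitment: a submission older than this is no longer timely.
MAX_AGE = timedelta(hours=24)


@dataclass
class Submission:
    txn_id: str            # idempotency key supplied by the initiator
    submitter_role: str
    account: str
    amount: float
    submitted_at: datetime


@dataclass
class Result:
    txn_id: str
    status: str            # "accepted" or "rejected"
    reason: str = ""
    digest: str = ""       # fingerprint of key fields, carried through processing


def _digest(s: Submission) -> str:
    # Accuracy: fingerprint the key fields at intake so a later stage can
    # prove the transaction was not altered while being processed.
    raw = f"{s.txn_id}|{s.account}|{s.amount:.2f}".encode()
    return hashlib.sha256(raw).hexdigest()


class Processor:
    def __init__(self, now: datetime):
        self.now = now
        self.seen: dict[str, str] = {}      # txn_id -> digest already processed
        self.ledger: list[tuple[str, str, float]] = []

    def process(self, s: Submission) -> Result:
        d = _digest(s)
        # Completeness: never process the same transaction twice, and tell an
        # honest retry (identical content) apart from a replay with altered content.
        if s.txn_id in self.seen:
            kind = "duplicate" if self.seen[s.txn_id] == d else "conflicting duplicate"
            return Result(s.txn_id, "rejected", kind, d)
        # Accuracy: validate fields before any state changes.
        if not (s.account.isdigit() and len(s.account) == 8):
            return Result(s.txn_id, "rejected", "invalid account", d)
        if s.amount <= 0 or round(s.amount, 2) != s.amount:
            return Result(s.txn_id, "rejected", "invalid amount", d)
        # Timeliness: enforce the committed processing window (reject future-dated too).
        age = self.now - s.submitted_at
        if age < timedelta(0) or age > MAX_AGE:
            return Result(s.txn_id, "rejected", "outside processing window", d)
        # Authorization: the submitter's role must carry the privilege for this amount.
        limit = APPROVAL_LIMITS.get(s.submitter_role)
        if limit is None or s.amount > limit:
            return Result(s.txn_id, "rejected", "not authorized for amount", d)
        # Post exactly once, then re-verify the fingerprint against what was recorded.
        self.ledger.append((s.txn_id, s.account, s.amount))
        self.seen[s.txn_id] = d
        posted = self.ledger[-1]
        recomputed = _digest(Submission(posted[0], s.submitter_role, posted[1],
                                        posted[2], s.submitted_at))
        assert recomputed == d, "key fields changed during processing"
        return Result(s.txn_id, "accepted", "", d)


def run_sample() -> list[Result]:
    """Process a constructed batch exercising each control; returns the results."""
    now = datetime(2005, 3, 1, 12, 0, tzinfo=timezone.utc)
    p = Processor(now)
    batch = [  # constructed sample input
        Submission("T1", "clerk", "12345678", 500.00, now - timedelta(hours=1)),
        Submission("T1", "clerk", "12345678", 500.00, now - timedelta(hours=1)),    # retry
        Submission("T1", "clerk", "12345678", 900.00, now - timedelta(hours=1)),    # tampered replay
        Submission("T2", "clerk", "12345678", 5000.00, now - timedelta(hours=1)),   # over role limit
        Submission("T3", "manager", "12345678", 5000.00, now - timedelta(days=3)),  # stale
        Submission("T4", "manager", "1234", 100.00, now),                           # bad account
    ]
    return [p.process(s) for s in batch]


if __name__ == "__main__":
    for r in run_sample():
        print(r.txn_id, r.status, r.reason)
```

The digest check at the end of the accepted path is what separates processing integrity from mere input validation: it evidences that the key fields recorded are the ones that passed the controls, which is the assurance an auditor is asked to form under this principle.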
15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components (see footnote 6) and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in the privacy laws and regulations of various jurisdictions around the world and on many recognized good privacy practices. The privacy components are:
• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
• Collection – The organization collects personal information only for the purposes identified in the notice.
• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.
• Access – The organization provides individuals with access to their personal information for review and update.
• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security – The organization protects personal information against unauthorized access, both physical and logical.
• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.
15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed

The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:
• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.
15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life-cycle management, business, and information privacy practices, and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.
15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance, both within an organization and between business partners, to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.
15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's corporate governance initiatives do not address IT issues specifically, but activities of the Information Society
GTAG — Appendix E — Assessing IT Controls Using COSO — 16
The COSO Internal Control – Integrated Framework is recognized by the SEC as a suitable framework for the purpose of Sarbanes-Oxley attestation and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.
161 COSO Definition of Internal Control COSO defines internal control (httpwwwcosoorg)keyhtm) as ldquoa process effected by an organizationrsquos board ofdirectors management and other personnel designed toprovide reasonable assurance regarding the achievement ofobjectives in the following categories
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"
These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.
16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication
Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.
16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.
GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17
Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.
CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise.
• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.
• Control objectives, statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives.
• Audit guidelines, suggested audit steps corresponding to each of the IT control objectives.
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources.
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control, critical success factors to identify the most important actions for achieving control over the IT processes, key goal indicators to define target levels of performance, and key performance indicators to measure whether an IT control process is meeting its objective.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of COBIT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.
GTAG — Appendix G — Example IT Control Metrics to Be Considered by Audit Committees — 18
The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report[7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements regarded as essential content for comprehensive enterprise management of information security was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.
18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.

• Oversee risk management and compliance programs pertaining to information security.
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means.
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
  – Percentage of information security program principles for which approved policies and controls have been implemented by management.
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified.
• Strive to protect the interests of all stakeholders who depend on information security.
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda.
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders.
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods.
• Review information security policies regarding strategic partners and other third parties.
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements.
• Strive to ensure business continuity.
  – Percentage of organizational units with an established business-continuity plan.
• Review provisions for internal and external audits of the information security program.
  – Percentage of required internal and external audits completed and reviewed by the board.
  – Percentage of audit findings that have not been resolved.
• Collaborate with management to specify the information security metrics to be reported to the board.
18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

[7] http://reform.house.gov/TIPRC
• Establish information security management policies and controls, and monitor compliance.
  – Percentage of information security program elements for which approved policies and controls are operational.
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls.
  – Percentage of information security policy compliance reviews that noted violations.
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges.
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access.
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy.
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff/system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance.
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle.
  – Number of individuals with access to security software who are not trained and authorized security administrators.
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators.
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy.
  – Percentage of critical assets and functions for which the cost of compromise — loss, damage, disclosure, or disruption of access — has been quantified.
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy.
• Ensure implementation of information security requirements for strategic partners and other third parties.
  – Percentage of known information security risks that are related to third-party relationships.
  – Percentage of critical information assets or functions to which third-party personnel have been given access.
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy.
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically.
  – Percentage of security incidents that involve third-party personnel.
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures.
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements.
  – Percentage of out-of-compliance review findings that have been corrected since the last review.
• Identify and classify information assets.
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy.
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy.
  – Date when the asset inventory was last updated.
• Implement and test business-continuity plans.
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned.
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately.
  – Percentage of system architecture changes — additions, modifications, or deletions — that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms.
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture.
• Protect the physical environment.
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media.
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented.
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding.
  – Percentage of servers in locations with controlled physical access.
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule.
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule.
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness.
• Collaborate with security personnel to specify the information security metrics to be reported to management.
GTAG — Appendix H — CAE Checklist — 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards
2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance
3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal Audit
      ii. External Audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?

4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls
5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing
6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?
GTAG — Appendix I — References — 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the U.S. House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management, and technical issues.
20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: Three report series from The IIA, National Association of Corporate Directors (NACD), U.S. Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report – Internal Control – Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896
20.2 Management

BS 7799 – Parts 1 & 2: Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices
203 Technical IssuesConsensus Benchmarks Center for Internet Securityhttpwwwcisecurityorg
DISA Security Technical Implementation Guideshttpwwwcsrcnistgovpcigcightml
ISO 15408 Common Criteria, http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm
ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5, http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler
IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik, http://www.bsi.bund.de/gshb/english/menue.htm
ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA), http://www.cica.ca
NIST Configuration Guides, National Institute of Standards and Technology (NIST), http://www.csrc.nist.gov/pcig/cig.html
NIST 800-12 The Computer Security Handbook, NIST, http://www.csrc.nist.gov/publications/nistpubs/index.html
NIST 800-30 Risk Management Guide for Information Technology Systems, NIST, http://www.csrc.nist.gov/publications/nistpubs/index.html
NSA Configuration Guides, http://www.nsa.gov/snac
SANS Step-by-Step Guides, SANS Institute, http://www.store.sans.org
20.4 Auditing IT
Control Objectives for Information and Related Technologies (CobiT), ISACA, http://www.isaca.org
Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office, http://www.gao.gov
Information Technology Control Guidelines (ITCG), CICA, http://www.cica.ca
Systems Assurance and Control (SAC), IIA Research Foundation, http://www.theiia.org/eSAC
Systems Auditability and Control (SAC), IIA Research Foundation, http://www.theiia.org/eSAC
GTAG — Appendix J — Glossary — 21
A listing of technical terms used in the guide, with a simple, plain-English definition.
Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.
Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.
CAE – Chief audit executive
CEO – Chief executive officer
CFO – Chief financial officer (and controller)
CIO – Chief information officer
CISO – Chief information security officer
CLC – Chief legal counsel
COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org
CRM – Customer resource management
CSO – Chief security officer
Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.
Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.
Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.
Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization, as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.
General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).
GLBA – US Gramm-Leach-Bliley Act
Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
GTAG – Global Technology Audit Guide
HIPAA – US Health Information Portability and Accountability Act
Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.
Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.
Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.
Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.
ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org
IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization’s information.
IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.
ITPI – IT Process Institute. See http://www.itpi.org
Public Company Accounting Oversight Board (PCAOB) – A board of the US Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.
Risk appetite – Defined by COSO as “the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization’s risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks.”
Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can affect the confidentiality, integrity, or availability of an organization’s information assets adversely.
Risk Tolerance – Defined by COSO as “the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite.”
GTAG — Appendix K — About the Global Technology Audit Guides — 22
This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.
The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology facts and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.
22.1 Parties to the GTAG Program
Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA’s international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views such as legal, insurance, regulatory, and standards will be included as appropriate within individual GTAG projects.
The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.
23.1 IT Controls Advisory Council
The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.
Julia H. Allen, CMU/SEI (Carnegie-Mellon University/Software Engineering Institute)
Michael R. Dickson, Business Technology Group LLC
Clint Kreitner, President/CEO, CIS (The Center for Internet Security)
Alex Lajoux, NACD (National Association of Corporate Directors)
Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA
Mark Salamasick, CIA, University of Texas at Dallas
Karyn Waller, AICPA (American Institute of Certified Public Accountants)
23.2 Partner Organizations
AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants
CIS – Clint Kreitner, Center for Internet Security
CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute
ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association
NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors
SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO
23.3 Project Review Team
Peter Allor, ISS (Internet Security Systems)
Jack Antonelli, ADP
Ken D. Askelson, CIA, JC Penney Co. Inc.
Becky Bace, Infidel Inc.
Kevin Behr, IPSI (Institute for Integrated Publication and Information Systems)
Jeff Benson, BearingPoint
Robert S. Block, Chairman, 3D Business Tools, USA
Sylvia Boyd, The IIA
Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA
Larry Brown, Options Clearing Corp.
Stephanie Bryant, University of South Florida
Phil Campbell, Specialized IT LLC, USA
John Carlson, BITS (Banking Industry Technology Secretariat)
Chris Compton, Intrusion Labs
Guy Copeland, CSC (Computer Sciences Corp.)
Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA
Bob Daniels, EDS
Bob Dix, US House of Representatives
GTAG — Appendix L — GTAG Partners and Global Project Team — 23
Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA
Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA
Greg Garcia, ITAA (Information Technology Association of America)
Russ Gates, Dupage Consulting LLC
Lou Giles, Chevron Phillips Chemical Co.
Doug Guerrero, EDS
Kai Tamara Hare, Nuserve
Michael S. Hines, CIA, Purdue University
Bob Hirth, Protiviti
Don Holden, CISSP, Concordant Inc., USA
Dave Kern, Ethentica
Gene Kim, CTO, Tripwire Inc., USA
Jim Kolouch, BearingPoint
David Kowal, VP, JP Morgan Chase
Paul Kurtz, CSIA (Cyber Security Industry Alliance)
Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA
Andrée Lavigne, CICA (Canadian Institute of Chartered Accountants)
Debbie Lew, Guidance Software
Brenda Lovell, CIA, CCSA, CGAP, The IIA
Warren Malmquist, Adolph Coors Co.
Stacy Mantzaris, CIA, IIA
Dennis Miller, Heritage Bank
Patrick Morrissey, Auditwire
Bruce Moulton, Symantec
Paul Moxey, ACCA (Association of Chartered Certified Accountants)
Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA
Fred Palmer, Palmer Associates
Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.
Bernie Plagman, TechPar Group
Heriot Prentice, MIIA, FIIA, QiCA, The IIA
Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA
Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA
Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA
Amy Ray, Bentley College
Martin Ross, GSC (Global Security Consortium)
Chip Schilb, EDS, USA
Howard Schmidt, eBay
Mark Silver, Symantec
George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA
Adam Stone, Assurant
Jay H. Stott, CIA, Fidelity Investments
Dan Swanson, CIA, IIA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation
Bill Tener, University & Community College System of Nevada
Archie Thomas
Fred Tompkins, BearingPoint
Don Warren, Rutgers University
Dominique Vincenti, CIA, The IIA
Mark Winn, Intrusec
Amit Yoran
23.4 IIA International Affiliates
Frank Alvern, CIA, CCSA, Nordea Bank, Norway
Alexandre Alves Apparecido, Brazil
Dror Aviv, Israel
David F. Bentley, England, UK and Ireland
Gerardo Carstens, CIA, IIA Argentina
Richard Cascarino, South Africa
Iftikhar Chaudry, Pakistan
Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt
Dr. Ulrich Hahn, CIA, Switzerland
Rossana S. Javier, Makati City, Philippines
Andras Kovacks, Hungary
Christopher McRostie, Australia
Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani, RSM Pakistan
Kyoko Shimizu, CIA, Japan
John Silltow, Security Control and Audit Ltd., United Kingdom
Ken Siong, International Federation of Accountants
Anton van Wyk, PwC, South Africa
Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate
Julie Young, Australia
23.5 Other International
Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada
P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates
Ariel Peled, President, ISSA Israeli Chapter
P. Shreekanth, India
Karen Woo, Selangor, Malaysia
23.6 IIA International Advanced Technology Committee
Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa
Alexandre Alves Apparecido, Brasil Telecom, Brazil
Ken D. Askelson, CIA, JC Penney Co. Inc., USA
Dror Aviv, CFSA, IIA Israel
Donald L. Bailey, Grant Thornton LLP, USA
E.W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)
Norman F. Barber, Microsoft Corp., USA
David F. Bentley, QiCA, Consultant, England
Claude Cargou, GIE AXA, France
Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA
Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan
Douglas Guerrero, EDS Corp., USA
Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland
David J. Hill, IBM Corp., USA
Michael S. Hines, CIA, Purdue University, USA
Mark J. Hornung, Ernst & Young LLP, USA
Gene Kim, CTO, Tripwire Inc., USA
David S. Lione, KPMG LLP Southeast Region, USA
Peter B. Millar, ACL Services Ltd., Canada
Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA
Brenda J. S. Putman, CIA, City Utilities of Springfield, USA
Kyoko Shimizu, CIA, Shin Nihon & Co., Japan
Brian M. Spindel, CIA, SecurePipe Inc., USA
Rajendra P. Srivastava, University of Kansas, USA
Jay Stott, CIA, Fidelity Investments, USA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA
Thomas Jason Wood, CIA, Ernst & Young LLP, USA
Akitomo Yamamoto, IIA Japan
23.7 The Writing Team
David A. Richards, CIA, President, The IIA
Alan S. Oliphant, MIIA, QiCA, MAIR International
Charles H. Le Grand, CIA, CHL Global
23.8 IIA Headquarters Staff Production Team
Michael Feland
Trish Harris
Tim McCollum
Information Technology Controls
This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.
What is GTAG?
Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.
Business Continuity Management
This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.
Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.
Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.
Order Number 100645. IIA Member US $25; Nonmember US $30; IIA Event US $22.50
www.theiia.org
ISBN 0-89413-570-8; ISBN 978-0-89413-623-8
IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems, and people that comprise IT infrastructures.
IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a “weak link.” They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of “defense in depth,” so a single weakness does not always result in a single point of failure. Controls exist to protect stakeholder interests:
• The owner’s equity.
• Customer concerns such as privacy and identity.
• Employees’ jobs and abilities to prove they did the right thing.
• Management’s comfort with the assurance provided by automated processes.
IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.
GTAG — Introduction — 3
They are all connected
When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the “ports” through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored, and communicated.
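The sidebar above treats a firewall configuration file as a deployed policy. The following added illustration (example code written for this page, not from the GTAG or from any firewall vendor) models that idea: a constructed rule file in a hypothetical four-field format, first-match evaluation of a message against it, and the comparison an auditor would make between the deployed inbound allow rules and the documented list of approved inbound ports. The rule format, the sample rules and the approved-port list are all constructed assumptions.

```python
"""Firewall settings as an implemented policy (added example, not GTAG text).

The four-field rule format used here (action direction protocol port) is a
hypothetical stand-in for a real firewall's syntax; the sample rules and the
approved-port list are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of a deployed rule file. First matching rule wins.
DEPLOYED_RULES = """
# inbound services the organization intends to expose
allow in  tcp 443
allow in  tcp 25
# inbound remote administration that the documented policy never mentions
allow in  tcp 3389
deny  in  any any
allow out any any
"""

# Documented policy: (protocol, port) pairs management has approved inbound.
APPROVED_INBOUND = {("tcp", "443"), ("tcp", "25")}


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    direction: str  # "in" or "out"
    proto: str      # "tcp", "udp" or "any"
    port: str       # decimal port number, or "any"


def parse_rules(text: str) -> list[Rule]:
    """Parse the hypothetical rule file; blank lines and # comments are skipped."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if (len(fields) != 4 or fields[0] not in ("allow", "deny")
                or fields[1] not in ("in", "out")
                or not (fields[3] == "any" or fields[3].isdigit())):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append(Rule(*fields))
    return rules


def decide(rules: list[Rule], direction: str, proto: str, port: int) -> str:
    """First-match evaluation of one message; default-deny if nothing matches."""
    for r in rules:
        if r.direction != direction or r.proto not in ("any", proto):
            continue
        if r.port != "any" and int(r.port) != port:
            continue
        return r.action
    return "deny"


def unapproved_inbound(rules: list[Rule]) -> list[Rule]:
    """Deployed allow-in rules with no backing in the documented policy.

    A wildcard ("any") inbound allow is never in the approved set, so it is
    flagged as well.
    """
    return [r for r in rules
            if r.action == "allow" and r.direction == "in"
            and (r.proto, r.port) not in APPROVED_INBOUND]


if __name__ == "__main__":
    rules = parse_rules(DEPLOYED_RULES)
    print("inbound tcp/443:", decide(rules, "in", "tcp", 443))
    print("inbound tcp/22: ", decide(rules, "in", "tcp", 22))
    for r in unapproved_inbound(rules):
        print(f"deployed rule not covered by documented policy: {r}")
```

The point for the reviewer is the last function: the rule file is the policy that actually runs, so an audit compares what is deployed against what was approved, rather than reading the written policy alone.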
When CAEs review and assess the controls over IT, they should ask:
• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?
The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.
The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.
GTAG — Assessing IT Controls — An Overview — 4
“I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who.”
— Rudyard Kipling, from “Elephant’s Child” in Just So Stories
Figure 1 - The Structure of IT Auditing
COSO¹ defines internal control as “A process, effected by an organization’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations”
IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization’s use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.
5.1 Control Classifications
Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.
General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; and backup, recovery, and business continuity.
Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting. The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.
Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.
GTAG — Understanding IT Controls — 5
¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org
It is not necessary to know “everything” about IT controls
Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation-of-duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.
There are two key control concepts to remember:
1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor’s assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.
Figure 2
Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender’s secure identification cannot be authenticated.
Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.
Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls because they represent another opportunity for errors, omissions, or falsification.
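As an added illustration of the preventive, detective and corrective sequence described above (example code written for this page, not from the GTAG), the block below runs a constructed batch of data-entry records through a preventive format edit, a detective review of what was posted (inactive accounts, unknown accounts, amounts over an authorized limit), and a corrective reversal that books an offsetting entry instead of deleting the original posting, so the correction itself stays visible in the trail of evidence. The "account,amount" record format, the account master and the authorized limits are all constructed assumptions.

```python
"""Preventive, detective and corrective controls over a transaction batch.

Added example, not GTAG text. The "account,amount" record format, the
account master and the authorized limits are constructed for illustration.
"""
from __future__ import annotations

import re

# Constructed account master: status and the posting limit management authorized.
ACCOUNTS = {
    "1001": {"status": "active", "limit": 5000.00},
    "1002": {"status": "inactive", "limit": 5000.00},
    "1003": {"status": "active", "limit": 1000.00},
}

# Constructed input batch as it might arrive from data entry.
BATCH = [
    "1001,250.00",
    "1001,abc",       # alphabetic characters in a numeric field
    "1002,40.00",     # posting to an inactive account
    "1003,2500.00",   # exceeds the authorized limit for this account
    "9999,10.00",     # account number not on the master
]

# Numeric field edit: digits with at most two decimals, nothing else.
AMOUNT_RE = re.compile(r"^\d+(\.\d{1,2})?$")


def preventive_edit(record: str) -> tuple[str, float] | None:
    """Data-entry edit: a record that fails the format check never gets posted."""
    parts = record.split(",")
    if len(parts) != 2:
        return None
    acct, amount = parts
    if not acct.isdigit() or not AMOUNT_RE.match(amount):
        return None
    return acct, float(amount)


def detective_review(posted: list[tuple[str, float]]) -> list[dict]:
    """Post-processing review for conditions a format edit cannot see."""
    findings = []
    for acct, amount in posted:
        master = ACCOUNTS.get(acct)
        if master is None:
            issue = "unknown account"
        elif master["status"] != "active":
            issue = "inactive account"
        elif amount > master["limit"]:
            issue = "exceeds authorized limit"
        else:
            continue
        findings.append({"acct": acct, "amount": amount, "issue": issue})
    return findings


def corrective_reversal(ledger: list[tuple[str, float, str]],
                        findings: list[dict]) -> list[tuple[str, float, str]]:
    """Reverse each flagged posting with an offsetting entry.

    The original posting is not deleted: both entries remain in the ledger,
    so the correction is itself evidenced and can be reviewed later.
    """
    reversals = []
    for f in findings:
        entry = (f["acct"], -f["amount"], f"reversal: {f['issue']}")
        ledger.append(entry)
        reversals.append(entry)
    return reversals


def process_batch(batch: list[str]) -> dict:
    """Run one batch through all three control layers and return the evidence."""
    rejected: list[str] = []
    ledger: list[tuple[str, float, str]] = []
    for record in batch:
        parsed = preventive_edit(record)
        if parsed is None:
            rejected.append(record)
        else:
            ledger.append((parsed[0], parsed[1], "posted"))
    findings = detective_review([(a, m) for a, m, _ in ledger])
    reversals = corrective_reversal(ledger, findings)
    return {"rejected": rejected, "findings": findings,
            "reversals": reversals, "ledger": ledger}


def balances(ledger: list[tuple[str, float, str]]) -> dict[str, float]:
    """Net balance per account after postings and reversals."""
    totals: dict[str, float] = {}
    for acct, amount, _ in ledger:
        totals[acct] = round(totals.get(acct, 0.0) + amount, 2)
    return totals


if __name__ == "__main__":
    result = process_batch(BATCH)
    print("rejected by preventive edit:", result["rejected"])
    for f in result["findings"]:
        print("detective finding:", f)
    print("balances after correction:", balances(result["ledger"]))
```

Each layer catches something the earlier one cannot: the format edit stops the malformed record before processing, the review finds postings that were well-formed but wrong, and the reversal repairs the balances while leaving every entry in place for a later auditor.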
Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.
5.2 Governance, Management, Technical
Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels — governance and management — are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.
5.2.1 Governance Controls
The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and performance and compliance metrics demonstrate ongoing support for that framework.
Governance controls are those mandated by and controlled by either the entire board of directors or a board committee, in conjunction with the organization’s executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.
An important distinction between governance and management controls is the concept of “noses in, fingers out.” The board’s responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.
5.2.2 Management Controls
Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization’s established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:
• Recognize risks to the organization, its processes, and assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).
5.2.3 Technical Controls
Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information — including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization’s IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management’s intended information-based policies is a powerful resource to the organization.
Figure 3 - Some Control Classifications
5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls (this page), represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.
5.3.1 Policies
All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.
IT policy statements include, but are not restricted to:
• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.
5.3.2 Standards
Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45). As a guideline, the CAE should expect to see standards adopted for:
• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.
5.3.3 Organization and Management

Organization and management play a major role in the whole system of IT control, as they do with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.
5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems — except for change deployment — and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum.
Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.
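As an added example (not code from the GTAG or The IIA), the following Python script performs the kind of privileged-account review described above on a UNIX-style host: it lists every account that can act as root, flags more than one UID 0 account, and reports when the count exceeds a policy limit. The passwd, group and sudoers contents and the limit of three privileged accounts are constructed assumptions.

```python
"""Added example (not from the GTAG): review of a UNIX host's privileged
accounts. Lists every account able to act as root, flags more than one UID 0
account, and reports when the count exceeds a policy limit. The file contents
and the limit below are constructed sample data, not taken from any real host."""

# Constructed /etc/passwd content (name:pw:uid:gid:gecos:home:shell)
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
svc_backup:x:1010:1010:Backup service:/var/backups:/usr/sbin/nologin
"""
# Constructed /etc/group content (name:pw:gid:member,member)
GROUP = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:carol
staff:x:50:alice,bob,carol
"""
# Constructed sudoers fragment
SUDOERS = """\
# who  where=(as whom) what
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL:ALL) ALL
svc_backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

ADMIN_GROUPS = {"root", "wheel", "sudo"}   # groups that confer root rights
MAX_PRIVILEGED = 3                         # assumed policy limit for the example


def parse_passwd(text):
    """Map user name -> numeric UID from /etc/passwd content."""
    uids = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            uids[fields[0]] = int(fields[2])
    return uids


def parse_group(text):
    """Map group name -> set of supplementary members from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, _, members = line.split(":")
            groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return (users, groups) granted any rule in a sudoers fragment.
    Only plain user and %group rules are handled; Defaults lines are skipped."""
    users, groups = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        who = line.split()[0]
        (groups if who.startswith("%") else users).add(who.lstrip("%"))
    return users, groups


def privileged_accounts(passwd, group, sudoers):
    """Return {user: [reasons]} for every account that can act as root."""
    uids = parse_passwd(passwd)
    groups = parse_group(group)
    sudo_users, sudo_groups = parse_sudoers(sudoers)
    reasons = {}
    for user, uid in uids.items():
        if uid == 0:
            reasons.setdefault(user, []).append("UID 0")
    for gname, members in groups.items():
        if gname in ADMIN_GROUPS or gname in sudo_groups:
            for member in sorted(members):
                reasons.setdefault(member, []).append(f"member of {gname}")
    for user in sorted(sudo_users):
        reasons.setdefault(user, []).append("explicit sudoers entry")
    return reasons


def review(passwd, group, sudoers, limit=MAX_PRIVILEGED):
    """Apply the policy: flag duplicate UID 0 accounts and an excessive count."""
    accounts = privileged_accounts(passwd, group, sudoers)
    findings = []
    uid0 = sorted(u for u, r in accounts.items() if "UID 0" in r)
    if len(uid0) > 1:
        findings.append(f"multiple UID 0 accounts: {uid0}")
    if len(accounts) > limit:
        findings.append(f"{len(accounts)} privileged accounts exceeds limit of {limit}")
    return {"accounts": accounts, "findings": findings}
```

Calling `review(PASSWD, GROUP, SUDOERS)` on the sample data reports six privileged accounts against a limit of three and a second UID 0 account (`toor`), which on a real host would be the two findings to raise with system administration.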
5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.
5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.
5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.
5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed, client-server, and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.
Some typical physical and environmental controls include:
• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.
When considering physical and environmental security, it is also appropriate to consider contingency planning — also known as disaster recovery planning — which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.
5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.
IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland; Certified Information Systems Auditor (CISA), available through the Information Systems Audit and Control Association (ISACA); and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.
Some key technical controls the CAE should expect to find in a well-managed IT environment include:
• Access rights allocated and controlled according to the organization's stated policy.
• Division of duties enforced through systems software and other configuration controls.
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.
• Intrusion testing performed on a regular basis.
• Encryption services applied where confidentiality is a stated requirement.
• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.
5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.
Some basic control issues should be evident in all systems development and acquisition work:
• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.
5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:
• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:
• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
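As an added example (not code from the GTAG or The IIA), the following Python script shows how the five generic control types above can be implemented together in a small payment-batch process: input checks on each record, a batch count and control total for processing, an output reconciliation back to the input, a checksum over the stored data, and a hash-chained management trail. The records, batch slip figures, approver list and amount limit are constructed assumptions.

```python
"""Added example (not from the GTAG): a miniature payment-batch process that
implements the five generic application controls the guide lists. All records,
declared totals and policy limits are constructed sample data."""
import hashlib
import json

MAX_AMOUNT = 10_000.00                     # assumed policy limit per payment
VALID_CURRENCIES = {"USD", "EUR", "GBP"}   # assumed list of permitted currencies
APPROVERS = {"alice", "bob"}               # assumed list of authorized approvers
GENESIS = "0" * 64                         # hash chain starting value

# Constructed input batch as keyed in by the submitting department
SAMPLE_BATCH = [
    {"id": "P001", "amount": 250.00, "currency": "USD",
     "entered_by": "carol", "approved_by": "alice"},
    {"id": "P002", "amount": 12000.00, "currency": "USD",
     "entered_by": "carol", "approved_by": "bob"},     # over the limit
    {"id": "P003", "amount": 75.50, "currency": "XXX",
     "entered_by": "dave", "approved_by": "alice"},    # unknown currency
    {"id": "P004", "amount": 500.00, "currency": "EUR",
     "entered_by": "alice", "approved_by": "alice"},   # entered == approved
]
DECLARED_COUNT, DECLARED_TOTAL = 4, 12825.50   # batch slip sent with the input


class AuditTrail:
    """Management trail: append-only, hash-chained log; any edited or deleted
    entry breaks the chain, which verify() detects."""

    def __init__(self):
        self.entries, self._prev = [], GENESIS

    def record(self, event, detail):
        body = json.dumps({"event": event, "detail": detail, "prev": self._prev},
                          sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append({"body": body, "hash": digest})
        self._prev = digest

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            if json.loads(entry["body"])["prev"] != prev:
                return False
            if hashlib.sha256(entry["body"].encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def input_controls(rec):
    """Input controls: validity, range and authorization checks on one record.
    Returns the list of failures; an empty list means the record is accepted."""
    errors = []
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("amount must be positive")
    elif amount > MAX_AMOUNT:
        errors.append("amount exceeds limit")
    if rec.get("currency") not in VALID_CURRENCIES:
        errors.append("unknown currency")
    if rec.get("approved_by") not in APPROVERS:
        errors.append("approver not authorized")
    elif rec.get("approved_by") == rec.get("entered_by"):
        errors.append("entered and approved by same user")
    return errors


def checksum(records):
    """Integrity control: digest of stored records, recomputed when read back."""
    return hashlib.sha256(json.dumps(records, sort_keys=True).encode()).hexdigest()


def process_batch(records, declared_count, declared_total, trail):
    """Run one batch through all five control types; every decision is logged."""
    store, rejected = [], []
    for rec in records:
        errors = input_controls(rec)
        if errors:
            rejected.append((rec["id"], rec["amount"], errors))
            trail.record("rejected", {"id": rec["id"], "errors": errors})
        else:
            store.append(rec)
            trail.record("accepted", {"id": rec["id"], "amount": rec["amount"]})
    # Processing control: count and control total received must equal the
    # batch slip figures, otherwise records were lost or duplicated in transit.
    received_total = round(sum(r["amount"] for r in records), 2)
    complete = len(records) == declared_count and received_total == declared_total
    trail.record("batch_totals", {"count": len(records), "total": received_total,
                                  "complete": complete})
    # Output control: released amount plus rejected amounts must reconcile back
    # to the input total before anything is paid out.
    output_total = round(sum(r["amount"] for r in store), 2)
    rejected_total = round(sum(amount for _, amount, _ in rejected), 2)
    reconciled = round(output_total + rejected_total, 2) == received_total
    # Integrity control: checksum of the stored data is kept in the trail so a
    # later read-back can detect silent corruption.
    digest = checksum(store)
    trail.record("stored", {"count": len(store), "checksum": digest})
    return {"accepted": [r["id"] for r in store], "rejected": rejected,
            "batch_complete": complete, "output_total": output_total,
            "output_reconciled": reconciled, "stored_checksum": digest}
```

Running `process_batch(SAMPLE_BATCH, DECLARED_COUNT, DECLARED_TOTAL, AuditTrail())` accepts only P001 and rejects the other three with their reasons; feeding it a batch with one record missing leaves the output reconciled but marks the batch incomplete, which is the loss the processing control exists to catch.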
5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:
• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.
5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.
Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:
• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
6 Importance of IT Controls

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002,² the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.
Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).
Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:
• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.
Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.
² Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.
7 IT Roles in the Organization
Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:
• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.
• To protect stakeholder interests.
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.
• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.
7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:
• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.
• Approval of the data classifications structure and the related access rights.
The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.
7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:
• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.
• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.
• Overseeing the overall assessment of IT controls.
• Reviewing the business and control issues related to new systems development and acquisition.
• Examining internal and external audit plans and work to ensure IT topics are covered adequately.
• Reviewing the results of audit work and monitoring the resolution of issues raised.
• Understanding the IT topics that impact ethics monitoring.
7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.
7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:
• Ensure that potential and current board members have a suitable IT knowledge or background.
• Assess board committees' performance in terms of their oversight of IT.
• Review any external regulatory governance assessments in relation to IT topics.
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.
GTAG — IT Roles in the Organization — 7
7.1.4 Risk Management Committee
The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:
• Assessing the extent to which management has established effective enterprise risk management in the organization.
• Being aware of, and concurring with, the organization's risk appetite and tolerance.
• Appreciating the impact of IT-related risks.
• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.
• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.
7.1.5 Finance Committee
The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.
7.2 Management
Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.
7.2.1 Chief Executive Officer
The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:
• Define corporate objectives and performance measures in relation to IT.
• Act as custodian over the organization's critical success factors in relation to IT.
• Understand and approve the short-term and long-range strategy for IT.
• Approve IT resources for the organization, including structure and oversight/monitoring.
• Determine IT issues for periodic management, board, and staff discussion.
• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.
7.2.2 Chief Financial Officer
The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:
• The total cost of ownership for IT initiatives.
• The entity's IT strategies for remaining technologically competitive.
• The technologies used to implement financial applications.
• The operation of specific financial applications.
• The limitations and benefits of IT.
• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.
The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics
As evidenced in the Equity Funding cases in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.
7.2.3 Chief Information Officer
The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:
• Understand the business requirements that drive the need to implement IT.
• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.
• Design, implement, and maintain an IT internal control framework.
• Plan, source, and control IT resources.
• Explore, assess, select, and implement technology advances (e.g., wireless communications).
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
• Operate as the highest-level data/system custodian and IT control owner.
• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.
7.2.4 Chief Security Officer
The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:
• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.
• Acts as a key link between the compliance, legal, CIO, and audit functions.
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.
• Is responsible for business continuity planning, including incident handling and disaster recovery.
• Ensures that security staff provide support for implementing controls at all levels.
• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.
7.2.5 Chief Information Security Officer (CISO)
Information security is a subset of the overall security role. The CISO:
• Develops and implements the information security policy in coordination with the CSO.
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.
• Ensures alignment of information security and business objectives.
• Manages operational information risks throughout the organization.
• Oversees security within the IT organization.
• Provides education and awareness on information security issues and new best practices.
• Develops end-user policies for the usage of IT information in conjunction with the human resources function.
• Coordinates information security work with the chief risk officer (CRO) and CIO.
• Advises the CEO, CRO, CIO, and board on IT risk issues.
• Acts as a key link for the CAE when internal auditing performs IT control-related audits.
7.2.6 Chief Legal Counsel (CLC)
Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:
• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.
• Ensuring financial reports and presentations comply with laws and regulations.
• Understanding IT legal issues and advising on legal risks related to IT.
• Managing organizational reputation in relation to legal issues, compliance, and public relations.
• Understanding fraud involving IT.
• Managing IT contractual issues.
• Understanding investigative forensics protocols regarding suspected criminal activity.
7.2.7 Chief Risk Officer
The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:
• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.
• Assessment of IT events such as interruptions, disasters, and changes.
• Analysis and assessment of business risk as it is affected by IT risk.
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.
7.3 Audit
7.3.1 Internal Auditing – CAE and Audit Staff
Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:
• Advising the audit committee and senior management on IT internal control issues.
• Ensuring IT is included in the audit universe and annual plan (selecting topics).
• Ensuring IT risks are considered when assigning resources and priorities to audit activities.
• Defining IT resources needed by the internal audit department, including specialized training of audit staff.
• Ensuring that audit planning considers IT issues for each audit.
• Liaising with audit clients to determine what they want or need to know.
• Performing IT risk assessments.
• Determining what constitutes reliable and verifiable evidence.
• Performing IT enterprise-level controls audits.
• Performing IT general controls audits.
• Performing IT applications controls audits.
• Performing specialist technical IT controls audits.
• Making effective and efficient use of IT to assist the audit processes.
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.
7.3.2 External Auditor
Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:
• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.
• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.
8.1 Risk Determines Response
IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.
It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.
The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO³ as:
"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."
In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:
"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
Thus, the CAE should consider whether or not:
• The organization's IT environment is consistent with the organization's risk appetite.
• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.
3. These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).
8.2 Risk Considerations in Determining the Adequacy of IT Controls
Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.
When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:
• The value and criticality of information.
• The organization's risk appetite and tolerance for each business function and process.
• IT risks faced by the organization and quality of service provided to its users.
• The complexity of the IT infrastructure.
• The appropriate IT controls and the benefits they provide.
• Harmful IT incidents in the past 24 months.
The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.
8.2.1 The IT Infrastructure
Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.
The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.
The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveals potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.
GTAG mdash Analyzing Risk mdash 8
8.2.2 IT Risks Faced by the Organization
The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.
8.2.3 Risk Appetite and Tolerance
Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.
The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.
8.2.4 Performing Risk Analysis
Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved, along with representatives from IT and the business areas.
There are eight basic questions associated with the risk assessment process. The first five include:
• What are the assets at risk, and the value of their confidentiality, integrity, and availability?
• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?
The next three questions apply to risk mitigation analysis:
• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
8.2.5 Value of Information
Determining the value of the information processed and stored is not an easy task, due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:
• Exclusive possession – cost in the event of a breach of confidentiality.
• Utility – cost in the event of a loss of integrity.
• Cost of creation/re-creation.
• Liability in the event of litigation.
• Convertibility/negotiability – represents market value.
• Operational impact of unavailability.
8.2.6 Appropriate IT Controls
Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject. See Appendix I (see page 45).
The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.
8.3 Risk Mitigation Strategies
When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.
In general, there are several ways to mitigate the potential impact of risks:
• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence is low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as periodically reviewing the risk to ensure its impact remains low.
• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.
• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
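As an added illustration (not code from the IIA, COSO, or GAISP), the eight questions of 8.2.4, the GAISP value categories of 8.2.5, and the four responses above can be worked through as a small risk register in Python. The mapping of the GAISP categories onto confidentiality, integrity, and availability, the asset, the threat events, the response options, and every figure are assumptions constructed for the example:

```python
"""Risk analysis walked through the eight questions of 8.2.4, the GAISP value
categories of 8.2.5 and the four responses of 8.3.  Added illustration; not
code from the IIA, COSO or GAISP.  All figures are constructed."""
from dataclasses import dataclass
from enum import Enum


class Strategy(Enum):
    ACCEPT = "accept the risk"
    ELIMINATE = "eliminate the risk"
    SHARE = "share the risk"
    CONTROL = "control/mitigate the risk"


@dataclass(frozen=True)
class InformationAsset:
    """Question 1: an asset valued under the GAISP categories."""
    name: str
    exclusive_possession: float  # cost if confidentiality is breached
    utility: float               # cost if integrity is lost
    recreation_cost: float       # cost of creation/re-creation
    liability: float             # liability in the event of litigation
    convertibility: float        # convertibility/negotiability (market value)
    unavailability: float        # operational impact of a one-day outage

    def value_at_risk(self, prop: str) -> float:
        """Assumed mapping of the GAISP categories onto the CIA properties."""
        if prop == "confidentiality":
            return self.exclusive_possession + self.liability + self.convertibility
        if prop == "integrity":
            return self.utility + self.recreation_cost
        if prop == "availability":
            return self.unavailability
        raise ValueError(f"unknown property: {prop}")


@dataclass(frozen=True)
class ThreatEvent:
    """Questions 2 to 5: what could happen, how bad, how often, how certain."""
    name: str
    affects: str             # property the event degrades
    impact_fraction: float   # share of the value at risk lost per event
    annual_frequency: float  # expected occurrences per year
    uncertainty: float       # +/- band on the estimate; 0.5 means +/- 50 %


@dataclass(frozen=True)
class ResponseOption:
    """Questions 6 to 8: a response, its annual cost and its effect."""
    name: str
    strategy: Strategy
    annual_cost: float
    frequency_reduction: float = 0.0  # 0..1: how much less often it happens
    impact_reduction: float = 0.0     # 0..1: how much less it costs when it does


def annual_loss(asset, event):
    """Expected annual loss with its (low, expected, high) uncertainty band."""
    expected = (asset.value_at_risk(event.affects)
                * event.impact_fraction * event.annual_frequency)
    return (expected * (1 - event.uncertainty), expected,
            expected * (1 + event.uncertainty))


def residual_loss(asset, event, option):
    """Expected annual loss that remains once the option is in place."""
    expected = annual_loss(asset, event)[1]
    return expected * (1 - option.frequency_reduction) * (1 - option.impact_reduction)


def net_benefit(asset, event, option):
    """Loss avoided per year minus the option's cost; positive means cost-efficient."""
    return annual_loss(asset, event)[1] - residual_loss(asset, event, option) - option.annual_cost


def recommend(asset, event, options, risk_appetite):
    """Accept when the expected loss is within appetite; otherwise pick the
    cost-efficient option with the best net benefit whose residual loss is
    within appetite.  Returns None when no option qualifies."""
    if annual_loss(asset, event)[1] <= risk_appetite:
        return Strategy.ACCEPT, None
    viable = [o for o in options if net_benefit(asset, event, o) > 0
              and residual_loss(asset, event, o) <= risk_appetite]
    if not viable:
        return None
    best = max(viable, key=lambda o: net_benefit(asset, event, o))
    return best.strategy, best.name


# Constructed sample data: one asset, two threat events, three responses.
CARD_DB = InformationAsset("cardholder database", exclusive_possession=400_000,
                           utility=200_000, recreation_cost=50_000, liability=300_000,
                           convertibility=100_000, unavailability=20_000)
DISCLOSURE = ThreatEvent("unauthorized disclosure of stored data", "confidentiality",
                         impact_fraction=1.0, annual_frequency=0.1, uncertainty=0.5)
OUTAGE = ThreatEvent("storage failure takes the database offline", "availability",
                     impact_fraction=1.0, annual_frequency=0.25, uncertainty=0.5)
OPTIONS = [
    ResponseOption("encrypt stored data", Strategy.CONTROL, 30_000, impact_reduction=0.9),
    ResponseOption("cyber-insurance policy", Strategy.SHARE, 50_000, impact_reduction=0.6),
    ResponseOption("replace the storage vendor", Strategy.ELIMINATE, 120_000,
                   frequency_reduction=1.0),
]
RISK_APPETITE = 10_000.0  # expected annual loss the board is willing to carry
```

With these constructed figures, `recommend(CARD_DB, DISCLOSURE, OPTIONS, RISK_APPETITE)` selects the encryption control (the insurance and vendor-replacement options cost more per year than the loss they avoid), while the outage event falls within appetite and is accepted with periodic review.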
8.4 Control Characteristics to Consider
Some of the issues to be addressed during the IT control evaluation process include:
• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?
8.5 Baseline IT Controls
IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.
IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.
It is not easy to define the baseline IT controls, because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:
• Do IT policies — including for IT controls — exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?
Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf.
Fundamental Five
The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.
1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)
Digital Dozen
One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":
1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
9.1 Choosing a Control Framework
The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.
A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.
Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.
The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.
Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).
The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls
Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas
Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement
Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution
Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high risk business areas/functions
• IT internal audit assessment
• IT insurance assessment
Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units
Figure 5 - COSO Model for Technology Controls
9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor’s monitoring and assessments are performed to independently attest to management’s assertions regarding the adequacy of controls. Management’s control monitoring and assessment activities should be planned and conducted within several categories, as follows:
9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.
9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.
Suitable Recognized Framework

“…the framework on which management’s assessment of the issuer’s internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992.”

— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003

19
10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies, but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors “audited around the computer.” Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing. (See http://www.theiia.org/guidance/standards-and-practices.) However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.
10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems and to check the results to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

20

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world’s recognition of the importance of effective information security management.
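The test-data population of 10.2 and the embedded check of 10.2.1, as an added example that is not part of the GTAG or of any product it names: a small Python routine runs a constructed ledger against predetermined criteria (large value, self-approval, after-hours posting, same-day duplicate), then re-runs it with tuned thresholds so the alert volume of the two runs can be compared. Transaction records, rule names and threshold values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    posted: datetime
    vendor: str
    amount: float
    created_by: str
    approved_by: str
    batch: str = ""  # name of a scheduled batch run; "" for an ad hoc entry


@dataclass(frozen=True)
class Alert:
    rule: str
    txn_id: str
    detail: str


@dataclass(frozen=True)
class Criteria:
    """Predetermined criteria the embedded check applies (constructed values)."""
    large_value: float = 10_000.0              # event-driven large-value check
    business_hours: tuple = (7, 19)            # postings outside 07:00-19:00 are unusual
    accepted_batches: frozenset = frozenset()  # scheduled batches accepted as normal events


def run_audit(transactions: list, criteria: Criteria) -> list:
    """Check every transaction against the criteria and return the anomalies found."""
    alerts = []
    seen = set()  # (vendor, amount, date) keys already posted, for the duplicate check
    start, end = criteria.business_hours
    for t in sorted(transactions, key=lambda x: x.posted):
        if t.amount >= criteria.large_value:
            alerts.append(Alert("large_value", t.txn_id,
                                f"amount {t.amount:,.2f} >= {criteria.large_value:,.2f}"))
        if t.created_by == t.approved_by:
            alerts.append(Alert("self_approval", t.txn_id,
                                f"{t.created_by} both created and approved the item"))
        outside_hours = not (start <= t.posted.hour < end)
        accepted = bool(t.batch) and t.batch in criteria.accepted_batches
        if outside_hours and not accepted:
            alerts.append(Alert("after_hours", t.txn_id, f"posted at {t.posted:%H:%M}"))
        key = (t.vendor, t.amount, t.posted.strftime("%Y-%m-%d"))
        if key in seen:
            alerts.append(Alert("duplicate", t.txn_id,
                                f"same vendor and amount already posted on {key[2]}"))
        seen.add(key)
    return alerts


def summarize(alerts: list) -> dict:
    """Alert volume per rule, the figure an auditor watches while tuning thresholds."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


# Constructed sample ledger (not real data): a same-day duplicate, a self-approved
# large payment, an overnight payroll batch run and an ad hoc 03:10 posting.
SAMPLE_LEDGER = [
    Transaction("T1", datetime(2005, 3, 1, 9, 15), "Acme Supplies", 2_500.00, "alice", "bob"),
    Transaction("T2", datetime(2005, 3, 1, 10, 2), "Acme Supplies", 2_500.00, "alice", "bob"),
    Transaction("T3", datetime(2005, 3, 1, 11, 30), "Globex Corp", 48_000.00, "carol", "carol"),
    Transaction("T4", datetime(2005, 3, 1, 23, 45), "Payroll Bureau", 15_000.00, "system", "dave",
                "PAYROLL"),
    Transaction("T5", datetime(2005, 3, 2, 3, 10), "Initech", 800.00, "erin", "frank"),
    Transaction("T6", datetime(2005, 3, 2, 14, 0), "Initech", 9_900.00, "erin", "frank"),
]

DEFAULT_CRITERIA = Criteria()
# Tuned after reviewing the first run: the overnight payroll batch is a normal
# scheduled event, and routine payroll values sit below a raised threshold.
TUNED_CRITERIA = Criteria(large_value=25_000.0, accepted_batches=frozenset({"PAYROLL"}))

if __name__ == "__main__":
    for label, crit in (("default", DEFAULT_CRITERIA), ("tuned", TUNED_CRITERIA)):
        found = run_audit(SAMPLE_LEDGER, crit)
        print(f"{label}: {len(found)} alerts {summarize(found)}")
        for a in found:
            print(f"  [{a.rule}] {a.txn_id}: {a.detail}")
```

The self-approval and duplicate findings survive tuning while the payroll batch drops out, which is the distinction between a control exception and an accepted normal event that the text asks the auditor to keep making.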
10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today’s complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

“Metrics and reporting” and “audit report summaries” are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting – Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G. (See page 40.) These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can materially impact controls at the governance level.

Audit report summaries – Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization’s needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization’s governance framework and philosophy and the extent to which IT risks exist.
Figure 6 – Audit Interfaces
21
Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization’s mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.

22

GTAG — Conclusion — 11
Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the “Technology” section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.

12.2 Management

• Establish information security management policies and controls and monitor compliance.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program, with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management

23

GTAG — Appendix A — Information Security Program Elements — 12
There is an increasing volume of legislation impacting the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled “Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing” (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization’s overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization’s risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA’s Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.
13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records “that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets.” Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle “confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters” (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

24

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

25

They must disclose:

• “All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer’s ability to record, process, summarize, and report financial data and identify for the issuer’s auditors any material weaknesses in internal controls.”

• “Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls.”

Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.
13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord

The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance, and supplier management.

A bank wishing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:

• Senior management is actively involved.
• The bank has an OR management system, processes, policies, and procedures enterprisewide.
• The bank has the right governance and sufficient resources to manage operational risks.
• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework.
  – Codifying policies, procedures, and controls.
  – Designing and implementing an OR measurement methodology.
  – Designing and implementing an OR management reporting system.
  – Developing strategies to identify, measure, monitor, and control or mitigate OR.
• An OR measurement system is closely integrated into the day-to-day risk management process.
• The OR exposures and loss experiences are regularly reported.
• The OR management system is documented.
• Internal and external auditors regularly review the OR management processes and measurement system.

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe “tail” loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank’s organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider, such as the Zurich-based ORX Global Operational Loss Database (GOLD) or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank).
• Internal loss data must be linked to the bank’s current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.
• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks’ credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or “BITS Kalculator” (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).
133 Data ProtectionThe concept of data protection was developed when com-puterization issues were raised at United Nations and OECDconferences in the late 1960s The first national law wasenacted in 1974 in Sweden and the OECD published itsData Protection Guidelines in 1980 (OECD C (80) 58final) Regional bodies like the Council of Europe (DataProtection Convention 1081981 human rights-based) andthe European Commission (EC) (Directive 9546EC consumer protection-oriented) have enacted binding frame-works for implementation in their member statesDepending on their legal system many countries around theglobe have constitutional provisions and omnibus laws or abroad spectrum of sector regulations for data protection To bridge the differences in US and European Union (EU)privacy regulations the EC and the US Department ofCommerce developed a safe harbor framework for US companies The safe harbor is a framework agreement consisting of seven principles and a series of frequently askedquestions (See also httpwwwwas4hewittcomhewittresourcelegislative_updateseuropeeu_data1htm)
The EU legislation requires organizations to protect thepersonal information of individuals The legislation alsomandates that appropriate technical measures be taken toensure the security of personal data whether electronic ormanual Further information regarding data protection canbe found at the Electronic Privacy Information Center(EPIC) (httpwwwepicorg) Privacy International(httpwwwprivacyinternationalorg) and the UK Office ofthe Information Commissioner (httpwwwinformationcommissionergovuk)
134 The US Gramm-Leach-Bliley Act (GLBA) - The Financial Modernization Act of 1999
The GLBA was introduced to protect the privacy of cus-tomer information in the financial sector but it extendsbeyond financial companies Any company that handlesnon-public financial customer information may be heldaccountable under this law depending on the circumstancesMore information is available from EPIC(httpwwwepicorgprivacyglba) and the US FederalTrade Commission (httpwwwftcgovbcpconlinepubsbuspubsglblongshtm-whois)
13.5 US Health Insurance Portability and Accountability Act (HIPAA) 1996
HIPAA contains requirements for the privacy of personal information and for information security. The law applies to US-based companies in the health care sector, but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.
13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)
California's Senate Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise, public or private, doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's position favorably if it treats its California customers differently from its other customers.
GTAG – Appendix B – Compliance With Laws and Regulations and Guidance on Compliance Implementation – 13
13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.
GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14
14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.4 Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work are essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.
14.1.1 Category 1 – All Auditors
Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.
14.1.2 Category 2 – Audit Supervisors
Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:
• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence, including IT proficiency, for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.
14.1.3 Category 3 – Technical IT Audit Specialists
Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with those technologies. IT auditors also may specialize in only certain areas of technology.
IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.
The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) credentials relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.
Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.
4 Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.
GTAG – Appendix D – Compliance Frameworks – 15
15.1 COSO

Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (see Appendix E, page 36), a widely accepted tool for both management and auditors, in 1992, and it published Enterprise Risk Management – Integrated Framework in September 2004. Details of both frameworks can be found at http://www.coso.org.
15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.
In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.
15.3 CICA IT Control Guidelines

The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.
15.4 ITGI Control Objectives for Information and Related Technology (CobiT)
Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information and Related Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and for IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.
15.5 ISO 17799 (Code of Practice for Information Security Management)
ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communications and operations management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:
• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.
15.5.1 What Is Information Security?
BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.
Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.
Information security is characterized within BS 7799 as the preservation of:
• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.
Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.
15.5.2 How to Establish Security Requirements
BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:
• Assessing risks to the organization (BS 7799 does not prescribe a methodology).
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.
15.5.3 Assessing Security Risks
BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.
15.5.4 Selecting Controls
Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.
15.5.5 Topics Addressed in BS 7799
1. Scope
2. Terms and definitions
3. Security policy
   3.1 Information security policy document
   3.2 Review and evaluation
4. Security organization
   4.1 Information security infrastructure
   4.2 Security of third-party access
   4.3 Outsourcing
5. Asset classification and control
   5.1 Accountability for assets
   5.2 Information classification
6. Personnel security
   6.1 Security in job definition and resourcing
   6.2 User training
   6.3 Responding to security incidents and malfunctions
7. Physical and environmental security
   7.1 Secure areas
   7.2 Equipment security
   7.3 General controls
8. Communications and operations management
   8.1 Operational procedures and responsibilities
   8.2 System planning and acceptance
   8.3 Protection against malicious software
   8.4 Housekeeping
   8.5 Network management
   8.6 Media handling and security
   8.7 Exchanges of information and software
9. Access control
   9.1 Business requirement for access control
   9.2 User access management
   9.3 User responsibilities
   9.4 Network access control
   9.5 Operating system access control
   9.6 Application access control
   9.7 Monitoring system access and use
   9.8 Mobile computing and teleworking
10. Systems development and maintenance
   10.1 Security requirements of systems
   10.2 Security in application systems
   10.3 Cryptographic controls
   10.4 Security of system files
   10.5 Security in development and support processes
11. Business continuity management
   11.1 Business continuity management process
12. Compliance
   12.1 Compliance with legal requirements
   12.2 Reviews of security policy and technical compliance
   12.3 System audit considerations
15.6 ISF Standard of Good Practice for Information Security
The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.
15.7 Generally Accepted Information Security Principles (GAISP)
The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:
• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).
• Detailed Principles – guidance for operational information security management (under development).
GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.
15.7.1 Pervasive Principles
The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.
• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
  Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know, including but not limited to information owners and information security practitioners, should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
  Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
  Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
  Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
  Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
  Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.
• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
  Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management
• Assessment Principle – The risks to information and information systems should be assessed periodically.
  Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks, with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
  Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.
15.8 AICPA/CICA Trust Services Principles and Criteria
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:
• Policies – The organization has defined and documented its policies5 relevant to the particular principle.
• Communications – The organization has communicated its defined policies to authorized users.
• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.
Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.
15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)
In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.
15.8.2 Availability Principle – The system is available for operation and use as committed or agreed
The availability principle refers to the accessibility of the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not in itself set a minimum acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.
Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) or system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

5 The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

6 Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.
15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized
Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.
The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services in the correct quantity and price by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.
Processing integrity differs from data integrity because it does not automatically imply that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
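The four attributes of processing integrity described above, as an added example that is not part of the GTAG or of the Trust Services literature: a small Python batch processor that applies a completeness, timeliness, authorization, and accuracy check to a constructed batch of payment transactions, the kind of application controls an auditor would expect to find in place and would test. The transaction layout, the approval threshold, the 24-hour window, the fixed-width ledger field that causes the accuracy failure, and the sample records are all assumptions made for illustration.

```python
"""Added example, not from the GTAG or the Trust Services literature: a batch
of payment transactions run through a check for each processing-integrity
attribute. Layout, policy limits, ledger and sample batch are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional
import hashlib

APPROVAL_THRESHOLD = Decimal("10000.00")  # assumed: above this a second person must approve
SLA = timedelta(hours=24)                 # assumed: committed processing window
LEDGER_PAYEE_WIDTH = 20                   # assumed: fixed-width field in the downstream ledger
NOW = datetime(2024, 1, 15, 12, 0)        # fixed clock so the example is reproducible


@dataclass
class Txn:
    txn_id: str
    submitter: str
    approver: Optional[str]
    payee: str
    amount: Decimal
    submitted_at: datetime


@dataclass
class Result:
    processed: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)  # (txn_id, attribute, detail)


def fingerprint(t: Txn) -> str:
    """Hash of the key fields as submitted; recomputed from the ledger after
    posting so any alteration of payee or amount in flight is detected."""
    return hashlib.sha256(f"{t.txn_id}|{t.payee}|{t.amount:.2f}".encode()).hexdigest()


def post_to_ledger(t: Txn, ledger: dict) -> None:
    """Simulated downstream posting. The payee truncation is a deliberate
    accuracy defect so the read-back check has something to catch."""
    ledger[t.txn_id] = {"payee": t.payee[:LEDGER_PAYEE_WIDTH],
                        "amount_cents": int(t.amount * 100)}


def read_back(t: Txn, ledger: dict) -> Txn:
    rec = ledger[t.txn_id]
    amount = (Decimal(rec["amount_cents"]) / 100).quantize(Decimal("0.01"))
    return Txn(t.txn_id, t.submitter, t.approver, rec["payee"], amount, t.submitted_at)


def process_batch(header_count: int, header_total: Decimal, txns: list,
                  now: datetime, already_processed: set) -> Result:
    res = Result()
    ledger: dict = {}
    # Completeness, batch level: control totals must agree with the header
    # before anything is posted, so a dropped or injected record stops the run.
    if len(txns) != header_count or sum(t.amount for t in txns) != header_total:
        res.exceptions.append(("BATCH", "completeness", "control totals do not match header"))
        return res
    seen = set(already_processed)
    for t in txns:
        # Completeness, record level: nothing is processed more than once.
        if t.txn_id in seen:
            res.exceptions.append((t.txn_id, "completeness", "already processed"))
            continue
        # Timeliness: processed within the committed window.
        if now - t.submitted_at > SLA:
            res.exceptions.append((t.txn_id, "timeliness", "submitted outside SLA window"))
            continue
        # Authorization: large amounts need an approver other than the submitter.
        if t.amount > APPROVAL_THRESHOLD and t.approver in (None, t.submitter):
            res.exceptions.append((t.txn_id, "authorization", "approval missing or self-approved"))
            continue
        # Accuracy: what the ledger holds must match what was submitted.
        expected = fingerprint(t)
        post_to_ledger(t, ledger)
        if fingerprint(read_back(t, ledger)) != expected:
            res.exceptions.append((t.txn_id, "accuracy", "posted record differs from submission"))
            del ledger[t.txn_id]
            continue
        seen.add(t.txn_id)
        res.processed.append(t.txn_id)
    return res


def sample_batch(now: datetime) -> list:
    """Constructed batch: T0 was posted in an earlier run, T2 is self-approved,
    T4 has a payee name wider than the ledger field, T5 is three days old."""
    h = timedelta(hours=1)
    return [
        Txn("T0", "alice", None,    "Globex Corp",         Decimal("500.00"),   now - h),
        Txn("T1", "alice", None,    "Acme Supplies Ltd",   Decimal("1234.50"),  now - h),
        Txn("T2", "bob",   "bob",   "Initech",             Decimal("25000.00"), now - h),
        Txn("T3", "bob",   "carol", "Initech",             Decimal("25000.00"), now - h),
        Txn("T4", "dave",  None,    "Northwind Traders International GmbH", Decimal("99.99"), now - h),
        Txn("T5", "erin",  None,    "Vandelay Industries", Decimal("42.00"),    now - timedelta(days=3)),
    ]


def run_example() -> Result:
    batch = sample_batch(NOW)
    total = sum(t.amount for t in batch)  # header prepared from the same records
    return process_batch(len(batch), total, batch, NOW, already_processed={"T0"})


def run_mismatch_example() -> Result:
    """Header claims one record more than was delivered: nothing is posted."""
    batch = sample_batch(NOW)
    return process_batch(len(batch) + 1, sum(t.amount for t in batch), batch, NOW, set())


if __name__ == "__main__":
    r = run_example()
    print("processed:", r.processed)
    for e in r.exceptions:
        print("exception:", e)
```

Two design choices carry the audit point. The control-total check runs before any record is posted, so a batch that lost or gained a record is rejected whole rather than partially applied; and accuracy is checked by reading the posted record back and comparing a hash of the key fields with the submission, which is what catches the silent field truncation in the simulated ledger. The exceptions list is the evidence an auditor would sample: each entry names the attribute that failed, and a clean run that never produces exceptions would itself be a reason to test whether the checks are actually wired in.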
15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria
The Privacy Principle contains 10 components6 and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and on many recognized good privacy practices. The privacy components are:
• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
• Collection – The organization collects personal information only for the purposes identified in the notice.
• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.
• Access – The organization provides individuals with access to their personal information for review and update.
• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security – The organization protects personal information against unauthorized access, both physical and logical.
bull Quality ndash The organization maintains accurate
GTAG mdash Appendix D mdash Compliance Frameworks mdash 15
34
complete and relevant personal information for thepurposes identified in the notice
bull Monitoring and enforcement ndash The organizationmonitors compliance with its privacy policies andprocedures and has processes to address privacy-related complaints and disputes
15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed.
The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.
15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle-management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.
15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.
15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society
Appendix E — Assessing IT Controls Using COSO
The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.
16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.
16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.
16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.
Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT)
Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.
CobiT comprises:

• An executive summary, which provides an overview of CobiT's issues and foundational premise.
• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.
• Control objectives: statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives.
• Audit guidelines: suggested audit steps corresponding to each of the IT control objectives.
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments and several tools to help management assess their control environment related to information and IT resources.
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control; critical success factors to identify the most important actions for achieving control over the IT processes; key goal indicators to define target levels of performance; and key performance indicators to measure whether an IT control process is meeting its objective.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of CobiT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.
Appendix G — Example IT Control Metrics to Be Considered by Audit Committees
The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report⁷ that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements regarded as essential content for comprehensive enterprise management of information security was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.
18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.

• Oversee risk management and compliance programs pertaining to information security
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
  – Percentage of information security program principles for which approved policies and controls have been implemented by management
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified
• Strive to protect the interests of all stakeholders who depend on information security
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods
• Review information security policies regarding strategic partners and other third parties
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements
• Strive to ensure business continuity
  – Percentage of organizational units with an established business-continuity plan
• Review provisions for internal and external audits of the information security program
  – Percentage of required internal and external audits completed and reviewed by the board
  – Percentage of audit findings that have not been resolved
• Collaborate with management to specify the information security metrics to be reported to the board
⁷ http://reform.house.gov/TIPRC

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.
• Establish information security management policies and controls and monitor compliance
  – Percentage of information security program elements for which approved policies and controls are operational
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
  – Percentage of information security policy compliance reviews that noted violations
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls
• Assign information security roles, responsibilities, and required skills and enforce role-based information-access privileges
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle
  – Number of individuals with access to security software who are not trained and authorized security administrators
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks
• Assess information risks, establish risk thresholds, and actively manage risk mitigation
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy
  – Percentage of critical assets and functions for which the cost of compromise — loss, damage, disclosure, or disruption of access — has been quantified
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy
• Ensure implementation of information security requirements for strategic partners and other third parties
  – Percentage of known information security risks that are related to third-party relationships
  – Percentage of critical information assets or functions to which third-party personnel have been given access
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically
  – Percentage of security incidents that involve third-party personnel
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements
  – Percentage of out-of-compliance review findings that have been corrected since the last review
• Identify and classify information assets
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy
  – Date when the asset inventory was last updated
• Implement and test business-continuity plans
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy
• Approve information systems architecture during acquisition, development, operations, and maintenance
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately
  – Percentage of system architecture changes — additions, modifications, or deletions — that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture
• Protect the physical environment
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding
  – Percentage of servers in locations with controlled physical access
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness
• Collaborate with security personnel to specify the information security metrics to be reported to management
GTAG mdash Appendix G mdash Example IT Control Metrics to Be Considered by Audit Committees mdash 18
41
GTAG — Appendix H — CAE Checklist

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards
2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance
3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal audit
      ii. External audit
4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls
5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing
6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?
11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?
GTAG — Appendix I — References

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm
Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org
Information Security Management and Assurance, three-report series from The IIA, National Association of Corporate Directors (NACD), US Critical Infrastructure Assurance Office et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap
Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716
IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503
Turnbull Report: Internal Control – Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk
Common Sense Guide for Senior Managers, Internet Security Alliance. http://www.isalliance.org
Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity
Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html
Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman); eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html
ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf
IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org
Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf
ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3
OECD Guidelines for the Security of Information Systems and Networks; nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html
Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm
Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org
DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html
ISO 15408 Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm
ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler
IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm
ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca
NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html
NIST 800-12, The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html
NIST 800-30, Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html
NSA Configuration Guides. http://www.nsa.gov/snac
SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org
Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office. http://www.gao.gov
Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca
Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC
Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC
GTAG — Appendix J — Glossary

A listing of technical terms used in the guide, with a simple, plain-English definition.

Application control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.
Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.
CAE – Chief audit executive
CEO – Chief executive officer
CFO – Chief financial officer (and controller)
CIO – Chief information officer
CISO – Chief information security officer
CLC – Chief legal counsel
COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org
CRM – Customer relationship management
CSO – Chief security officer
Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda.
Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.
Efficient – To be efficient, a process or activity must also be effective. IT Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.
Framework – A structure for organizing something (e.g. governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.
General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people and processes (also known as IT infrastructure).
GLBA – US Gramm-Leach-Bliley Act
Governance – The combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.
GTAG – Global Technology Audit Guide
HIPAA – US Health Insurance Portability and Accountability Act
Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.
Information resource – Includes all elements of the organization involved in information processing (e.g. acquisition, processing, communication and storage), including the related hardware, software, processes and personnel.
Information security – The concepts, techniques, technical measures and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss or use.
Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.
ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org
IT controls – Those controls that provide reasonable assurance of the secure, reliable and resilient performance of hardware, software, processes and personnel, as well as the reliability of the organization's information.
IT infrastructure – The overall IT environment, including systems, networks, data, people and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services, such as the Internet, energy, financial services, utilities, government and transportation. To the extent that infrastructures support national and regional economies, defenses and business continuity, they are known as critical infrastructures.
ITPI – IT Process Institute. See http://www.itpi.org
Public Company Accounting Oversight Board (PCAOB) – A private-sector, nonprofit corporation established by the Sarbanes-Oxley Act of 2002 and overseen by the US Securities and Exchange Commission, which acts as the oversight body for the auditors of public companies and thereby for public financial reporting.
Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."
Risk management – The ongoing identification, measurement and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can adversely affect the confidentiality, integrity or availability of an organization's information assets.
Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

GTAG — Appendix K — About the Global Technology Audit Guides
This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology facts and issues sufficiently to explain business opportunities, risks and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.
Julia H Allen CMU/SEI Carnegie Mellon University Software Engineering Institute
Michael R Dickson Business Technology Group LLC
Clint Kreitner President/CEO CIS The Center for Internet Security
Alex Lajoux NACD National Association of Corporate Directors
Will Ozier Vice Chair the ISSA GAIS Committee CEO & President OPA Inc The Integrated Risk Management Group USA
Mark Salamasick CIA University of Texas at Dallas
Karyn Waller AICPA American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R Dickson Karyn Waller American Institute of Certified Public Accountants
CIS – Clint Kreitner Center for Internet Security
CMU/SEI – Julia Allen Bob Rosenstein Carnegie Mellon University Software Engineering Institute
ISSA – Dave Cullinane President Bob Daniels Exec Vice President Information Systems Security Association
NACD – Peter Gleason Alex Lajoux National Association of Corporate Directors
SANS Institute – Alan Paller Director of Research Stephen Northcutt COO

23.3 Project Review Team

Peter Allor ISS Internet Security Systems
Jack Antonelli ADP
Ken D Askelson CIA JC Penney Co Inc
Becky Bace Infidel Inc
Kevin Behr IPSI Institute for Integrated Publication and Information Systems
Jeff Benson BearingPoint
Robert S Block Chairman 3D Business Tools USA
Sylvia Boyd The IIA
Alexandra Branisteanu Information Security Officer Scripps Health San Diego USA
Larry Brown Options Clearing Corp
Stephanie Bryant University of South Florida
Phil Campbell Specialized IT LLC USA
John Carlson BITS Banking Industry Technology Secretariat
Chris Compton Intrusion Labs
Guy Copeland CSC Computer Sciences Corp
Rich Crawford Vice President/Senior Security Advisor Janus Risk Management USA
Bob Daniels EDS
Bob Dix US House of Representatives

GTAG — Appendix L — GTAG Partners and Global Project Team

Jerry E Durant CIA President Certifiable Technologies Ltd Orlando Fla USA
Emily Frye Critical Infrastructure Protections Program George Mason University School of Law USA
Greg Garcia ITAA Information Technology Association of America
Russ Gates Dupage Consulting LLC
Lou Giles Chevron Phillips Chemical Co
Doug Guerrero EDS
Kai Tamara Hare Nuserve
Michael S Hines CIA Purdue University
Bob Hirth Protiviti
Don Holden CISSP Concordant Inc USA
Dave Kern Ethentica
Gene Kim CTO Tripwire Inc USA
Jim Kolouch BearingPoint
David Kowal VP JP Morgan Chase
Paul Kurtz CSIA Cyber Security Industry Alliance
Cindy LeRouge PhD Decision Sciences/MIS Department John Cook School of Business St Louis University USA
Andrée Lavigne CICA Canadian Institute of Chartered Accountants
Debbie Lew Guidance Software
Brenda Lovell CIA CCSA CGAP The IIA
Warren Malmquist Adolph Coors Co
Stacy Mantzaris CIA IIA
Dennis Miller Heritage Bank
Patrick Morrissey Auditwire
Bruce Moulton Symantec
Paul Moxey ACCA Association of Chartered Certified Accountants
Roseane Paligo CIA Chief Financial Officer 1st Choice Community Federal Credit Union USA
Fred Palmer Palmer Associates
Xenia Parker CIA CFSA VP Enterprise Technology Group Marsh Inc
Bernie Plagman TechPar Group
Heriot Prentice MIIA FIIA QiCA The IIA
Dick Price Beacon IT Ltd BS 7799 Consultancy USA
Michael Quint Corporate Compliance Officer EDS Corporate Audit USA
Sridhar Ramamoorti CIA CFSA Ernst & Young LLP Chicago IL USA
Amy Ray Bentley College
Martin Ross GSC Global Security Consortium
Chip Schilb EDS USA
Howard Schmidt eBay
Mark Silver Symantec
George Spafford President Spafford Global ConsultingSaint Joseph IL USA
Adam Stone Assurant
Jay H Stott CIA Fidelity Investments
Dan Swanson CIA IIA
Jay R Taylor CIA CISA CFE General Motors Corporation
Bill Tener University & Community College System of Nevada
Archie Thomas
Fred Tompkins BearingPoint
Don Warren Rutgers University
Dominique Vincenti CIA The IIA
Mark Winn Intrusec
Amit Yoran
23.4 IIA International Affiliates
Frank Alvern CIA CCSA Nordea Bank Norway
Alexandre Alves Apparecido Brazil
Dror Aviv Israel
David F Bentley England UK and Ireland
Gerardo Carstens CIA IIA Argentina
Richard Cascarino South Africa
Iftikhar Chaudry Pakistan
Hisham T El Gindy Manager KPMG Hazem Hassan Egypt
Dr Ulrich Hahn CIA Switzerland
Rossana S Javier Makati City Philippines
Andras Kovacks Hungary
Christopher McRostie Australia
Furqan Ahmad Saleem Partner Avais Hyder Nauman Rizwani RSM Pakistan
Kyoko Shimizu CIA Japan
John Silltow Security Control and Audit Ltd United Kingdom
Ken Siong International Federation of Accountants
Anton van Wyk PwC South Africa
Nick Wolanin Adjunct Senior Lecturer Australian Graduate
Julie Young Australia
23.5 Other International
Carolee Birchall Vice President and Senior Risk Officer Bank of Montreal Canada
P J Corum Quality Assurance Institute Middle East and Africa United Arab Emirates
Ariel Peled President ISSA Israeli Chapter
P Shreekanth India
Karen Woo Selangor Malaysia
23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman) CIA PricewaterhouseCoopers South Africa
Alexandre Alves Apparecido Brasil Telecom Brazil
Ken D Askelson CIA JC Penney Co Inc USA
Dror Aviv CFSA IIA Israel
Donald L Bailey Grant Thornton LLP USA
EW Sean Ballington PricewaterhouseCoopers LLP USA (originally South Africa)
Norman F Barber Microsoft Corp USA
David F Bentley QiCA Consultant England
Claude Cargou GIE AXA France
Michael P Fabrizius CIA Bon Secours Health System Inc USA
Ramiz Tofigi Ganizade Azerbaijan Republic Chamber of Auditors Azerbaijan
Douglas Guerrero EDS Corp USA
Dr Ulrich Hahn CIA Syngenta International Switzerland
David J Hill IBM Corp USA
Michael S Hines CIA Purdue University USA
Mark J Hornung Ernst & Young LLP USA
Gene Kim CTO Tripwire Inc USA
David S Lione KPMG LLP Southeast Region USA
Peter B Millar ACL Services Ltd Canada
Allan M Newstadt CIA World Bank/International Finance Corp USA
Brenda J S Putman CIA City Utilities of Springfield USA
Kyoko Shimizu CIA Shin Nihon amp Co Japan
Brian M Spindel CIA SecurePipe Inc USA
Rajendra P Srivastava University of Kansas USA
Jay Stott CIA Fidelity Investments USA
Jay R Taylor CIA CISA CFE General Motors Corp USA
Thomas Jason Wood CIA Ernst & Young LLP USA
Akitomo Yamamoto IIA Japan

23.7 The Writing Team

David A Richards CIA President The IIA
Alan S Oliphant MIIA QiCA MAIR International
Charles H Le Grand CIA CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland
Trish Harris
Tim McCollum
Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645
IIA Member US $25
Nonmember US $30
IIA Event US $22.50
www.theiia.org
ISBN 0-89413-570-8
ISBN 978-0-89413-623-8
When CAEs review and assess the controls over IT, they should ask:

• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks and requirements change.

GTAG — Assessing IT Controls — An Overview

"I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who."
— Rudyard Kipling, from "Elephant's Child" in Just So Stories

Figure 1 - The Structure of IT Auditing
COSO¹ defines internal control as "A process, effected by an organization's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions, from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them, and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access and authentication, separation of key IT functions, management of systems acquisition and implementation, change management, backup, recovery and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g. transaction initiation versus authorization), balancing of processing totals, transaction logging and error reporting. The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective or corrective.

Preventive controls prevent errors, omissions or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls and intrusion prevention systems.
GTAG — Understanding IT Controls

¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org

It is not necessary to know "everything" about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:
1. Assurance must be provided by the IT controls within the whole system of internal control, and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2
Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls because they represent another opportunity for errors, omissions or falsification.
Many other control classifications described in this guidemay be useful in assessing their effectiveness For exampleautomated controls tend to be more reliable than manualcontrols and nondiscretionary controls are more likely to beapplied consistently than discretionary controls Other control classifications include mandatory voluntary complementary compensating redundant continuous on-demand and event-driven
5.2 Governance, Management, Technical
Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels, governance and management, are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls are established within the technical IT infrastructure. Technical controls will be the subject of more topic-specific GTAGs.
5.2.1 Governance Controls
The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.
Governance controls are those mandated by, and controlled by, either the entire board of directors or a board committee in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.
An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.
5.2.2 Management Controls
Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied, and must ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:
• Recognize risks to the organization, its processes, and its assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).
5.2.3 Technical Controls
Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information, including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructure. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.
Figure 3 - Some Control Classifications
5.3 IT Controls – What to Expect
Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.
The hierarchy in Figure 4 (IT Controls, this page) represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.
5.3.1 Policies
All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.
Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.
IT policy statements include, but are not restricted to:
• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and the data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster, not just the IT elements.
Figure 4 – IT Controls
The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).
A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.
5.3.2 Standards
Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.
Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45). As a guideline, the CAE should expect to see standards adopted for:
• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards, or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications that support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases, defining the types of controls that must be present across the whole range of business activities as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures that disparate systems can access data seamlessly and that security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.
As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.
5.3.3 Organization and Management
Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.
5.3.3.1 Separation of Duties
Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and for accessing sensitive information.
Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems (except for change deployment) and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts, such as members of the Administrators group in Windows and the superuser (root) in UNIX, can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum. Software tools are also available, and should be considered, to limit the power and monitor the activities of individuals with privileged accounts.
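The maker/checker rule and the developer/operator split described above can be enforced in software rather than left to procedure. The following Python is an added illustration, not part of this guide: it models a static separation-of-duties review of a duty table (which duties may never be held together, and who holds the privileged duty), plus a per-transaction check that the person who initiated a transaction can never authorize it. The duty names, the conflict pairs, and the staff table are constructed for the example.

```python
"""Separation-of-duties checks for a transaction workflow (added example, not
from the guide). Duty names, conflict pairs and users are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Duty pairs that one person must never hold together (constructed matrix).
CONFLICTING_DUTIES = {
    frozenset({"develop", "deploy_to_production"}),
    frozenset({"operate_production", "modify_programs"}),
    frozenset({"administer_system", "review_admin_logs"}),
}
PRIVILEGED_DUTY = "administer_system"   # the "root / Administrators" equivalent


def duty_conflicts(duties):
    """Conflicting pairs present in one person's duty set, as sorted tuples."""
    held = set(duties)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= held)


def assignment_violations(user_duties):
    """Static SoD review of a {user: duties} table: who holds conflicting duties,
    and who holds the privileged duty (the guide says keep that list minimal)."""
    conflicts = {u: duty_conflicts(d) for u, d in user_duties.items() if duty_conflicts(d)}
    privileged = sorted(u for u, d in user_duties.items() if PRIVILEGED_DUTY in d)
    return {"conflicts": conflicts, "privileged_users": privileged}


class SeparationOfDutiesError(Exception):
    pass


@dataclass
class Transaction:
    tx_id: str
    amount: float
    initiated_by: str
    authorized_by: Optional[str] = None
    trail: list = field(default_factory=list)   # evidence of who did what, in order


class Workflow:
    def __init__(self, user_duties):
        violations = assignment_violations(user_duties)
        if violations["conflicts"]:
            raise SeparationOfDutiesError(f"conflicting assignments: {violations['conflicts']}")
        self.user_duties = {u: set(d) for u, d in user_duties.items()}

    def _has(self, user, duty):
        return duty in self.user_duties.get(user, set())

    def can_authorize(self, user, tx):
        """Dynamic SoD check: (allowed, reason), without changing any state."""
        if not self._has(user, "authorize"):
            return False, f"{user} does not hold the 'authorize' duty"
        if user == tx.initiated_by:
            return False, f"{user} initiated {tx.tx_id} and may not authorize it"
        if tx.authorized_by is not None:
            return False, f"{tx.tx_id} is already authorized by {tx.authorized_by}"
        return True, "ok"

    def initiate(self, user, tx_id, amount):
        if not self._has(user, "initiate"):
            raise PermissionError(f"{user} does not hold the 'initiate' duty")
        tx = Transaction(tx_id, amount, user)
        tx.trail.append(("initiate", user))
        return tx

    def authorize(self, user, tx):
        allowed, reason = self.can_authorize(user, tx)
        if not allowed:
            tx.trail.append(("authorize_denied", user, reason))   # denials are evidence too
            raise SeparationOfDutiesError(reason)
        tx.authorized_by = user
        tx.trail.append(("authorize", user))
        return tx


if __name__ == "__main__":
    # Constructed staff table: alice and bob may each initiate and authorize,
    # but neither may approve a transaction they raised themselves.
    wf = Workflow({"alice": {"initiate", "authorize"}, "bob": {"initiate", "authorize"},
                   "root_admin": {"administer_system"}})
    tx = wf.initiate("alice", "T-1", 250.0)
    print(wf.can_authorize("alice", tx))
    print(wf.can_authorize("bob", tx))
```

The static check belongs in the provisioning process; the dynamic check has to live in the application, because a role table alone cannot stop one of two legitimately authorized people from approving their own item.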
5.3.3.2 Financial Controls
Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost overruns and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.
5.3.3.3 Change Management
Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.
5.3.3.4 Other Management Controls
Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.
5.3.4 Physical and Environmental Controls
IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business, and the cost and sensitivity of the applications running business processes, can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.
Some typical physical and environmental controls include:
• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.
When considering physical and environmental security, it is also appropriate to consider contingency planning (also known as disaster recovery planning), which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.
5.3.5 Systems Software Controls
Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.
Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls, and these can provide an opening for hackers to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.
IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland, Certified Information Systems Auditor (CISA), available through the Information Systems Audit and Control Association (ISACA), and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing, and are useful for identifying an IT auditor's potential ability.
Some key technical controls the CAE should expect to find in a well-managed IT environment include:
• Access rights allocated and controlled according to the organization's stated policy.
• Division of duties enforced through systems software and other configuration controls.
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.
• Intrusion (penetration) testing performed on a regular basis.
• Encryption services applied where confidentiality is a stated requirement.
• Change management processes, including patch management, in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.
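The secure-configuration standards under 5.3.2 and the configuration controls listed above are auditable only if the effective settings are compared with a stated benchmark. The following Python is an added example, not from this guide or from the Center for Internet Security: it parses an sshd_config file, resolves which value sshd will actually use (the first one it reads, which makes a later contradicting line a common audit finding), and reports each setting that misses a rule. The rule table is constructed in the spirit of common SSH hardening guidance and is not the CIS Benchmark text; the defaults are the OpenSSH defaults as assumed here; the sample configuration is also constructed.

```python
"""Configuration-compliance check for sshd_config (added example, not from the
guide or CIS). Rule table and sample file are constructed; defaults are the
OpenSSH defaults as assumed here."""
import re

# keyword -> (predicate on the effective value, assumed default, why it matters)
RULES = {
    "permitrootlogin":        (lambda v: v.lower() == "no", "prohibit-password", "root must not log in over SSH"),
    "passwordauthentication": (lambda v: v.lower() == "no", "yes", "keys only; no password guessing"),
    "permitemptypasswords":   (lambda v: v.lower() == "no", "no", "no empty passwords"),
    "x11forwarding":          (lambda v: v.lower() == "no", "no", "X11 forwarding is needless attack surface"),
    "maxauthtries":           (lambda v: v.isdigit() and int(v) <= 4, "6", "limit authentication attempts"),
    "loglevel":               (lambda v: v.upper() in {"INFO", "VERBOSE"}, "INFO", "enough logging for an audit trail"),
    "clientaliveinterval":    (lambda v: v.isdigit() and 0 < int(v) <= 300, "0", "idle sessions must time out"),
}


def parse_sshd_config(text):
    """Return (effective, shadowed). sshd applies the FIRST value it reads for a
    keyword, so a later duplicate is silently ignored; it is reported as shadowed.
    Keywords are case-insensitive; 'Key value' and 'Key=value' are both accepted.
    Simplification (assumption): parsing stops at the first Match block, so only
    the global section is audited."""
    effective, shadowed = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key in effective:
            shadowed.append((lineno, key, value))
        else:
            effective[key] = value
    return effective, shadowed


def evaluate(text):
    """List of findings; an empty list means every rule passes."""
    effective, shadowed = parse_sshd_config(text)
    findings = []
    for key, (ok, default, why) in RULES.items():
        value = effective.get(key, default)
        if not ok(value):
            findings.append({"keyword": key, "value": value,
                             "source": "explicit" if key in effective else "default", "why": why})
    for lineno, key, value in shadowed:
        findings.append({"keyword": key, "value": value, "source": f"shadowed line {lineno}",
                         "why": "duplicate keyword; sshd keeps the first value, so this one has no effect"})
    return findings


def is_compliant(text):
    return not evaluate(text)


# Constructed sample: root login allowed, too many auth tries, a long idle
# timeout, and a later PermitRootLogin that never takes effect.
SAMPLE_CONFIG = """\
# constructed sample, not from a real host
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
LogLevel INFO
ClientAliveInterval 900
PermitRootLogin no   # too late: sshd already took 'yes' from line 3
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for f in evaluate(SAMPLE_CONFIG):
        print(f"{f['keyword']:24} {f['value']:20} ({f['source']}): {f['why']}")
```

On a live host, pass the output of `sshd -T` to evaluate() rather than the file: it prints the effective configuration after defaults are applied, which is what the auditor should test, and it removes the need to guess defaults at all.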
5.3.6 Systems Development and Acquisition Controls
Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and the data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.
Some basic control issues should be evident in all systems development and acquisition work:
• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.
Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.
Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know that projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.
5.3.7 Application-based Controls
The objective of internal controls over application systems is to ensure that:
• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.
Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.
There are several types of generic controls that the CAE should expect to see in any application:
• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and to identify errors as close as possible to their sources.
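The five control types listed above, together with the preventive, detective, and corrective distinction earlier in this section, are easiest to see on a concrete batch. The following Python is an added example, not from this guide: it runs a small payment batch through input edits (including the classic edit that rejects an alphabetic character in a numeric field), a limit check that flags rather than blocks, a reconciliation of record count, amount total, and hash total against the batch control header, an output check back to the accepted input, a checksum over the stored records, and a management trail of every decision. The batch, the control header, the account format, and the approval limit are all constructed.

```python
"""Application controls over a payment batch (added example, not from the guide).
The batch, its control header, the account format and the approval limit are
constructed for illustration."""
import csv
import hashlib
import io
import json
from decimal import Decimal, InvalidOperation

ACCOUNT_DIGITS = 8                     # assumed account-number format
APPROVAL_LIMIT = Decimal("10000.00")   # assumed single-approver limit


def edit_record(row):
    """Input controls on one record. Returns (amount or None, list of errors)."""
    errors = []
    acct = row.get("account") or ""
    if not (acct.isdigit() and len(acct) == ACCOUNT_DIGITS):
        # the classic data-entry edit: no alphabetic characters in a numeric field
        errors.append(f"account '{acct}' is not {ACCOUNT_DIGITS} digits")
    amount = None
    try:
        amount = Decimal(row.get("amount") or "")
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append(f"amount '{row['amount']}' is not positive with at most two decimals")
    except InvalidOperation:
        errors.append(f"amount '{row.get('amount')}' is not numeric")
    if not (row.get("approver") or "").strip():
        errors.append("no approver: record is not authorized")
    return amount, errors


def process_batch(batch_text, control_header):
    """Input, detective and processing controls over one CSV batch."""
    trail, accepted, rejected = [], [], []           # trail is the management trail
    got = {"count": 0, "total": Decimal("0.00"), "hash_total": 0}
    for lineno, row in enumerate(csv.DictReader(io.StringIO(batch_text)), start=2):
        got["count"] += 1
        amount, errors = edit_record(row)
        if amount is not None:
            got["total"] += amount
        if (row.get("account") or "").isdigit():
            got["hash_total"] += int(row["account"])
        if errors:
            rejected.append({"line": lineno, "errors": errors})
            trail.append(("reject", lineno, "; ".join(errors)))
            continue
        rec = {"line": lineno, "account": row["account"], "amount": str(amount),
               "approver": row["approver"]}
        if amount > APPROVAL_LIMIT:      # detective control: flag for review, do not post silently
            rec["flag"] = "over_limit"
            trail.append(("flag", lineno, f"{amount} exceeds {APPROVAL_LIMIT}"))
        accepted.append(rec)
        trail.append(("accept", lineno, row["account"]))
    # processing control: recompute the batch totals and reconcile to the sender's header
    mismatches = {k: (control_header[k], got[k]) for k in got if control_header[k] != got[k]}
    trail.append(("reconcile", 0, "ok" if not mismatches else "mismatch: " + ", ".join(sorted(mismatches))))
    return {"accepted": accepted, "rejected": rejected, "mismatches": mismatches, "trail": trail}


def post_output(accepted):
    """Output control: post unflagged items, hold flagged ones for review, and
    return totals so the caller can reconcile the output back to the input."""
    posted = [r for r in accepted if "flag" not in r]
    held = [r for r in accepted if "flag" in r]
    total = lambda recs: str(sum((Decimal(r["amount"]) for r in recs), Decimal("0.00")))
    return {"posted": posted, "held": held, "posted_total": total(posted), "held_total": total(held)}


def output_reconciles(accepted, output):
    expected = sum((Decimal(r["amount"]) for r in accepted), Decimal("0.00"))
    return (len(output["posted"]) + len(output["held"]) == len(accepted)
            and Decimal(output["posted_total"]) + Decimal(output["held_total"]) == expected)


def stored_checksum(records):
    """Integrity control: digest over the canonical stored form, re-checked on read."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_checksum(records, expected_digest):
    return stored_checksum(records) == expected_digest


# Constructed batch: line 3 has an alphabetic character in a numeric field,
# line 4 is over the approval limit, line 5 has no approver.
SAMPLE_BATCH = """\
account,amount,approver
10000001,1200.00,jdoe
1000000B,300.00,jdoe
10000003,12500.00,jdoe
10000004,2250.00,
"""
# Header the sender computed over the four intended records (constructed). The
# intended second account was 10000002, so the hash total will not reconcile.
SAMPLE_HEADER = {"count": 4, "total": Decimal("16250.00"), "hash_total": 40000010}
```

The hash-total mismatch shows what the per-field edits cannot: the sender computed its totals over account 10000002, so the alphabetic character arrived after the sender's control point, which points to corruption or tampering in transit rather than a keying error at source. The flagged over-limit item is held rather than posted, and the output reconciliation still balances because held and posted amounts together equal the accepted input.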
5.4 Information Security
Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:
• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster at the location where the information was held.
5.5 IT Controls Framework
IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.
Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:
• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.
Risk Appetite
An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002², the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that gives an organization the ability to manage disruptions seamlessly.
Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).
The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).
Organizations that implement effective IT controls experience improvements in efficiency, reliability of services, flexibility of systems, and availability of assurance evidence, all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:
• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.
• The ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently, and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.
Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers, such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.
The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.
GTAG — Importance of IT Controls — 6
2 Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.
GTAG — IT Roles in the Organization — 7
Many different roles have emerged in recent years for positions within the organization with responsibilities for, and ownership of, IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls, to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.
There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.
Overall the objectives for the use of IT within any organization are
bull To deliver reliable information efficiently and secureIT services in line with the organizationrsquos strategiespolicies external requirements and risk appetite
bull To protect stakeholder interestsbull To enable mutually beneficial relationships with
customers business partners and other outside parties that accomplish business objectives
bull To identify and respond to threats and potential violations of control appropriately
Specific roles within the organization support these objec-tives The position descriptions and titles will differ acrossdifferent countries industries and organizations and someof the roles may be merged within smaller organizationsHowever some individuals within the organization mustaddress the IT control function and interact with the CAEand internal audit staff members
7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:
• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.
• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.
7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:
• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.
• Ensuring IT topics are included in the committee meeting agenda, especially CIO reporting.
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.
• Overseeing the overall assessment of IT controls.
• Reviewing the business and control issues related to new systems development and acquisition.
• Examining internal and external audit plans and work to ensure IT topics are covered adequately.
• Reviewing the results of audit work and monitoring the resolution of issues raised.
• Understanding the IT topics that impact ethics monitoring.
7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:
• Ensure that potential and current board members have a suitable IT knowledge or background.
• Assess board committees' performance in terms of their oversight of IT.
• Review any external regulatory governance assessments in relation to IT topics.
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.
7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:
• Assessing the extent to which management has established effective enterprise risk management in the organization.
• Being aware of, and concurring with, the organization's risk appetite and tolerance.
• Appreciating the impact of IT-related risks.
• Reviewing the organization's risk portfolio, including IT risks, and considering it against the organization's risk appetite.
• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.
7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining versus replacing critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.

7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.
7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:
• Define corporate objectives and performance measures in relation to IT.
• Act as custodian over the organization's critical success factors in relation to IT.
• Understand and approve the short-term and long-range strategy for IT.
• Approve IT resources for the organization, including structure and oversight/monitoring.
• Determine IT issues for periodic management, board, and staff discussion.
• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.
7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:
• The total cost of ownership for IT initiatives.
• The entity's IT strategies for remaining technologically competitive.
• The technologies used to implement financial applications.
• The operation of specific financial applications.
• The limitations and benefits of IT.
• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

Sidebar: IT Controls and Ethics

As evidenced by the Equity Funding cases in the 1970s through the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.
7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:
• Understand the business requirements that drive the need to implement IT.
• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.
• Design, implement, and maintain an IT internal control framework.
• Plan, source, and control IT resources.
• Explore, assess, select, and implement technology advances (e.g., wireless communications).
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
• Operate as the highest-level data/system custodian and IT control owner.
• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
  – Developing all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.
7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:
• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.
• Acts as a key link between the compliance, legal, CIO, and audit functions.
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.
• Is responsible for business continuity planning, including incident handling and disaster recovery.
• Ensures that security staff provide support for implementing controls at all levels.
• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.
7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:
• Develops and implements the information security policy in coordination with the CSO.
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.
• Ensures alignment of information security and business objectives.
• Manages operational information risks throughout the organization.
• Oversees security within the IT organization.
• Provides education and awareness on information security issues and new best practices.
• Develops end-user policies for the usage of IT information in conjunction with the human resources function.
• Coordinates information security work with the chief risk officer (CRO) and CIO.
• Advises the CEO, CRO, CIO, and board on IT risk issues.
• Acts as a key link for the CAE when internal auditing performs IT control-related audits.
7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:
• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.
• Ensuring financial reports and presentations comply with laws and regulations.
• Understanding IT legal issues and advising on legal risks related to IT.
• Managing organizational reputation in relation to legal issues, compliance, and public relations.
• Understanding fraud involving IT.
• Managing IT contractual issues.
• Understanding investigative forensics protocols regarding suspected criminal activity.
7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:
• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.
• Assessment of IT events, such as interruptions, disasters, and changes.
• Analysis and assessment of business risk as it is affected by IT risk.
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.
7.3 Audit

7.3.1 Internal Auditing: CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:
• Advising the audit committee and senior management on IT internal control issues.
• Ensuring IT is included in the audit universe and annual plan (selecting topics).
• Ensuring IT risks are considered when assigning resources and priorities to audit activities.
• Defining IT resources needed by the internal audit department, including specialized training of audit staff.
• Ensuring that audit planning considers IT issues for each audit.
• Liaising with audit clients to determine what they want or need to know.
• Performing IT risk assessments.
• Determining what constitutes reliable and verifiable evidence.
• Performing IT enterprise-level controls audits.
• Performing IT general controls audits.
• Performing IT applications controls audits.
• Performing specialist technical IT controls audits.
• Making effective and efficient use of IT to assist the audit processes.
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.
7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:
• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.
• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.
3 These definitions are taken from the COSO Enterprise Risk Management - Integrated Framework (Oct. 2004).

8 Analyzing Risk

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, through experience or formal risk assessment, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.
The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO³ as:

"... the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"... the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:
• The organization's IT environment is consistent with the organization's risk appetite.
• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.
8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:
• The value and criticality of information.
• The organization's risk appetite and tolerance for each business function and process.
• IT risks faced by the organization and quality of service provided to its users.
• The complexity of the IT infrastructure.
• The appropriate IT controls and the benefits they provide.
• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly or could be performed in concert with a major implementation project.
8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components, including the placement of security controls and technologies, reveals potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.
8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee, with input from the audit committee, and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk and that decisions made at all levels of management are consistent with the organization's risk appetite.
8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved, along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:
• What are the assets at risk and the value of their confidentiality, integrity, and availability?
• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:
• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:
• Exclusive possession: cost in the event of a breach of confidentiality.
• Utility: cost in the event of a loss of integrity.
• Cost of creation/re-creation.
• Liability in the event of litigation.
• Convertibility/negotiability: represents market value.
• Operational impact of unavailability.
8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject. See Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.
8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:
• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence is low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as periodically reviewing the risk to ensure its impact remains low.
• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.
• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
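As an added worked example, not part of the GTAG and not an IIA method, the Python below carries the eight questions of 8.2.4 and the four responses of 8.3 (accept, eliminate, share, control/mitigate) through a small constructed risk register. The asset values, frequencies, costs and residual-loss fractions are assumptions; the expected-annual-loss arithmetic (value × impact share × frequency, widened by the uncertainty estimate) is the usual way of quantifying questions 3 to 5 and is not a formula the GTAG prescribes.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    """Q1: the asset at risk and the value of its confidentiality, integrity, availability."""
    name: str
    confidentiality_value: float
    integrity_value: float
    availability_value: float

    def value_for(self, prop: str) -> float:
        return {"C": self.confidentiality_value,
                "I": self.integrity_value,
                "A": self.availability_value}[prop]


@dataclass
class ThreatEvent:
    """Q2-Q5: what could happen, how bad, how often, and how sure we are."""
    asset: Asset
    description: str
    prop: str                # which property (C, I or A) the event degrades
    impact_fraction: float   # share of that value lost per occurrence (Q3)
    annual_frequency: float  # expected occurrences per year (Q4)
    uncertainty: float       # 0.0 = firm data, 1.0 = pure guess (Q5)

    def single_loss(self) -> float:
        return self.asset.value_for(self.prop) * self.impact_fraction

    def annual_loss(self) -> float:
        return self.single_loss() * self.annual_frequency

    def pessimistic_annual_loss(self) -> float:
        # Q5: the less certain the inputs, the more headroom we plan for.
        return self.annual_loss() * (1.0 + self.uncertainty)


@dataclass
class Response:
    """Q6-Q8: a candidate response, what it costs, and what loss remains."""
    strategy: str             # "eliminate", "share" or "control" (8.3)
    description: str
    annual_cost: float
    residual_fraction: float  # share of the annual loss that survives the response

    def net_benefit(self, annual_loss: float) -> float:
        # Q8: cost-efficient only if the loss avoided exceeds the cost.
        return annual_loss * (1.0 - self.residual_fraction) - self.annual_cost


def choose_response(threat: ThreatEvent, candidates: List[Response],
                    risk_tolerance: float) -> Dict[str, object]:
    """Pick accept / eliminate / share / control for one threat event."""
    loss = threat.pessimistic_annual_loss()
    decision: Dict[str, object] = {
        "threat": threat.description, "annual_loss": loss,
        "within_tolerance": loss <= risk_tolerance,
        "strategy": "accept", "response": None, "net_benefit": 0.0}
    if loss <= risk_tolerance:
        return decision  # minor risk: accept it and review periodically
    best = max(candidates, key=lambda r: r.net_benefit(loss), default=None)
    if best is not None and best.net_benefit(loss) > 0:
        decision.update(strategy=best.strategy, response=best.description,
                        net_benefit=best.net_benefit(loss))
    # Otherwise no candidate pays for itself: the risk stays accepted, but
    # "within_tolerance" is False so the decision is visible for escalation.
    return decision


def sample_register() -> List[tuple]:
    """Constructed sample data (not from the GTAG): two threats and their options."""
    customer_db = Asset("customer database", 2_000_000.0, 500_000.0, 100_000.0)
    print_svc = Asset("print service", 0.0, 0.0, 20_000.0)
    exposure = ThreatEvent(customer_db, "Internet-facing portal discloses records", "C",
                           impact_fraction=0.25, annual_frequency=0.2, uncertainty=0.5)
    outage = ThreatEvent(print_svc, "print server outage", "A",
                         impact_fraction=0.1, annual_frequency=2.0, uncertainty=0.2)
    exposure_options = [
        Response("control", "harden and patch the portal", 40_000.0, 0.3),
        Response("share", "cyber-insurance policy", 30_000.0, 0.5),
        Response("eliminate", "retire the legacy portal", 200_000.0, 0.0),
    ]
    outage_options = [Response("control", "second print server", 5_000.0, 0.2)]
    return [(exposure, exposure_options), (outage, outage_options)]


def assess(risk_tolerance: float) -> List[Dict[str, object]]:
    """Run the decision for every entry in the sample register."""
    return [choose_response(t, opts, risk_tolerance) for t, opts in sample_register()]


if __name__ == "__main__":
    for d in assess(risk_tolerance=10_000.0):
        print(f"{d['threat']}: pessimistic annual loss {d['annual_loss']:,.0f} -> "
              f"{d['strategy']} ({d['response'] or 'no response needed'})")
```

With the constructed figures, the portal exposure has a pessimistic annual loss of 150,000, and hardening (net benefit 65,000) beats insurance (45,000) and retirement (negative), so the decision is control/mitigate; the print outage (4,800) falls under the 10,000 tolerance and is accepted. The point of keeping `within_tolerance` separate from `strategy` is that an "accept" forced by the absence of any cost-efficient response is a different finding from an accept inside tolerance, and the CAE should see both.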
8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:
• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?
8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:
• Do IT policies, including for IT controls, exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf
Sidebar: Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.
1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)
Sidebar: Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":
1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
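Digital Dozen items 6, 7 and 9 (need-to-know access, one unique ID per person, all data access tracked by that ID) are the kind of baseline control an auditor can test directly against the evidence trail that 8.4 asks for. The Python below is an added example, not code from the GTAG, VISA or the IIA: it runs an attribution and entitlement check over constructed data-access log lines. The log format, the account names, the shared-account list and the entitlement register are all assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample access-log lines (not from the GTAG). Assumed format:
# "<timestamp> user=<id> action=<verb> object=<data set>"
SAMPLE_LOG = """\
2005-03-01T08:02:11Z user=jsmith action=SELECT object=customer.cardholder
2005-03-01T08:05:40Z user=admin action=SELECT object=customer.cardholder
2005-03-01T09:12:03Z user=mlee action=UPDATE object=customer.cardholder
2005-03-01T09:30:55Z user=jsmith action=SELECT object=hr.payroll
2005-03-01T10:01:00Z user=batch_etl action=SELECT object=customer.cardholder
2005-03-01T10:44:19Z user=temp01 action=SELECT object=customer.cardholder
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) object=(?P<obj>\S+)$")

# Generic or shared accounts: activity under them cannot be tied to one person
# (Digital Dozen items 7 and 9). The names are assumed for the example.
SHARED_ACCOUNTS: Set[str] = {"admin", "root", "sa", "dbo", "guest"}

# Need-to-know entitlements (Digital Dozen item 6): the data sets each approved
# ID may touch. A service ID such as batch_etl is acceptable only when it is
# unique to one job and has a named owner, which this register assumes.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "jsmith": {"customer.cardholder"},
    "mlee": {"customer.cardholder"},
    "batch_etl": {"customer.cardholder"},
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log record, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_access_log(text: str, entitlements: Dict[str, Set[str]],
                     shared_accounts: Set[str]) -> List[Dict[str, object]]:
    """Flag records that break the unique-ID or need-to-know requirements."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # A record the trail cannot explain is itself a finding (8.4: evidence).
            findings.append({"line": lineno, "user": None, "object": None,
                             "issue": "unparseable record: evidence trail is incomplete"})
            continue
        user, obj = rec["user"], rec["obj"]
        if user in shared_accounts:
            issue = "shared account: access cannot be attributed to one person"
        elif user not in entitlements:
            issue = "unknown account: no entitlement record for this ID"
        elif obj not in entitlements[user]:
            issue = "access outside need-to-know entitlement"
        else:
            continue  # attributable to a unique ID and within its entitlement
        findings.append({"line": lineno, "user": user, "object": obj, "issue": issue})
    return findings


def coverage_by_user(text: str) -> Dict[str, int]:
    """Count parseable events per ID: a quick view of who the trail actually names."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG, ENTITLEMENTS, SHARED_ACCOUNTS):
        print(f"line {f['line']}: {f['user']} -> {f['object']}: {f['issue']}")
```

On the sample lines the check raises three findings: the `admin` access (shared account, item 7 and 9), the `jsmith` read of `hr.payroll` (outside entitlement, item 6), and `temp01` (an ID with no entitlement record at all). The order of the tests matters: a shared account is reported as an attribution failure before its entitlement is looked at, because no entitlement can repair a record that names nobody.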
9.1 Choosing a Control Framework
The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to and be used by the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats.

Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).
The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high-risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high-risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 – COSO Model for Technology Controls
9.2 Monitoring IT Controls
Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows.

9.2.1 Ongoing Monitoring
• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.
• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.
• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews
• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.
• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.
Suitable Recognized Framework
"…the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."
— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003
10.1 What Audit Methodology to Use
A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:
• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.
• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.
• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.
10.2 Testing IT Controls and Continuous Assurance
In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
10.2.1 Automated Continuous Monitoring
Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls
During the past four decades there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor, as well as the business world's recognition of the importance of effective information security management.
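As an added illustration of both 10.2 and 10.2.1 (this is example code, not from the GTAG or any product it names), the Python below implements an embedded-audit style check that screens a constructed batch of journal entries against predetermined criteria and tallies alert volume per criterion for threshold tuning, plus a test-data population with known expected outcomes used to confirm the control still accepts valid items and rejects invalid ones. The entry fields, user names, approval limit and business-hours window are all assumptions.

```python
"""Embedded audit check over a constructed batch of journal entries, plus a
test-data population used to confirm the check still behaves as intended."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Entry:
    ref: str             # journal reference (should be unique within a batch)
    amount: float        # posted amount
    entered_by: str      # user who keyed the entry
    approved_by: str     # user who approved it; "" means not yet approved
    posted_at: datetime  # local posting time


# Predetermined criteria. Both thresholds are assumptions for this example.
APPROVAL_LIMIT = 10_000.00     # amounts above this need a second approver
BUSINESS_HOURS = range(7, 19)  # postings outside 07:00-18:59 are unusual


def check_entry(entry, seen_refs):
    """Return the criteria this entry breaches (empty list = passes)."""
    findings = []
    if entry.ref in seen_refs:
        findings.append("duplicate_reference")
    if not entry.approved_by:
        findings.append("unapproved")
    elif entry.approved_by == entry.entered_by:
        findings.append("segregation_of_duties")
    if entry.amount > APPROVAL_LIMIT:
        findings.append("over_limit")
    if entry.posted_at.hour not in BUSINESS_HOURS:
        findings.append("outside_hours")
    return findings


def run_monitor(entries):
    """Embedded-audit pass: map each anomalous ref to the criteria it breached."""
    seen = set()
    report = {}
    for entry in entries:
        findings = check_entry(entry, seen)
        seen.add(entry.ref)
        if findings:
            report[entry.ref] = findings
    return report


def alert_volume(report):
    """Count alerts per criterion: the view used when tuning thresholds so that
    routine events are not reported alongside the ones worth attention."""
    return Counter(c for findings in report.values() for c in findings)


def control_test(monitor, population):
    """Traditional test-data approach: run a population with known expected
    outcomes through the control and return the refs whose outcome differed
    (valid item rejected, or invalid item accepted). Empty list = control passed."""
    report = monitor([entry for entry, _ in population])
    return [entry.ref for entry, should_flag in population
            if (entry.ref in report) != should_flag]


# Constructed sample batch; names and values are made up for this example.
SAMPLE_ENTRIES = [
    Entry("JE-1001", 2_500.00, "alice", "bob", datetime(2005, 3, 14, 10, 5)),    # clean
    Entry("JE-1002", 12_000.00, "alice", "bob", datetime(2005, 3, 14, 11, 30)),  # over limit
    Entry("JE-1003", 800.00, "carol", "carol", datetime(2005, 3, 14, 9, 0)),     # self-approved
    Entry("JE-1004", 4_200.00, "dave", "", datetime(2005, 3, 14, 15, 45)),       # unapproved
    Entry("JE-1005", 300.00, "alice", "bob", datetime(2005, 3, 14, 23, 10)),     # night posting
    Entry("JE-1001", 2_500.00, "alice", "bob", datetime(2005, 3, 15, 10, 5)),    # re-used ref
]

# Constructed test population: (entry, should the control flag it?), including
# boundary cases exactly at the limit and at the edge of business hours.
TEST_POPULATION = [
    (Entry("T-1", 999.99, "alice", "bob", datetime(2005, 3, 14, 8, 0)), False),
    (Entry("T-2", 10_000.00, "alice", "bob", datetime(2005, 3, 14, 18, 59)), False),
    (Entry("T-3", 10_000.01, "alice", "bob", datetime(2005, 3, 14, 12, 0)), True),
    (Entry("T-4", 50.00, "bob", "bob", datetime(2005, 3, 14, 12, 0)), True),
    (Entry("T-5", 50.00, "bob", "", datetime(2005, 3, 14, 12, 0)), True),
    (Entry("T-6", 50.00, "alice", "bob", datetime(2005, 3, 14, 6, 59)), True),
]

if __name__ == "__main__":
    report = run_monitor(SAMPLE_ENTRIES)
    for ref, findings in report.items():
        print(f"{ref}: {', '.join(findings)}")
    print("alert volume:", dict(alert_volume(report)))
    print("control test failures:", control_test(run_monitor, TEST_POPULATION))
```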
10.2.2 Automated Internal Control Analysis Tools
Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis
Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces
It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting: Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can impact controls at the governance level materially.

Audit report summaries: Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.
Figure 6 – Audit Interfaces
Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors, in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.

GTAG — Conclusion — 11
Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)
• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act)
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
• Strive to protect the interests of all stakeholders dependent on information security
• Review information security policies regarding strategic partners and other third parties
• Strive to ensure business continuity
• Review provisions for internal and external audits of the information security program
• Collaborate with management to specify the information security metrics to be reported to the board

12.2 Management
• Establish information security management policies and controls and monitor compliance
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges
• Assess information risks, establish risk thresholds, and actively manage risk mitigation
• Ensure implementation of information security requirements for strategic partners and other third parties
• Identify and classify information assets
• Implement and test business continuity plans
• Approve information systems architecture during acquisition, development, operations, and maintenance
• Protect the physical environment
• Ensure internal and external audits of the information security program with timely follow-up
• Collaborate with security staff to specify the information security metrics to be reported to management

12.3 Technical
Establishing a complete information security program requires attention to the following technical program elements:
• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management

GTAG — Appendix A — Information Security Program Elements — 12
There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002
Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls
The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802
These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201
This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301
Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404
Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13
They must disclosebull ldquoAll significant deficiencies in the design or opera-
tion of internal controls that could adversely affectthe issuerrsquos ability to record process summarize andreport financial data and identify for the issuerrsquos audi-tors any material weaknesses in internal controlsrdquo
bull ldquoAny fraud whether or not material that involvesmanagement or other employees who have a signifi-cant role in the issuerrsquos internal controlsrdquo
Section 404 requires the CEO and CFO to produce an annual audit report that
bull Assesses the effectiveness of the internal controlstructure over financial reporting
bull Discloses all known internal control weaknessesbull Discloses all known frauds
This report will cover all applicable IT controls includingprogram logic and related change controls access controlsand data protection The PCAOB Auditing Standard No 2suggests the COSO Internal Control ndash Integrated Frameworkas a basis for Section 404 compliance managementReferences to Statement of Auditing Standards (SAS) 95also emphasize the importance of IT and information securi-ty controls to Sarbanes-Oxley
13115 Section 409
Section 409 requires organizations to disclose any materialchanges to operations in real time and in plain EnglishSome contend these requirements establish a foundation orneed for continuous monitoring auditing and assuranceprocesses to become part of significant internal controlprocesses
132 Basel II AccordThe Basel II Accord is a global regulatory treaty that definesthe global standards for enterprisewide risk managementpractices in the financial sector with the intent to mitigaterisks of losses in the industry The focus is on the bankingsector but there is a clear intent to harmonize standardsacross all segments of the industry All areas of bank opera-tions are included mdash people processes systems governanceand supplier management
A bank willing to qualify for the Advanced MeasurementApproach (AMA) under the Operational Risk (OR) Treatymust implement best practice in operations and risk manage-ment For risk management this means
bull Senior management is actively involvedbull The bank has an OR management system processes
policies and procedures enterprisewidebull The bank has the right governance and sufficient
resources to manage operational risksbull The bank has an OR management function that is
responsible forndash Designing and implementing the OR management
frameworkndash Codifying policies procedures and controlsndash Designing and implementing an OR measurement
methodologyndash Designing and implementing an OR management
reporting systemndash Developing strategies to identify measure monitor
and control or mitigate ORbull An OR measurement system is closely integrated into
the day-to-day risk management processbull The OR exposures and loss experiences are regularly
reportedbull The OR management system is documentedbull Internal and external auditors regularly review the
OR management processes and measurement systemKey to success in OR management is an information systemthat supports OR exposure self-assessment allows processmapping consists of an OR loss database and reporting func-tion and entails an action-plan management function
The Basel Committee does not specify the approach ordistributional assumptions to be used to generate the ORmeasure for regulatory capital purposes However the frame-work allows for three basic approaches that essentially aredependent on the quality and quantity of risk managementdata Whereas using more data and historical metrics toprove good performance may allow banks to maintain lesscapital reserves and to quantify OR the banks must be ableto demonstrate that their approaches capture potentiallysevere ldquotailrdquo loss events (severe unexpected losses)Moreover consistency with the scope of OR as defined bythe Basel Committee is required
First a bankrsquos organization-wide risk assessment method-ologies must capture key business environmental and internal control factors that can change its OR profile In addition the bank should have a process for assessingoverall capital adequacy
Next the risk measurement system must be granularenough to capture the tails of the loss estimates Banks areexpected to use expert opinion in conjunction with externaldata for scenario analysis to evaluate its exposure to high-severity events Because a bank does not have enough of itsown data in the area of high-impact low-frequency risksthey must acquire data from an external provider such asZurich-based ORX Global Operational Loss Database(GOLD) or MORE Exchange
The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:
• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank).
GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13
• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.
• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.
Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:
• Strategies and processes
• Structure and organization of the risk management function
• Scope and nature of risk reporting
• Policies for hedging and mitigating risks (including operations)

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).
13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C (80) 58 final). Regional bodies like the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in US and European Union (EU) privacy regulations, the EC and the US Department of Commerce developed a safe harbor framework for US companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)
The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).
13.4 The US Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999
The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the US Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).
13.5 US Health Insurance Portability and Accountability Act (HIPAA), 1996
HIPAA contains requirements for the privacy of personal information and for information security. The law applies to US-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.
13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)
California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.
13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.
GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14
14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.[4] Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.
14.1.1 Category 1 – All Auditors
Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.
14.1.2 Category 2 – Audit Supervisors
Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:
• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence — including IT proficiency — for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.
14.1.3 Category 3 – Technical IT Audit Specialists
Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.
IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.
The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.
Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.
[4] Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.
GTAG — Appendix D — Compliance Frameworks — 15
15.1 COSO

Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (Appendix E; see page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.
15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.
In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.
15.3 CICA IT Control Guidelines

The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.
15.4 ITGI Control Objectives for Information and Related Technology (CobiT)
Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.
15.5 ISO 17799 (Code of Practice for Information Security Management)
ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.
The original BS 7799 standard has two parts:
• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.
15.5.1 What Is Information Security?
BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.
Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.
Information security is characterized within BS 7799 as the preservation of:
• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.
Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.
15.5.2 How to Establish Security Requirements
BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:
• Assessing risks to the organization (BS 7799 does not prescribe a methodology).
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.
15.5.3 Assessing Security Risks
BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.
15.5.4 Selecting Controls
Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.
15.5.5 Topics Addressed in BS 7799
1 Scope
2 Terms and definitions
3 Security policy
  3.1 Information security policy document
  3.2 Review and evaluation
4 Security organization
  4.1 Information security infrastructure
  4.2 Security of third-party access
  4.3 Outsourcing
5 Asset classification and control
  5.1 Accountability for assets
  5.2 Information classification
6 Personnel security
  6.1 Security in job definition and resourcing
  6.2 User training
  6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
  7.1 Secure areas
  7.2 Equipment security
  7.3 General controls
8 Communications and operations management
  8.1 Operational procedures and responsibilities
  8.2 System planning and acceptance
  8.3 Protection against malicious software
  8.4 Housekeeping
  8.5 Network management
  8.6 Media handling and security
  8.7 Exchanges of information and software
9 Access control
  9.1 Business requirement for access control
  9.2 User access management
  9.3 User responsibilities
  9.4 Network access control
  9.5 Operating system access control
  9.6 Application access control
  9.7 Monitoring system access and use
  9.8 Mobile computing and teleworking
10 Systems development and maintenance
  10.1 Security requirements of systems
  10.2 Security in application systems
  10.3 Cryptographic controls
  10.4 Security of system files
  10.5 Security in development and support processes
11 Business continuity management
  11.1 Business continuity management process
12 Compliance
  12.1 Compliance with legal requirements
  12.2 Reviews of security policy and technical compliance
  12.3 System audit considerations
15.6 ISF Standard of Good Practice for Information Security
The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.
15.7 Generally Accepted Information Security Principles (GAISP)
The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:
• Pervasive Principles – board-level guidance
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999)
• Detailed Principles – guidance for operational information security management (under development)
GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.
15.7.1 Pervasive Principles
The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.
• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.
• Awareness Principle – All parties with a need to know — including but not limited to information owners and information security practitioners — should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.
• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.
• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.
• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.
• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.
• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

[Figure 7 – Security Management]
• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks with due consideration of cost effectiveness.
• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.
15.8 AICPA/CICA Trust Services Principles and Criteria
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:
• Policies – The organization has defined and documented its policies[5] relevant to the particular principle.
• Communications – The organization has communicated its defined policies to authorized users.
• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.
Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.
15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)
In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.
15.8.2 Availability Principle – The system is available for operation and use as committed or agreed
The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum-acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.
Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

[5] The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

[6] Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept because the term principle previously has been defined in the Trust Services literature.
15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized
Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.
The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and at the correct price, by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.
Processing integrity differs from data integrity because it does not automatically imply that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
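The four properties described above (completeness, accuracy, timeliness, and authorization) are easiest to see as concrete checks that a batch interface runs before it posts anything. The Python below is an added example written for this page; it is not code from the GTAG or from the AICPA/CICA Trust Services material. The batch layout, the control totals carried in a batch header, the approval threshold, and the list of authorized approvers are all assumptions made for the illustration, and the sample batches are constructed.

```python
"""Added example: processing-integrity checks over an inbound transaction batch.

Not from the GTAG. Batch format, thresholds and approver roles are assumed.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import FrozenSet, List, Optional, Tuple

# Assumed policy values for the example (not taken from the GTAG).
APPROVAL_THRESHOLD = Decimal("10000")            # amounts above this need a second person
AUTHORIZED_APPROVERS = frozenset({"alice", "dana"})


@dataclass(frozen=True)
class Txn:
    txn_id: str             # unique key; the same key submitted twice is a duplicate
    amount: Decimal
    initiator: str
    approver: Optional[str]
    value_date: date        # date by which the sender committed to settle


@dataclass(frozen=True)
class BatchHeader:
    """Control totals the sending party commits to for the whole batch (assumed format)."""
    expected_ids: FrozenSet[str]
    expected_amount_total: Decimal
    cutoff: date            # latest value date promised to the counterparty


Finding = Tuple[str, str, str]   # (property, txn_id or "*", description)


def check_batch(header: BatchHeader, txns: List[Txn],
                already_posted: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one finding per processing-integrity failure; an empty list means the batch may post."""
    findings: List[Finding] = []

    # Completeness: every expected transaction arrived, and none more than once
    # (including keys already posted from an earlier batch, i.e. replays).
    seen = set()
    for t in txns:
        if t.txn_id in seen or t.txn_id in already_posted:
            findings.append(("completeness", t.txn_id, "duplicate submission"))
        seen.add(t.txn_id)
    for missing in sorted(header.expected_ids - seen):
        findings.append(("completeness", missing, "expected transaction not received"))

    # Accuracy: record count and amount control total must reconcile to the header.
    if len(txns) != len(header.expected_ids):
        findings.append(("accuracy", "*",
                         f"record count {len(txns)} != expected {len(header.expected_ids)}"))
    total = sum((t.amount for t in txns), Decimal("0"))
    if total != header.expected_amount_total:
        findings.append(("accuracy", "*",
                         f"amount total {total} != expected {header.expected_amount_total}"))

    for t in txns:
        if t.amount <= 0:
            findings.append(("accuracy", t.txn_id, "non-positive amount"))
        # Timeliness: judged against the delivery commitment made for the batch.
        if t.value_date > header.cutoff:
            findings.append(("timeliness", t.txn_id,
                             f"value date {t.value_date} after cutoff {header.cutoff}"))
        # Authorization: approvals and privileges defined by policy must be present.
        if t.amount > APPROVAL_THRESHOLD:
            if t.approver is None:
                findings.append(("authorization", t.txn_id, "approval required above threshold"))
            elif t.approver == t.initiator:
                findings.append(("authorization", t.txn_id, "initiator approved own transaction"))
            elif t.approver not in AUTHORIZED_APPROVERS:
                findings.append(("authorization", t.txn_id, f"approver {t.approver} not authorized"))
    return findings


def defective_batch() -> Tuple[BatchHeader, List[Txn]]:
    """Constructed sample: one duplicate, one missing, one late and one self-approved item."""
    cutoff = date(2005, 3, 15)
    header = BatchHeader(frozenset({"T1", "T2", "T3", "T4"}), Decimal("25600"), cutoff)
    t2 = Txn("T2", Decimal("25000"), "bob", "bob", date(2005, 3, 10))
    txns = [
        Txn("T1", Decimal("500"), "bob", None, date(2005, 3, 1)),
        t2,
        t2,                                                            # resubmitted
        Txn("T4", Decimal("100"), "carol", None, date(2005, 3, 20)),   # after cutoff
    ]
    return header, txns


def clean_batch() -> Tuple[BatchHeader, List[Txn]]:
    """Constructed sample that satisfies every check."""
    cutoff = date(2005, 3, 15)
    header = BatchHeader(frozenset({"T1", "T2"}), Decimal("25500"), cutoff)
    txns = [
        Txn("T1", Decimal("500"), "bob", None, date(2005, 3, 1)),
        Txn("T2", Decimal("25000"), "bob", "alice", date(2005, 3, 10)),
    ]
    return header, txns


if __name__ == "__main__":
    for finding in check_batch(*defective_batch()):
        print(finding)
    print("clean batch findings:", check_batch(*clean_batch()))
```

Note that the constructed defective batch has the right record count: the duplicate T2 masks the missing T3, so a count-only control would accept it. Reconciling the set of identifiers and the amount control total against the header is what surfaces both faults, which is why the text treats completeness and accuracy together rather than either alone. The already_posted parameter is where a real implementation would consult the keys posted by earlier batches so that replays across batch boundaries are rejected as well.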
15.8.4 Privacy Principle and Components: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria
The Privacy Principle contains 10 components (see footnote 6) and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world, and on many recognized good privacy practices. The privacy components are:
• Management: The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
• Notice: The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
• Choice and consent: The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
• Collection: The organization collects personal information only for the purposes identified in the notice.
• Use and retention: The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.
• Access: The organization provides individuals with access to their personal information for review and update.
• Disclosure to third parties: The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security: The organization protects personal information against unauthorized access, both physical and logical.
• Quality: The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
• Monitoring and enforcement: The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.
15.8.5 Confidentiality Principle: Information designated as "confidential" is protected as committed or agreed
The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.
Information that may be subject to confidentiality includes:
• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry
Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.
Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.
15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life-cycle management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.
15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance, both within an organization and between business partners, to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.
15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society
16 Appendix E: Assessing IT Controls Using COSO
The COSO Internal Control - Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management - Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management - Integrated Framework.
16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"
These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.
The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.
Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:
• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.
16.2 COSO Internal Control - Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication
Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties such as customers, suppliers, regulators, and shareholders.
16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance), which are what an entity strives to achieve, and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category (the effectiveness and efficiency of operations, for instance), all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition, with its underlying fundamental concepts of a process effected by people and providing reasonable assurance, together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitutes this internal control framework.
17 Appendix F: ITGI Control Objectives for Information and Related Technology (CobiT)
Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize: This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.
1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement: To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain, to make sure that the life cycle is continued for these systems.
12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support: This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.
18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate: All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.
31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.
CobiT is comprised of:
• An executive summary, which provides an overview of CobiT's issues and foundational premise
• The CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective
• Control objectives: statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives
• Audit guidelines: suggested audit steps corresponding to each of the IT control objectives
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control, critical success factors to identify the most important actions for achieving control over the IT processes, key goal indicators to define target levels of performance, and key performance indicators to measure whether an IT control process is meeting its objective

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.
Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of CobiT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.
18 Appendix G: Example IT Control Metrics to Be Considered by Audit Committees
The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report (see footnote 7) that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant, and often costly, elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.
The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.
18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric, higher or lower, to be self-evident.
• Oversee risk management and compliance programs pertaining to information security
  - Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  - Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  - Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
  - Percentage of information security program principles for which approved policies and controls have been implemented by management
  - Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified
• Strive to protect the interests of all stakeholders who depend on information security
  - Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
  - Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders
  - Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods
• Review information security policies regarding strategic partners and other third parties
  - Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements
• Strive to ensure business continuity
  - Percentage of organizational units with an established business-continuity plan
• Review provisions for internal and external audits of the information security program
  - Percentage of required internal and external audits completed and reviewed by the board
  - Percentage of audit findings that have not been resolved
• Collaborate with management to specify the information security metrics to be reported to the board
18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

7 http://reform.house.gov/TIPRC
• Establish information security management policies and controls and monitor compliance
  - Percentage of information security program elements for which approved policies and controls are operational
  - Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
  - Percentage of information security policy compliance reviews that noted violations
  - Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges
  - Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access
  - Percentage of employees who have completed periodic security-awareness refresher training as required by policy
  - Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff (system users)
  - Percentage of job performance reviews that evaluate information security responsibilities and policy compliance
  - Percentage of user roles, systems, and applications that comply with the separation-of-duties principle
  - Number of individuals with access to security software who are not trained and authorized security administrators
  - Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators
  - Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  - Percentage of users who have undergone background checks
• Assess information risks, establish risk thresholds, and actively manage risk mitigation
  - Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy
  - Percentage of critical assets and functions for which the cost of compromise (loss, damage, disclosure, or disruption of access) has been quantified
  - Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy
bull Ensure implementation of information security require-ments for strategic partners and other third partiesndash Percentage of known information security risks that
are related to third-party relationshipsndash Percentage of critical information assets or
functions to which third-party personnel have been given access
ndash Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy
ndash Percentage of systems with critical information assets or functions that are connected to third-party systems electronically
ndash Percentage of security incidents that involve third-party personnel
ndash Percentage of third-party agreements that include or demonstrate external verification of policies and procedures
ndash Percentage of third-party relationships that have been reviewed for compliance with information security requirements
ndash Percentage of out-of-compliance review findings that have been corrected since the last review
bull Identify and classify information assetsndash Percentage of information assets that have been
reviewed and classified by the designated owner in accordance with the classification scheme established by policy
ndash Percentage of information assets with defined accessprivileges that have been assigned based on role andin accordance with policy
ndash Date when the asset inventory was last updatedbull Implement and test business-continuity plans
ndash Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned
ndash Percentage of business-continuity plans that have been reviewed exercised and tested and updated inaccordance with policy
bull Approve information systems architecture duringacquisition development operations and maintenancendash Percentage of information security risks related to
systems architecture identified in the most recent risk assessment that have been mitigated adequately
ndash Percentage of system architecture changes mdash additions modifications or deletions mdash that were reviewed for security impacts approved by the appropriate authority and documented via change-request forms
ndash Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture
bull Protect the physical environmentndash Percentage of critical organizational information
assets and functions that have been reviewed from the perspective of physical risks such as controlling physical access and physical protection of backup media
ndash Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented
ndash Percentage of critical assets that have been reviewed from the perspective of environmental risks such as temperature fire and flooding
ndash Percentage of servers in locations with controlled physical access
ndash Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule
ndash Percentage of information security audits conductedin compliance with the approved internal and external audit program and schedule
ndash Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness
bull Collaborate with security personnel to specify theinformation security metrics to be reported to management
GTAG mdash Appendix G mdash Example IT Control Metrics to Be Considered by Audit Committees mdash 18
41
GTAG — Appendix H — CAE Checklist — 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

Control Elements

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards

2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance

3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal audit
      ii. External audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?
Control Elements

4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls

5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing

6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?
GTAG — Appendix I — References — 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance, three-report series from The IIA, National Association of Corporate Directors (NACD), US Critical Infrastructure Assurance Office et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report – Internal Control: Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems", December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices". http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html

ISO 15408 Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12 The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30 Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC
GTAG — Appendix J — Glossary — 21

A listing of technical terms used in the guide, with a simple, plain-English definition.

Application control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org.

CRM – Customer resource management

CSO – Chief security officer

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people and processes (also known as IT infrastructure).

GLBA – US Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – US Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication and storage), including the related hardware, software, processes and personnel.

Information security – The concepts, techniques, technical measures and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org.

IT controls – Those controls that provide reasonable assurance of the secure, reliable and resilient performance of hardware, software, processes and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government and transportation. To the extent that infrastructures support national and regional economies, defenses and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org.

Public Company Accounting Oversight Board (PCAOB) – A board of the US Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can adversely affect the confidentiality, integrity or availability of an organization's information assets.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
GTAG — Appendix K — About the Global Technology Audit Guides — 22

This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts and issues sufficiently to explain business opportunities, risks and related controls, and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H Allen, CMU/SEI, Carnegie-Mellon University/Software Engineering Institute
Michael R Dickson, Business Technology Group LLC
Clint Kreitner, President/CEO, CIS, The Center for Internet Security
Alex Lajoux, NACD, National Association of Corporate Directors
Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc, The Integrated Risk Management Group, USA
Mark Salamasick, CIA, University of Texas at Dallas
Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R Dickson, Karyn Waller, American Institute of Certified Public Accountants
CIS – Clint Kreitner, Center for Internet Security
CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute
ISSA – Dave Cullinane, President; Bob Daniels, Exec Vice President, Information Systems Security Association
NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors
SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS Internet Security Systems
Jack Antonelli, ADP
Ken D Askelson, CIA, JC Penney Co Inc
Becky Bace, Infidel Inc
Kevin Behr, IPSI Institute for Integrated Publication and Information Systems
Jeff Benson, BearingPoint
Robert S Block, Chairman, 3D Business Tools, USA
Sylvia Boyd, The IIA
Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA
Larry Brown, Options Clearing Corp
Stephanie Bryant, University of South Florida
Phil Campbell, Specialized IT LLC, USA
John Carlson, BITS Banking Industry Technology Secretariat
Chris Compton, Intrusion Labs
Guy Copeland, CSC Computer Sciences Corp
Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA
Bob Daniels, EDS
Bob Dix, US House of Representatives
GTAG — Appendix L — GTAG Partners and Global Project Team — 23
Jerry E Durant, CIA, President, Certifiable Technologies Ltd, Orlando, Fla, USA
Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA
Greg Garcia, ITAA Information Technology Association of America
Russ Gates, Dupage Consulting LLC
Lou Giles, Chevron Phillips Chemical Co
Doug Guerrero, EDS
Kai Tamara Hare, Nuserve
Michael S Hines, CIA, Purdue University
Bob Hirth, Protiviti
Don Holden, CISSP, Concordant Inc, USA
Dave Kern, Ethentica
Gene Kim, CTO, Tripwire Inc, USA
Jim Kolouch, BearingPoint
David Kowal, VP, JP Morgan Chase
Paul Kurtz, CSIA Cyber Security Industry Alliance
Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St Louis University, USA
Andrée Lavigne, CICA Canadian Institute of Chartered Accountants
Debbie Lew, Guidance Software
Brenda Lovell, CIA, CCSA, CGAP, The IIA
Warren Malmquist, Adolph Coors Co
Stacy Mantzaris, CIA, IIA
Dennis Miller, Heritage Bank
Patrick Morrissey, Auditwire
Bruce Moulton, Symantec
Paul Moxey, ACCA Association of Chartered Certified Accountants
Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA
Fred Palmer, Palmer Associates
Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc
Bernie Plagman, TechPar Group
Heriot Prentice, MIIA, FIIA, QiCA, The IIA
Dick Price, Beacon IT Ltd, BS 7799 Consultancy, USA
Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA
Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA
Amy Ray, Bentley College
Martin Ross, GSC Global Security Consortium
Chip Schilb, EDS, USA
Howard Schmidt, eBay
Mark Silver, Symantec
George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA
Adam Stone, Assurant
Jay H Stott, CIA, Fidelity Investments
Dan Swanson, CIA, IIA
Jay R Taylor, CIA, CISA, CFE, General Motors Corporation
Bill Tener, University & Community College System of Nevada
Archie Thomas
Fred Tompkins, BearingPoint
Don Warren, Rutgers University
Dominique Vincenti, CIA, The IIA
Mark Winn, Intrusec
Amit Yoran

23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway
Alexandre Alves Apparecido, Brazil
Dror Aviv, Israel
David F Bentley, England, UK and Ireland
Gerardo Carstens, CIA, IIA Argentina
Richard Cascarino, South Africa
Iftikhar Chaudry, Pakistan
Hisham T El Gindy, Manager, KPMG Hazem Hassan, Egypt
Dr Ulrich Hahn, CIA, Switzerland
Rossana S Javier, Makati City, Philippines
Andras Kovacks, Hungary
Christopher McRostie, Australia
Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani RSM, Pakistan
Kyoko Shimizu, CIA, Japan
John Silltow, Security Control and Audit Ltd, United Kingdom
Ken Siong, International Federation of Accountants
Anton van Wyk, PwC, South Africa
Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate
Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada
P J Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates
Ariel Peled, President, ISSA Israeli Chapter
P Shreekanth, India
Karen Woo, Selangor, Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa
Alexandre Alves Apparecido, Brasil Telecom, Brazil
Ken D Askelson, CIA, JC Penney Co Inc, USA
Dror Aviv, CFSA, IIA Israel
Donald L Bailey, Grant Thornton LLP, USA
EW Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)
Norman F Barber, Microsoft Corp, USA
David F Bentley, QiCA, Consultant, England
Claude Cargou, GIE AXA, France
Michael P Fabrizius, CIA, Bon Secours Health System Inc, USA
Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan
Douglas Guerrero, EDS Corp, USA
Dr Ulrich Hahn, CIA, Syngenta International, Switzerland
David J Hill, IBM Corp, USA
Michael S Hines, CIA, Purdue University, USA
Mark J Hornung, Ernst & Young LLP, USA
Gene Kim, CTO, Tripwire Inc, USA
David S Lione, KPMG LLP Southeast Region, USA
Peter B Millar, ACL Services Ltd, Canada
Allan M Newstadt, CIA, World Bank/International Finance Corp, USA
Brenda J S Putman, CIA, City Utilities of Springfield, USA
Kyoko Shimizu, CIA, Shin Nihon & Co, Japan
Brian M Spindel, CIA, SecurePipe Inc, USA
Rajendra P Srivastava, University of Kansas, USA
Jay Stott, CIA, Fidelity Investments, USA
Jay R Taylor, CIA, CISA, CFE, General Motors Corp, USA
Thomas Jason Wood, CIA, Ernst & Young LLP, USA
Akitomo Yamamoto, IIA Japan

23.7 The Writing Team

David A Richards, CIA, President, The IIA
Alan S Oliphant, MIIA, QiCA, MAIR International
Charles H Le Grand, CIA, CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland
Trish Harris
Tim McCollum
Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645. IIA Member US $25; Nonmember US $30; IIA Event US $22.50.
www.theiia.org
ISBN 0-89413-570-8; ISBN 978-0-89413-623-8
3
COSO1 defines internal control as ldquoA process effected by anorganizationrsquos board of directors management and otherpersonnel designed to provide reasonable assurance regard-ing the achievement of objectives in the following cate-gories
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations."

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions, from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them, and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls. (See Figure 3, Some Control Classifications, page 4.) By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; and backup, recovery, and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting.

The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.

Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.
GTAG – Understanding IT Controls – 5

1 COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org.
It is not necessary to know "everything" about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology, such as database management, may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:
1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2
Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls because they represent another opportunity for errors, omissions, or falsification.

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.
5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels – governance and management – are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.
5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by and controlled by either the entire board of directors or a board committee, in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied, and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:

• Recognize risks to the organization, its processes, and assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls
Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information – including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

Figure 3 – Some Control Classifications
5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls (this page), represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.
IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster – not just the IT elements.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.
5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (See page 45).

As a guideline, the CAE should expect to see standards adopted for:

• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management

Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems – except for change deployment – and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum.
Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.

5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.
Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards, such as low-lying flood plains or flammable liquid stores.
When considering physical and environmental security, it is also appropriate to consider contingency planning – also known as disaster recovery planning – which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.

5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland, Certified Information Systems Auditor (CISA) available through the Information Systems Audit and Control Association (ISACA), and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.

Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization's stated policy.
• Division of duties enforced through systems software and other configuration controls.
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.
• Intrusion testing performed on a regular basis.
• Encryption services applied where confidentiality is a stated requirement.
• Change management processes – including patch management – in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.
5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.

Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.

5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
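The application controls named in this guide (the data edits and initiation-versus-authorization separation of Section 5.1, the separation of duties of 5.3.3.1, and the input, processing, and management-trail controls listed above) as one small batch-posting routine. This is an added example, not code from the GTAG or the IIA; the role table, the amount limit, and the sample transactions are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed role table (assumption): who may initiate and who may authorize.
ROLES = {
    "alice": {"initiate"},
    "bob": {"authorize"},
    "carol": {"initiate", "authorize"},
}
AMOUNT_LIMIT = Decimal("100000.00")  # assumed policy ceiling for one transaction


@dataclass
class Transaction:
    txn_id: str
    account: str
    amount_text: str  # the raw keyed value, before any edit is applied
    initiator: str
    approver: str


class AuditTrail:
    """Management trail: one record per control decision, appended, never edited."""

    def __init__(self):
        self.entries = []

    def record(self, txn_id, control, outcome, detail):
        self.entries.append({"txn": txn_id, "control": control,
                             "outcome": outcome, "detail": detail})

    def history(self, txn_id):
        # Trace forward from the source: every control decision for one transaction.
        return [e for e in self.entries if e["txn"] == txn_id]


def input_edit(txn, trail):
    """Preventive input control: reject non-numeric amounts and amounts outside limits."""
    try:
        amount = Decimal(txn.amount_text)
    except InvalidOperation:
        trail.record(txn.txn_id, "input-edit", "rejected",
                     f"non-numeric amount {txn.amount_text!r}")
        return None
    if amount <= 0 or amount > AMOUNT_LIMIT:
        trail.record(txn.txn_id, "input-edit", "rejected",
                     f"amount {amount} outside limits")
        return None
    trail.record(txn.txn_id, "input-edit", "passed", str(amount))
    return amount


def authorization_check(txn, trail):
    """Separation of duties: initiator and approver hold the right roles and differ."""
    ok = ("initiate" in ROLES.get(txn.initiator, set())
          and "authorize" in ROLES.get(txn.approver, set())
          and txn.initiator != txn.approver)
    trail.record(txn.txn_id, "authorization", "passed" if ok else "rejected",
                 f"initiator={txn.initiator} approver={txn.approver}")
    return ok


def post_batch(batch, control_count, control_total, trail):
    """Processing control: post only when accepted items balance to the batch header."""
    accepted = []
    for txn in batch:
        amount = input_edit(txn, trail)
        if amount is None or not authorization_check(txn, trail):
            continue  # rejected items are already explained in the trail
        accepted.append((txn.txn_id, amount))
    posted_total = sum((a for _, a in accepted), Decimal("0"))
    balanced = len(accepted) == control_count and posted_total == control_total
    trail.record("BATCH", "balancing", "balanced" if balanced else "out-of-balance",
                 f"count={len(accepted)}/{control_count} "
                 f"total={posted_total}/{control_total}")
    # An out-of-balance batch is held back whole rather than partially posted.
    posted = [t for t, _ in accepted] if balanced else []
    return {"posted": posted, "balanced": balanced, "total": posted_total}


# Constructed sample batch: one clean item, one keyed with a letter O for a zero,
# and one that the initiator approved herself.
SAMPLE_BATCH = [
    Transaction("T1", "4711", "1250.00", "alice", "bob"),
    Transaction("T2", "4712", "12O0.00", "alice", "bob"),
    Transaction("T3", "4713", "300.00", "carol", "carol"),
]


def run_sample():
    """Header totals keyed by the preparer: 3 items, 2750.00. Only T1 survives the
    edits, so the batch does not balance and nothing is posted."""
    trail = AuditTrail()
    return post_batch(SAMPLE_BATCH, 3, Decimal("2750.00"), trail), trail


if __name__ == "__main__":
    result, trail = run_sample()
    print(result, trail.entries)
```

The trail lets an auditor trace each rejected item back to the control that stopped it and the batch header forward to why nothing was posted, which is the forward and backward tracing the Management Trail bullet describes.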
5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.
Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
Many issues drive the need for IT controls including controlling costs and remaining competitive protectingagainst information theft by hackers and complying withlegislation and regulation such as the US Sarbanes-OxleyAct of 20022 the European Unionrsquos Data ProtectionDirective and related legislation in other countries IT con-trols promote reliability and efficiency and allow the organ-ization to adapt to changing risk environments Forexample any control that mitigates or detects fraud or cyberattacks enhances the organizationrsquos resiliency by helping theorganization uncover the risk and manage its impactResiliency is a result of a strong system of internal controlsthat give an organization the ability to manage disruptionsseamlessly
Legislation and regulations in some countries now requireorganizations to report on the effectiveness of internal con-trol and by implication the effectiveness of IT control Themost prominent new law is Sarbanes-Oxley which requiresall companies with shares that are publicly traded in theUnited States and their foreign subsidiaries to report ontheir system of internal controls over financial reportingperformed in conjunction with an audit of financial statements A list of some of the legislation and regulationsapplicable to internal controls is provided in Appendix B(See page 24)
The need for controls is further driven by the complexityresulting from the necessity for diverse technical compo-nents to work with one another While flexibility and adaptability of IT are crucial to meeting the changing needsof customers and business partners and responding to com-petitive pressures they also add complexity to business andIT infrastructures In addition information security has beenacknowledged as a key component of internal control withthe emergence and widespread acceptance of standards suchas the International Organization for Standardization Codeof Practice for Information Security Management (ISO17799)
Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:
• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.
Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.
The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.
GTAG — Importance of IT Controls — 6
[2] Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.
GTAG — IT Roles in the Organization — 7
Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.
There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.
Overall, the objectives for the use of IT within any organization are:
• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.
• To protect stakeholder interests.
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.
• To identify and respond to threats and potential violations of control appropriately.
Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.
7.1 Board of Directors/Governing Body
One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:
• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.
• Approval of the data classifications structure and the related access rights.
The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.
7.1.1 Audit Committee
The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:
• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.
• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.
• Overseeing the overall assessment of IT controls.
• Reviewing the business and control issues related to new systems development and acquisition.
• Examining internal and external audit plans and work to ensure IT topics are covered adequately.
• Reviewing the results of audit work and monitoring the resolution of issues raised.
• Understanding the IT topics that impact ethics monitoring.
7.1.2 Compensation Committee
The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.
7.1.3 Governance Committee
The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:
• Ensure that potential and current board members have a suitable IT knowledge or background.
• Assess board committees' performance in terms of their oversight of IT.
• Review any external regulatory governance assessments in relation to IT topics.
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.
7.1.4 Risk Management Committee
The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:
• Assessing the extent to which management has established effective enterprise risk management in the organization.
• Being aware of and concurring with the organization's risk appetite and tolerance.
• Appreciating the impact of IT-related risks.
• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.
• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.
7.1.5 Finance Committee
The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.
7.2 Management
Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.
7.2.1 Chief Executive Officer
The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:
• Define corporate objectives and performance measures in relation to IT.
• Act as custodian over the organization's critical success factors in relation to IT.
• Understand and approve the short-term and long-range strategy for IT.
• Approve IT resources for the organization, including structure and oversight/monitoring.
• Determine IT issues for periodic management, board, and staff discussion.
• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.
7.2.2 Chief Financial Officer
The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:
• The total cost of ownership for IT initiatives.
• The entity's IT strategies for remaining technologically competitive.
• The technologies used to implement financial applications.
• The operation of specific financial applications.
• The limitations and benefits of IT.
• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.
The CFO should operate as the highest-level control owner for financial systems and data.
IT Controls and Ethics
As evidenced in the Equity Funding cases in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities or even unusual patterns in transactions or other data that may indicate evidence of fraud or questionable behavior.
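The "IT Controls and Ethics" sidebar above says that override authority must be matched by monitoring that surfaces unusual patterns in transaction data. The following is an added example of what such monitoring looks like in practice; it is not code from the GTAG or The IIA. The application-log format, the user names, the business-hours window, and the three detection rules (a user overriding a control on a transaction they entered themselves, an override outside business hours, and an override volume far above peers) are all assumptions made for the example, and the log lines are constructed.

```python
"""Constructed example of the monitoring the 'IT Controls and Ethics' sidebar
calls for: the same application logs that record control overrides are
scanned for patterns that may indicate improper use of override authority.
Added illustration, not the GTAG's own tooling: the log format, the user
names, the business-hours window and the three rules (overriding a control
on one's own transaction, overriding outside business hours, an override
volume far above peers) are assumptions made for the example."""
import re
from collections import Counter
from datetime import datetime
from statistics import median
from typing import Dict, List

# Assumed log format: ISO timestamp followed by key=value pairs. ENTER records a
# transaction; OVERRIDE records a user bypassing a control on a transaction.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2005-03-14T09:12:05 user=alice action=ENTER txn=T1001 amount=48000
2005-03-14T09:13:40 user=bob action=OVERRIDE control=credit_limit txn=T1001
2005-03-14T10:02:11 user=carol action=ENTER txn=T1002 amount=91000
2005-03-14T10:02:59 user=carol action=OVERRIDE control=dual_approval txn=T1002
2005-03-14T11:30:00 user=carol action=OVERRIDE control=credit_limit txn=T1003
2005-03-14T11:31:00 user=carol action=OVERRIDE control=credit_limit txn=T1004
2005-03-14T11:32:00 user=carol action=OVERRIDE control=credit_limit txn=T1005
2005-03-14T12:00:00 user=dave action=OVERRIDE control=credit_limit txn=T1006
2005-03-14T14:00:00 user=alice action=OVERRIDE control=credit_limit txn=T1007
2005-03-14T23:41:17 user=carol action=OVERRIDE control=dual_approval txn=T1008
2005-03-15T08:05:00 user=carol action=OVERRIDE control=credit_limit txn=T1009
2005-03-15T08:06:00 user=carol action=OVERRIDE control=credit_limit txn=T1010
"""


def parse(log: str) -> List[Dict[str, str]]:
    """Turn each log line into a dict of its fields; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = {"ts": m.group("ts")}
        for pair in m.group("kv").split():
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return events


def find_findings(events: List[Dict[str, str]], business_hours=(7, 19),
                  volume_multiple: int = 3) -> List[str]:
    """Apply the three detection rules and return one finding per hit."""
    findings = []
    entered_by = {e["txn"]: e["user"] for e in events if e["action"] == "ENTER"}
    overrides = [e for e in events if e["action"] == "OVERRIDE"]

    for e in overrides:
        # Rule 1: the person who entered the transaction also overrode a control on it.
        if entered_by.get(e["txn"]) == e["user"]:
            findings.append(f"self-override: {e['user']} bypassed {e['control']} "
                            f"on own transaction {e['txn']}")
        # Rule 2: override outside the assumed business-hours window.
        hour = datetime.fromisoformat(e["ts"]).hour
        if not business_hours[0] <= hour < business_hours[1]:
            findings.append(f"off-hours override: {e['user']} at {e['ts']} on {e['txn']}")

    # Rule 3: an individual's override count is far above the peer median.
    counts = Counter(e["user"] for e in overrides)
    if len(counts) >= 3:
        typical = median(counts.values())
        for user, n in counts.items():
            if n > volume_multiple * typical:
                findings.append(f"override volume: {user} has {n} overrides "
                                f"vs. peer median {typical:g}")
    return findings
```

Run over the sample, the three rules each produce one finding, all concerning the same user, which is the kind of converging signal a reviewer would follow up on; the thresholds are deliberately parameters so that an organization can tune them to its own volume of legitimate overrides.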
7.2.3 Chief Information Officer
The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:
• Understand the business requirements that drive the need to implement IT.
• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.
• Design, implement, and maintain an IT internal control framework.
• Plan, source, and control IT resources.
• Explore, assess, select, and implement technology advances (e.g., wireless communications).
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
• Operate as the highest-level data/system custodian and IT control owner.
• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.
7.2.4 Chief Security Officer
The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:
• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.
• Acts as a key link between the compliance, legal, CIO, and audit functions.
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.
• Is responsible for business continuity planning, including incident handling and disaster recovery.
• Ensures that security staff provide support for implementing controls at all levels.
• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.
7.2.5 Chief Information Security Officer (CISO)
Information security is a subset of the overall security role. The CISO:
• Develops and implements the information security policy in coordination with the CSO.
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.
• Ensures alignment of information security and business objectives.
• Manages operational information risks throughout the organization.
• Oversees security within the IT organization.
• Provides education and awareness on information security issues and new best practices.
• Develops end-user policies for the usage of IT information in conjunction with the human resources function.
• Coordinates information security work with the chief risk officer (CRO) and CIO.
• Advises the CEO, CRO, CIO, and board on IT risk issues.
• Acts as a key link for the CAE when internal auditing performs IT control-related audits.
7.2.6 Chief Legal Counsel (CLC)
Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:
• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.
• Ensuring financial reports and presentations comply with laws and regulations.
• Understanding IT legal issues and advising on legal risks related to IT.
• Managing organizational reputation in relation to legal issues, compliance, and public relations.
• Understanding fraud involving IT.
• Managing IT contractual issues.
• Understanding investigative forensics protocols regarding suspected criminal activity.
7.2.7 Chief Risk Officer
The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:
• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.
• Assessment of IT events such as interruptions, disasters, and changes.
• Analysis and assessment of business risk as it is affected by IT risk.
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.
7.3 Audit
7.3.1 Internal Auditing – CAE and Audit Staff
Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:
• Advising the audit committee and senior management on IT internal control issues.
• Ensuring IT is included in the audit universe and annual plan (selecting topics).
• Ensuring IT risks are considered when assigning resources and priorities to audit activities.
• Defining IT resources needed by the internal audit department, including specialized training of audit staff.
• Ensuring that audit planning considers IT issues for each audit.
• Liaising with audit clients to determine what they want or need to know.
• Performing IT risk assessments.
• Determining what constitutes reliable and verifiable evidence.
• Performing IT enterprise-level controls audits.
• Performing IT general controls audits.
• Performing IT applications controls audits.
• Performing specialist technical IT controls audits.
• Making effective and efficient use of IT to assist the audit processes.
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.
7.3.2 External Auditor
Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:
• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.
• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.
[3] These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).
8.1 Risk Determines Response
IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.
It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.
The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO [3] as:
"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."
In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:
"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
Thus, the CAE should consider whether or not:
• The organization's IT environment is consistent with the organization's risk appetite.
• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.
8.2 Risk Considerations in Determining the Adequacy of IT Controls
Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.
When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:
• The value and criticality of information.
• The organization's risk appetite and tolerance for each business function and process.
• IT risks faced by the organization and quality of service provided to its users.
• The complexity of the IT infrastructure.
• The appropriate IT controls and the benefits they provide.
• Harmful IT incidents in the past 24 months.
The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly or could be performed in concert with a major implementation project.
8.2.1 The IT Infrastructure
Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.
The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.
The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveals potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.
GTAG — Analyzing Risk — 8
8.2.2 IT Risks Faced by the Organization
The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT and their roles in applying and maintaining effective controls.
8.2.3 Risk Appetite and Tolerance
Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO, with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.
The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk and that decisions made at all levels of management are consistent with the organization's risk appetite.
8.2.4 Performing Risk Analysis
Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved, along with representatives from IT and the business areas.
There are eight basic questions associated with the risk assessment process. The first five include:
• What are the assets at risk, and the value of their confidentiality, integrity, and availability?
• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?
The next three questions apply to risk mitigation analysis:
• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
8.2.5 Value of Information
Determining the value of the information processed and stored is not an easy task due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:
• Exclusive possession – cost in the event of a breach of confidentiality.
• Utility – cost in the event of a loss of integrity.
• Cost of creation/re-creation.
• Liability in the event of litigation.
• Convertibility/negotiability – represents market value.
• Operational impact of unavailability.
8.2.6 Appropriate IT Controls
Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject. See Appendix I (see page 45).
The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.
8.3 Risk Mitigation Strategies
When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.
In general, there are several ways to mitigate the potential impact of risks:
• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence is low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as periodically reviewing the risk to ensure its impact remains low.
• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.
• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
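The eight questions of 8.2.4 and the four responses of 8.3 can be carried through on a small risk register, which the following added example does. It is illustration written for this page, not the GTAG's or COSO's method: the register entries, the monetary figures, the per-risk tolerance, and the rule that a response is cost-efficient when the expected annual loss it removes exceeds its annual cost are all assumptions. Impact and frequency are entered as low/high ranges so that the fifth question (uncertainty) is visible in the output, and decisions are taken on the worst-case estimate.

```python
"""Constructed worked example of the eight risk-analysis questions (8.2.4)
and the response options of 8.3. Added illustration, not the GTAG's own
method: the register entries, the monetary figures, the tolerance and the
rule that a response is cost-efficient when the expected loss it removes
exceeds its annual cost are all assumptions made for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    """Questions 1-5: asset, threat event, impact, frequency and uncertainty."""
    asset: str
    threat: str
    impact_low: float    # loss per occurrence, optimistic estimate
    impact_high: float   # loss per occurrence, pessimistic estimate
    freq_low: float      # occurrences per year, optimistic estimate
    freq_high: float     # occurrences per year, pessimistic estimate

    def expected_loss(self) -> Tuple[float, float]:
        """Annual expected loss as a (best case, worst case) range; the width
        of the range is the uncertainty analysis of question 5."""
        return (self.impact_low * self.freq_low, self.impact_high * self.freq_high)


@dataclass
class Response:
    """Questions 6-7: what can be done and what it costs. Question 8,
    cost-efficiency, is computed in decide()."""
    name: str
    kind: str             # "eliminate", "share" or "control", as in 8.3
    annual_cost: float
    freq_factor: float    # fraction of event frequency that remains (0 = eliminated)
    impact_factor: float  # fraction of per-event loss that remains (e.g. after insurance)

    def residual_loss(self, risk: Risk) -> float:
        """Worst-case annual expected loss after this response is applied."""
        return risk.expected_loss()[1] * self.freq_factor * self.impact_factor


@dataclass
class Decision:
    risk: Risk
    action: str                  # "accept", "eliminate", "share", "control" or "escalate"
    response: Optional[Response]
    residual_loss: float
    within_tolerance: bool


def decide(risk: Risk, options: List[Response], tolerance: float) -> Decision:
    """Choose a response using the worst-case estimate (conservative under uncertainty).

    Accept when the worst case is already within tolerance. Otherwise take the
    cost-efficient option with the largest net benefit that brings the residual
    within tolerance. If none does, report the option with the lowest residual
    and flag the risk for escalation to the risk committee (8.2.3)."""
    worst = risk.expected_loss()[1]
    if worst <= tolerance:
        return Decision(risk, "accept", None, worst, True)

    candidates = []
    for opt in options:
        residual = opt.residual_loss(risk)
        net = (worst - residual) - opt.annual_cost   # loss removed minus cost; > 0 is cost-efficient
        candidates.append((net, residual, opt))
    if not candidates:
        return Decision(risk, "escalate", None, worst, False)

    sufficient = [c for c in candidates if c[0] > 0 and c[1] <= tolerance]
    if sufficient:
        _, residual, opt = max(sufficient, key=lambda c: c[0])
        return Decision(risk, opt.kind, opt, residual, True)
    _, residual, opt = min(candidates, key=lambda c: c[1])
    return Decision(risk, "escalate", opt, residual, False)


# Constructed register; every figure below is an illustrative assumption.
TOLERANCE = 25_000.0   # assumed maximum acceptable expected annual loss per risk

DISCLOSURE = Risk("customer database", "unauthorised disclosure",
                  impact_low=200_000, impact_high=800_000, freq_low=0.05, freq_high=0.2)
DISCLOSURE_OPTIONS = [
    Response("encrypt at rest and log access", "control", 30_000, freq_factor=0.5, impact_factor=0.25),
    Response("cyber-insurance policy", "share", 40_000, freq_factor=1.0, impact_factor=0.2),
    Response("replace database vendor", "eliminate", 250_000, freq_factor=0.0, impact_factor=1.0),
]
WIKI = Risk("intranet wiki", "page defacement",
            impact_low=1_000, impact_high=5_000, freq_low=0.1, freq_high=0.5)
GATEWAY = Risk("payment gateway", "extended outage",
               impact_low=50_000, impact_high=300_000, freq_low=0.5, freq_high=2.0)
GATEWAY_OPTIONS = [
    Response("redundant gateway at second site", "control", 80_000, freq_factor=0.2, impact_factor=1.0),
]


def run_register() -> List[Decision]:
    """Evaluate the constructed register with the assumed tolerance."""
    return [decide(DISCLOSURE, DISCLOSURE_OPTIONS, TOLERANCE),
            decide(WIKI, [], TOLERANCE),
            decide(GATEWAY, GATEWAY_OPTIONS, TOLERANCE)]
```

On this register the database disclosure risk is controlled (the encryption option removes more expected loss than it costs and lands within tolerance, while insurance alone does not), the wiki risk is accepted as a cost of doing business, and the gateway outage is sent for escalation because the only available option, although clearly cost-efficient, still leaves a residual above the tolerance the organization set.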
8.4 Control Characteristics to Consider
Some of the issues to be addressed during the IT control evaluation process include:
• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?
8.5 Baseline IT Controls
IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.
IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.
It is not easy to define the baseline IT controls because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:
• Do IT policies — including for IT controls — exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?
Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper "Information Security Management and Assurance: A Call to Action for Corporate Governance," http://www.theiia.org/eSAC/pdf/BLG0331.pdf.
GTAG — Analyzing Risk — 8
Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)
Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to and be used by the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats.

Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).
The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 - COSO Model for Technology Controls
9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows:

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.
Suitable Recognized Framework

"…the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003
10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.
• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability, plus the ability to examine all relevant records and files.
• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.

10.2.1 Automated Continuous Monitoring
Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes to ensure appropriate controls were incorporated into new systems, rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor, as well as the business world's recognition of the importance of effective information security management.
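As an added example (not part of the GTAG text, and not the code of any product it names), the following Python script shows the two techniques described in sections 10.2 and 10.2.1 in working form: an embedded-audit style monitor that checks transaction records against predetermined criteria and reports the anomalies it detects, and a population of test data pushed through an input-validation control to confirm that it still accepts valid items and rejects invalid ones. The record layout, account list, threshold, user IDs and sample transactions are all constructed for illustration.

```python
"""Embedded-audit style monitoring and test-data validation.

Added example, not part of the GTAG. All field names, thresholds,
user IDs and transactions below are constructed for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Iterable


@dataclass(frozen=True)
class Txn:
    """One posted business transaction (constructed record layout)."""
    txn_id: str
    posted: date
    account: str
    amount: float
    approver: str     # user who approved the entry
    entered_by: str   # user who keyed the entry


# Predetermined criteria. In practice these come from policy and are
# tuned over time; the values here are constructed.
LARGE_VALUE_THRESHOLD = 10_000.00
VALID_ACCOUNTS = {"1000", "2000", "4000"}


def validate(txn: Txn) -> list[str]:
    """Preventive input control: return the reasons a record is rejected.

    An empty list means the record is accepted.
    """
    reasons = []
    if txn.amount <= 0:
        reasons.append("non-positive amount")
    if txn.account not in VALID_ACCOUNTS:
        reasons.append("unknown account")
    if not txn.approver:
        reasons.append("missing approver")
    return reasons


def monitor(txns: Iterable[Txn]) -> list[tuple[str, str]]:
    """Detective monitoring control: flag (txn_id, reason) pairs for review.

    Runs over records the business system has already accepted, the way
    embedded audit code does, so it catches conditions a field-level check
    cannot see (duplicates across records, who approved whose entry).
    """
    alerts = []
    seen = set()
    for t in txns:
        if t.txn_id in seen:
            alerts.append((t.txn_id, "duplicate transaction ID"))
        seen.add(t.txn_id)
        if t.amount >= LARGE_VALUE_THRESHOLD:
            alerts.append((t.txn_id, "large-value transaction"))
        if t.approver == t.entered_by:
            alerts.append((t.txn_id, "self-approval (segregation of duties)"))
        if t.posted.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            alerts.append((t.txn_id, "posted on a weekend"))
    return alerts


def summarize(alerts: list[tuple[str, str]]) -> dict[str, int]:
    """Count alerts by reason; the figure to look at when tuning thresholds."""
    return dict(Counter(reason for _, reason in alerts))


# Constructed production-like data for the monitor. 1 March 2005 was a
# Tuesday and 5 March 2005 a Saturday.
SAMPLE_TXNS = [
    Txn("T001", date(2005, 3, 1), "1000", 250.00, "jsmith", "aperez"),
    Txn("T002", date(2005, 3, 1), "2000", 12_500.00, "jsmith", "aperez"),  # large value
    Txn("T003", date(2005, 3, 5), "4000", 75.00, "bkim", "bkim"),          # weekend, self-approved
    Txn("T003", date(2005, 3, 2), "1000", 75.00, "jsmith", "aperez"),      # duplicate ID
]

# Constructed audit test population: one known-good item and three items
# the validation control must reject, each for a different reason.
TEST_POPULATION = [
    Txn("V001", date(2005, 3, 1), "1000", 100.00, "jsmith", "aperez"),
    Txn("I001", date(2005, 3, 1), "1000", -5.00, "jsmith", "aperez"),
    Txn("I002", date(2005, 3, 1), "9999", 100.00, "jsmith", "aperez"),
    Txn("I003", date(2005, 3, 1), "2000", 100.00, "", "aperez"),
]


def run_test_population(population: Iterable[Txn] = TEST_POPULATION) -> dict:
    """Push test data through the control and record what it accepted and rejected."""
    accepted, rejected = [], {}
    for t in population:
        reasons = validate(t)
        if reasons:
            rejected[t.txn_id] = reasons
        else:
            accepted.append(t.txn_id)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    for txn_id, reason in monitor(SAMPLE_TXNS):
        print(f"ALERT {txn_id}: {reason}")
    print("by reason:", summarize(monitor(SAMPLE_TXNS)))
    print("test population:", run_test_population())
```

The per-reason count from summarize() is the figure an auditor watches when refining thresholds, as the paragraph above describes: a reason that fires on a large share of ordinary transactions is a candidate for a higher threshold or a narrower criterion, while one that never fires may be checking for a condition the business system already prevents.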
10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting. Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can impact controls at the governance level materially.

Audit Report Summaries. Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation, but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.
Figure 6 – Audit Interfaces
Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.
GTAG — Conclusion — 11
Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.

12.2 Management

• Establish information security management policies and controls and monitor compliance.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program, with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management
GTAG — Appendix A — Information Security Program Elements — 12
There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404
Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13
They must disclosebull ldquoAll significant deficiencies in the design or opera-
tion of internal controls that could adversely affectthe issuerrsquos ability to record process summarize andreport financial data and identify for the issuerrsquos audi-tors any material weaknesses in internal controlsrdquo
bull ldquoAny fraud whether or not material that involvesmanagement or other employees who have a signifi-cant role in the issuerrsquos internal controlsrdquo
Section 404 requires the CEO and CFO to produce an annual audit report that
bull Assesses the effectiveness of the internal controlstructure over financial reporting
bull Discloses all known internal control weaknessesbull Discloses all known frauds
This report will cover all applicable IT controls includingprogram logic and related change controls access controlsand data protection The PCAOB Auditing Standard No 2suggests the COSO Internal Control ndash Integrated Frameworkas a basis for Section 404 compliance managementReferences to Statement of Auditing Standards (SAS) 95also emphasize the importance of IT and information securi-ty controls to Sarbanes-Oxley
13115 Section 409
Section 409 requires organizations to disclose any materialchanges to operations in real time and in plain EnglishSome contend these requirements establish a foundation orneed for continuous monitoring auditing and assuranceprocesses to become part of significant internal controlprocesses
132 Basel II AccordThe Basel II Accord is a global regulatory treaty that definesthe global standards for enterprisewide risk managementpractices in the financial sector with the intent to mitigaterisks of losses in the industry The focus is on the bankingsector but there is a clear intent to harmonize standardsacross all segments of the industry All areas of bank opera-tions are included mdash people processes systems governanceand supplier management
A bank wishing to qualify for the Advanced Measurement Approach (AMA) under the Basel II operational risk (OR) provisions must implement best practice in operations and risk management. For risk management this means:
• Senior management is actively involved.
• The bank has an OR management system, with processes, policies, and procedures applied enterprisewide.
• The bank has the right governance and sufficient resources to manage operational risks.
• The bank has an OR management function that is responsible for:
– Designing and implementing the OR management framework.
– Codifying policies, procedures, and controls.
– Designing and implementing an OR measurement methodology.
– Designing and implementing an OR management reporting system.
– Developing strategies to identify, measure, monitor, and control or mitigate OR.
• An OR measurement system is closely integrated into the day-to-day risk management process.
• OR exposures and loss experiences are regularly reported.
• The OR management system is documented.
• Internal and external auditors regularly review the OR management processes and measurement system.
Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, includes an OR loss database and reporting function, and provides an action-plan management function.
GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13
The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain lower capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.
First, a bank's organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.
Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider such as the Zurich-based ORX, the Global Operational Loss Database (GOLD), or MORE Exchange.
The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:
• Internal loss and performance data (successes, near misses, and failures) must all be tracked and accounted for (reconciled to the books of the bank).
• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when first moving to AMA.
• According to the internal loss collection process:
– OR losses related to credit risk, and historically included in banks' credit risk databases, continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
– OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.
Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:
• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).
Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).
13.3 Data Protection
The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1973 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C(80)58 final). Regional bodies like the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws, or a broad spectrum of sector regulations, for data protection. To bridge the differences between US and European Union (EU) privacy regulations, the EC and the US Department of Commerce developed a safe harbor framework for US companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)
The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).
13.4 The US Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999
The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the US Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).
13.5 US Health Insurance Portability and Accountability Act (HIPAA), 1996
HIPAA contains requirements for the privacy of personal information and for information security. The law applies to US-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.
13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)
California's Senate Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise, public or private, doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.
13.7 Global National Regulations
Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.
GTAG — Appendix C — Three Categories of IT Knowledge for Internal Auditors — 14
14.1 Auditor Knowledge Considerations
Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.4 Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work are essential for auditor effectiveness at all levels.
The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.
14.1.1 Category 1 – All Auditors
Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.
14.1.2 Category 2 – Audit Supervisors
Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:
• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence, including IT proficiency, for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.
14.1.3 Category 3 – Technical IT Audit Specialists
Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.
IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.
The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.
Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.
4 Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.
GTAG — Appendix D — Compliance Frameworks — 15
15.1 COSO
Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (see Appendix E, page 36), a widely accepted tool for both management and auditors, in 1992, and it published Enterprise Risk Management – Integrated Framework in September 2004. Details of both frameworks can be found at http://www.coso.org.
15.2 CICA CoCo
The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.
In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.
15.3 CICA IT Control Guidelines
The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.
15.4 ITGI Control Objectives for Information and Related Technology (CobiT)
Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information and Related Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.
15.5 ISO 17799 (Code of Practice for Information Security Management)
ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communications and operations management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.
The original BS 7799 standard has two parts:
• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).
To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.
15.5.1 What Is Information Security?
BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.
Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.
Information security is characterized within BS 7799 as the preservation of:
• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.
Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.
15.5.2 How to Establish Security Requirements
BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:
• Assessing risks to the organization (BS 7799 does not prescribe a methodology).
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.
15.5.3 Assessing Security Risks
BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.
15.5.4 Selecting Controls
Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799 see http://www.bs7799-iso17799.com.
15.5.5 Topics Addressed in BS 7799
1 Scope
2 Terms and definitions
3 Security policy
  3.1 Information security policy document
  3.2 Review and evaluation
4 Security organization
  4.1 Information security infrastructure
  4.2 Security of third-party access
  4.3 Outsourcing
5 Asset classification and control
  5.1 Accountability for assets
  5.2 Information classification
6 Personnel security
  6.1 Security in job definition and resourcing
  6.2 User training
  6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
  7.1 Secure areas
  7.2 Equipment security
  7.3 General controls
8 Communications and operations management
  8.1 Operational procedures and responsibilities
  8.2 System planning and acceptance
  8.3 Protection against malicious software
  8.4 Housekeeping
  8.5 Network management
  8.6 Media handling and security
  8.7 Exchanges of information and software
9 Access control
  9.1 Business requirement for access control
  9.2 User access management
  9.3 User responsibilities
  9.4 Network access control
  9.5 Operating system access control
  9.6 Application access control
  9.7 Monitoring system access and use
  9.8 Mobile computing and teleworking
10 Systems development and maintenance
  10.1 Security requirements of systems
  10.2 Security in application systems
  10.3 Cryptographic controls
  10.4 Security of system files
  10.5 Security in development and support processes
11 Business continuity management
  11.1 Business continuity management process
12 Compliance
  12.1 Compliance with legal requirements
  12.2 Reviews of security policy and technical compliance
  12.3 System audit considerations
15.6 ISF Standard of Good Practice for Information Security
The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details see http://www.isfsecuritystandard.com.
15.7 Generally Accepted Information Security Principles (GAISP)
The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:
• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).
• Detailed Principles – guidance for operational information security management (under development).
GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.
15.7.1 Pervasive Principles
The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.
• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.
• Awareness Principle – All parties with a need to know, including but not limited to information owners and information security practitioners, should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.
• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.
• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.
• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.
• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.
• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of, and threats to, the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.
Figure 7 – Security Management
• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks, with due consideration of cost effectiveness.
• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.
15.8 AICPA/CICA Trust Services Principles and Criteria
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:
• Policies – The organization has defined and documented its policies5 relevant to the particular principle.
• Communications – The organization has communicated its defined policies to authorized users.
• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.
Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.
15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)
In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.
15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility of the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not in itself set a minimum acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.
Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) or system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

5. The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

6. Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.
15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception, and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction, and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and price, by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
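As an added example (not part of the GTAG text or of the AICPA/CICA criteria), the following reconciliation check tests each of the four processing-integrity properties above against a constructed batch of submitted and processed records: completeness (nothing missing, nothing processed twice, nothing processed that was never submitted), accuracy (amount unchanged), timeliness (processed within the committed window) and authorization (approval recorded where policy requires it). The record fields, the approval threshold, the 24-hour commitment and the sample transactions are all assumptions made for the example.

```python
# Added example, not part of the GTAG text or the AICPA/CICA criteria.
# A reconciliation check over constructed records, reporting one finding
# list per processing-integrity property. The record fields, the approval
# threshold and the 24-hour timeliness commitment are assumptions.
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Submitted:
    """A transaction as submitted at the system boundary (assumed fields)."""
    txn_id: str
    amount: Decimal
    submitted_at: int            # seconds since epoch
    approved_by: Optional[str]   # None if no approval was recorded


@dataclass(frozen=True)
class Processed:
    """A transaction as recorded by the processing system (assumed fields)."""
    txn_id: str
    amount: Decimal
    processed_at: int


APPROVAL_THRESHOLD = Decimal("10000")   # assumed policy: amounts at or above this need approval
TIMELINESS_SLA_SECONDS = 24 * 60 * 60   # assumed commitment: processed within 24 hours


@dataclass
class Findings:
    missing: List[str] = field(default_factory=list)       # completeness: submitted, never processed
    duplicated: List[str] = field(default_factory=list)    # completeness: processed more than once
    unexpected: List[str] = field(default_factory=list)    # completeness: processed, never submitted
    mismatched: List[str] = field(default_factory=list)    # accuracy: amount changed during processing
    late: List[str] = field(default_factory=list)          # timeliness: outside the commitment
    unauthorized: List[str] = field(default_factory=list)  # authorization: approval required, none recorded

    def clean(self) -> bool:
        return not any((self.missing, self.duplicated, self.unexpected,
                        self.mismatched, self.late, self.unauthorized))


def reconcile(submitted: List[Submitted], processed: List[Processed]) -> Findings:
    """Compare the submitted population with the processed population."""
    f = Findings()
    by_id: Dict[str, List[Processed]] = {}
    for p in processed:
        by_id.setdefault(p.txn_id, []).append(p)
    submitted_ids = {s.txn_id for s in submitted}

    for s in submitted:
        rows = by_id.get(s.txn_id, [])
        if not rows:
            f.missing.append(s.txn_id)
            continue
        if len(rows) > 1:
            f.duplicated.append(s.txn_id)
        first = min(rows, key=lambda p: p.processed_at)
        if first.amount != s.amount:
            f.mismatched.append(s.txn_id)
        if first.processed_at - s.submitted_at > TIMELINESS_SLA_SECONDS:
            f.late.append(s.txn_id)
        if s.amount >= APPROVAL_THRESHOLD and not s.approved_by:
            f.unauthorized.append(s.txn_id)

    # Anything processed that never entered through the submission path
    # bypassed the boundary controls entirely.
    f.unexpected.extend(t for t in by_id if t not in submitted_ids)
    return f


# Constructed sample batch (not real data). Each record exercises one property.
SUBMITTED = [
    Submitted("T1", Decimal("100.00"), 0, None),        # clean
    Submitted("T2", Decimal("250.00"), 0, None),        # will be processed twice
    Submitted("T3", Decimal("75.00"), 0, None),         # never processed
    Submitted("T4", Decimal("500.00"), 0, None),        # amount altered in processing
    Submitted("T5", Decimal("12000.00"), 0, None),      # needs approval, none; also late
    Submitted("T6", Decimal("15000.00"), 0, "j.doe"),   # approved, on time: clean
]
PROCESSED = [
    Processed("T1", Decimal("100.00"), 3600),
    Processed("T2", Decimal("250.00"), 3600),
    Processed("T2", Decimal("250.00"), 7200),
    Processed("T4", Decimal("50.00"), 3600),
    Processed("T5", Decimal("12000.00"), 90000),
    Processed("T6", Decimal("15000.00"), 3600),
    Processed("T9", Decimal("1.00"), 3600),             # no matching submission
]

if __name__ == "__main__":
    result = reconcile(SUBMITTED, PROCESSED)
    for name, ids in vars(result).items():
        print(f"{name:12s} {ids}")
```

The check deliberately keeps the submitted population and the processed population as two independent inputs: an auditor who reconciles only from the processed side can never see the missing transactions, and one who reconciles only from the submitted side never sees the unexpected ones.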
15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components [6] and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:
• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
• Collection – The organization collects personal information only for the purposes identified in the notice.
• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.
• Access – The organization provides individuals with access to their personal information for review and update.
• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security – The organization protects personal information against unauthorized access, both physical and logical.
• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.
15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed

The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.
Information that may be subject to confidentiality includes:

• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry
Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.
15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life-cycle management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.
15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.
15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society
GTAG — Appendix E — Assessing IT Controls Using COSO — 16

The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.
16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.
Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved
• Published financial statements are being prepared reliably
• There is compliance with applicable laws and regulations

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.
16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are internally consistent. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.
16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.
GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17

Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners, so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.
CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise
• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective
• Control objectives: statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives
• Audit guidelines: suggested audit steps corresponding to each of the IT control objectives
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control, critical success factors to identify the most important actions for achieving control over the IT processes, key goal indicators to define target levels of performance, and key performance indicators to measure whether an IT control process is meeting its objective

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.
Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of CobiT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.
GTAG — Appendix G — Example IT Control Metrics to Be Considered by Audit Committees — 18

The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report [7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements regarded as essential content for comprehensive enterprise management of information security was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

7. http://reform.house.gov/TIPRC

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.

18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.

• Oversee risk management and compliance programs pertaining to information security
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
  – Percentage of information security program principles for which approved policies and controls have been implemented by management
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified
• Strive to protect the interests of all stakeholders who depend on information security
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods
• Review information security policies regarding strategic partners and other third parties
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements
• Strive to ensure business continuity
  – Percentage of organizational units with an established business-continuity plan
• Review provisions for internal and external audits of the information security program
  – Percentage of required internal and external audits completed and reviewed by the board
  – Percentage of audit findings that have not been resolved
• Collaborate with management to specify the information security metrics to be reported to the board

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.
• Establish information security management policies and controls and monitor compliance.
  – Percentage of information security program elements for which approved policies and controls are operational.
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls.
  – Percentage of information security policy compliance reviews that noted violations.
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges.
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access.
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy.
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff/system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance.
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle.
  – Number of individuals with access to security software who are not trained and authorized security administrators.
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators.
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy.
  – Percentage of critical assets and functions for which the cost of compromise (loss, damage, disclosure, or disruption of access) has been quantified.
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy.
• Ensure implementation of information security requirements for strategic partners and other third parties.
  – Percentage of known information security risks that are related to third-party relationships.
  – Percentage of critical information assets or functions to which third-party personnel have been given access.
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy.
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically.
  – Percentage of security incidents that involve third-party personnel.
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures.
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements.
  – Percentage of out-of-compliance review findings that have been corrected since the last review.
• Identify and classify information assets.
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy.
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy.
  – Date when the asset inventory was last updated.
• Implement and test business-continuity plans.
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned.
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately.
  – Percentage of system architecture changes (additions, modifications, or deletions) that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms.
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture.
• Protect the physical environment.
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media.
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented.
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding.
  – Percentage of servers in locations with controlled physical access.
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule.
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule.
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness.
• Collaborate with security personnel to specify the information security metrics to be reported to management.
GTAG – Appendix H – CAE Checklist – 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards
2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance
3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal audit
      ii. External audit
4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls
5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing
6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?
11. How are the risk appetite and tolerance of the organization determined?
12. Are the risk appetite and tolerance of the organization authorized at board level?
13. Are the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?
GTAG – Appendix I – References – 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the U.S. House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management, and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), U.S. Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report – Internal Control – Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2: Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html

ISO 15408: Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG: Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12: The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30: Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), U.S. Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC
GTAG – Appendix J – Glossary – 21

A listing of technical terms used in the guide, with a simple, plain-English definition.

Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive.

CEO – Chief executive officer.

CFO – Chief financial officer (and controller).

CIO – Chief information officer.

CISO – Chief information security officer.

CLC – Chief legal counsel.

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org.

CRM – Customer resource management.

CSO – Chief security officer.

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization, as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – U.S. Gramm-Leach-Bliley Act.

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide.

HIPAA – U.S. Health Information Portability and Accountability Act.

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org.

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org.

Public Company Accounting Oversight Board (PCAOB) – A board of the U.S. Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can adversely affect the confidentiality, integrity, or availability of an organization's information assets.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
GTAG – Appendix K – About the Global Technology Audit Guides – 22

This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts, and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

GTAG – Appendix L – GTAG Partners and Global Project Team – 23

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI, Carnegie-Mellon University/Software Engineering Institute
Michael R. Dickson, Business Technology Group LLC
Clint Kreitner, President/CEO, CIS, The Center for Internet Security
Alex Lajoux, NACD, National Association of Corporate Directors
Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA
Mark Salamasick, CIA, University of Texas at Dallas
Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants
CIS – Clint Kreitner, Center for Internet Security
CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute
ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association
NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors
SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS, Internet Security Systems
Jack Antonelli, ADP
Ken D. Askelson, CIA, JC Penney Co. Inc.
Becky Bace, Infidel Inc.
Kevin Behr, IPSI, Institute for Integrated Publication and Information Systems
Jeff Benson, BearingPoint
Robert S. Block, Chairman, 3D Business Tools, USA
Sylvia Boyd, The IIA
Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA
Larry Brown, Options Clearing Corp.
Stephanie Bryant, University of South Florida
Phil Campbell, Specialized IT LLC, USA
John Carlson, BITS, Banking Industry Technology Secretariat
Chris Compton, Intrusion Labs
Guy Copeland, CSC, Computer Sciences Corp.
Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA
Bob Daniels, EDS
Bob Dix, U.S. House of Representatives
Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA
Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA
Greg Garcia, ITAA, Information Technology Association of America
Russ Gates, Dupage Consulting LLC
Lou Giles, Chevron Phillips Chemical Co.
Doug Guerrero, EDS
Kai Tamara Hare, Nuserve
Michael S. Hines, CIA, Purdue University
Bob Hirth, Protiviti
Don Holden, CISSP, Concordant Inc., USA
Dave Kern, Ethentica
Gene Kim, CTO, Tripwire Inc., USA
Jim Kolouch, BearingPoint
David Kowal, VP, JP Morgan Chase
Paul Kurtz, CSIA, Cyber Security Industry Alliance
Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA
Andrée Lavigne, CICA, Canadian Institute of Chartered Accountants
Debbie Lew, Guidance Software
Brenda Lovell, CIA, CCSA, CGAP, The IIA
Warren Malmquist, Adolph Coors Co.
Stacy Mantzaris, CIA, IIA
Dennis Miller, Heritage Bank
Patrick Morrissey, Auditwire
Bruce Moulton, Symantec
Paul Moxey, ACCA, Association of Chartered Certified Accountants
Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA
Fred Palmer, Palmer Associates
Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.
Bernie Plagman, TechPar Group
Heriot Prentice, MIIA, FIIA, QiCA, The IIA
Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA
Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA
Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA
Amy Ray, Bentley College
Martin Ross, GSC, Global Security Consortium
Chip Schilb, EDS, USA
Howard Schmidt, eBay
Mark Silver, Symantec
George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA
Adam Stone, Assurant
Jay H. Stott, CIA, Fidelity Investments
Dan Swanson, CIA, IIA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation
Bill Tener, University & Community College System of Nevada
Archie Thomas
Fred Tompkins, BearingPoint
Don Warren, Rutgers University
Dominique Vincenti, CIA, The IIA
Mark Winn, Intrusec
Amit Yoran

23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway
Alexandre Alves Apparecido, Brazil
Dror Aviv, Israel
David F. Bentley, England, UK and Ireland
Gerardo Carstens, CIA, IIA Argentina
Richard Cascarino, South Africa
Iftikhar Chaudry, Pakistan
Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt
Dr. Ulrich Hahn, CIA, Switzerland
Rossana S. Javier, Makati City, Philippines
Andras Kovacks, Hungary
Christopher McRostie, Australia
Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani, RSM, Pakistan
Kyoko Shimizu, CIA, Japan
John Silltow, Security Control and Audit Ltd., United Kingdom
Ken Siong, International Federation of Accountants
Anton van Wyk, PwC, South Africa
Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate
Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada
P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates
Ariel Peled, President, ISSA Israeli Chapter
P. Shreekanth, India
Karen Woo, Selangor, Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa
Alexandre Alves Apparecido, Brasil Telecom, Brazil
Ken D. Askelson, CIA, JC Penney Co. Inc., USA
Dror Aviv, CFSA, IIA Israel
Donald L. Bailey, Grant Thornton LLP, USA
E.W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)
Norman F. Barber, Microsoft Corp., USA
David F. Bentley, QiCA, Consultant, England
Claude Cargou, GIE AXA, France
Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA
Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan
Douglas Guerrero, EDS Corp., USA
Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland
David J. Hill, IBM Corp., USA
Michael S. Hines, CIA, Purdue University, USA
Mark J. Hornung, Ernst & Young LLP, USA
Gene Kim, CTO, Tripwire Inc., USA
David S. Lione, KPMG LLP Southeast Region, USA
Peter B. Millar, ACL Services Ltd., Canada
Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA
Brenda J. S. Putman, CIA, City Utilities of Springfield, USA
Kyoko Shimizu, CIA, Shin Nihon & Co., Japan
Brian M. Spindel, CIA, SecurePipe Inc., USA
Rajendra P. Srivastava, University of Kansas, USA
Jay Stott, CIA, Fidelity Investments, USA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA
Thomas Jason Wood, CIA, Ernst & Young LLP, USA
Akitomo Yamamoto, IIA Japan

23.7 The Writing Team

David A. Richards, CIA, President, The IIA
Alan S. Oliphant, MIIA, QiCA, MAIR International
Charles H. Le Grand, CIA, CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland
Trish Harris
Tim McCollum
Information Technology Controls This guide focuses on how IT roles and responsibilities are dispersed throughout the organization how accurate assessment of IT controls is achieved and how an organization can promote IT reliability and efficiency What is GTAGPrepared by The Institute of Internal Auditors each Global Technology AuditGuide (GTAG) is written in straightforward business language to address atimely issue related to information technology management control orsecurity GTAG is a ready resource series for chief audit executives to use inthe education of members of the board and audit committee managementprocess owners and others regarding technology-associated risks andrecommended practices Business
Contin
u
ity Manag
ement
Th
is G
TAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization
could potentially encounter if a natural or
man-made disruptive event t
hat affects the exte
nded ope
ra
bility of the organization were to occur The guide includes disaster rec
o
very
planning for continuity of critical information technology infrastructure and business application systems
Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.
Order Number 100645. IIA Member US $25; Nonmember US $30; IIA Event US $22.50
www.theiia.org
ISBN 0-89413-570-8
ISBN 978-0-89413-623-8
Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.
Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.
Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls because they represent another opportunity for errors, omissions, or falsification.
Many other control classifications described in this guide may be useful in assessing the effectiveness of controls. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.
5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels — governance and management — are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.
5.2.1 Governance Controls
The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.
Governance controls are those mandated by and controlled by either the entire board of directors or a board committee, in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.
An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.
5.2.2 Management Controls
Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:
• Recognize risks to the organization, its processes, and assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).
5.2.3 Technical Controls
Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information — including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

GTAG — Understanding IT Controls — 5 (page 4)

Figure 3 - Some Control Classifications
5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.
The hierarchy in Figure 4, IT Controls (this page), represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.
5.3.1 Policies
All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.
IT policy statements include, but are not restricted to:
• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.
5.3.2 Standards
Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.
Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45).

As a guideline, the CAE should expect to see standards adopted for:
• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.
As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.
5.3.3 Organization and Management
Organization and management play a major role in the whole system of IT control, as they do with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.
5.3.3.1 Separation of Duties
Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.
Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems — except for change deployment — and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum. Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.
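The separation-of-duties rules above can be checked mechanically against an access matrix. The following Python script is an added illustration, not part of the GTAG or any IIA tool: it takes a constructed set of users and the duties granted to them, flags users holding a pair of duties the guide says should be separated (initiate/authorize, input/authorize, process/check, develop/operate production), refuses a new grant that would create such a pair (a preventive control), and reports whether more people hold a privileged account than a constructed policy limit allows (a detective review). The duty names, the conflict pairs, the limit of two, and the sample assignments are all assumptions made for the example.

```python
"""Separation-of-duties (SoD) checks over a constructed access matrix.

Added example (not from the GTAG). Duty names, conflict pairs, the
privileged-account limit and the sample assignments are assumptions.
"""
from collections import defaultdict
from itertools import combinations

# Pairs of duties one person must not hold together. Drawn from the duties
# the guide names; the exact pairing is this example's assumption.
CONFLICTING_DUTIES = {
    frozenset({"initiate", "authorize"}),
    frozenset({"input", "authorize"}),
    frozenset({"process", "check"}),
    frozenset({"develop", "operate_production"}),
}

# Constructed policy value: how many people may hold a privileged account.
MAX_PRIVILEGED_ACCOUNTS = 2

# Constructed sample: user -> duties granted via group or role membership.
SAMPLE_ASSIGNMENTS = {
    "alice": {"initiate", "input"},
    "bob": {"authorize", "check"},
    "carol": {"initiate", "authorize"},           # conflicting pair
    "dave": {"develop", "operate_production"},    # conflicting pair
    "erin": {"process", "privileged"},
    "frank": {"privileged"},
    "grace": {"privileged", "check"},
}


def find_sod_conflicts(assignments):
    """Detective review: return {user: [(duty_a, duty_b), ...]} for every
    user whose granted duties contain a pair from CONFLICTING_DUTIES."""
    conflicts = defaultdict(list)
    for user, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTING_DUTIES:
                conflicts[user].append((a, b))
    return dict(conflicts)


def grant_duty(assignments, user, duty):
    """Preventive control: refuse a grant that would create a conflict.
    Returns True if granted, False if refused (assignments unchanged)."""
    current = assignments.get(user, set())
    if any(frozenset({duty, held}) in CONFLICTING_DUTIES for held in current):
        return False
    assignments.setdefault(user, set()).add(duty)
    return True


def privileged_users(assignments):
    """Everyone holding a privileged (Administrator/root-class) account."""
    return sorted(u for u, d in assignments.items() if "privileged" in d)


def privileged_limit_exceeded(assignments, limit=MAX_PRIVILEGED_ACCOUNTS):
    """True when more people hold privileged accounts than policy allows."""
    return len(privileged_users(assignments)) > limit


def sod_report(assignments):
    """The findings an auditor would raise from one review of the matrix."""
    return {
        "conflicts": find_sod_conflicts(assignments),
        "privileged": privileged_users(assignments),
        "privileged_limit_exceeded": privileged_limit_exceeded(assignments),
    }


if __name__ == "__main__":
    report = sod_report(SAMPLE_ASSIGNMENTS)
    for user, pairs in report["conflicts"].items():
        print(f"{user}: holds conflicting duties {pairs}")
    print("privileged accounts:", report["privileged"],
          "(exceeds limit)" if report["privileged_limit_exceeded"] else "")
```

In practice the assignments dictionary would be built from exported group memberships (for example, the members of the Windows Administrators group or the accounts with UID 0 on a UNIX host), and `grant_duty` shows where the same conflict table can sit in front of the provisioning step rather than only in a periodic review.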
5.3.3.2 Financial Controls
Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.
5.3.3.3 Change Management
Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.
5.3.3.4 Other Management Controls
Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.
5.3.4 Physical and Environmental Controls
IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.
Some typical physical and environmental controls include:
• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.
When considering physical and environmental security, it is also appropriate to consider contingency planning — also known as disaster recovery planning — which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.
5.3.5 Systems Software Controls
Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.
Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.
IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland; Certified Information Systems Auditor (CISA), available through the Information Systems Audit and Control Association (ISACA); and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.
Some key technical controls the CAE should expect to find in a well-managed IT environment include:
• Access rights allocated and controlled according to the organization's stated policy.
• Division of duties enforced through systems software and other configuration controls.
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.
• Intrusion testing performed on a regular basis.
• Encryption services applied where confidentiality is a stated requirement.
• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.
5.3.6 Systems Development and Acquisition Controls
Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and the data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.
Some basic control issues should be evident in all systems development and acquisition work:
• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.
Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.
5.3.7 Application-based Controls
The objective of internal controls over application systems is to ensure that:
• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:
• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
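To make the five generic application controls concrete, here is an added Python example (it is not from the GTAG and describes no real application) that runs a constructed batch of payment records through input, processing, output, and integrity controls while writing a management trail that can be traced backward from any result. The field names, the amount limit, the allowed currencies, the single authorizer, and the batch contents are all assumed for illustration.

```python
"""Application controls over a constructed batch of payment records.

Added example (not from the GTAG). Field names, limits, the authorizer
list and the batch itself are constructed for illustration only.
"""
import hashlib
import json
from datetime import datetime, timezone

# Input-control parameters (constructed policy values, not the guide's).
MAX_AMOUNT = 10_000.00
VALID_CURRENCIES = {"USD", "EUR", "GBP"}
AUTHORIZERS = {"bob"}  # users allowed to authorize a payment

# Constructed sample batch plus the control header the sender supplies.
BATCH_HEADER = {"record_count": 4, "hash_total": 25_250.00}
BATCH = [
    {"id": "P1", "amount": 1250.00, "currency": "USD", "authorized_by": "bob"},
    {"id": "P2", "amount": 4000.00, "currency": "EUR", "authorized_by": "bob"},
    {"id": "P3", "amount": 12000.00, "currency": "USD", "authorized_by": "bob"},
    {"id": "P4", "amount": 8000.00, "currency": "XXX", "authorized_by": "carol"},
]

AUDIT_TRAIL = []  # management trail: one entry per control event, in order


def log_event(stage, record_id, detail):
    """Append one entry to the management trail so that any result can be
    traced back to the input record and the check that produced it."""
    AUDIT_TRAIL.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "stage": stage,
        "record": record_id,
        "detail": detail,
    })


def input_control(rec):
    """Input control: reject records outside the specified parameters.
    Returns the list of reasons; an empty list means the record passed."""
    errors = []
    if not 0 < rec["amount"] <= MAX_AMOUNT:
        errors.append("amount outside limit")
    if rec["currency"] not in VALID_CURRENCIES:
        errors.append("unknown currency")
    if rec["authorized_by"] not in AUTHORIZERS:
        errors.append("not authorized")
    log_event("input", rec["id"], errors or ["accepted"])
    return errors


def processing_control(batch, header):
    """Processing control: reconcile the record count and hash total of
    the received batch with the sender's control header."""
    count_ok = len(batch) == header["record_count"]
    total_ok = round(sum(r["amount"] for r in batch), 2) == header["hash_total"]
    log_event("processing", "batch", {"count_ok": count_ok, "total_ok": total_ok})
    return count_ok and total_ok


def integrity_seal(records):
    """Integrity control: a SHA-256 digest over a canonical encoding of the
    stored records; recomputing it later reveals any edited field."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def output_control(accepted, rejected_ids, batch):
    """Output control: every input record must appear exactly once in the
    output, as either accepted or rejected."""
    produced = sorted([r["id"] for r in accepted] + list(rejected_ids))
    complete = produced == sorted(r["id"] for r in batch)
    log_event("output", "batch", {"complete": complete})
    return complete


def run_batch(batch=BATCH, header=BATCH_HEADER):
    """Run all controls over a batch and return a summary of the results."""
    accepted, rejected = [], {}
    for rec in batch:
        errors = input_control(rec)
        if errors:
            rejected[rec["id"]] = errors
        else:
            accepted.append(rec)
    return {
        "accepted": [r["id"] for r in accepted],
        "rejected": rejected,
        "batch_reconciled": processing_control(batch, header),
        "seal": integrity_seal(accepted),
        "output_complete": output_control(accepted, rejected, batch),
    }


def trace(record_id):
    """Trace backward from a record to the trail entries that concern it."""
    return [e for e in AUDIT_TRAIL if e["record"] == record_id]


if __name__ == "__main__":
    summary = run_batch()
    print(json.dumps({k: v for k, v in summary.items() if k != "seal"}, indent=2))
    for entry in trace("P4"):
        print(entry["stage"], entry["detail"])
```

Note the division of labour: the batch-level reconciliation passes (the sender's count and hash total match what arrived) even though two individual records fail the input checks, which is exactly why both levels of control are needed. The seal over the accepted records is what a later integrity review recomputes to show that nothing in storage was altered after processing.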
5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:
• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.
5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.
Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:
• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.
Risk Appetite
An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002 [2], the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.
Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).
The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).
Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:
• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.
Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.
The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.
GTAG — Importance of IT Controls — 6
2 Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.
GTAG — IT Roles in the Organization — 7

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.
• To protect stakeholder interests.
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.
• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.
• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.
7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.
• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.
• Overseeing the overall assessment of IT controls.
• Reviewing the business and control issues related to new systems development and acquisition.
• Examining internal and external audit plans and work to ensure IT topics are covered adequately.
• Reviewing the results of audit work and monitoring the resolution of issues raised.
• Understanding the IT topics that impact ethics monitoring.

7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.
• Assess board committees' performance in terms of their oversight of IT.
• Review any external regulatory governance assessments in relation to IT topics.
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.

7.1.4 Risk Management Committee
The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.
• Being aware of and concurring with the organization's risk appetite and tolerance.
• Appreciating the impact of IT-related risks.
• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.
• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.

7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.
7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.

7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.
• Act as custodian over the organization's critical success factors in relation to IT.
• Understand and approve the short-term and long-range strategy for IT.
• Approve IT resources for the organization, including structure and oversight/monitoring.
• Determine IT issues for periodic management, board, and staff discussion.
• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.

7.2.2 Chief Financial Officer
The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.
• The entity's IT strategies for remaining technologically competitive.
• The technologies used to implement financial applications.
• The operation of specific financial applications.
• The limitations and benefits of IT.
• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced in the Equity Funding cases in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.
7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.
• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.
• Design, implement, and maintain an IT internal control framework.
• Plan, source, and control IT resources.
• Explore, assess, select, and implement technology advances (e.g., wireless communications).
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
• Operate as the highest-level data/system custodian and IT control owner.
• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.
7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.
• Acts as a key link between the compliance, legal, CIO, and audit functions.
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.
• Is responsible for business continuity planning, including incident handling and disaster recovery.
• Ensures that security staff provide support for implementing controls at all levels.
• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.

7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.
• Ensures alignment of information security and business objectives.
• Manages operational information risks throughout the organization.
• Oversees security within the IT organization.
• Provides education and awareness on information security issues and new best practices.
• Develops end-user policies for the usage of IT information in conjunction with the human resources function.
• Coordinates information security work with the chief risk officer (CRO) and CIO.
• Advises the CEO, CRO, CIO, and board on IT risk issues.
• Acts as a key link for the CAE when internal auditing performs IT control-related audits.
7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.
• Ensuring financial reports and presentations comply with laws and regulations.
• Understanding IT legal issues and advising on legal risks related to IT.
• Managing organizational reputation in relation to legal issues, compliance, and public relations.
• Understanding fraud involving IT.
• Managing IT contractual issues.
• Understanding investigative forensics protocols regarding suspected criminal activity.

7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.
• Assessment of IT events, such as interruptions, disasters, and changes.
• Analysis and assessment of business risk as it is affected by IT risk.
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.

7.3 Audit
7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.
• Ensuring IT is included in the audit universe and annual plan (selecting topics).
• Ensuring IT risks are considered when assigning resources and priorities to audit activities.
• Defining IT resources needed by the internal audit department, including specialized training of audit staff.
• Ensuring that audit planning considers IT issues for each audit.
• Liaising with audit clients to determine what they want or need to know.
• Performing IT risk assessments.
• Determining what constitutes reliable and verifiable evidence.
• Performing IT enterprise-level controls audits.
• Performing IT general controls audits.
• Performing IT applications controls audits.
• Performing specialist technical IT controls audits.
• Making effective and efficient use of IT to assist the audit processes.
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.
• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.
3 These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).
8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO³ as:

"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.
• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.
8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.
• The organization's risk appetite and tolerance for each business function and process.
• IT risks faced by the organization and quality of service provided to its users.
• The complexity of the IT infrastructure.
• The appropriate IT controls and the benefits they provide.
• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly or could be performed in concert with a major implementation project.

8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveal potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.
GTAG — Analyzing Risk — 8
8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT and their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and ultimately with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk and that decisions made at all levels of management are consistent with the organization's risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:

• What are the assets at risk and the value of their confidentiality, integrity, and availability?
• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality.
• Utility – cost in the event of a loss of integrity.
• Cost of creation/re-creation.
• Liability in the event of litigation.
• Convertibility/negotiability – represents market value.
• Operational impact of unavailability.

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject. See Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.

8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence is low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as periodically reviewing the risk to ensure its impact remains low.
• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.
• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
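As an added worked example (not part of the GTAG and not a method The IIA prescribes), the Python below carries the eight questions of section 8.2.4 and the accept/control options of section 8.3 through one calculation. Each threat keeps a low and a high frequency estimate so that the uncertainty analysis (question 5) survives into the cost-efficiency answer (question 8) instead of being hidden in a single point estimate. Asset values, frequencies, control costs and effect estimates are constructed sample numbers, and the decision rule (control when the net benefit is positive even under the optimistic estimate, accept when it is negative even under the pessimistic one, reassess in between) is an assumption of this example.

```python
"""Risk analysis worked example (added illustration; all figures are constructed)."""
from dataclasses import dataclass


@dataclass
class Asset:
    """Question 1: the asset and the value of its confidentiality,
    integrity and availability, collapsed here to one monetary figure."""
    name: str
    value: float


@dataclass
class ThreatEvent:
    """Questions 2-5: what can happen, how bad, how often, and how certain."""
    name: str
    impact_fraction: float   # share of the asset's value lost per occurrence (0..1)
    freq_low: float          # occurrences per year, optimistic estimate
    freq_high: float         # occurrences per year, pessimistic estimate


@dataclass
class Control:
    """Questions 6-7: what can be done and what it costs per year."""
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0  # fraction of occurrences prevented (0..1)
    impact_reduction: float = 0.0     # fraction of per-occurrence loss avoided (0..1)


def annual_loss_range(asset, threat, control=None):
    """Annualized loss expectancy as a (low, high) pair, optionally with a control applied."""
    impact_factor = 1.0 - (control.impact_reduction if control else 0.0)
    freq_factor = 1.0 - (control.frequency_reduction if control else 0.0)
    single_loss = asset.value * threat.impact_fraction * impact_factor
    return (single_loss * threat.freq_low * freq_factor,
            single_loss * threat.freq_high * freq_factor)


def evaluate_control(asset, threat, control):
    """Question 8 (is it cost-efficient?) mapped onto the section 8.3 options."""
    base_lo, base_hi = annual_loss_range(asset, threat)
    ctl_lo, ctl_hi = annual_loss_range(asset, threat, control)
    net_lo = (base_lo - ctl_lo) - control.annual_cost
    net_hi = (base_hi - ctl_hi) - control.annual_cost
    if net_lo > 0:
        decision = "control"   # pays for itself even under the optimistic frequency
    elif net_hi > 0:
        decision = "reassess"  # verdict hinges on the uncertain frequency: narrow the estimate first
    else:
        decision = "accept"    # cheaper to carry the risk as a cost of doing business
    return {
        "asset": asset.name, "threat": threat.name, "control": control.name,
        "ale_before": (round(base_lo, 2), round(base_hi, 2)),
        "ale_after": (round(ctl_lo, 2), round(ctl_hi, 2)),
        "net_benefit": (round(net_lo, 2), round(net_hi, 2)),
        "decision": decision,
    }


# Constructed sample register (hypothetical assets, threats and controls)
CUSTOMER_DB = Asset("customer database", 2_000_000.0)
DISCLOSURE = ThreatEvent("unauthorized disclosure", impact_fraction=0.25,
                         freq_low=0.05, freq_high=0.20)
ENCRYPT_AND_LOG = Control("encryption at rest + access logging", annual_cost=30_000.0,
                          frequency_reduction=0.5, impact_reduction=0.6)
ACCESS_REVIEW = Control("quarterly access review", annual_cost=5_000.0,
                        frequency_reduction=0.3)

LOBBY_KIOSK = Asset("lobby information kiosk", 5_000.0)
KIOSK_OUTAGE = ThreatEvent("hardware failure", impact_fraction=1.0,
                           freq_low=0.1, freq_high=0.5)
HOT_SPARE = Control("hot spare kiosk", annual_cost=3_000.0, frequency_reduction=0.9)


def risk_register():
    """Evaluate every (asset, threat, candidate control) triple in the sample register."""
    return [
        evaluate_control(CUSTOMER_DB, DISCLOSURE, ENCRYPT_AND_LOG),
        evaluate_control(CUSTOMER_DB, DISCLOSURE, ACCESS_REVIEW),
        evaluate_control(LOBBY_KIOSK, KIOSK_OUTAGE, HOT_SPARE),
    ]


if __name__ == "__main__":
    for row in risk_register():
        print(f"{row['asset']:<26} {row['threat']:<26} {row['control']:<38} "
              f"ALE {row['ale_before']} -> {row['ale_after']}  "
              f"net {row['net_benefit']}  => {row['decision']}")
```

The interesting row is the first one: the expensive control is clearly worth it if disclosures happen once every five years and clearly not if they happen once every twenty, so the honest answer to question 8 is "reduce the uncertainty before spending", which is exactly what carrying a range rather than a point estimate makes visible.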
8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network, such as the Internet, or between internal network domains is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies — including for IT controls — exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf.
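As an added illustration (not from the GTAG, VISA, or the Center for Internet Security), the nftables ruleset below shows what the baseline firewall control described in section 8.5 looks like when written down, and how it answers the evidence questions of section 8.4: the firewall's policy is default deny between the Internet, an internal LAN, and a DMZ, the accept rules are the policy's explicit exceptions, and every packet that falls through is logged and counted so the control leaves an audit trail. The interface names (wan0, lan0, dmz0), the admin subnet 10.0.10.0/24, and the permitted services are constructed values, not anything the page states.

```nft
# Baseline firewall ruleset (added example; interface names and addresses are
# hypothetical). Load with: nft -f baseline.nft
flush ruleset

table inet baseline {
    # Traffic addressed to the firewall host itself
    chain input {
        type filter hook input priority filter; policy drop;   # default deny is the policy element

        iif "lo" accept
        ct state established,related accept                    # replies to sessions already permitted
        ct state invalid drop

        # Management access only from the admin subnet (constructed address)
        ip saddr 10.0.10.0/24 tcp dport 22 accept

        # Evidence: anything else is logged and counted before it is dropped
        log prefix "baseline-input-drop: " counter drop
    }

    # Traffic passing between network domains
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internal LAN may reach the Internet, and the DMZ web tier only
        iifname "lan0" oifname "wan0" accept
        iifname "lan0" oifname "dmz0" tcp dport { 80, 443 } accept

        # The Internet may reach the DMZ web tier only; there is no rule to the LAN
        iifname "wan0" oifname "dmz0" tcp dport { 80, 443 } accept

        log prefix "baseline-forward-drop: " counter drop
    }
}
```

An auditor asking the section 8.4 questions can read the `policy drop` lines as the control's stated intent, the `accept` rules as the documented exceptions that should trace back to the information security policy, and the final `log ... counter drop` rule on each chain as the evidence mechanism: dropped traffic reaches the kernel log with a recognizable prefix, and `nft list ruleset` shows the counters, which reveal whether the control is actually being exercised.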
Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
9.1 Choosing a Control Framework
The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats.

Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).
The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high-risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high-risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 – COSO Model for Technology Controls
9.2 Monitoring IT Controls
Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows.

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.
• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.
• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.
• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.
Suitable Recognized Framework

"…the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."
— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003
10.1 What Audit Methodology to Use
A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies, but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:
• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.
• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.
• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.
10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems and the results checked, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
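As an added illustration of the test-data approach just described (example code written for this edit, not code from the GTAG or from any audit product), the following Python models one automated application control, a payment-entry validation, and runs a constructed population of valid and invalid records through it, comparing each outcome with the expectation the auditor recorded for that item. The payment fields, the approval limit, the currency list and every test record are assumptions made for the example.

```python
"""
Added example, not from the GTAG: running a constructed population of test
data through one automated application control and comparing the outcomes
with what the auditor expected.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed control settings for the example.
DEFAULT_APPROVAL_LIMIT = 10_000.00   # payments above this need a second person's approval
VALID_CURRENCIES = {"USD", "EUR", "GBP"}


@dataclass(frozen=True)
class Payment:
    payment_id: str
    amount: float
    currency: str
    vendor_id: str
    entered_by: str
    approved_by: str = ""


def validate_payment(p: Payment, approval_limit: float = DEFAULT_APPROVAL_LIMIT) -> list[str]:
    """The application control under test. Returns the rejection reasons;
    an empty list means the record was accepted."""
    reasons = []
    if p.amount <= 0:
        reasons.append("amount must be positive")
    if p.currency not in VALID_CURRENCIES:
        reasons.append("unknown currency")
    if not p.vendor_id:
        reasons.append("vendor missing")
    if p.amount > approval_limit and not p.approved_by:
        reasons.append("approval required above limit")
    if p.approved_by and p.approved_by == p.entered_by:
        reasons.append("segregation of duties: approver equals preparer")
    return reasons


# Constructed test population: each item carries the expected outcome
# (True = the control should accept it, False = it should reject it).
TEST_POPULATION = [
    (Payment("T1", 250.00, "USD", "V100", "alice"), True),
    (Payment("T2", 12_500.00, "EUR", "V200", "alice", "bob"), True),
    (Payment("T3", -50.00, "USD", "V100", "alice"), False),
    (Payment("T4", 99.00, "XYZ", "V100", "alice"), False),
    (Payment("T5", 12_500.00, "USD", "V200", "alice"), False),
    (Payment("T6", 12_500.00, "USD", "V200", "alice", "alice"), False),
    (Payment("T7", 10.00, "GBP", "", "alice"), False),
]


def run_control_test(population=TEST_POPULATION,
                     approval_limit: float = DEFAULT_APPROVAL_LIMIT) -> dict:
    """Process the population through the control and report accepted and
    rejected items plus every mismatch between actual and expected outcome.
    A mismatch is a control deficiency for the audit report."""
    report = {"accepted": [], "rejected": {}, "deficiencies": []}
    for payment, should_accept in population:
        reasons = validate_payment(payment, approval_limit)
        accepted = not reasons
        if accepted:
            report["accepted"].append(payment.payment_id)
        else:
            report["rejected"][payment.payment_id] = reasons
        if accepted != should_accept:
            report["deficiencies"].append(payment.payment_id)
    return report


if __name__ == "__main__":
    for limit in (DEFAULT_APPROVAL_LIMIT, 20_000.00):
        r = run_control_test(approval_limit=limit)
        print(f"approval limit {limit:,.2f}: accepted {r['accepted']}, "
              f"deficiencies {r['deficiencies'] or 'none'}")
```

With the control as configured, `run_control_test()` reports no deficiencies. Running it against a weakened setting, `run_control_test(approval_limit=20_000.00)`, shows the harness flagging T5, the over-limit payment the control should have held for approval. The value of the population lies in carrying the expected result with each item, so that a control that silently accepts bad data is caught rather than assumed to work.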
10.2.1 Automated Continuous Monitoring
Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes to ensure appropriate controls were incorporated into new systems, rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world's recognition of the importance of effective information security management.
10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.
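The event-driven and continuous monitoring described in 9.2.1, the embedded checking of processed data in 10.2.1 and the stored-data analysis in 10.2.2 all rest on the same mechanism: comparing records against predetermined criteria and reporting the anomalies. The Python below is an added example (not code from the GTAG or from any of the products named) that applies four such criteria to a constructed set of journal entries and exposes the thresholds as parameters, so the effect of tuning them on alert volume can be seen. The record layout, the criteria, the thresholds and the sample entries are assumptions made for the example.

```python
"""
Added example, not from the GTAG: an embedded monitoring check run over
constructed journal entries, with its alert thresholds exposed as parameters.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted_at: datetime
    amount: float
    account: str
    user_id: str       # unique ID of the person who posted the entry
    approver_id: str   # unique ID of the person who approved it


# Constructed sample of processed entries (assumed layout and values, not real data).
SAMPLE_ENTRIES = [
    JournalEntry("J1", datetime(2005, 3, 14, 10, 5), 4_200.00, "4000", "u_alice", "u_carol"),
    JournalEntry("J2", datetime(2005, 3, 14, 23, 40), 58_000.00, "2100", "u_bob", "u_carol"),
    JournalEntry("J3", datetime(2005, 3, 15, 9, 12), 58_000.00, "2100", "u_bob", "u_carol"),
    JournalEntry("J4", datetime(2005, 3, 15, 11, 30), 15_000.00, "4000", "u_dave", "u_dave"),
    JournalEntry("J5", datetime(2005, 3, 15, 14, 0), 320.00, "6100", "u_alice", "u_carol"),
    JournalEntry("J6", datetime(2005, 3, 18, 3, 15), 900.00, "6100", "u_erin", "u_carol"),
]


def monitor(entries, large_value=50_000.0, business_hours=(7, 19)) -> dict[str, list[str]]:
    """Check every entry against predetermined criteria and return the alerts
    raised, keyed by entry ID. Entries that trigger nothing are absent from
    the result. Thresholds are parameters so they can be tuned."""
    alerts: dict[str, list[str]] = {}

    def flag(entry, message):
        alerts.setdefault(entry.entry_id, []).append(message)

    # Duplicate detection is a population-level check: it needs all stored
    # entries, not only the record currently passing through the system.
    occurrences = Counter((e.amount, e.account, e.user_id) for e in entries)

    start_hour, end_hour = business_hours
    for e in entries:
        if e.amount >= large_value:
            flag(e, f"large value: {e.amount:,.2f}")
        if not start_hour <= e.posted_at.hour < end_hour:
            flag(e, f"posted outside business hours at {e.posted_at:%H:%M}")
        if e.user_id == e.approver_id:
            flag(e, "self-approved: preparer and approver share one ID")
        if occurrences[(e.amount, e.account, e.user_id)] > 1:
            flag(e, "possible duplicate: same amount, account and user")
    return alerts


def alert_volume(entries, **thresholds) -> int:
    """Total number of alerts a given set of thresholds raises; the figure an
    operator watches while tuning the monitoring."""
    return sum(len(msgs) for msgs in monitor(entries, **thresholds).values())


if __name__ == "__main__":
    for entry_id, messages in monitor(SAMPLE_ENTRIES).items():
        for m in messages:
            print(f"{entry_id}: {m}")
    print("default thresholds:", alert_volume(SAMPLE_ENTRIES), "alerts")
    print("all-day window:", alert_volume(SAMPLE_ENTRIES, business_hours=(0, 24)), "alerts")
```

With the constructed sample, the default thresholds raise seven alerts on four entries; widening the business-hours window to the whole day drops that to five, and lowering the large-value threshold to 10,000 raises it to eight. That sensitivity is the practical side of the paragraph above on refining thresholds: each threshold is a decision about which events to treat as normal. The duplicate check also shows why the stored-data analysis of 10.2.2 complements in-line monitoring: it needs the whole population, not only the record currently being processed.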
10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting: Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can impact controls at the governance level materially.

Audit report summaries: Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.
Figure 6 – Audit Interfaces
Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.
GTAG — Conclusion — 11
Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)
• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.

12.2 Management
• Establish information security management policies and controls and monitor compliance.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.

12.3 Technical
Establishing a complete information security program requires attention to the following technical program elements:
• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management
GTAG — Appendix A — Information Security Program Elements — 12
There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002
Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.
Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404
Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13
They must disclosebull ldquoAll significant deficiencies in the design or opera-
tion of internal controls that could adversely affectthe issuerrsquos ability to record process summarize andreport financial data and identify for the issuerrsquos audi-tors any material weaknesses in internal controlsrdquo
bull ldquoAny fraud whether or not material that involvesmanagement or other employees who have a signifi-cant role in the issuerrsquos internal controlsrdquo
Section 404 requires the CEO and CFO to produce an annual audit report that
bull Assesses the effectiveness of the internal controlstructure over financial reporting
bull Discloses all known internal control weaknessesbull Discloses all known frauds
This report will cover all applicable IT controls includingprogram logic and related change controls access controlsand data protection The PCAOB Auditing Standard No 2suggests the COSO Internal Control ndash Integrated Frameworkas a basis for Section 404 compliance managementReferences to Statement of Auditing Standards (SAS) 95also emphasize the importance of IT and information securi-ty controls to Sarbanes-Oxley
13115 Section 409
Section 409 requires organizations to disclose any materialchanges to operations in real time and in plain EnglishSome contend these requirements establish a foundation orneed for continuous monitoring auditing and assuranceprocesses to become part of significant internal controlprocesses
132 Basel II AccordThe Basel II Accord is a global regulatory treaty that definesthe global standards for enterprisewide risk managementpractices in the financial sector with the intent to mitigaterisks of losses in the industry The focus is on the bankingsector but there is a clear intent to harmonize standardsacross all segments of the industry All areas of bank opera-tions are included mdash people processes systems governanceand supplier management
A bank willing to qualify for the Advanced MeasurementApproach (AMA) under the Operational Risk (OR) Treatymust implement best practice in operations and risk manage-ment For risk management this means
bull Senior management is actively involvedbull The bank has an OR management system processes
policies and procedures enterprisewidebull The bank has the right governance and sufficient
resources to manage operational risksbull The bank has an OR management function that is
responsible forndash Designing and implementing the OR management
frameworkndash Codifying policies procedures and controlsndash Designing and implementing an OR measurement
methodologyndash Designing and implementing an OR management
reporting systemndash Developing strategies to identify measure monitor
and control or mitigate ORbull An OR measurement system is closely integrated into
the day-to-day risk management processbull The OR exposures and loss experiences are regularly
reportedbull The OR management system is documentedbull Internal and external auditors regularly review the
OR management processes and measurement systemKey to success in OR management is an information systemthat supports OR exposure self-assessment allows processmapping consists of an OR loss database and reporting func-tion and entails an action-plan management function
The Basel Committee does not specify the approach ordistributional assumptions to be used to generate the ORmeasure for regulatory capital purposes However the frame-work allows for three basic approaches that essentially aredependent on the quality and quantity of risk managementdata Whereas using more data and historical metrics toprove good performance may allow banks to maintain lesscapital reserves and to quantify OR the banks must be ableto demonstrate that their approaches capture potentiallysevere ldquotailrdquo loss events (severe unexpected losses)Moreover consistency with the scope of OR as defined bythe Basel Committee is required
First, a bank's organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.
Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider such as the Zurich-based ORX Global Operational Loss Database (GOLD) or MORE Exchange.
The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:
• Internal loss and performance data – successes, near misses, and failures – all must be tracked and accounted for (reconciled to the books of the bank).
• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.
• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.
Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:
• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).
Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).
13.3 Data Protection
The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C (80) 58 final). Regional bodies like the Council of Europe (Data Protection Convention 108/1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in US and European Union (EU) privacy regulations, the EC and the US Department of Commerce developed a safe harbor framework for US companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)
The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).
13.4 The US Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999
The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the US Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).
13.5 US Health Insurance Portability and Accountability Act (HIPAA) 1996
HIPAA contains requirements for the privacy of personal information and for information security. The law applies to US-based companies in the health care sector, but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.
13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)
California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise – public or private – doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.
GTAG – Appendix B – Compliance With Laws and Regulations and Guidance on Compliance Implementation – 13
13.7 Global National Regulations
Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.
GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14
14.1 Auditor Knowledge Considerations
Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.4 Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work are essential for auditor effectiveness at all levels.
The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors:
14.1.1 Category 1 – All Auditors
Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components, such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.
14.1.2 Category 2 – Audit Supervisors
Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:
• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence – including IT proficiency – for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.
14.1.3 Category 3 – Technical IT Audit Specialists
Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.
IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.
The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.
Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.
4 Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.
GTAG – Appendix D – Compliance Frameworks – 15
15.1 COSO
Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (Appendix E, see page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.
15.2 CICA CoCo
The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.
In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.
15.3 CICA IT Control Guidelines
The IT Control Guidelines published by the CICA is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.
15.4 ITGI Control Objectives for Information and Related Technology (CobiT)
Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.
15.5 ISO 17799 (Code of Practice for Information Security Management)
ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.
The original BS 7799 standard has two parts:
• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).
To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.
15.5.1 What Is Information Security?
BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.
Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.
Information security is characterized within BS 7799 as the preservation of:
• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.
Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.
15.5.2 How to Establish Security Requirements
BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:
• Assessing risks to the organization (BS 7799 does not prescribe a methodology).
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.
15.5.3 Assessing Security Risks
BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.
15.5.4 Selecting Controls
Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.
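The cost-versus-harm balance described in 15.5.3 and the "acceptable level" test in 15.5.4 can be made concrete with a small risk register. The following is an added illustration, not code from the GTAG document and not a method prescribed by BS 7799 (which, as noted above, prescribes no methodology). Every risk, frequency, loss figure, control, cost, and the risk appetite are constructed sample values; reputational harm is folded in as a money equivalent so that the nonmonetary factor the text mentions enters the comparison.

```python
"""Risk-based control selection in the spirit of BS 7799 15.5.3 / 15.5.4.

Added illustration; all figures below are constructed, not taken from the GTAG.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    annual_rate: float       # expected occurrences per year (constructed estimate)
    loss_per_event: float    # direct monetary loss per occurrence
    reputation_loss: float   # nonmonetary harm expressed as a money equivalent

    def annual_loss(self) -> float:
        """Annualised loss expectancy, reputational component included."""
        return self.annual_rate * (self.loss_per_event + self.reputation_loss)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # risk name -> fraction of that risk's annual loss the control removes (0..1)
    reduction: Dict[str, float]


def residual_loss(risk: Risk, controls: List[Control]) -> float:
    """Annual loss of one risk after the given controls are applied.

    Reductions compound multiplicatively: two 50% controls leave 25%, not 0%.
    """
    remaining = risk.annual_loss()
    for control in controls:
        remaining *= 1.0 - control.reduction.get(risk.name, 0.0)
    return remaining


def total_residual_loss(risks: List[Risk], controls: List[Control]) -> float:
    return sum(residual_loss(r, controls) for r in risks)


def select_controls(risks: List[Risk], candidates: List[Control]) -> Tuple[List[Control], float]:
    """Greedy selection: keep adding the control whose loss reduction most exceeds its cost.

    Stops when no remaining control removes more expected loss than it costs,
    which is the expenditure-versus-harm balance the standard asks for.
    """
    chosen: List[Control] = []
    remaining = list(candidates)

    def net_benefit(c: Control) -> float:
        before = total_residual_loss(risks, chosen)
        after = total_residual_loss(risks, chosen + [c])
        return (before - after) - c.annual_cost

    while remaining:
        best = max(remaining, key=net_benefit)
        if net_benefit(best) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen, total_residual_loss(risks, chosen)


def risks_above_appetite(risks: List[Risk], controls: List[Control], appetite: float) -> List[str]:
    """Risks whose residual loss still exceeds the acceptable level.

    No cost-effective control is left for these; they need an explicit
    accept / transfer (insure) / escalate decision rather than silence.
    """
    return [r.name for r in risks if residual_loss(r, controls) > appetite]


# Constructed sample register and candidate controls
RISKS = [
    Risk("web application compromise", annual_rate=0.5, loss_per_event=200_000, reputation_loss=100_000),
    Risk("laptop theft", annual_rate=2.0, loss_per_event=5_000, reputation_loss=20_000),
    Risk("data centre flood", annual_rate=0.05, loss_per_event=1_000_000, reputation_loss=0),
]

CANDIDATE_CONTROLS = [
    Control("WAF and patch management", annual_cost=40_000, reduction={"web application compromise": 0.7}),
    Control("full-disk encryption", annual_cost=10_000, reduction={"laptop theft": 0.9}),
    Control("flood barrier", annual_cost=80_000, reduction={"data centre flood": 0.8}),
    Control("security awareness training", annual_cost=5_000,
            reduction={"web application compromise": 0.1, "laptop theft": 0.3}),
]

RISK_APPETITE = 45_000  # maximum tolerated annual loss per risk (constructed)


if __name__ == "__main__":
    chosen, residual = select_controls(RISKS, CANDIDATE_CONTROLS)
    print("Selected:", [c.name for c in chosen])
    print(f"Residual annual loss: {residual:,.0f}")
    print("Needs accept/transfer decision:", risks_above_appetite(RISKS, chosen, RISK_APPETITE))
```

With these constructed numbers the flood barrier is never selected because it costs more than the expected loss it removes, yet the flood risk stays above appetite; that is exactly the case where management must record an accept-or-transfer decision, and where the periodic review in 15.5.3 should revisit the estimates.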
15.5.5 Topics Addressed in BS 7799
1 Scope
2 Terms and definitions
3 Security policy
  3.1 Information security policy document
  3.2 Review and evaluation
4 Security organization
  4.1 Information security infrastructure
  4.2 Security of third-party access
  4.3 Outsourcing
5 Asset classification and control
  5.1 Accountability for assets
  5.2 Information classification
6 Personnel security
  6.1 Security in job definition and resourcing
  6.2 User training
  6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
  7.1 Secure areas
  7.2 Equipment security
  7.3 General control
8 Communications and operations management
  8.1 Operational procedures and responsibilities
  8.2 System planning and acceptance
  8.3 Protection against malicious software
  8.4 Housekeeping
  8.5 Network management
  8.6 Media handling and security
  8.7 Exchanges of information and software
9 Access control
  9.1 Business requirement for access control
  9.2 User access management
  9.3 User responsibilities
  9.4 Network access control
  9.5 Operating system access control
  9.6 Application access control
  9.7 Monitoring system access and use
  9.8 Mobile computing and teleworking
10 Systems development and maintenance
  10.1 Security requirements of systems
  10.2 Security in application systems
  10.3 Cryptographic controls
  10.4 Security of system files
  10.5 Security in development and support processes
11 Business continuity management
  11.1 Business continuity management process
12 Compliance
  12.1 Compliance with legal requirements
  12.2 Reviews of security policy and technical compliance
  12.3 System audit considerations
15.6 ISF Standard of Good Practice for Information Security
The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.
15.7 Generally Accepted Information Security Principles (GAISP)
The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:
• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).
• Detailed Principles – guidance for operational information security management (under development).
GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.
15.7.1 Pervasive Principles
The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.
• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
  Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.
• Awareness Principle – All parties with a need to know – including, but not limited to, information owners and information security practitioners – should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
  Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.
• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
  Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.
• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
  Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.
• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
  Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.
• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
  Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.
• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of, and threats to, the security of information and information systems.
  Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.
• Assessment Principle – The risks to information and information systems should be assessed periodically.
  Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks, with due consideration of cost effectiveness.
• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
  Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.
Figure 7 – Security Management
15.8 AICPA/CICA Trust Services Principles and Criteria
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:
• Policies – The organization has defined and documented its policies5 relevant to the particular principle.
• Communications – The organization has communicated its defined policies to authorized users.
• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.
Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.
15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)
In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.
15.8.2 Availability Principle – The system is available for operation and use as committed or agreed
The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.
Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.
5 The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.
6 Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.
15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized
Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception, and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction, and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.
The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and price, by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.
Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
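As an added illustration (not from the GTAG or the Trust Services framework), the following Python sketch maps the four processing-integrity attributes to concrete checks on a constructed order transaction: an order id enforces once-only processing (completeness), submitted prices are verified against an authoritative list (accuracy), per-role quantity limits enforce authorization, and a latency window flags late processing (timeliness). The price list, role limits, and order data are assumptions.

```python
"""Processing-integrity checks on an order transaction (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Order:
    order_id: str        # unique id supplied by the submitting party; basis for once-only processing
    submitted_by: str
    role: str            # submitter's role under the authorization policy
    sku: str
    quantity: int
    unit_price: float    # price as submitted; must agree with the authoritative price list
    submitted_at: datetime


@dataclass
class Outcome:
    order_id: str
    accepted: bool
    reasons: List[str] = field(default_factory=list)
    late: bool = False   # processed outside the committed window (reportable, not a rejection)


class OrderProcessor:
    """Applies completeness, accuracy, authorization and timeliness checks to each order."""

    def __init__(self, price_list: Dict[str, float], quantity_limits: Dict[str, int],
                 max_latency: timedelta):
        self.price_list = price_list            # authoritative prices
        self.quantity_limits = quantity_limits  # role -> largest quantity the role may order
        self.max_latency = max_latency          # committed processing window
        self.outcomes: Dict[str, Outcome] = {}  # every order id gets exactly one recorded outcome

    def process(self, order: Order, now: datetime) -> Outcome:
        # Completeness: a resubmitted order id is not processed again; the recorded outcome is returned
        if order.order_id in self.outcomes:
            return self.outcomes[order.order_id]
        reasons: List[str] = []
        # Accuracy: key fields are checked against authoritative data rather than trusted as submitted
        if order.sku not in self.price_list:
            reasons.append("unknown sku")
        elif abs(order.unit_price - self.price_list[order.sku]) > 1e-9:
            reasons.append("price does not match price list")
        if order.quantity <= 0:
            reasons.append("quantity must be positive")
        # Authorization: the submitter's role must permit an order of this size
        limit = self.quantity_limits.get(order.role, 0)
        if order.quantity > limit:
            reasons.append(f"quantity {order.quantity} exceeds limit {limit} for role {order.role}")
        # Timeliness: measured against the committed window; recorded with the outcome for reporting
        late = (now - order.submitted_at) > self.max_latency
        outcome = Outcome(order.order_id, not reasons, reasons, late)
        self.outcomes[order.order_id] = outcome
        return outcome

    def processed_count(self) -> int:
        return len(self.outcomes)


# Constructed reference data and a short scenario covering each attribute
PRICE_LIST = {"WIDGET-1": 9.99, "GADGET-2": 24.50}
LIMITS = {"buyer": 100, "purchasing_manager": 10000}
T0 = datetime(2005, 3, 1, 9, 0, 0)


def run_demo():
    proc = OrderProcessor(PRICE_LIST, LIMITS, max_latency=timedelta(hours=24))
    ok = proc.process(Order("o-1", "alice", "buyer", "WIDGET-1", 10, 9.99, T0), T0 + timedelta(minutes=5))
    dup = proc.process(Order("o-1", "alice", "buyer", "WIDGET-1", 10, 9.99, T0), T0 + timedelta(minutes=6))
    bad_price = proc.process(Order("o-2", "bob", "buyer", "WIDGET-1", 5, 1.00, T0), T0)
    too_big = proc.process(Order("o-3", "carol", "buyer", "GADGET-2", 500, 24.50, T0), T0)
    late = proc.process(Order("o-4", "dan", "purchasing_manager", "GADGET-2", 500, 24.50, T0),
                        T0 + timedelta(days=2))
    return proc, ok, dup, bad_price, too_big, late


if __name__ == "__main__":
    proc, *results = run_demo()
    for r in results:
        print(r)
    print("orders processed once each:", proc.processed_count())
```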
15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria
The Privacy Principle contains 10 components⁶ and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:
• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
• Collection – The organization collects personal information only for the purposes identified in the notice.
• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.
• Access – The organization provides individuals with access to their personal information for review and update.
• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security – The organization protects personal information against unauthorized access, both physical and logical.
• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.
15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed
The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting, business partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.
Information that may be subject to confidentiality includes:
• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry
Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.
Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.
15.8.6 Certification Authority (CA) Principle
The certification authority discloses its key and certificate life cycle management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.
15.9 IIA Systems Assurance and Control (SAC)
The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.
15.10 Corporate Governance
15.10.1 OECD Principles of Corporate Governance
The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.
15.10.2 EU Commission
The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society
GTAG — Appendix E — Assessing IT Controls Using COSO — 16
The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:
"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."
The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.
16.1 COSO Definition of Internal Control
COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations."
These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.
The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.
The third category deals with complying with those laws and regulations to which the entity is subject.
Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:
• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• There is compliance with applicable laws and regulations.
Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.
16.2 COSO Internal Control — Integrated Framework
Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:
16.2.1 Control Environment
The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.
16.2.2 Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.
16.2.3 Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
16.2.4 Information and Communication
Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.
16.2.5 Monitoring
Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.
There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.
The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.
GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17
Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.
Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.
1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality
Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed, or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.
12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes
Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.
18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations
Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.
31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit
This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.
CobiT is comprised of:
• An executive summary, which provides an overview of CobiT's issues and foundational premise
• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective
• Control objectives, statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives
• Audit guidelines, suggested audit steps corresponding to each of the IT control objectives
Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control; critical success factors to identify the most important actions for achieving control over the IT processes; key goal indicators to define target levels of performance; and key performance indicators to measure whether an IT control process is meeting its objective
Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of CobiT may be downloaded from http://www.itgi.org and http://www.isaca.org.
CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.
The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report⁷ that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.
The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.
These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.
The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.
18.1 Metrics for Boards of Directors/Trustees
Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.
• Oversee risk management and compliance programs pertaining to information security
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
  – Percentage of information security program principles for which approved policies and controls have been implemented by management
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified
• Strive to protect the interests of all stakeholders who depend on information security
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods
• Review information security policies regarding strategic partners and other third parties
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements
• Strive to ensure business continuity
  – Percentage of organizational units with an established business-continuity plan
• Review provisions for internal and external audits of the information security program
  – Percentage of required internal and external audits completed and reviewed by the board
  – Percentage of audit findings that have not been resolved
• Collaborate with management to specify the information security metrics to be reported to the board
18.2 Metrics for Management
The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

7 http://reform.house.gov/TIPRC

GTAG — Appendix G — Example IT Control Metrics to Be Considered by Audit Committees — 18
• Establish information security management policies and controls, and monitor compliance
  – Percentage of information security program elements for which approved policies and controls are operational
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
  – Percentage of information security policy compliance reviews that noted violations
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle
  – Number of individuals with access to security software who are not trained and authorized security administrators
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks
• Assess information risks, establish risk thresholds, and actively manage risk mitigation
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy
  – Percentage of critical assets and functions for which the cost of compromise — loss, damage, disclosure, or disruption of access — has been quantified
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy
• Ensure implementation of information security requirements for strategic partners and other third parties
  – Percentage of known information security risks that are related to third-party relationships
  – Percentage of critical information assets or functions to which third-party personnel have been given access
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically
ndash Percentage of security incidents that involve third-party personnel
ndash Percentage of third-party agreements that include or demonstrate external verification of policies and procedures
ndash Percentage of third-party relationships that have been reviewed for compliance with information security requirements
ndash Percentage of out-of-compliance review findings that have been corrected since the last review
bull Identify and classify information assetsndash Percentage of information assets that have been
reviewed and classified by the designated owner in accordance with the classification scheme established by policy
ndash Percentage of information assets with defined accessprivileges that have been assigned based on role andin accordance with policy
ndash Date when the asset inventory was last updatedbull Implement and test business-continuity plans
ndash Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned
ndash Percentage of business-continuity plans that have been reviewed exercised and tested and updated inaccordance with policy
bull Approve information systems architecture duringacquisition development operations and maintenancendash Percentage of information security risks related to
systems architecture identified in the most recent risk assessment that have been mitigated adequately
ndash Percentage of system architecture changes mdash additions modifications or deletions mdash that were reviewed for security impacts approved by the appropriate authority and documented via change-request forms
ndash Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture
bull Protect the physical environmentndash Percentage of critical organizational information
assets and functions that have been reviewed from the perspective of physical risks such as controlling physical access and physical protection of backup media
ndash Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented
ndash Percentage of critical assets that have been reviewed from the perspective of environmental risks such as temperature fire and flooding
ndash Percentage of servers in locations with controlled physical access
ndash Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule
ndash Percentage of information security audits conductedin compliance with the approved internal and external audit program and schedule
ndash Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness
bull Collaborate with security personnel to specify theinformation security metrics to be reported to management
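Several of the role and access metrics listed above (separation-of-duties compliance, the number of individuals holding security-administration access who are not authorized administrators, and the share of users whose privileges were reviewed in the period, broken out by user category) can be computed directly from an identity system's role assignments and access-review records. The following is an added example and is not from the guide; the role names, the conflict pairs, the authorized-administrator list and the user records are constructed for illustration and do not describe any real environment.

```python
"""Compute Appendix G access-control metrics from role-assignment and
access-review records.  Added example: the conflict pairs, role names and
user records below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Constructed separation-of-duties matrix: a single user must not hold both
# roles of any pair (e.g. creating a vendor and approving payment to it).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"security_admin", "app_user_admin"}),
}

# Constructed: the only individuals trained and authorized to administer security.
AUTHORIZED_SECURITY_ADMINS = {"bob"}

# Roles that grant access to security software or the ability to assign privileges.
SECURITY_ROLES = {"security_admin", "app_user_admin"}


@dataclass(frozen=True)
class User:
    uid: str
    category: str                       # employee, privileged, contractor, vendor, terminated
    roles: frozenset[str]
    last_access_review: Optional[date]  # None = never reviewed


# Constructed sample population for the reporting period Q1 2005.
PERIOD_START, PERIOD_END = date(2005, 1, 1), date(2005, 3, 31)
USERS = [
    User("alice", "employee", frozenset({"create_vendor", "approve_payment"}), date(2005, 3, 10)),
    User("bob", "privileged", frozenset({"security_admin"}), date(2005, 2, 1)),
    User("carol", "contractor", frozenset({"approve_payment"}), None),
    User("dave", "employee", frozenset({"security_admin", "app_user_admin"}), date(2005, 3, 15)),
    User("erin", "terminated", frozenset({"release_payment"}), date(2004, 12, 1)),
]


def sod_violations(user: User) -> list[frozenset[str]]:
    """Conflict pairs fully contained in the user's role set."""
    return [pair for pair in SOD_CONFLICTS if pair <= user.roles]


def sod_compliance_pct(users: Iterable[User]) -> float:
    """Metric: percentage of users whose role set has no SoD conflict."""
    users = list(users)
    compliant = sum(1 for u in users if not sod_violations(u))
    return 100.0 * compliant / len(users) if users else 0.0


def unauthorized_security_admins(users: Iterable[User], authorized: set[str]) -> list[str]:
    """Metric: individuals holding security roles who are not authorized administrators."""
    return sorted(u.uid for u in users if u.roles & SECURITY_ROLES and u.uid not in authorized)


def review_coverage_pct(users: Iterable[User], start: date, end: date,
                        category: Optional[str] = None) -> float:
    """Metric: percentage of users (optionally one category) whose access
    privileges were reviewed within the reporting period."""
    pool = [u for u in users if category is None or u.category == category]
    if not pool:
        return 0.0
    reviewed = sum(1 for u in pool
                   if u.last_access_review is not None and start <= u.last_access_review <= end)
    return 100.0 * reviewed / len(pool)


def stale_terminated_accounts(users: Iterable[User]) -> list[str]:
    """Terminated users who still hold any role: each one is an immediate
    finding, whatever the percentage metrics say."""
    return sorted(u.uid for u in users if u.category == "terminated" and u.roles)


if __name__ == "__main__":
    print(f"SoD compliance: {sod_compliance_pct(USERS):.1f}%")
    print("Unauthorized security admins:",
          unauthorized_security_admins(USERS, AUTHORIZED_SECURITY_ADMINS))
    for cat in (None, "privileged", "contractor", "terminated"):
        label = cat or "all users"
        print(f"Access reviewed this period ({label}): "
              f"{review_coverage_pct(USERS, PERIOD_START, PERIOD_END, cat):.1f}%")
    print("Terminated accounts still holding roles:", stale_terminated_accounts(USERS))
```

Reporting the review-coverage metric per category, as the guide's list does, matters because an aggregate figure can look healthy while contractors or terminated accounts have never been reviewed; the sample data shows 60 percent overall coverage alongside zero coverage for both of those categories.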
GTAG — Appendix H — CAE Checklist — 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organisation
   f. Policies
   g. Standards
2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance
3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal audit
      ii. External audit
4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls
5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing
6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?
11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?
GTAG — Appendix I — References — 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: three-report series from The IIA, National Association of Corporate Directors (NACD), US Critical Infrastructure Assurance Office et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report – Internal Control: Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman); eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html

ISO 15408 Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC
GTAG — Appendix J — Glossary — 21

A listing of technical terms used in the guide, with a simple, plain-English definition.

Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive.

CEO – Chief executive officer.

CFO – Chief financial officer (and controller).

CIO – Chief information officer.

CISO – Chief information security officer.

CLC – Chief legal counsel.

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org.

CRM – Customer resource management.

CSO – Chief security officer.

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people and processes (also known as IT infrastructure).

GLBA – US Gramm-Leach-Bliley Act.

Governance – The combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide.

HIPAA – US Health Information Portability and Accountability Act.

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication and storage), including the related hardware, software, processes and personnel.

Information security – The concepts, techniques, technical measures and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org.

IT controls – Those controls that provide reasonable assurance of the secure, reliable and resilient performance of hardware, software, processes and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government and transportation. To the extent that infrastructures support national and regional economies, defenses and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org.

Public Company Accounting Oversight Board (PCAOB) – A board of the US Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can adversely affect the confidentiality, integrity or availability of an organization's information assets.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
GTAG — Appendix K — About the Global Technology Audit Guides — 22

This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts and issues sufficiently to explain business opportunities, risks and related controls, and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI (Carnegie-Mellon University/Software Engineering Institute)
Michael R. Dickson, Business Technology Group LLC
Clint Kreitner, President/CEO, CIS (The Center for Internet Security)
Alex Lajoux, NACD (National Association of Corporate Directors)
Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA
Mark Salamasick, CIA, University of Texas at Dallas
Karyn Waller, AICPA (American Institute of Certified Public Accountants)

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants
CIS – Clint Kreitner, Center for Internet Security
CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute
ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association
NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors
SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS (Internet Security Systems)
Jack Antonelli, ADP
Ken D. Askelson, CIA, JC Penney Co. Inc.
Becky Bace, Infidel Inc.
Kevin Behr, IPSI (Institute for Integrated Publication and Information Systems)
Jeff Benson, BearingPoint
Robert S. Block, Chairman, 3D Business Tools, USA
Sylvia Boyd, The IIA
Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA
Larry Brown, Options Clearing Corp.
Stephanie Bryant, University of South Florida
Phil Campbell, Specialized IT LLC, USA
John Carlson, BITS (Banking Industry Technology Secretariat)
Chris Compton, Intrusion Labs
Guy Copeland, CSC (Computer Sciences Corp.)
Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA
Bob Daniels, EDS
Bob Dix, US House of Representatives
GTAG — Appendix L — GTAG Partners and Global Project Team — 23

Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA
Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA
Greg Garcia, ITAA (Information Technology Association of America)
Russ Gates, Dupage Consulting LLC
Lou Giles, Chevron Phillips Chemical Co.
Doug Guerrero, EDS
Kai Tamara Hare, Nuserve
Michael S. Hines, CIA, Purdue University
Bob Hirth, Protiviti
Don Holden, CISSP, Concordant Inc., USA
Dave Kern, Ethentica
Gene Kim, CTO, Tripwire Inc., USA
Jim Kolouch, BearingPoint
David Kowal, VP, JP Morgan Chase
Paul Kurtz, CSIA (Cyber Security Industry Alliance)
Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA
Andrée Lavigne, CICA (Canadian Institute of Chartered Accountants)
Debbie Lew, Guidance Software
Brenda Lovell, CIA, CCSA, CGAP, The IIA
Warren Malmquist, Adolph Coors Co.
Stacy Mantzaris, CIA, IIA
Dennis Miller, Heritage Bank
Patrick Morrissey, Auditwire
Bruce Moulton, Symantec
Paul Moxey, ACCA (Association of Chartered Certified Accountants)
Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA
Fred Palmer, Palmer Associates
Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.
Bernie Plagman, TechPar Group
Heriot Prentice, MIIA, FIIA, QiCA, The IIA
Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA
Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA
Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA
Amy Ray, Bentley College
Martin Ross, GSC (Global Security Consortium)
Chip Schilb, EDS, USA
Howard Schmidt, eBay
Mark Silver, Symantec
George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA
Adam Stone, Assurant
Jay H. Stott, CIA, Fidelity Investments
Dan Swanson, CIA, IIA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation
Bill Tener, University & Community College System of Nevada
Archie Thomas
Fred Tompkins, BearingPoint
Don Warren, Rutgers University
Dominique Vincenti, CIA, The IIA
Mark Winn, Intrusec
Amit Yoran
23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway
Alexandre Alves Apparecido, Brazil
Dror Aviv, Israel
David F. Bentley, England (UK and Ireland)
Gerardo Carstens, CIA, IIA Argentina
Richard Cascarino, South Africa
Iftikhar Chaudry, Pakistan
Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt
Dr. Ulrich Hahn, CIA, Switzerland
Rossana S. Javier, Makati City, Philippines
Andras Kovacks, Hungary
Christopher McRostie, Australia
Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani (RSM), Pakistan
Kyoko Shimizu, CIA, Japan
John Silltow, Security Control and Audit Ltd., United Kingdom
Ken Siong, International Federation of Accountants
Anton van Wyk, PwC, South Africa
Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate
Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada
P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates
Ariel Peled, President, ISSA Israeli Chapter
P. Shreekanth, India
Karen Woo, Selangor, Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa
Alexandre Alves Apparecido, Brasil Telecom, Brazil
Ken D. Askelson, CIA, JC Penney Co. Inc., USA
Dror Aviv, CFSA, IIA Israel
Donald L. Bailey, Grant Thornton LLP, USA
E.W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)
Norman F. Barber, Microsoft Corp., USA
David F. Bentley, QiCA, Consultant, England
Claude Cargou, GIE AXA, France
Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA
Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan
Douglas Guerrero, EDS Corp., USA
Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland
David J. Hill, IBM Corp., USA
Michael S. Hines, CIA, Purdue University, USA
Mark J. Hornung, Ernst & Young LLP, USA
Gene Kim, CTO, Tripwire Inc., USA
David S. Lione, KPMG LLP, Southeast Region, USA
Peter B. Millar, ACL Services Ltd., Canada
Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA
Brenda J. S. Putman, CIA, City Utilities of Springfield, USA
Kyoko Shimizu, CIA, Shin Nihon & Co., Japan
Brian M. Spindel, CIA, SecurePipe Inc., USA
Rajendra P. Srivastava, University of Kansas, USA
Jay Stott, CIA, Fidelity Investments, USA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA
Thomas Jason Wood, CIA, Ernst & Young LLP, USA
Akitomo Yamamoto, IIA Japan

23.7 The Writing Team

David A. Richards, CIA, President, The IIA
Alan S. Oliphant, MIIA, QiCA, MAIR International
Charles H. Le Grand, CIA, CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland
Trish Harris
Tim McCollum
Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645
IIA Member US $25
Nonmember US $30
IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8
ISBN 978-0-89413-623-8
GTAG mdash Understanding IT Controls mdash 5
5
technologies in use within the organizationrsquos IT infrastruc-tures The ability to automate technical controls that imple-ment and demonstrate compliance with managementrsquosintended information-based policies is a powerful resource tothe organization
53 IT Controls ndash What to ExpectIndividual control mechanisms a CAE can expect to findwithin the organization can be defined within the hierarchyof IT controls from the overall high-level policy statementsissued by management and endorsed by the board of direc-tors down to the specific control mechanisms incorporatedinto application systems
The hierarchy in Figure 4 IT Controls this page representsa logical ldquotop-downrdquo approach both when considering controls to implement and when determining areas onwhich to focus audit resources during reviews of the entireIT operating environment The different elements of thehierarchy are not mutually exclusive they are all connect-ed and can intermingle Many of the control types withinthe elements are described below
5.3.1 Policies
All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.
IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

Figure 4 – IT Controls (figure not reproduced in this extraction)

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.
5.3.2 Standards
Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.
Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45).

As a guideline, the CAE should expect to see standards adopted for:
• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.
5.3.3 Organization and Management
Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.
5.3.3.1 Separation of Duties
Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.
Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems — except for change deployment — and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum.
Software tools are also available, and should be considered, to limit the power and monitor the activities of individuals with privileged accounts.
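The three separation-of-duties checks described above, as an added example (not the GTAG's own code or tooling): it runs over a constructed access-rights export and flags users holding an incompatible pair of functions, grants that go beyond the user's job requirements, and a root-equivalent population above an approved maximum. The function names, job catalogue, group names, threshold and sample accounts are all assumptions made for illustration.

```python
"""Separation-of-duties and privileged-account review (added example; not the GTAG's code).

Three checks the text describes, run over an access-rights export: (1) nobody
holds an incompatible pair of functions, (2) nobody holds a function outside
their job's requirements, and (3) root-equivalent membership stays at a minimum.
Function names, job catalogue, threshold and sample data are all constructed.
"""
from collections import defaultdict

# Function pairs the text says must be separated (constructed names).
INCOMPATIBLE_PAIRS = {
    frozenset({"initiate", "authorize"}),
    frozenset({"input", "check"}),
    frozenset({"developer", "production_operator"}),
}

# Functions each job legitimately requires (constructed catalogue).
JOB_CATALOG = {
    "clerk": {"initiate", "input"},
    "supervisor": {"authorize", "check"},
    "engineer": {"developer"},
    "operator": {"production_operator"},
}

# Groups equivalent to the Windows Administrators group or the UNIX superuser.
PRIVILEGED_GROUPS = {"Administrators", "wheel", "root"}

# Constructed sample export: (user, function) grants, job of each user, group membership.
SAMPLE_GRANTS = [
    ("alice", "initiate"), ("alice", "input"),
    ("bob", "authorize"), ("bob", "check"),
    ("carol", "initiate"), ("carol", "authorize"),        # initiates and authorizes
    ("dave", "developer"), ("dave", "production_operator"),  # develops and operates production
    ("erin", "developer"),
]
SAMPLE_JOBS = {"alice": "clerk", "bob": "supervisor", "carol": "clerk",
               "dave": "engineer", "erin": "engineer"}
SAMPLE_GROUPS = {
    "Administrators": ["alice", "dave", "ops-svc"],
    "wheel": ["dave", "frank", "grace"],
    "backup-operators": ["erin"],
}


def functions_by_user(grants):
    """Collapse the (user, function) export into {user: set of functions}."""
    out = defaultdict(set)
    for user, fn in grants:
        out[user].add(fn)
    return out


def sod_conflicts(grants):
    """Check 1: users holding both halves of an incompatible pair."""
    conflicts = {}
    for user, fns in functions_by_user(grants).items():
        hits = sorted(tuple(sorted(p)) for p in INCOMPATIBLE_PAIRS if p <= fns)
        if hits:
            conflicts[user] = hits
    return conflicts


def excess_grants(grants, jobs, catalog=JOB_CATALOG):
    """Check 2: grants not required by the user's job (least privilege)."""
    excess = []
    for user, fns in functions_by_user(grants).items():
        allowed = catalog.get(jobs.get(user), set())
        excess.extend((user, fn) for fn in sorted(fns - allowed))
    return sorted(excess)


def privileged_users(groups):
    """Check 3 helper: distinct accounts holding root-equivalent privilege."""
    return sorted({u for g, members in groups.items() if g in PRIVILEGED_GROUPS for u in members})


def privileged_headcount_ok(groups, max_allowed):
    """Check 3: is the privileged population within the approved maximum?"""
    return len(privileged_users(groups)) <= max_allowed


def review(grants, jobs, groups, max_privileged):
    """Combined findings an auditor would raise from the export."""
    return {
        "sod_conflicts": sod_conflicts(grants),
        "excess_grants": excess_grants(grants, jobs),
        "privileged_users": privileged_users(groups),
        "privileged_headcount_ok": privileged_headcount_ok(groups, max_privileged),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_GRANTS, SAMPLE_JOBS, SAMPLE_GROUPS, 3), indent=2))
```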
5.3.3.2 Financial Controls
Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.
5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.
5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed, client-server, and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.

When considering physical and environmental security, it is also appropriate to consider contingency planning — also known as disaster recovery planning — which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.
5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland; Certified Information Systems Auditor (CISA), available through the Information Systems Audit and Control Association (ISACA); and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.
Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization's stated policy.
• Division of duties enforced through systems software and other configuration controls.
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.
• Intrusion testing performed on a regular basis.
• Encryption services applied where confidentiality is a stated requirement.
• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.
5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and the data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.

Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.
5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
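The five generic application control types listed above, carried through one small batch as an added example (not the GTAG's own code): input checks against stated parameters, control totals taken before processing, output reconciled against the input, a digest-based integrity check on stored records, and a management trail that can be followed forward from a transaction or backward from a result. The field names, limits and sample records are constructed for illustration.

```python
"""Worked application-control example (added here; not the GTAG's own code).

A small batch of payment transactions passes through the five control types the
text lists: input checks against parameters, processing with control totals,
output reconciliation against the input, an integrity check on stored data, and
a management (audit) trail linking every result back to its source transaction.
All field names, limits and sample records are constructed for illustration.
"""
import hashlib
import json
from decimal import Decimal

# Input-control parameters (constructed): what a valid transaction must look like.
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
MAX_AMOUNT = Decimal("10000.00")
REQUIRED_FIELDS = ("id", "account", "amount", "currency", "authorized_by")

# Constructed sample batch, as an upstream system might submit it.
SAMPLE_BATCH = [
    {"id": "T1", "account": "A-100", "amount": "250.00", "currency": "USD", "authorized_by": "bob"},
    {"id": "T2", "account": "A-200", "amount": "99999.00", "currency": "USD", "authorized_by": "bob"},  # over limit
    {"id": "T3", "account": "A-100", "amount": "75.50", "currency": "XYZ", "authorized_by": "bob"},  # bad currency
    {"id": "T4", "account": "A-300", "amount": "120.00", "currency": "EUR", "authorized_by": ""},  # not authorized
    {"id": "T5", "account": "A-200", "amount": "400.00", "currency": "USD", "authorized_by": "carol"},
]


def validate_input(record):
    """Input control: list of violations (empty means the record is accepted)."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if problems:
        return problems
    amount = Decimal(record["amount"])
    if not (Decimal("0.01") <= amount <= MAX_AMOUNT):
        problems.append("amount outside permitted range")
    if record["currency"] not in ALLOWED_CURRENCIES:
        problems.append("currency not permitted")
    return problems


def record_digest(record):
    """Integrity control: deterministic fingerprint of a stored record."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def process_batch(batch):
    """Run the batch through all five control types; return results and the trail."""
    trail = []  # management trail: one event per decision, keyed by transaction id
    accepted, rejected = [], []
    for rec in batch:
        problems = validate_input(rec)
        if problems:
            rejected.append(rec["id"])
            trail.append({"txn": rec["id"], "step": "input", "result": "rejected", "why": problems})
        else:
            accepted.append(rec)
            trail.append({"txn": rec["id"], "step": "input", "result": "accepted"})

    # Processing control: control totals taken before anything is posted.
    input_count = len(accepted)
    input_total = sum((Decimal(r["amount"]) for r in accepted), Decimal(0))

    # Processing: post to per-account balances, recording each posting in the trail.
    balances, stored = {}, {}
    for rec in accepted:
        balances[rec["account"]] = balances.get(rec["account"], Decimal(0)) + Decimal(rec["amount"])
        stored[rec["id"]] = {"record": dict(rec), "digest": record_digest(rec)}
        trail.append({"txn": rec["id"], "step": "post", "account": rec["account"], "amount": rec["amount"]})

    # Output control: what came out must reconcile with what went in.
    output_total = sum(balances.values(), Decimal(0))
    reconciled = output_total == input_total and len(stored) == input_count
    trail.append({"txn": None, "step": "output", "reconciled": reconciled,
                  "input_total": str(input_total), "output_total": str(output_total)})
    return {"balances": balances, "stored": stored, "rejected": rejected,
            "reconciled": reconciled, "trail": trail}


def integrity_check(stored):
    """Integrity control: ids of stored records whose content no longer matches its digest."""
    return sorted(tid for tid, e in stored.items() if record_digest(e["record"]) != e["digest"])


def trace(trail, txn_id):
    """Management trail, forward: every event recorded for one transaction."""
    return [e for e in trail if e["txn"] == txn_id]


def trace_back(trail, account):
    """Management trail, backward: which transactions produced an account's balance."""
    return [e["txn"] for e in trail if e["step"] == "post" and e["account"] == account]
```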
5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.
5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
6 Importance of IT Controls

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002,[2] the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.
Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO) and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.
GTAG — Importance of IT Controls — 6

[2] Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.
GTAG — IT Roles in the Organization — 7

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position, at the governance, management, operational, and technical levels, should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.
• To protect stakeholder interests.
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.
• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.
• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.
7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.
• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.
• Overseeing the overall assessment of IT controls.
• Reviewing the business and control issues related to new systems development and acquisition.
• Examining internal and external audit plans and work to ensure IT topics are covered adequately.
• Reviewing the results of audit work and monitoring the resolution of issues raised.
• Understanding the IT topics that impact ethics monitoring.
7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.
• Assess board committees' performance in terms of their oversight of IT.
• Review any external regulatory governance assessments in relation to IT topics.
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.
7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.
• Being aware of and concurring with the organization's risk appetite and tolerance.
• Appreciating the impact of IT-related risks.
• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.
• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.
7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the IT control elements that ensure the accuracy of the information used to make key financing decisions and to generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining versus replacing critical IT systems. Management's report should consider "soft" efficiency issues such as productivity gains or losses arising from ease and efficiency of use, the "hard" costs of repairs and upgrades, and the potential for risk due to loss or corruption of data.
7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual to each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken that combining roles does not undermine segregation of duties where the roles are incompatible (for example, the same person both developing an application change and approving its promotion into production). Where IT is outsourced, the organization must still keep many of these roles in-house to provide oversight of the outsourced functions.
7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.
• Act as custodian of the organization's critical success factors in relation to IT.
• Understand and approve the short-term and long-range strategy for IT.
• Approve IT resources for the organization, including structure and oversight/monitoring.
• Determine IT issues for periodic management, board, and staff discussion.
• Operate as the highest-level control owner, with ultimate responsibility for the success or failure of controls, and coordinate the operational managers who act as control owners for their particular areas.
7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.
• The entity's IT strategies for remaining technologically competitive.
• The technologies used to implement financial applications.
• The operation of specific financial applications.
IT Controls and Ethics (sidebar)

From the Equity Funding cases of the 1970s to the scandals that continue to emerge today, the use of technology has created significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions, and if such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization gives an individual the opportunity to act on its behalf, it has a corresponding responsibility to monitor that activity so that improper actions are detected and corrected quickly. The organization also has a responsibility to identify threats of this sort and to establish preventive safeguards. The same technology tools that create the opportunity for fraud can be used to identify activities, or unusual patterns in transactions and other data, that may indicate fraud or questionable behavior.
• The limitations and benefits of IT.
• The IT control structure, both the general controls that apply to all business systems and data and the controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.
7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.
• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Capture process-efficiency gains.
  – Mitigate assessed risks.
• Design, implement, and maintain an IT internal control framework.
• Plan, source, and control IT resources.
• Explore, assess, select, and implement technology advances (e.g., wireless communications).
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
• Operate as the highest-level data/system custodian and IT control owner.
• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
• Develop the means to verify and demonstrate that IT is providing the services and support expected by its users and by final customers such as regulators and external and internal auditors.
7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may also be the responsibility of a chief information security officer. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring that mechanisms have been established to communicate and enforce the policy.
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.
• Acts as a key link between the compliance, legal, CIO, and audit functions.
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.
• Is responsible for business continuity planning, including incident handling and disaster recovery.
• Ensures that security staff provide support for implementing controls at all levels.
• Acts as the key leader in investigating and evaluating new best practices that may be incorporated into the organization.
7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.
• Ensures alignment of information security and business objectives.
• Manages operational information risks throughout the organization.
• Oversees security within the IT organization.
• Provides education and awareness on information security issues and new best practices.
• Develops end-user policies for the use of IT and information, in conjunction with the human resources function.
• Coordinates information security work with the chief risk officer (CRO) and the CIO.
• Advises the CEO, CRO, CIO, and board on IT risk issues.
• Acts as a key link for the CAE when internal auditing performs IT control-related audits.
7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising from information disclosures and providing policy-level guidance to help manage the related risks.
• Ensuring financial reports and presentations comply with laws and regulations.
• Understanding IT legal issues and advising on legal risks related to IT.
• Managing organizational reputation in relation to legal issues, compliance, and public relations.
• Understanding fraud involving IT.
• Managing IT contractual issues.
• Understanding investigative forensics protocols regarding suspected criminal activity.
7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.
• Assessment of IT events such as interruptions, disasters, and changes.
• Analysis and assessment of business risk as it is affected by IT risk.
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.
7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of that understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.
• Ensuring IT is included in the audit universe and annual plan (selecting topics).
• Ensuring IT risks are considered when assigning resources and priorities to audit activities.
• Defining the IT resources needed by the internal audit department, including specialized training of audit staff.
• Ensuring that audit planning considers IT issues for each audit.
• Liaising with audit clients to determine what they want or need to know.
• Performing IT risk assessments.
• Determining what constitutes reliable and verifiable evidence.
• Performing IT enterprise-level controls audits.
• Performing IT general controls audits.
• Performing IT application controls audits.
• Performing specialist technical IT controls audits.
• Making effective and efficient use of IT to assist the audit process.
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.
7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.
• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as attestation on internal control over financial reporting and other regulatory requirements.
³ These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).
8 Analyzing Risk

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, through experience or formal risk assessment, suitable risk responses are determined. These range from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.
It would be a relatively straightforward task to create a list of recommended IT controls that every organization must implement. However, each control has a specific cost that may not be justified when considered against the type of business the organization does, and no list of controls is universally applicable across all types of organizations. Although a great deal of good advice is available on the choice of suitable controls, strong judgment must be used: controls must be appropriate for the level of risk the organization faces.
The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO³ as:

"... the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"... the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.
• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.
8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation; it must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes management has established to determine:

• The value and criticality of information.
• The organization's risk appetite and tolerance for each business function and process.
• The IT risks faced by the organization and the quality of service provided to its users.
• The complexity of the IT infrastructure.
• The appropriate IT controls and the benefits they provide.
• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.
8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their system and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructure that may affect internal controls. Systems architecture schematics show how infrastructure components are implemented and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components, including the placement of security controls and technologies, reveal potential vulnerabilities. Unfortunately, the same information can reveal vulnerabilities to a potential attacker, so access to it must be restricted to those people who need it. A properly configured system and network environment minimizes the amount of information it gives to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers. Limiting what the environment discloses is a complement to, not a substitute for, removing the underlying vulnerabilities: an attacker who learns of the weakness by other means is not stopped by a suppressed banner.
GTAG – Analyzing Risk – 8
8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks the organization faces through its use of IT, and of their own roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with knowledge of the IT risks, the auditor can validate the existence of effective controls to meet the organization's established risk appetite and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee, with input from the audit committee, and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.
8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five are:

• What are the assets at risk, and what is the value of their confidentiality, integrity, and availability?
• What could happen to adversely affect that information asset value (the threat event)? Implicit in this question is the vulnerability analysis: mapping vulnerabilities to threats and to the information assets they could affect.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task, because value is multidimensional. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.issa.org), address information value within the following categories:

• Exclusive possession: cost in the event of a breach of confidentiality.
• Utility: cost in the event of a loss of integrity.
• Cost of creation/re-creation.
• Liability in the event of litigation.
• Convertibility/negotiability: represents market value.
• Operational impact of unavailability.
8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject; see Appendix I (page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.
8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.
• Eliminate the risk. A risk may be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Share the risk. Risk mitigation can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management: the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of a realized risk to an insurance provider. Sharing or transferring a risk does not transfer accountability for it; the organization remains responsible for overseeing the supplier or insurer and for whatever residual risk neither covers.
• Control (mitigate) the risk. Where the other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from materializing or to minimize its effects.
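The following is an added, worked version of the eight questions in 8.2.4 and the response options in 8.3; it is an illustration written for this edition and is not part of the GTAG or of any COSO or IIA tool. The risk register, the candidate controls, the tolerance figure, and the "reduction factor" model of what a control does are all constructed assumptions; real figures come from the organization's own assessment.

```python
"""Worked risk analysis and response selection (added illustration).

Walks the eight questions of section 8.2.4 for a small, constructed risk
register and applies the response options of section 8.3 (accept, control,
or fall back to eliminate/share). Every figure below is hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str            # question 2: the threat event
    impact_low: float      # question 3: loss per event, optimistic (currency units)
    impact_high: float     # question 3: loss per event, pessimistic
    freq_low: float        # question 4: events per year, optimistic
    freq_high: float       # question 4: events per year, pessimistic


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # question 7
    freq_reduction: float    # fraction of event frequency the control removes (0..1)
    impact_reduction: float  # fraction of per-event loss the control removes (0..1)


def annual_loss_range(r: Risk) -> tuple[float, float]:
    """Questions 3-5: expected annual loss = impact x frequency, kept as a
    (low, high) range so the uncertainty of the inputs stays visible."""
    return (r.impact_low * r.freq_low, r.impact_high * r.freq_high)


def residual_loss_range(r: Risk, c: Control) -> tuple[float, float]:
    """Expected annual loss after applying control c (question 6)."""
    low, high = annual_loss_range(r)
    factor = (1.0 - c.freq_reduction) * (1.0 - c.impact_reduction)
    return (low * factor, high * factor)


def recommend(r: Risk, candidates: list[Control], tolerance: float) -> dict:
    """Choose a section 8.3 response.

    tolerance is the largest expected annual loss management accepts for this
    asset (the risk tolerance set under section 8.2.3). The decision uses the
    pessimistic end of each range, so an uncertain estimate is treated as a
    worse one rather than an average one.
    """
    low, high = annual_loss_range(r)
    if high <= tolerance:
        return {"response": "accept", "control": None, "expected_loss": (low, high)}

    best = None
    for c in candidates:
        res_low, res_high = residual_loss_range(r, c)
        avoided = high - res_high                              # loss avoided per year
        if res_high <= tolerance and avoided > c.annual_cost:  # question 8
            net = avoided - c.annual_cost
            if best is None or net > best[0]:
                best = (net, c.name, (res_low, res_high))
    if best is None:
        # No candidate is both sufficient and cost-efficient; what remains is
        # to eliminate the technology/activity or share the risk (8.3).
        return {"response": "eliminate_or_share", "control": None,
                "expected_loss": (low, high)}
    net, name, residual = best
    return {"response": "control", "control": name,
            "expected_loss": residual, "net_benefit": net}


# Constructed sample register and candidate controls (hypothetical figures).
CUSTOMER_DB = Risk("customer database", "compromise via the internet-facing application",
                   impact_low=200_000, impact_high=1_000_000,
                   freq_low=0.05, freq_high=0.2)
PRINT_SERVER = Risk("print server", "hardware failure",
                    impact_low=500, impact_high=2_000, freq_low=0.5, freq_high=1.0)
CANDIDATES = [
    Control("web application firewall + patch SLA", 60_000, freq_reduction=0.8, impact_reduction=0.0),
    Control("database encryption + access logging", 40_000, freq_reduction=0.0, impact_reduction=0.8),
    Control("fully outsourced hosting", 400_000, freq_reduction=0.9, impact_reduction=0.0),
]

if __name__ == "__main__":
    for risk, tol in ((CUSTOMER_DB, 50_000), (PRINT_SERVER, 5_000)):
        print(risk.asset, "->", recommend(risk, CANDIDATES, tol))
```

With these figures the print server falls within tolerance and is accepted; the customer database exceeds it, two of the three candidate controls bring it back inside, and the one with the larger net benefit is chosen. Offered only the outsourcing option, which reduces the loss but costs more than it avoids, the function reports that the remaining choices are to eliminate or share the risk, which is the point of the last three questions in 8.2.4: a control that works but is not cost-efficient is not the answer.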
8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (an audit or management trail)?
8.5 Baseline IT Controls

IT controls are applied when mitigating a risk is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that needs to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines how tightly the firewalls restrict traffic entering and leaving an organization's networks. Firewalls are a physical and logical manifestation of the information security policy elements that dictate what is allowed into or out of an organization; each rule in the firewall should be traceable to such a policy statement, and a rule that cannot be traced is an exception that needs an owner and a review date.
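The point that a firewall is policy made executable is easiest to see in a small model, so the following example is added here; it is not code from the GTAG, from VISA, or from any firewall product. The zones, addresses, policy references, and ruleset are constructed, and the evaluation semantics assumed (first matching rule wins, implicit default deny) are the common packet-filter behaviour rather than any particular vendor's.

```python
"""Firewall rules as executable policy (added illustration).

Section 8.5 describes a firewall as the physical and logical form of the
policy statements that say what may enter or leave a network. This model
evaluates a ruleset the way most packet filters do (first matching rule
wins, implicit default deny) and checks the ruleset for rules that can
never fire. Zones, addresses and policy statements are hypothetical.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zones. A host belongs to the most specific zone that contains
# it, so 10.50.0.0/16 is "finance", not "internal"; "internet" is the rest.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "finance": ipaddress.ip_network("10.50.0.0/16"),
}


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if ip in net]
    return max(matches)[1]


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src_zone: str             # zone name or "any"
    dst_zone: str
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None = any port
    policy_ref: str           # the policy statement this rule implements

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src_zone in ("any", zone_of(src))
                and self.dst_zone in ("any", zone_of(dst))
                and self.proto in ("any", proto)
                and self.dst_port in (None, port))

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` could match is already matched by self."""
        return (self.src_zone in ("any", other.src_zone)
                and self.dst_zone in ("any", other.dst_zone)
                and self.proto in ("any", other.proto)
                and self.dst_port in (None, other.dst_port))


def evaluate(rules: list[Rule], src: str, dst: str, proto: str, port: int) -> tuple[str, str]:
    """First matching rule decides; if nothing matches, the flow is denied."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.policy_ref
    return "deny", "default deny: no rule matched"


def shadowed(rules: list[Rule]) -> list[int]:
    """Indexes of rules that an earlier rule fully covers, i.e. dead rules.
    A dead deny is the dangerous case: the policy it implements is not enforced."""
    return [i for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]


# Constructed ruleset, each rule tied to the policy statement it enforces.
POLICY = [
    Rule("allow", "internet", "dmz", "tcp", 443, "POL-1 public web service reachable over HTTPS only"),
    Rule("deny", "internet", "internal", "any", None, "POL-2 no direct inbound access to internal systems"),
    Rule("allow", "dmz", "internal", "tcp", 5432, "POL-3 web tier may reach the database tier only"),
    Rule("allow", "internal", "internet", "tcp", 443, "POL-4 staff may browse HTTPS sites"),
    Rule("deny", "internal", "internet", "tcp", 25, "POL-5 only the mail gateway sends mail"),
    Rule("deny", "internal", "finance", "any", None, "POL-6 finance segment isolated from the office network"),
    Rule("allow", "finance", "finance", "any", None, "POL-7 finance systems may talk to each other"),
]

if __name__ == "__main__":
    for flow in (("203.0.113.7", "192.0.2.10", "tcp", 443), ("203.0.113.7", "10.0.0.5", "tcp", 3389),
                 ("10.1.2.3", "10.50.1.1", "tcp", 445), ("10.1.2.3", "198.51.100.9", "tcp", 25)):
        print(flow, "->", evaluate(POLICY, *flow))
    print("shadowed rules:", shadowed(POLICY))
```

Two design choices carry the section's argument. Every rule names the policy statement it implements, so a reviewer can ask of any line "which policy is this?" and of any policy "which line enforces it?"; and anything the policy does not explicitly permit is denied, so forgetting a rule fails closed. Because zone membership is most-specific-match, a rule written for "internal" does not cover the finance segment, which forces the finance policy to be stated explicitly rather than inherited. The `shadowed()` check catches the classic failure of a "temporary" allow-all inserted at the top of the list: every rule below it, including the denies, becomes dead.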
The IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.
It is not easy to define the baseline IT controls, because general threats such as malicious software and hacking change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies, including policies for IT controls, exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and are the risks identified appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?
Further information on baseline controls can be found in Appendix I (page 45). More comprehensive information on risk analysis and management can be found in the IIA paper "Information Security Management and Assurance: A Call to Action for Corporate Governance," http://www.theiia.org/eSAC/pdf/BLG0331.pdf.
Fundamental Five (sidebar)

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and access management (including privilege assignment and authentication)
2. Change management (including patch management)
3. Configuration management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)
Digital Dozen (sidebar)

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value over more than two years of use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data.
2. Keep security patches up to date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique identification code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
9 Monitoring and Techniques

9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization, not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements faced by many organizations.

Each organization should examine existing control frameworks to determine which of them, or which parts, most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process, because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan, and allocate audit resources, according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessment. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not the evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure that all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers in determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).

The COSO Internal Control – Integrated Framework (1992) is accepted by the US Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting on compliance with financial reporting provisions.
GTAG – Monitoring and Techniques – 9

Figure 5 – COSO Model for Technology Controls

Control Environment
• Tone from the top: IT and security controls considered important
• Overall technology policy and information security policy
• Corporate technology governance committee
• Technology architecture and standards committee
• Full representation of all business units

Risk Assessment
• IT risks included in the overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiated IT controls for high-risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk: ongoing issue resolution

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of the technology enterprise
• Internal audit of high-risk areas
That framework is not specific to all areas of IT, but it is considered a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction (see Figure 5, COSO Model for Technology Controls, page 18).
9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and how frequently, is not easy. Participation by the auditor in risk analysis exercises, and implementation of a suitable control framework, help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows.
921 Ongoing Monitoring
bull DailyPeriodic ndash Some information must be checkeddaily to ensure controls are working as requiredManagement normally performs such monitoringwhich traditionally involves checking data-processingcontrol reports to reconcile satisfactory task and jobcompletion Such controls where they exist are mostoften automated The CAE will ensure such manage-ment monitoring is in place and that it is subjectedto internal audit assessment
bull Event-driven ndash Discrepancies or even frauds mayresult within normal processing or in special circum-stances such as where there are large-value transac-tions In many IT environments malicious attacksare likely Consequently specific controls should bein place to detect and report unusual activities to anentity within the organization that is chartered
specifically to investigate and determine if preventiveor corrective actions should be applied Such monitoring controls are complementary to the normal controls employed and provide assurance onthe effectiveness of those controls or early warningthat they may have been breached
bull Continuous ndash Technology now provides the abilityto monitor and assess certain sensitive controls continuously A good example of continuous moni-toring is the use of intrusion detection softwarewhich continually monitors network traffic for evidence that other protective controls such as fire-walls and virus protection may have been breached
922 Special Reviews
bull Annual (or quarterly) control assessment ndashSarbanes-Oxley legislation in the United Statesrequires cyclical control assessments Although theboard of directors is required to make statementsregarding the effectiveness of internal controls management actually must provide the assurances tothe board and the internal and external auditorsmust perform sufficient audit work to attest to theseassurances
bull Audit reviews ndash A regular program of audit reviewsis still necessary despite the proliferation of newaudit approaches It is only through the formal reviewof infrastructure process and technology implemen-tation that the CAE can assess the overall reliabilityand robustness of the system of internal controls Inthe past such reviews were planned on a cyclicalbasis However given the fast-changing world of ITaudit reviews should now be scheduled based on thelevel of risk
GTAG — Monitoring and Techniques — 9

Suitable Recognized Framework

“…the framework on which management’s assessment of the issuer’s internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992.”

— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003
10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies, but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors “audited around the computer.” Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.
10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
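As an added illustration of the test-data approach just described (example code written for this edit, not code from the GTAG or from any audit tool it mentions): a small automated input control is fed a constructed population of valid and invalid transactions, each tagged with the decision the control is expected to make, and the test routine reports every case where the control's actual decision differs. The control rules (an 8- to 16-digit account number with a Luhn check digit, a positive amount, a second approver above a 50,000 limit, no future posting date), the limit itself, the `Transaction` fields and the `legacy_control` variant are all assumptions made for the example.

```python
"""Audit test deck run against an automated input control.

Added example: the control rules, the approval limit and the test
population below are constructed for illustration, not taken from
any real system or from the GTAG text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Tuple

ACCOUNT_RE = re.compile(r"^\d{8,16}$")  # assumed account number format
APPROVAL_LIMIT = 50_000.00              # assumed: above this a second approver is required


@dataclass(frozen=True)
class Transaction:
    ref: str
    account: str
    amount: float
    posted: date
    approver: str = ""  # empty when no second approval was recorded


def luhn_ok(digits: str) -> bool:
    """Standard Luhn (mod 10) check digit test on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def input_control(tx: Transaction, as_of: date) -> List[str]:
    """The automated control under test: returns the rejection reasons,
    so an empty list means the transaction is accepted."""
    reasons: List[str] = []
    if not ACCOUNT_RE.match(tx.account) or not luhn_ok(tx.account):
        reasons.append("account number fails format or check digit")
    if tx.amount <= 0:
        reasons.append("amount must be positive")
    if tx.amount > APPROVAL_LIMIT and not tx.approver:
        reasons.append("amount above approval limit without second approver")
    if tx.posted > as_of:
        reasons.append("posting date is in the future")
    return reasons


def legacy_control(tx: Transaction, as_of: date) -> List[str]:
    """Constructed earlier release of the control that never checked the
    posting date; used to show how the test deck surfaces a regression."""
    return [r for r in input_control(tx, as_of) if "posting date" not in r]


AS_OF = date(2005, 3, 1)  # constructed processing date

# Constructed test population: (transaction, expected to be accepted?)
VALID_ACCT, BAD_CHECK_DIGIT = "79927398713", "79927398710"
TEST_DECK: List[Tuple[Transaction, bool]] = [
    (Transaction("T01", VALID_ACCT, 1200.00, date(2005, 2, 28)), True),
    (Transaction("T02", VALID_ACCT, 0.00, date(2005, 2, 28)), False),
    (Transaction("T03", VALID_ACCT, -5.00, date(2005, 2, 28)), False),
    (Transaction("T04", VALID_ACCT, 60000.00, date(2005, 2, 28)), False),
    (Transaction("T05", VALID_ACCT, 60000.00, date(2005, 2, 28), "cfo"), True),
    (Transaction("T06", BAD_CHECK_DIGIT, 1200.00, date(2005, 2, 28)), False),
    (Transaction("T07", "7992739871A", 1200.00, date(2005, 2, 28)), False),
    (Transaction("T08", VALID_ACCT, 1200.00, date(2005, 3, 2)), False),
    (Transaction("T09", VALID_ACCT, APPROVAL_LIMIT, date(2005, 2, 28)), True),
]


def run_test_deck(control: Callable[[Transaction, date], List[str]],
                  deck: List[Tuple[Transaction, bool]],
                  as_of: date) -> List[dict]:
    """Process every deck item through the control and report each case whose
    accept/reject decision differs from the expected outcome."""
    findings = []
    for tx, expect_accept in deck:
        reasons = control(tx, as_of)
        accepted = not reasons
        if accepted != expect_accept:
            findings.append({"ref": tx.ref, "expected_accept": expect_accept,
                             "actual_accept": accepted, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("current control:", run_test_deck(input_control, TEST_DECK, AS_OF))
    print("legacy control: ", run_test_deck(legacy_control, TEST_DECK, AS_OF))
```

The deck deliberately includes boundary cases (an amount exactly at the limit, a check-digit failure, a future date) because those are where an input control most often drifts after a change; running the same deck against `legacy_control` shows the kind of finding the test produces when one rule has silently dropped out.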
GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes to ensure appropriate controls were incorporated into new systems, rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor, as well as the business world’s recognition of the importance of effective information security management.

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.
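The embedded audit module described in 10.2.1, and the event-driven and continuous monitoring of 9.2.1, can be shown together in one small monitoring routine (added example written for this edit, not code from the GTAG or from any product it names). It reads a constructed payment feed, applies predetermined criteria (a large single value, posting outside business hours, a repeat payment to the same payee, same-day payments to one payee that each sit below the approval limit but together exceed it), returns the alerts that would go to an investigating function, and counts alerts per rule so the effect of changing a threshold on alert volume is visible. The field names, the four rules and the threshold values are assumptions.

```python
"""Embedded audit module: checks a payment feed against predetermined
criteria and reports anomalies, with tunable alert thresholds.

Added example with constructed data; nothing here is from the GTAG or
from any monitoring product it mentions.
"""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample feed (ISO timestamps; 2005-03-05 is a Saturday).
SAMPLE_FEED = """ref,payee,amount,posted
P001,Acme Supplies,4200.00,2005-03-01T10:15
P002,Acme Supplies,4200.00,2005-03-02T11:05
P003,Globex,24900.00,2005-03-01T09:40
P004,Globex,24950.00,2005-03-01T09:52
P005,Initech,120000.00,2005-03-03T14:00
P006,Initech,300.00,2005-03-05T22:30
P007,Umbrella,900.00,2005-03-04T12:00
"""


@dataclass(frozen=True)
class Thresholds:
    """Predetermined criteria; the values are assumptions for the example."""
    large_value: float = 100_000.0              # single payment worth an alert
    approval_limit: float = 25_000.0            # per-payment limit used by the split test
    duplicate_window_days: int = 7              # look-back for repeat payments
    business_hours: Tuple[int, int] = (7, 19)   # [start, end) hour, Monday to Friday


@dataclass(frozen=True)
class Payment:
    ref: str
    payee: str
    amount: float
    posted: datetime


class Alert(NamedTuple):
    rule: str
    refs: str     # payment reference(s) involved
    detail: str


def load_feed(text: str) -> List[Payment]:
    """Parse the CSV feed into Payment records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Payment(r["ref"], r["payee"], float(r["amount"]),
                    datetime.fromisoformat(r["posted"])) for r in rows]


def monitor(payments: List[Payment], t: Thresholds) -> List[Alert]:
    """Apply each predetermined criterion and collect the alerts raised."""
    alerts: List[Alert] = []
    seen: List[Payment] = []
    same_day: Dict[Tuple[str, date], List[Payment]] = defaultdict(list)
    start, end = t.business_hours

    for p in sorted(payments, key=lambda x: x.posted):
        if p.amount >= t.large_value:
            alerts.append(Alert("LARGE_VALUE", p.ref, f"{p.amount:.2f} to {p.payee}"))
        if p.posted.weekday() >= 5 or not (start <= p.posted.hour < end):
            alerts.append(Alert("AFTER_HOURS", p.ref, p.posted.isoformat()))
        for q in seen:   # repeat payment: same payee and amount inside the window
            if (q.payee == p.payee and q.amount == p.amount
                    and p.posted - q.posted <= timedelta(days=t.duplicate_window_days)):
                alerts.append(Alert("DUPLICATE", p.ref, f"repeats {q.ref}"))
                break
        seen.append(p)
        same_day[(p.payee, p.posted.date())].append(p)

    # split: several same-day payments to one payee, each under the limit,
    # whose total exceeds it
    for (payee, day), group in same_day.items():
        total = sum(g.amount for g in group)
        if (len(group) > 1 and all(g.amount < t.approval_limit for g in group)
                and total > t.approval_limit):
            alerts.append(Alert("SPLIT", ",".join(g.ref for g in group),
                                f"{payee} {day}: total {total:.2f}"))
    return alerts


def alert_counts(payments: List[Payment], t: Thresholds) -> Dict[str, int]:
    """Alert volume per rule: the figure watched while tuning thresholds."""
    return dict(Counter(a.rule for a in monitor(payments, t)))


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for a in monitor(feed, Thresholds()):
        print(a)
    print("default thresholds:", alert_counts(feed, Thresholds()))
    print("large_value lowered:", alert_counts(feed, Thresholds(large_value=20_000.0)))
```

With the default thresholds the constructed feed yields one alert per rule; lowering `large_value` to 20,000 makes three of the seven payments trip the large-value rule, which is the threshold-versus-volume trade-off the paragraph above describes.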
10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity, to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today’s complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

“Metrics and reporting” and “audit report summaries” are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting. Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can impact controls at the governance level materially.

Audit report summaries. Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization’s needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization’s governance framework and philosophy and the extent to which IT risks exist.
Figure 6 – Audit Interfaces
Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization’s mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.
GTAG — Conclusion — 11
Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the “Technology” section of http://www.theiia.org.

12.1 Governance (Board of Directors)
• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act)
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
• Strive to protect the interests of all stakeholders dependent on information security
• Review information security policies regarding strategic partners and other third parties
• Strive to ensure business continuity
• Review provisions for internal and external audits of the information security program
• Collaborate with management to specify the information security metrics to be reported to the board

12.2 Management
• Establish information security management policies and controls and monitor compliance
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges
• Assess information risks, establish risk thresholds, and actively manage risk mitigation
• Ensure implementation of information security requirements for strategic partners and other third parties
• Identify and classify information assets
• Implement and test business continuity plans
• Approve information systems architecture during acquisition, development, operations, and maintenance
• Protect the physical environment
• Ensure internal and external audits of the information security program, with timely follow-up
• Collaborate with security staff to specify the information security metrics to be reported to management

12.3 Technical
Establishing a complete information security program requires attention to the following technical program elements:
• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management
GTAG — Appendix A — Information Security Program Elements — 12
There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled “Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing” (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization’s overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization’s risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA’s Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records “that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets.” Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle “confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters” (whistle-blower complaints). This would also relate to any issues arising from the control of IT.
GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

13.1.1.4 Sections 302 and 404

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.
They must disclose:
• “All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer’s ability to record, process, summarize, and report financial data and identify for the issuer’s auditors any material weaknesses in internal controls.”
• “Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls.”

Section 404 requires the CEO and CFO to produce an annual audit report that:
• Assesses the effectiveness of the internal control structure over financial reporting
• Discloses all known internal control weaknesses
• Discloses all known frauds

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation, or need, for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord

The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance, and supplier management.

A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:
• Senior management is actively involved
• The bank has an OR management system, processes, policies, and procedures enterprisewide
• The bank has the right governance and sufficient resources to manage operational risks
• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework
  – Codifying policies, procedures, and controls
  – Designing and implementing an OR measurement methodology
  – Designing and implementing an OR management reporting system
  – Developing strategies to identify, measure, monitor, and control or mitigate OR
• An OR measurement system is closely integrated into the day-to-day risk management process
• The OR exposures and loss experiences are regularly reported
• The OR management system is documented
• Internal and external auditors regularly review the OR management processes and measurement system

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe “tail” loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank’s organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider, such as the Zurich-based ORX Global Operational Loss Database (GOLD) or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:
• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank)
• Internal loss data must be linked to the bank’s current business activities
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA
• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks’ credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:
• Strategies and processes
• Structure and organization of the risk management function
• Scope and nature of risk reporting
• Policies for hedging and mitigating risks (including operations)

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or “BITS Kalculator” (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C(80)58 final). Regional bodies like the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the U.K. Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) - The Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA) 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)

California’s State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver’s license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization’s statement favorably if it treats its California customers differently from its other customers.
GTAG – Appendix B – Compliance With Laws and Regulations and Guidance on Compliance Implementation – 13
13.7 Global National Regulations
Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.
GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14
14.1 Auditor Knowledge Considerations
Standard 1210 – Proficiency, of The IIA's Standards, requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.[4] Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels. The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence, including IT proficiency, for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.
14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

[4] Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.
GTAG – Appendix D – Compliance Frameworks – 15
15.1 COSO
Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (Appendix E; see page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo
The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines
The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)
ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:
• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:

• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.

15.5.2 How to Establish Security Requirements
BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:
• Assessing risks to the organization. BS 7799 does not prescribe a methodology.
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors such as loss of reputation should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.

15.5.5 Topics Addressed in BS 7799
1 Scope
2 Terms and definitions
3 Security policy
   3.1 Information security policy document
   3.2 Review and evaluation
4 Security organization
   4.1 Information security infrastructure
   4.2 Security of third-party access
   4.3 Outsourcing
5 Asset classification and control
   5.1 Accountability for assets
   5.2 Information classification
6 Personnel security
   6.1 Security in job definition and resourcing
   6.2 User training
   6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
   7.1 Secure areas
   7.2 Equipment security
   7.3 General control
8 Communications and operations management
   8.1 Operational procedures and responsibilities
   8.2 System planning and acceptance
   8.3 Protection against malicious software
   8.4 Housekeeping
   8.5 Network management
   8.6 Media handling and security
   8.7 Exchanges of information and software
9 Access control
   9.1 Business requirement for access control
   9.2 User access management
   9.3 User responsibilities
   9.4 Network access control
   9.5 Operating system access control
   9.6 Application access control
   9.7 Monitoring system access and use
   9.8 Mobile computing and teleworking
10 Systems development and maintenance
   10.1 Security requirements of systems
   10.2 Security in application systems
   10.3 Cryptographic controls
   10.4 Security of system files
   10.5 Security in development and support processes
11 Business continuity management
   11.1 Business continuity management process
12 Compliance
   12.1 Compliance with legal requirements
   12.2 Reviews of security policy and technical compliance
   12.3 System audit considerations
15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.

15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:

• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).
• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.

15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know, including but not limited to information owners and information security practitioners, should have access to available principles, standards, conventions, or mechanisms for securing information and information systems and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.
• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

[Figure 7 – Security Management]
• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies[5] relevant to the particular principle.
• Communications – The organization has communicated its defined policies to authorized users.
• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.

15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.

15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum-acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.
Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

[5] The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

[6] Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.
15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services in the correct quantity and price by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
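One way an IT auditor could test the four processing-integrity attributes named above against an application's transaction records, as an added example that is not from the GTAG or the Trust Services literature; the approval policy, the 24-hour service level and the log records are constructed assumptions.

```python
"""Processing-integrity audit test over a constructed transaction log.

Added illustration, not code from the GTAG or the AICPA/CICA Trust Services
literature. Checks the four attributes the principle names: completeness
(each submission processed exactly once), accuracy (key fields unchanged),
timeliness (within the committed service level) and authorization (the
approver's role permits the amount). Policy, SLA and records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed approval policy: the highest amount each role may approve.
APPROVAL_LIMITS: Dict[str, float] = {"clerk": 10_000, "manager": 50_000, "director": float("inf")}
# Constructed service-level commitment: process within 24 hours of submission.
SLA = timedelta(hours=24)
Finding = Tuple[str, str, str]  # (txn_id, attribute, detail)


@dataclass(frozen=True)
class Submitted:
    """A transaction as the initiating party submitted it."""
    txn_id: str
    customer: str
    amount: int
    at: datetime


@dataclass(frozen=True)
class Processed(Submitted):
    """The same transaction as the system recorded its processing."""
    approver_role: str


def role_allows(role: str, amount: int) -> bool:
    """Authorization check; an unknown role never authorizes anything."""
    return amount <= APPROVAL_LIMITS.get(role, float("-inf"))


def processing_integrity_exceptions(submitted: List[Submitted],
                                    processed: List[Processed]) -> List[Finding]:
    """Return one (txn_id, attribute, detail) tuple per control exception found."""
    exceptions: List[Finding] = []
    sub_by_id = {s.txn_id: s for s in submitted}
    times_processed: Dict[str, int] = {}
    for p in processed:
        times_processed[p.txn_id] = times_processed.get(p.txn_id, 0) + 1

    # Completeness: every submission processed, and none more than once.
    for s in submitted:
        n = times_processed.get(s.txn_id, 0)
        if n == 0:
            exceptions.append((s.txn_id, "completeness", "submitted but never processed"))
        elif n > 1:
            exceptions.append((s.txn_id, "completeness", f"processed {n} times"))
    for txn_id in times_processed:
        if txn_id not in sub_by_id:
            exceptions.append((txn_id, "completeness", "processed with no matching submission"))

    for p in processed:
        s = sub_by_id.get(p.txn_id)
        if s is None:
            continue  # already reported as a completeness exception
        # Accuracy: key information must survive processing unchanged.
        if (p.customer, p.amount) != (s.customer, s.amount):
            exceptions.append((p.txn_id, "accuracy",
                               f"submitted {s.customer}/{s.amount}, processed {p.customer}/{p.amount}"))
        # Timeliness: measured against the committed service level, not an absolute.
        if p.at - s.at > SLA:
            exceptions.append((p.txn_id, "timeliness", f"processed {p.at - s.at} after submission"))
        # Authorization: the recorded approver must hold the privilege the policy requires.
        if not role_allows(p.approver_role, p.amount):
            exceptions.append((p.txn_id, "authorization", f"{p.approver_role} may not approve {p.amount}"))
    return exceptions


def sample_log() -> Tuple[List[Submitted], List[Processed]]:
    """Constructed log: one clean transaction plus one exception of each kind."""
    t0 = datetime(2024, 3, 1, 9, 0)
    submitted = [
        Submitted("T1", "alice", 500, t0),
        Submitted("T2", "bob", 25_000, t0 + timedelta(hours=1)),
        Submitted("T3", "carol", 1_200, t0 + timedelta(hours=2)),
        Submitted("T4", "dave", 75_000, t0 + timedelta(hours=3)),
        Submitted("T5", "erin", 300, t0 + timedelta(hours=4)),  # never processed
    ]
    processed = [
        Processed("T1", "alice", 500, t0 + timedelta(minutes=5), "clerk"),              # clean
        Processed("T2", "bob", 25_000, t0 + timedelta(hours=1, minutes=30), "clerk"),   # clerk over limit
        Processed("T3", "carol", 1_250, t0 + timedelta(hours=2, minutes=10), "clerk"),  # amount altered
        Processed("T3", "carol", 1_250, t0 + timedelta(hours=2, minutes=12), "clerk"),  # processed twice
        Processed("T4", "dave", 75_000, t0 + timedelta(hours=51), "director"),          # 48 h after submission
        Processed("T9", "frank", 100, t0 + timedelta(hours=5), "clerk"),               # no submission on file
    ]
    return submitted, processed


def run_sample() -> List[Finding]:
    return processing_integrity_exceptions(*sample_log())


if __name__ == "__main__":
    for txn_id, attribute, detail in run_sample():
        print(f"{txn_id}: {attribute} exception: {detail}")
```

Each exception maps back to one attribute of the principle, so the auditor can report by attribute rather than by individual error, which is the distinction the text draws between processing integrity and data integrity.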
15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components[6] and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:
• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
• Collection – The organization collects personal information only for the purposes identified in the notice.
• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.
• Access – The organization provides individuals with access to their personal information for review and update.
• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security – The organization protects personal information against unauthorized access, both physical and logical.
• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.
15.8.5 Confidentiality Principle – Information designated as “confidential” is protected as committed or agreed.

The confidentiality principle focuses on information designated “confidential.” There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:
• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.
15.8.6 Certification Authority (CA) Principle
The certification authority discloses its key and certificate life cycle-management, business and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity and environmental controls.
15.9 IIA Systems Assurance and Control (SAC)
The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance, both within an organization and between business partners, to ensure effective security, auditability and control of information. SAC provides current information to understand, monitor, assess and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.
15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance
The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission
The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities (for details, see http://europa.eu.int/comm/internal_market/company/index_en.htm). The EU's corporate governance initiatives do not address IT issues specifically, but activities of the Information Society
16 Appendix E – Assessing IT Controls Using COSO
The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

“Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes.”

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.
16.1 COSO Definition of Internal Control
COSO defines internal control (http://www.coso.org/key.htm) as “a process, effected by an organization's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations.”

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:
• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.
16.2 COSO Internal Control – Integrated Framework
Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment
The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

16.2.4 Information and Communication
Pertinent information must be identified, captured and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data, but also with information about external events, activities and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

16.2.5 Monitoring
Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance), which are what an entity strives to achieve, and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category, the effectiveness and efficiency of operations for instance, all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition, with its underlying fundamental concepts of a process effected by people and providing reasonable assurance, together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitutes this internal control framework.
17 Appendix F – ITGI Control Objectives for Information and Related Technology (CobiT)
Organizations must satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.
1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.
12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations through security and continuity aspects to training. This domain includes the actual processing of data by application systems.
18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.
31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.
CobiT is comprised of:
• An executive summary, which provides an overview of CobiT's issues and foundational premise.
• The CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.
• Control objectives: statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives.
• Audit guidelines: suggested audit steps corresponding to each of the IT control objectives.
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments and several tools to help management assess their control environment related to information and IT resources.
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control, critical success factors to identify the most important actions for achieving control over the IT processes, key goal indicators to define target levels of performance, and key performance indicators to measure whether an IT control process is meeting its objective.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of CobiT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.
18 Appendix G – Example IT Control Metrics to Be Considered by Audit Committees
The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report⁷ that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers and technical staff establish a comprehensive structure of principles, policies, processes, controls and performance metrics to support the people, process and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a “one-size-fits-all” solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the “Technology” section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process and control structure. Larger and more complex organizations will create policies, processes and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.
18.1 Metrics for Boards of Directors/Trustees
Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric, higher or lower, to be self-evident.

• Oversee risk management and compliance programs pertaining to information security
– Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
– Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
– Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
– Percentage of information security program principles for which approved policies and controls have been implemented by management
– Percentage of key information security management roles for which responsibilities, accountabilities and authority are assigned and required skills identified
• Strive to protect the interests of all stakeholders who depend on information security
– Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
– Percentage of security incidents that caused damage, compromise or loss beyond established thresholds to the organization's assets, functions or stakeholders
– Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods
• Review information security policies regarding strategic partners and other third parties
– Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements
• Strive to ensure business continuity
– Percentage of organizational units with an established business-continuity plan
• Review provisions for internal and external audits of the information security program
– Percentage of required internal and external audits completed and reviewed by the board
– Percentage of audit findings that have not been resolved
• Collaborate with management to specify the information security metrics to be reported to the board
⁷ http://reform.house.gov/TIPRC

18.2 Metrics for Management
The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.
• Establish information security management policies and controls and monitor compliance
– Percentage of information security program elements for which approved policies and controls are operational
– Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
– Percentage of information security policy compliance reviews that noted violations
– Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls
• Assign information security roles, responsibilities and required skills, and enforce role-based information-access privileges
– Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access
– Percentage of employees who have completed periodic security-awareness refresher training as required by policy
– Percentage of position descriptions that define the information security roles, responsibilities, skills and certifications for:
+ Security managers and administrators
+ IT personnel
+ General staff system users
– Percentage of job performance reviews that evaluate information security responsibilities and policy compliance
– Percentage of user roles, systems and applications that comply with the separation-of-duties principle
– Number of individuals with access to security software who are not trained and authorized security administrators
– Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators
– Percentage of users whose access privileges have been reviewed this reporting period, including:
+ Employees with high-level system and application privileges
+ All other employees
+ Contractors
+ Vendors
+ Terminated employees and contractors
– Percentage of users who have undergone background checks
• Assess information risks, establish risk thresholds, and actively manage risk mitigation
– Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy
– Percentage of critical assets and functions for which the cost of compromise (loss, damage, disclosure or disruption of access) has been quantified
– Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy
• Ensure implementation of information security requirements for strategic partners and other third parties
– Percentage of known information security risks that are related to third-party relationships
– Percentage of critical information assets or functions to which third-party personnel have been given access
– Percentage of third-party personnel with current information access privileges whom a designated authority has deemed to have continued need for access in accordance with policy
– Percentage of systems with critical information assets or functions that are connected to third-party systems electronically
– Percentage of security incidents that involve third-party personnel
– Percentage of third-party agreements that include or demonstrate external verification of policies and procedures
– Percentage of third-party relationships that have been reviewed for compliance with information security requirements
– Percentage of out-of-compliance review findings that have been corrected since the last review
• Identify and classify information assets
– Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy
– Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy
– Date when the asset inventory was last updated
• Implement and test business-continuity plans
– Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned
– Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy
• Approve information systems architecture during acquisition, development, operations and maintenance
– Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately
– Percentage of system architecture changes (additions, modifications or deletions) that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms
– Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture
• Protect the physical environment
– Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media
– Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented
– Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire and flooding
– Percentage of servers in locations with controlled physical access
– Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule
– Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule
– Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness
• Collaborate with security personnel to specify the information security metrics to be reported to management
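The role, privilege-review and separation-of-duties metrics in the list above are easiest to produce from an access inventory rather than a questionnaire. The Python below is an added example, not code from the GTAG or from the CISWG report: it computes separation-of-duties compliance for roles and for users (a user whose combined roles produce a conflicting pair is flagged even when each role alone is clean), the percentage of users reviewed this period by the categories listed above, the individuals who can assign privileges without being trained security administrators, and terminated accounts that are still enabled. The inventory, role names, entitlements, conflict pairs and reporting period are all constructed for illustration.

```python
"""Compute several of the CISWG role/access metrics from an access inventory.

Added example, not code from the GTAG or the CISWG report.  The inventory,
role names, entitlements, conflict pairs and reporting period below are all
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Account:
    user: str
    category: str                      # one of the review categories listed above
    roles: FrozenSet[str]
    can_assign_privileges: bool = False
    trained_security_admin: bool = False
    last_access_review: Optional[date] = None
    enabled: bool = True


# Assumed role -> entitlement map (constructed sample).
ROLES: Dict[str, Set[str]] = {
    "ap_clerk":       {"vendor.create", "invoice.enter"},
    "ap_manager":     {"payment.approve", "invoice.enter"},
    "ap_superuser":   {"vendor.create", "payment.approve"},   # bundles a toxic pair
    "gl_accountant":  {"journal.post"},
    "gl_reviewer":    {"journal.approve"},
    "security_admin": {"user.create", "user.assign_privileges"},
}

# Assumed separation-of-duties conflict matrix: pairs one person must not hold.
SOD_CONFLICTS: List[FrozenSet[str]] = [
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"journal.post", "journal.approve"}),
]

PERIOD_START = date(2005, 1, 1)   # assumed start of the current reporting period

# Constructed sample inventory (not real users).
INVENTORY: List[Account] = [
    Account("alice", "employee", frozenset({"ap_clerk"}), last_access_review=date(2005, 2, 10)),
    Account("bob", "employee", frozenset({"ap_clerk", "ap_manager"}), last_access_review=date(2004, 11, 3)),
    Account("carol", "privileged_employee", frozenset({"security_admin"}), True, True, date(2005, 1, 20)),
    Account("dave", "privileged_employee", frozenset({"security_admin"}), True, False, date(2005, 1, 20)),
    Account("erin", "contractor", frozenset({"gl_accountant"})),
    Account("frank", "vendor", frozenset({"gl_reviewer"}), last_access_review=date(2005, 3, 1)),
    Account("grace", "terminated", frozenset({"ap_superuser"}), last_access_review=date(2004, 12, 15)),
    Account("heidi", "terminated", frozenset(), last_access_review=date(2005, 2, 1), enabled=False),
]


def sod_violations(entitlements) -> List[FrozenSet[str]]:
    """Return the conflict pairs fully contained in a set of entitlements."""
    held = set(entitlements)
    return [pair for pair in SOD_CONFLICTS if pair <= held]


def entitlements_of(account: Account, roles: Dict[str, Set[str]] = ROLES) -> Set[str]:
    """Union of the entitlements granted by all of an account's roles."""
    out: Set[str] = set()
    for role in account.roles:
        out |= roles[role]
    return out


def pct(numerator: int, denominator: int) -> float:
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def role_sod_compliance(roles: Dict[str, Set[str]] = ROLES) -> float:
    """Metric: percentage of user roles that comply with separation of duties."""
    clean = sum(1 for ents in roles.values() if not sod_violations(ents))
    return pct(clean, len(roles))


def user_sod_violations(inventory=INVENTORY, roles=ROLES) -> Dict[str, List[FrozenSet[str]]]:
    """Enabled accounts whose combined roles yield a conflicting pair."""
    found = {}
    for a in inventory:
        if a.enabled:
            conflicts = sod_violations(entitlements_of(a, roles))
            if conflicts:
                found[a.user] = conflicts
    return found


def _reviewed(a: Account, period_start: date) -> bool:
    return a.last_access_review is not None and a.last_access_review >= period_start


def review_coverage(inventory=INVENTORY, period_start=PERIOD_START) -> Dict[str, float]:
    """Metric: percentage of users reviewed this period, per category and overall."""
    result: Dict[str, float] = {}
    for cat in sorted({a.category for a in inventory}):
        members = [a for a in inventory if a.category == cat]
        result[cat] = pct(sum(_reviewed(a, period_start) for a in members), len(members))
    result["all"] = pct(sum(_reviewed(a, period_start) for a in inventory), len(inventory))
    return result


def untrained_privilege_assigners(inventory=INVENTORY) -> List[str]:
    """Metric: people who can assign privileges but are not trained, authorized admins."""
    return sorted(a.user for a in inventory
                  if a.enabled and a.can_assign_privileges and not a.trained_security_admin)


def terminated_with_access(inventory=INVENTORY) -> List[str]:
    """Terminated employees/contractors whose accounts are still enabled (target: none)."""
    return sorted(a.user for a in inventory if a.category == "terminated" and a.enabled)


if __name__ == "__main__":
    print("role SoD compliance %:", role_sod_compliance())
    print("users holding toxic combinations:", user_sod_violations())
    print("access review coverage %:", review_coverage())
    print("untrained privilege assigners:", untrained_privilege_assigners())
    print("terminated but still enabled:", terminated_with_access())
```

The user-level check matters more than the role-level one: in the sample, every role except ap_superuser is clean, yet bob holds a toxic pair through two individually acceptable roles, which a review of roles alone would miss. Coverage is reported per category so that the terminated and contractor populations, where a missed review is most often a still-active account, are not hidden inside an overall average.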
19 Appendix H – CAE Checklist
1 Identify the IT control environment of the organization including
a Values
b Philosophy
c Management style
d IT awareness
e Organisation
f Policies
g Standards
2 Identify relevant legislation and regulation impactingIT control such as
a Governance
b Reporting
c Data protection
d Compliance
3 Identify the roles and responsibilities for IT control inrelation to
a Board of directorsi Audit committeeii Risk committeeiii Governance committeeiv Finance committee
b Managementi CEOii CFO and controlleriii CIOiv CSO v CISOvi CLCvii CRO
c Auditi Internal Auditii External Audit
Action Questions
1 Do corporate policies and standards that describe theneed for IT controls exist
2 What legislation exists that impacts on the need forIT controls
3 Has management taken steps to ensure compliancewith this legislation
4 Have all the relevant responsibilities for IT controlsbeen allocated to individual roles
5 Is the allocation of responsibilities compatible withthe need to apply division of duties
6 Are IT responsibilities documented
7 Are IT control responsibilities communicated to thewhole organization
8 Do individual role holders clearly understand theirresponsibilities in relation to IT controls
9 What evidence is there of individual role holdersexercising their responsibilities
10Does internal auditing employ sufficient IT audit specialists to address the IT control issues
CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas
4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls
5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing
6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

11. How are the risk appetite and tolerance of the organization determined?
12. Are the risk appetite and tolerance of the organization authorized at board level?
13. Are the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?
GTAG — Appendix I — References — 20
The following list of information security reference material is taken from a list compiled by the Corporate Information Security Working Group (CISWG) of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census of the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into sections relating to governance, management, technical, and auditing issues.
20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: three-report series from The IIA, National Association of Corporate Directors (NACD), US Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report: Internal Control – Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896
20.2 Management

BS 7799 – Parts 1 & 2: Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices
20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html
ISO 15408 Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC
GTAG — Appendix J — Glossary — 21
A listing of technical terms used in the guide, with a simple, plain-English definition for each.
Application control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive.

CEO – Chief executive officer.

CFO – Chief financial officer (and controller).

CIO – Chief information officer.

CISO – Chief information security officer.
CLC – Chief legal counsel.
COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org
CRM – Customer relationship management.
CSO ndash Chief Security Officer
Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services, to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda. This is the politically motivated case (often called cyberterrorism); in practice most attacks on an organization's systems are financially motivated or opportunistic, and the IT controls discussed in this guide apply regardless of the attacker's motive.
Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.
Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – US Gramm-Leach-Bliley Act.

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide.
HIPAA – US Health Insurance Portability and Accountability Act.
Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources, because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org
Public Company Accounting Oversight Board (PCAOB) – A private-sector, nonprofit body established by the Sarbanes-Oxley Act of 2002, operating under the oversight of the US Securities and Exchange Commission, to oversee the audits of public companies and public financial reporting.
Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can adversely affect the confidentiality, integrity, or availability of an organization's information assets.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."
GTAG — Appendix K — About the Global Technology Audit Guides — 22
This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology facts and issues sufficiently to explain business opportunities, risks, and related controls, and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.
Julia H. Allen, CMU/SEI, Carnegie-Mellon University/Software Engineering Institute
Michael R. Dickson, Business Technology Group LLC
Clint Kreitner, President/CEO, CIS, The Center for Internet Security
Alex Lajoux, NACD, National Association of Corporate Directors
Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA
Mark Salamasick, CIA, University of Texas at Dallas
Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants
CIS – Clint Kreitner, Center for Internet Security
CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute
ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association
NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors
SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS, Internet Security Systems
Jack Antonelli, ADP
Ken D. Askelson, CIA, JC Penney Co. Inc.
Becky Bace, Infidel Inc.
Kevin Behr, IPSI, Institute for Integrated Publication and Information Systems
Jeff Benson, BearingPoint
Robert S. Block, Chairman, 3D Business Tools, USA
Sylvia Boyd, The IIA
Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA
Larry Brown, Options Clearing Corp.
Stephanie Bryant, University of South Florida
Phil Campbell, Specialized IT LLC, USA
John Carlson, BITS, Banking Industry Technology Secretariat
Chris Compton, Intrusion Labs
Guy Copeland, CSC, Computer Sciences Corp.
Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA
Bob Daniels, EDS
Bob Dix, US House of Representatives
GTAG — Appendix L — GTAG Partners and Global Project Team — 23
Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA
Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA
Greg Garcia, ITAA, Information Technology Association of America
Russ Gates, Dupage Consulting LLC
Lou Giles, Chevron Phillips Chemical Co.
Doug Guerrero, EDS
Kai Tamara Hare, Nuserve
Michael S. Hines, CIA, Purdue University
Bob Hirth, Protiviti
Don Holden, CISSP, Concordant Inc., USA
Dave Kern, Ethentica
Gene Kim, CTO, Tripwire Inc., USA
Jim Kolouch, BearingPoint
David Kowal, VP, JP Morgan Chase
Paul Kurtz, CSIA, Cyber Security Industry Alliance
Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA
Andrée Lavigne, CICA, Canadian Institute of Chartered Accountants
Debbie Lew, Guidance Software
Brenda Lovell, CIA, CCSA, CGAP, The IIA
Warren Malmquist, Adolph Coors Co.
Stacy Mantzaris, CIA, IIA
Dennis Miller, Heritage Bank
Patrick Morrissey, Auditwire
Bruce Moulton, Symantec
Paul Moxey, ACCA, Association of Chartered Certified Accountants
Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA
Fred Palmer, Palmer Associates
Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.
Bernie Plagman, TechPar Group
Heriot Prentice, MIIA, FIIA, QiCA, The IIA
Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA
Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA
Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA
Amy Ray, Bentley College
Martin Ross, GSC, Global Security Consortium
Chip Schilb, EDS, USA
Howard Schmidt, eBay
Mark Silver, Symantec
George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA
Adam Stone, Assurant
Jay H. Stott, CIA, Fidelity Investments
Dan Swanson, CIA, IIA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation
Bill Tener, University & Community College System of Nevada
Archie Thomas
Fred Tompkins, BearingPoint
Don Warren, Rutgers University
Dominique Vincenti, CIA, The IIA
Mark Winn, Intrusec
Amit Yoran
23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway
Alexandre Alves Apparecido, Brazil
Dror Aviv, Israel
David F. Bentley, England, UK and Ireland
Gerardo Carstens, CIA, IIA Argentina
Richard Cascarino, South Africa
Iftikhar Chaudry, Pakistan
Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt
Dr. Ulrich Hahn, CIA, Switzerland
Rossana S. Javier, Makati City, Philippines
Andras Kovacks, Hungary
Christopher McRostie, Australia
Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani, RSM, Pakistan
Kyoko Shimizu, CIA, Japan
John Silltow, Security Control and Audit Ltd., United Kingdom
Ken Siong, International Federation of Accountants
Anton van Wyk, PwC, South Africa
Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate
Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada
P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates
Ariel Peled, President, ISSA Israeli Chapter
P. Shreekanth, India
Karen Woo, Selangor, Malaysia
23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa
Alexandre Alves Apparecido, Brasil Telecom, Brazil
Ken D. Askelson, CIA, JC Penney Co. Inc., USA
Dror Aviv, CFSA, IIA Israel
Donald L. Bailey, Grant Thornton LLP, USA
E. W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)
Norman F. Barber, Microsoft Corp., USA
David F. Bentley, QiCA, Consultant, England
Claude Cargou, GIE AXA, France
Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA
Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan
Douglas Guerrero, EDS Corp., USA
Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland
David J. Hill, IBM Corp., USA
Michael S. Hines, CIA, Purdue University, USA
Mark J. Hornung, Ernst & Young LLP, USA
Gene Kim, CTO, Tripwire Inc., USA
David S. Lione, KPMG LLP Southeast Region, USA
Peter B. Millar, ACL Services Ltd., Canada
Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA
Brenda J. S. Putman, CIA, City Utilities of Springfield, USA
Kyoko Shimizu, CIA, Shin Nihon & Co., Japan
Brian M. Spindel, CIA, SecurePipe Inc., USA
Rajendra P. Srivastava, University of Kansas, USA
Jay Stott, CIA, Fidelity Investments, USA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA
Thomas Jason Wood, CIA, Ernst & Young LLP, USA
Akitomo Yamamoto, IIA Japan
23.7 The Writing Team

David A. Richards, CIA, President, The IIA
Alan S. Oliphant, MIIA, QiCA, MAIR International
Charles H. Le Grand, CIA, CHL Global
23.8 IIA Headquarters Staff Production Team
Michael Feland
Trish Harris
Tim McCollum
Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645
IIA Member US $25
Nonmember US $30
IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8
ISBN 978-0-89413-623-8