Posted on 27-Dec-2015
IS AUDIT
Dr. Mitil Chokshi
Chokshi & Chokshi, Chartered Accountants
For MIPA, 2nd May 2014
Contents
Introduction
Guidelines
Need for controls
Internal Control Framework
Security Threats
Information Systems Risks
IS Audit Process
Introduction
“The process of collecting and evaluating evidence to determine whether:
• Computer system safeguards assets
• Maintains data integrity, confidentiality and availability
• Allows organizational goals to be achieved
• Determines the efficient use of resources”
Gain understanding of the organisation
Understand risks and evaluate controls
Test controls
Guidelines
ISACA Guidelines
• IS Auditing Standards
• IS Auditing Guidelines
• IS Auditing Procedures
• COBIT (Control Objectives for Information and Related Technology)
ISO 27001
Guidelines by the Institute of Internal Auditors
Guidelines
COSO’s Internal Control – Integrated Framework (the COSO Framework), published by the Committee of Sponsoring Organisations of the Treadway Commission
COCO (Criteria of Control) Framework, published by the Canadian Institute of Chartered Accountants
COSO Framework
Monitoring Applied to the Internal Control Process
Need for Controls
The Organization must protect itself from:
• Corruption of data and databases.
• Poor decision making due to poor quality of MIS.
• Losses due to abuse of controls.
• Loss of hardware, software and personnel.
• Maintenance of Privacy.
• Malicious Internet content.
• Authentication and privilege attacks.
Security Threats: Attacks on Physical Systems
• USB devices
• Removable media
• Internal attack
• Network monitoring
• Laptop theft
• Storage theft
• Hardware loss
• Unprotected endpoints
• Insecure network points
• Insecure server rooms
Security Threats: Authentication and Privilege Attacks
• Disgruntled employees
• Passwords of high privileged accounts
• Privilege creep
• Inappropriate password policies
• Weak passwords
Security Threats: Denial of Service
• Natural disasters
• Targeted DoS
• Single point of failure
• Power cuts
• Connection downtime
• Bandwidth exhaustion
• Vulnerable servers
• Excess reliance on one person
• Lack of documentation
Security Threats: Malicious Internet Content
• Social engineering
• Phishing
• Drive-by downloads
• Malware
• Web application attacks
• Viruses, Trojans, worms
Examples (slide images): Phishing; Drive-by downloads (unintended software); Virus scan; Trojan horse; Spoofing
Relationship Between General and Application Controls (figure)
Application controls: cash receipts application controls; sales application controls; payroll application controls; other cycle application controls
General controls: risk of unauthorized change to application software; risk of system crash; risk of unauthorized master file update; risk of unauthorized processing
Information Systems Risks
Access controls:
• Non-detection of compromised passwords.
• Unauthorized users can access systems.
• Inappropriate access allowing recognised users greater access than necessary.
• Unauthorized changes to data in master files.
• Unauthorized changes to systems or programs.
• Denial of access to systems, DBMSs and servers in the event of a system interruption or disaster.
Information Systems Risks
Controls to mitigate risks arising from unauthorized accesses:
• Authentication (identification) controls need to be strong.
• Roles and privileges should be granted on a need-to-know basis, and only to authorized users.
• Job scheduling procedures and stored procedures need to be secure.
• An alternate method to identify and register users needs to be tested and made available when needed.
Information Systems Risks
Input controls:
• Unauthorized data received for computer processing.
• Loss of data or duplication of data.
• Automated segregation of duties and access rights.
• Automated authorization approval.
• Incorrect output due to wrong input (GIGO).
Information Systems Risks
Mitigating risks arising from input controls:
• Review access rights that set and amend configurable approval and authorization limits.
• Review accesses with super user rights.
• Maker-checker controls
• Range check
• Completeness check
• Duplicate check
Information Systems Risks
Process controls:
• Wrong validation of data
• Risks arising out of editing procedures
• Incorrect processing of data
• Absence of data file control procedures
Information Systems Risks
Mitigating risks arising from process controls:
• Parity checking
• Transaction logs
• Version usage
• File updating and maintenance authorization
• Sequence check
• Reasonableness check
• Table lookups
• Existence check
• Key verification
• Logical relationship check
• Limit check
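The input and process checks named on this slide and on the preceding input-controls slide (completeness, existence by table lookup, range, limit, maker-checker, logical relationship, reasonableness, duplicate and sequence), re-performed over a batch of constructed payment transactions. This is an added example, not material from the presentation; the field names, vendor master, thresholds and sample batch are assumptions.

```python
# Added example, not from the presentation: field names, vendor master, thresholds and sample batch are assumptions.
from datetime import date

VENDOR_MASTER = {"V001": "Acme Supplies", "V002": "Globex Ltd"}  # master used for the existence check
APPROVAL_LIMIT = 50_000.0   # limit check: payments above this need a second approver
REQUIRED = ("doc_no", "vendor", "amount", "invoice_date", "payment_date", "maker", "checker")

def check_transaction(txn, vendor_avg):
    missing = [f for f in REQUIRED if txn.get(f) in (None, "")]
    if missing:                                                # completeness check
        return ["completeness: missing " + ",".join(missing)]
    issues = []
    if txn["vendor"] not in VENDOR_MASTER:                     # existence check (table lookup)
        issues.append(f"existence: unknown vendor {txn['vendor']}")
    if not 0 < txn["amount"] <= 1_000_000:                     # range check
        issues.append(f"range: amount {txn['amount']} outside 0..1,000,000")
    if txn["amount"] > APPROVAL_LIMIT and not txn.get("second_approver"):  # limit check
        issues.append(f"limit: {txn['amount']} exceeds {APPROVAL_LIMIT} without second approver")
    if txn["maker"] == txn["checker"]:                         # maker-checker (segregation of duties)
        issues.append("maker-checker: same user entered and approved")
    if txn["payment_date"] < txn["invoice_date"]:              # logical relationship check
        issues.append("logical relationship: payment dated before invoice")
    if vendor_avg and txn["amount"] > 5 * vendor_avg:          # reasonableness check against history
        issues.append(f"reasonableness: {txn['amount']} is over 5x vendor average {vendor_avg:.0f}")
    return issues

def audit_batch(batch, vendor_history):
    """Per-transaction checks plus the batch-level duplicate and sequence checks."""
    findings, seen, prev_no = {}, set(), None
    for txn in batch:
        no = txn.get("doc_no")
        issues = check_transaction(txn, vendor_history.get(txn.get("vendor"), 0))
        key = (txn.get("vendor"), txn.get("amount"), txn.get("invoice_date"))
        if key in seen:                                        # duplicate check
            issues.append("duplicate: same vendor/amount/invoice date already in batch")
        seen.add(key)
        if prev_no is not None and no is not None and no != prev_no + 1:  # sequence check
            issues.append(f"sequence: doc_no {no} does not follow {prev_no}")
        prev_no = no if no is not None else prev_no
        if issues:
            findings[no] = issues
    return findings

def make_txn(no, vendor, amt, inv, pay, maker, checker):  # builder for the constructed sample
    return dict(doc_no=no, vendor=vendor, amount=amt, invoice_date=inv, payment_date=pay, maker=maker, checker=checker)
HISTORY_AVG = {"V001": 4_000.0, "V002": 12_000.0}   # constructed prior-period average payment per vendor
BATCH = [  # constructed batch: 102 duplicates 101, 103 is missing, 104 trips several checks at once
    make_txn(101, "V001", 3_500.0, date(2014, 4, 1), date(2014, 4, 10), "asha", "ravi"),
    make_txn(102, "V001", 3_500.0, date(2014, 4, 1), date(2014, 4, 10), "asha", "ravi"),
    make_txn(104, "V009", 75_000.0, date(2014, 4, 20), date(2014, 4, 15), "ravi", "ravi"),
]
```

The same harness serves the "Input Controls: Procedures" tests later in the deck (entering invalid or incomplete data): a record with fields left blank is rejected by the completeness check before any other rule runs.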
Information Systems Risks
Output controls:
• Non-integrity of output
• Untimely distribution of output
• Availability of output to unauthorized users
• Data processing results are unreliable
Mitigating risks arising from output controls:
Checklist for mitigating risk (embedded Word document)
Statistics (slide image)
Issues Involved (slide image)
IS Audit Process
Preliminary Steps
- Understanding of the organisational structure to identify the CIO, CISO, etc.
- Understanding of the system architecture.
- Understanding the components of the systems (number of servers, routers, users, desk users, on/offsite users).
- Reviewing the IS Security Policy.
- Performing systems walk-throughs.
- Assessment of the risks and understanding of the related controls.
Procedures: Interviews
- Interviews are a useful audit tool to gather information about internal system controls and risks.
- Employees involved in the day-to-day operations of a functional area possess the best knowledge of that area.
- They are in a position to identify the weak internal system controls and risks.
Procedures: Preparation of Checklist and Questionnaire
- A detailed checklist should be prepared after gaining an understanding of the architecture of the system.
- The checklist should be comprehensive.
Sample Checklist
Access Controls Testing: Procedures
• Verifying access rights allotted vis-à-vis organizational policy for need-to-know
• Implementation of password controls
• Process of review of logs of super users and database administrators
• Logs of active users vis-à-vis HR records for exit, leave, etc.
• License control processes
• Virus control procedures
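The first and fourth procedures above (access rights against need-to-know, active users against HR exit and leave records) as one reconciliation run over constructed data. This is an added example rather than anything from the presentation; the roles, privilege names, HR records, account listing and 90-day dormancy threshold are assumptions.

```python
# Added example, not from the presentation: roles, privilege names, HR records, account listing and
# the dormancy threshold are constructed assumptions.
from datetime import date

ROLE_BASELINE = {              # need-to-know baseline: privileges each role is entitled to
    "clerk": {"ap_entry"},
    "manager": {"ap_entry", "ap_approve"},
    "dba": {"db_admin"},
}
HR_RECORDS = {                 # constructed HR master: employee id -> (status, role, exit or leave start date)
    "E100": ("active", "clerk", None),
    "E101": ("exited", "manager", date(2014, 3, 15)),
    "E102": ("on_leave", "clerk", date(2014, 4, 20)),
    "E103": ("active", "dba", None),
}
ACCOUNTS = [                   # constructed system account listing (user, owner, last login, privileges)
    {"user": "asha", "emp": "E100", "last_login": date(2014, 4, 28), "privs": {"ap_entry"}},
    {"user": "ravi", "emp": "E101", "last_login": date(2014, 4, 2), "privs": {"ap_entry", "ap_approve"}},
    {"user": "meena", "emp": "E102", "last_login": date(2014, 4, 25), "privs": {"ap_entry", "ap_approve"}},
    {"user": "dbadm", "emp": "E103", "last_login": date(2014, 4, 29), "privs": {"db_admin", "ap_approve"}},
    {"user": "svc_old", "emp": None, "last_login": date(2013, 11, 1), "privs": {"ap_entry"}},
]
AS_OF = date(2014, 5, 2)       # review date

def review_accounts(accounts, hr, baseline, as_of, dormant_days=90):
    """Return (user, finding, detail) tuples for every account that fails a check."""
    findings = []
    for acct in accounts:
        user, last = acct["user"], acct["last_login"]
        if (as_of - last).days > dormant_days:                # dormant account
            findings.append((user, "dormant", f"no login for over {dormant_days} days"))
        rec = hr.get(acct["emp"])
        if rec is None:                                       # no owner in HR: orphan or service account
            findings.append((user, "orphan", "no matching HR record"))
            continue
        status, role, when = rec
        if status == "exited":                                # leaver still holds an account
            findings.append((user, "leaver", f"exited {when}; used after exit: {last > when}"))
        elif status == "on_leave" and last > when:
            findings.append((user, "leave", f"logged in during leave starting {when}"))
        excess = acct["privs"] - baseline.get(role, set())     # privileges beyond the role (need-to-know)
        if excess:
            findings.append((user, "excess_privilege", f"{sorted(excess)} beyond role {role}"))
    return findings

def run_review():
    return review_accounts(ACCOUNTS, HR_RECORDS, ROLE_BASELINE, AS_OF)
```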
Access Controls Testing: Procedures
Vulnerability testing through internal resources
• An Internal Security Vulnerability Assessment (ISVA) is a comprehensive analysis of all of the workstations and servers on your network.
• The ISVA detects and identifies Trojan horses, hacker tools, DDoS (Distributed Denial-of-Service) agents and spyware through code analysis and signature matching, in much the same way as anti-virus software.
• It also identifies specific vulnerabilities such as configuration problems in FTP servers, exploits in Microsoft IIS or problems in NT security policy configuration.
Access Controls Testing: Procedures
Vulnerability testing through external resources
• One of the most common vulnerability assessment activities for companies of all sizes is an external penetration testing scan, typically targeting internet-facing websites.
• Once you set yourself outside of the company, you are immediately given untrusted status. The systems and resources available to you externally are usually very limited.
Input Controls: Procedures
• Verification by entering invalid data
• Verification by entering incomplete data
• Testing arithmetic accuracy
Processing Controls: Procedures
Integrated Test Facility (ITF) Approach
• A dummy ITF center is created for the auditors.
• Creation of transactions to test the controls.
• Creation of working papers showing expected results from manually processed information.
• Running of auditor transactions with actual transactions.
• Comparing of ITF results to working papers.
Parallel Simulation
• Processing of real client data on an audit program similar to the client’s program.
• Comparison of the results of processing with the results of the processing done by the client’s program.
Parallel Simulation: Flowchart
Computer operations: Actual Transactions -> Computer Application System -> Actual Client Report
Auditors: Actual Transactions -> Auditor’s Simulation Program -> Auditor Simulation Report
The auditor compares the Actual Client Report with the Auditor Simulation Report.
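The parallel simulation flow above in code: the same actual transactions go through an auditor's simulation program and the result is compared field by field with the client's report. This is an added example, not from the presentation; the invoice layout, price master, discount and tax rules, and the client's report figures are constructed assumptions.

```python
# Added example, not from the presentation: the invoice layout, price master, discount and
# tax rules, and the client's report figures are constructed assumptions.
from decimal import Decimal, ROUND_HALF_UP

PRICE_LIST = {"P1": Decimal("250.00"), "P2": Decimal("99.50")}   # assumed approved price master
TAX_RATE = Decimal("0.125")                                       # assumed tax rate
DISCOUNT_FLOOR = Decimal("10000")                                 # assumed: 10% discount at or above this gross

def money(x):   # round to two places, half up, as the client's program is documented to do
    return x.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def simulate_invoice(inv):
    """Auditor's simulation program: recompute one invoice from the documented rules."""
    gross = sum(PRICE_LIST[line["item"]] * line["qty"] for line in inv["lines"])
    discount = money(gross * Decimal("0.10")) if gross >= DISCOUNT_FLOOR else Decimal("0.00")
    tax = money((gross - discount) * TAX_RATE)
    return {"gross": money(gross), "discount": discount, "tax": tax, "total": money(gross - discount + tax)}

def compare_reports(transactions, client_report):
    """Parallel simulation: run the actual transactions through the auditor's program and
    list every invoice/field where the client's report disagrees, plus one-sided invoices."""
    simulated = {inv["no"]: simulate_invoice(inv) for inv in transactions}
    exceptions = []
    for no in sorted(set(simulated) | set(client_report)):
        if no not in client_report:
            exceptions.append((no, "missing_in_client_report", None, None))
        elif no not in simulated:
            exceptions.append((no, "not_in_transactions", None, None))
        else:
            for field, expected in simulated[no].items():
                actual = client_report[no].get(field)
                if actual != expected:
                    exceptions.append((no, field, expected, actual))
    return exceptions

TRANSACTIONS = [   # constructed actual transactions, the same input both programs receive
    {"no": "INV-1", "lines": [{"item": "P1", "qty": 2}]},
    {"no": "INV-2", "lines": [{"item": "P1", "qty": 40}, {"item": "P2", "qty": 10}]},
    {"no": "INV-3", "lines": [{"item": "P2", "qty": 1}]},
]
CLIENT_REPORT = {  # constructed "actual client report": INV-2 was processed without the discount, INV-3 is absent
    "INV-1": {"gross": Decimal("500.00"), "discount": Decimal("0.00"), "tax": Decimal("62.50"), "total": Decimal("562.50")},
    "INV-2": {"gross": Decimal("10995.00"), "discount": Decimal("0.00"), "tax": Decimal("1374.38"), "total": Decimal("12369.38")},
}
```

Each exception is an auditor's working-paper line (invoice, field, expected, actual); ITF test transactions tagged to a dummy entity can be fed through the same comparison against their prepared expected results.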
Application Controls: Procedures
Black Box Testing
• A method of software testing.
• Examines the functionality of an application (i.e. what the software does) without peering into its internal structures or workings.
• Can be applied to virtually every level of software testing: unit, integration, system and acceptance.
• Typically comprises most if not all higher-level testing, but can also dominate unit testing.
White Box Testing
• Also known as clear box testing, glass box testing, transparent box testing and structural testing.
• A method of testing software that tests the internal structures or workings of an application, as opposed to its functionality (cf. black-box testing).
• An internal perspective of the system, as well as programming skills, is used to design test cases.
• The tester chooses inputs to exercise paths through the code and determines the appropriate outputs.
Output Controls: Procedures
• Checking whether the output contains the key control information necessary to validate the accuracy and completeness of the information contained in the report, such as last document reference, period, etc.
• If data has to be transferred from one process to another, verify that no manual intervention is possible and that no unauthorized modification of the data can be made.
• Verify physical controls over hardcopy printouts.
Format of IS Audit Report (embedded Word document)