Int Aud Chapter 8
Introduction
Information Technology (IT) has grown positively in Malaysia, and aggressively after the launch of the Multimedia Super Corridor (MSC) in Cyberjaya. Entities ranging from sole proprietorships to big organizations rely on IT to record and process day-to-day business transactions. Some business organizations merely purchase application software available in the market to process their business transactions. Those with a budget for system development might prefer to develop their own application system. Heavy reliance on computers for processing business transactions has changed the business scenario. Businesses are now subjected to various IT-related risks such as:
Hardware Failure
Computer hardware such as the central processing unit (CPU), monitors and servers can easily malfunction if not properly maintained and protected. Physical damage to computer hardware can be prevented by having and following a proper procedure to
Chapter 8 Internal Audit Tools and Techniques 115
Computer Crime
Business transactions conducted via the Internet can expose the organization's electronic data to attacks from hackers, competitors, terrorist groups, previous employees or industrial spies. These parties attack to look for valuable data or to harm the computer system. There are unlimited types of computer attacks, such as hacking, spamming, spoofing or sending viruses and worms.
Therefore, controlling and protecting business information has become one of the main priorities in most organizations. Effective control over the processing of data in the information system is important to protect an organization against liability and to ensure security as well as confidentiality. This is why management should regularly monitor and evaluate their systems to ensure effective functionality and adherence to related standards and practices.
IT audit is part of the overall audit process to ensure IT control issues are addressed at all times. The scope of IT audit is wide, since a computer system not only records transactions but has also become the key business processing system of an organization. Generally, IT audit is concerned with the following issues:
1. Security
To ensure access to the system and its data is restricted to authorised personnel only.
2. Confidentiality
To ensure that sensitive information of an organization is protected from unauthorised access or disclosure.
3. Privacy
To ensure personal information of any third party, such as customers' addresses and contact numbers, is treated in accordance with the organization's business policy and protected from unauthorised access or disclosure.
4. Processing Integrity
To ensure business data are processed accurately and completely in a timely manner with proper authorisation.
5. Availability
To ensure the operating system and its data are available at all times to meet the needs of business operations.
(... and the Canadian Institute of Chartered Accountants)
Definition of IT Audit
IT audit is one of the branches of the different types of audit performed by an internal auditor. IT audit holds the same definition as general auditing: an independent examination of the internal controls, records and related information generated from the system in order to form an opinion on the integrity of the system of controls, the compliance with policies and procedures, and the recommendation of control improvements to minimize or limit risks. However, IT audit focuses more on the evaluation of an organization's computer systems and network to ensure:
Elements of IT Audit
A major challenge in performing an IT audit is to determine the scope for the assessment of internal control in the IT environment. Assurance on information systems can be obtained only if all components are assessed and evaluated properly. The major areas of an IT audit are categorized as follows:
In addition, the Institute of Internal Auditors (IIA) has developed and issued the Guide to the Assessment of IT Risk (GAIT). This guideline helps auditors evaluate and assess IT general controls that have an impact on financial reporting. The GAIT Practice Guides include three series, which are:
Principle Three: The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.
Principle Four: Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.
GAIT Methodology enables organizations to implement the principles and gives management and auditors guidance on scoping IT general controls and the tools to defend these decisions.
TABLE 8.1 Highlights of the Objectives of an Audit for Each Determined Area.
4. Installation Controls ... its operation of application systems.
Examples of audit programs for each of the mentioned areas are depicted as follows:
Review the appropriateness of the level of segregation of duties between the following:
i. application development
ii. technical support
iii. computer operations
iv. security administration
v. user department
Audit Program - Logical Access Controls
1. Review the User Security Administrator and check the following:
• There is a procedure in place for issuing, approving and monitoring application access.
• User access control reports are periodically reviewed for accuracy and completeness by user management.
2. Check whether the ... facilities are limited to only the security administrator.
3. Verify whether user IDs are used to identify users accessing the system.
4. Verify that a user security administration procedure is in place to ensure that unique user IDs are assigned to system users.
6. Check whether a user ID has been disabled if it has been inactive for more than 90 days.
7. Check whether user IDs are automatically disabled after 3 consecutive unsuccessful log-on attempts.
8. Check that unattended terminals are automatically logged off after a period of N minutes of inactivity.
2. Review the adequacy of the various fire ... systems:
• Automatic fire detection and alarm systems
• Regular check and service of the systems
• Regulations complied with for the fire ... systems
Obtain and review the procurement procedures and ensure that ...
Check whether the audit system is able to generate an audit trail showing the activities of the users in the system, such as user ID, date and time, terminal number and activities performed.
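The user-ID checks of the logical access audit program above (checks 4, 6, 7 and 8) and the audit-trail check can be run mechanically over an account export rather than sampled by hand. The following Python is an added example, not code from the textbook; the export field names, the sample records and the 15-minute idle time-out standing in for the program's "N minutes" are all constructed assumptions.

```python
"""Added example, not from the textbook: automates checks 4, 6, 7 and 8 of the
Logical Access Controls audit program and the audit-trail check, over a
constructed user-account export and constructed audit-trail records."""
from datetime import date

MAX_INACTIVE_DAYS = 90    # check 6: inactive IDs must be disabled
MAX_FAILED_LOGONS = 3     # check 7: disable after 3 consecutive failures
MAX_IDLE_MINUTES = 15     # check 8 says "N minutes"; 15 is an assumed policy value
TRAIL_FIELDS = ("user_id", "date", "time", "terminal", "activity")  # audit trail
AS_OF = date(2024, 1, 10)  # constructed review date

# Constructed account export; comments mark the exception each row should raise.
ACCOUNTS = [
    {"user_id": "jlee", "enabled": True, "last_logon": date(2024, 1, 5),
     "failed_logons": 0, "idle_timeout_min": 15},                 # clean
    {"user_id": "mtan", "enabled": True, "last_logon": date(2023, 9, 1),
     "failed_logons": 1, "idle_timeout_min": 15},                 # check 6
    {"user_id": "rbala", "enabled": True, "last_logon": date(2024, 1, 4),
     "failed_logons": 5, "idle_timeout_min": 15},                 # check 7
    {"user_id": "svc_batch", "enabled": True, "last_logon": date(2024, 1, 6),
     "failed_logons": 0, "idle_timeout_min": 0},                  # check 8
    {"user_id": "mtan", "enabled": False, "last_logon": date(2022, 3, 2),
     "failed_logons": 0, "idle_timeout_min": 15},                 # check 4
]
# Constructed audit-trail records; the second lacks the terminal number.
TRAIL = [
    {"user_id": "jlee", "date": "2024-01-05", "time": "09:12:03",
     "terminal": "T-017", "activity": "UPDATE vendor master"},
    {"user_id": "rbala", "date": "2024-01-04", "time": "17:40:55",
     "terminal": "", "activity": "LOGON FAILED"},
]

def access_exceptions(accounts, as_of=AS_OF):
    """Return one (user_id, check, detail) tuple per audit exception found."""
    exceptions, seen = [], set()
    for acct in accounts:
        uid = acct["user_id"]
        if uid in seen:                       # check 4: IDs must be unique
            exceptions.append((uid, "check 4", "user ID is not unique"))
        seen.add(uid)
        if not acct["enabled"]:
            continue                          # disabled is the expected end state
        idle_days = (as_of - acct["last_logon"]).days
        if idle_days > MAX_INACTIVE_DAYS:     # check 6
            exceptions.append((uid, "check 6", f"enabled but inactive {idle_days} days"))
        if acct["failed_logons"] >= MAX_FAILED_LOGONS:   # check 7
            exceptions.append((uid, "check 7", f"{acct['failed_logons']} failed log-ons, still enabled"))
        if not 0 < acct["idle_timeout_min"] <= MAX_IDLE_MINUTES:  # check 8
            exceptions.append((uid, "check 8", f"idle time-out is {acct['idle_timeout_min']} min"))
    return exceptions

def trail_gaps(records):
    """Return audit-trail records missing any field the audit program requires."""
    return [r for r in records if any(not r.get(f) for f in TRAIL_FIELDS)]
```

Each exception tuple is one line of working-paper evidence for the corresponding check; an empty list for a check means no exception was found in the export, not that the control is designed correctly.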
Review the physical and environmental controls and check the following:
• The servers are located in secure rooms/cabinets with adequate environmental controls.
• Only an authorised person is allowed to operate the equipment.
• Secondary media (e.g. diskettes and cartridges) are stored securely.
Review the computer disaster recovery plan for all critical local area network systems. Ensure:
• Spare devices with sufficient capacity and speed for backup purposes.
• The frequency and retention of backups of the servers and workstations.
• Documentation and testing of backup and recovery procedures.
• Uninterruptible power supply system to protect critical network servers and their components.
Steps in IT Audit
Part Three Internal Auditing Process and Techniques
Preliminary Review
This is the process where the auditor needs to gather information on the IT department as a basis for preparing an audit plan. The information required includes the auditee's strategies and responsibilities in managing and controlling IT operations.
GENERAL CONTROLS
Logical access control
Objective: To ensure proper controls are in place for infrastructure, applications and data.
Example: Use of a password and user ID to access the organization's information in the computer.
Backup and contingency plan
Objective: To ensure that a proper backup and contingency plan is in place for unexpected emergencies such as fire, virus attack, power failure or natural disaster.
Example: Well-written business continuity and disaster recovery plan.
Processing control
Objective: To ensure proper control over data processing so that the process is complete, accurate and authorised.
Example: Review system documentation to ensure key computations are fully documented.
Output control
Auditing of System Development Life Cycle
The system development life cycle (SDLC), also known as the software development process, is a method whereby a system analyst will create or alter the information system to produce a high-quality system that meets the users' expectations. The SDLC consists of seven phases that management should follow closely in order to develop a solid information system.
These seven phases also allow proper evaluation and management of the risks associated with the system development process. Each stage has to be completed before management can move on to the next. This will ensure success in the development process. Figure 8.1 shows the seven phases of the SDLC.
Phase 1: Systems planning
During this phase, management will plan a system to meet the organization's mission and objectives. The plan will include general guidelines for system development, time frame and budget. Several documents will be generated from this phase,
which consist of a long-term plan, policies for selecting IT projects, both long-term and short-term IT budgets, a project proposal and a project schedule.
Figure 8.1 The seven phases of the SDLC: 1. Systems planning ...
• Review the project proposal generated during the system planning phase. This is to ensure issues such as control procedures and governance activities are properly addressed.
• Review the relevant documents generated during system testing. This is to ensure the output generated meets the requirements needed by the end users, complies with the organization's policies, and conforms to rules and regulations stipulated by the regulatory body.
• Review and examine the various documents generated at every phase of the SDLC process. This is to determine that the project is run smoothly. Other than that, an internal auditor could also use other tools of assessment such as an inquiry and a checklist. Results from this process will help an internal auditor evaluate if the project is developed in the best interest of the organization.
2. The role of an internal auditor is to provide an independent view on issues during the development process.
An internal auditor who is independent of the SDLC is able to provide independent or unbiased opinions in regard to any issues arising during the development of the project. This is important as the project has two parties, that is, the management (end users of the system) and the system analyst (who could be staff of the organization or a third-party developer), where both parties have their own interest in regard to the newly developed system. Therefore, the presence of an
internal auditor is needed to ensure that the project is carried out effectively
without jeopardising the interest of the parties involved. However, in providing
advice an internal auditor must maintain his or her integrity by remaining in an
advisory capacity. An internal auditor should not be directly involved with the
actual design or testing activities of the new system.
3. An internal auditor is involved in auditing the SDLC.
An audit on the SDLC is important to assure the management that the actual
development of the project complies with the necessary requirements stated in
the SDLC methodology. The objectives of the audit are:
• To ascertain that the standards and procedures for the SDLC are made available and followed accordingly;
• To ascertain that resources are effectively and efficiently utilised to enable the project to meet its deadline;
• To ascertain that proper authorisation/approval is sought at each stage prior to the commencement of further tasks;
• To ascertain that project documentation is current and properly maintained for future review;
• To ascertain that test documentation, including test plans and results, is adequately maintained; and
• To ascertain that proper change request procedures exist to ensure all changes are authorised and attended to on a timely basis.
Auditing of E-commerce
Electronic commerce, commonly known as e-commerce, is the process by which organizations conduct their business over electronic systems such as the Internet and other computer networks with their customers, suppliers and other external business partners. According to the IT Audit Assurance Guidance (issued by ISACA, 2010), e-commerce includes both business-to-business (B2B) and business-to-consumer (B2C) models, but it does not include existing non-Internet e-commerce methods that are based on private networks, for example, Electronic Data Interchange (EDI) and SWIFTNet.
The use of e-commerce may expose a company's sensitive information, as well as programs and hardware equipment, to potential sabotage by external parties, especially hackers. There is an indefinite number of threats in regard to the use of e-commerce as a business model, which include:
• virus infections;
• hacking;
• cybercrime; and
• failure of the system and infrastructure.
Fraud Detection Tool
Auditors could use highly sophisticated software to identify unexpected or unexplained patterns in data that may indicate a possible fraud case. For example, the software may warn the user of the existence of duplicate payments, long overdue outstanding accounts, sudden write-offs, unusually expensive acquisitions or overrides of authorisation limits.
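As an added example (not the textbook's own code), the following Python runs two of the fraud indicators named above, duplicate payments and overrides of authorisation limits, as a CAAT over a constructed payments extract; the field names, the approver limits and the 30-day matching window are assumptions.

```python
"""Added example, not from the textbook: two of the fraud-indicator tests the
chapter names, run as a CAAT over a constructed payments extract: duplicate
payments and payments approved above the approver's authorisation limit."""
from collections import defaultdict
from datetime import date

# Constructed approver limits (hypothetical authorisation policy table).
APPROVAL_LIMITS = {"finmgr": 50_000, "clerk1": 5_000}

# Constructed payments extract; comments mark the expected findings.
PAYMENTS = [
    {"id": "P001", "vendor": "V-ALPHA", "invoice": "INV-1001", "amount": 4_800.00,
     "paid": date(2024, 2, 1), "approver": "clerk1"},
    {"id": "P002", "vendor": "V-ALPHA", "invoice": "INV1001", "amount": 4_800.00,
     "paid": date(2024, 2, 9), "approver": "clerk1"},   # duplicate of P001 (re-keyed invoice)
    {"id": "P003", "vendor": "V-BETA", "invoice": "INV-77", "amount": 12_500.00,
     "paid": date(2024, 2, 3), "approver": "clerk1"},   # exceeds clerk1's limit
    {"id": "P004", "vendor": "V-GAMMA", "invoice": "INV-5", "amount": 49_000.00,
     "paid": date(2024, 2, 4), "approver": "finmgr"},   # clean
    {"id": "P005", "vendor": "V-ALPHA", "invoice": "INV-1300", "amount": 4_800.00,
     "paid": date(2024, 5, 20), "approver": "clerk1"},  # recurring fee, outside window
]

def duplicate_payments(payments, window_days=30):
    """Flag (earlier_id, later_id) pairs paid to the same vendor for the same
    amount within the window. Invoice numbers are deliberately ignored, so a
    re-keyed invoice reference does not hide the duplicate."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p["vendor"], round(p["amount"], 2))].append(p)
    flagged = []
    for group in by_key.values():
        group.sort(key=lambda p: p["paid"])
        for earlier, later in zip(group, group[1:]):
            if (later["paid"] - earlier["paid"]).days <= window_days:
                flagged.append((earlier["id"], later["id"]))
    return flagged

def limit_overrides(payments, limits):
    """Flag payment IDs whose amount exceeds the recorded approver's limit.
    An approver absent from the table is treated as having no authority (limit 0)."""
    return [p["id"] for p in payments if p["amount"] > limits.get(p["approver"], 0)]
```

Widening the window trades fewer missed duplicates for more legitimate recurring payments to review, so the chosen value should be recorded in the working papers with the results.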
Advantages of CAATs
CAATs are suitable for auditing large volumes of transactions. They are valuable to organizations with complex processes, distributed operations and high transaction volumes. The use of CAATs helps auditors scrutinise all business data and highlight any unusual transactions.
As businesses expand, most companies prefer that company data be kept electronically rather than in printed form. Therefore, the use of CAATs is important for auditors to gain access to audited data in a much more efficient way. Direct access to an organization's data will eventually reduce the time and effort spent in performing audit procedures, with assured accuracy.
Using CAATs in performing substantive testing will provide total assurance in the area being audited. It allows auditors to point out errors or fraud easily in order to provide effective recommendations. This will also increase the credibility of auditors in the eyes of management.
... and installing the software;
... the staff in using the software;
... the software; and
... such as telephone charges to contact the service ... service centre is located abroad.
Certain audit software may have compatibility issues with the existing software applications used by a company. The use of CAATs may not be suitable with complex operating systems. Therefore, it becomes problematic for auditors to use the software to gain access to the auditee's database pertaining to the audited transactions.
The installation and use of new audit software may sometimes require certain computer resources or facilities. Normally there are a few system requirements that need to be addressed by management for the purpose of installation; for example, the type of processor, the size of memory and storage required, compatibility with the DVD-ROM drive and the Internet connection for registration purposes. Problems may also arise when auditors use the software to perform audit procedures. This is a typical situation where the audit process is in conflict with the normal processing of a company's transactions, which may result in server failure.
CAATs, which are used to extract business data, have various security issues. Sensitive business data such as customers' details, business plans and strategies could be compromised by irresponsible persons if not handled properly. Inadequate control procedures on handling business data could also contribute to this issue.
SUMMARY
The job of internal auditors in regard to an IT audit is very challenging as it involves reviewing and reporting audit findings that are highly technical. To perform audit procedures effectively, auditors should possess adequate IT knowledge, technical skills and experience. This would also enable auditors to translate the audit findings into value-added recommendations that could assist an organization in achieving its business objectives.
Anantha Sayana, S. (200…). Using CAATs to Support IS Audit. ISACA Journal, Volume 1.
The Institute of Internal Auditors (200…). GAIT Methodology: A Risk-Based Approach to Assessing the Scope of IT General Controls.
The Institute of Internal Auditors (200…). Guide to the Assessment of IT Risk (GAIT).