Unit 3 Hardware Audit

The document outlines the requirements and standards for conducting a hardware audit, emphasizing the evaluation of hardware security, operation, and maintenance. It details the importance of administrative audits in assessing compliance with policies and improving organizational performance, as well as the need for effective personnel management in IT auditing. Additionally, it highlights the significance of physical and logical security measures, contingency planning, and the roles of IT auditors in ensuring the efficient use of IT resources within an organization.

UNIT 3 HARDWARE AUDIT

Competence to be assessed:

Know, identify and select the requirements and standards for a hardware audit that should be considered to determine the level of application in the administration, installation, operation, security, as well as the responsible personnel.

3.1 Purpose of hardware evaluation

Hardware evaluation matters not only for planning and executing actions or protocols, but also for carrying out control procedures aimed at ensuring that the activities have been executed according to the parameters previously established in the audit.

This information must be verified with those responsible for computer security, those responsible for the computing center, communications staff and any users the auditor considers relevant.

If the company has predefined aspects for hardware evaluation, those guidelines will be taken into
account.

Its purpose is to evaluate the security of hardware operation, identifying the main hardware vulnerabilities, which are:

- Inappropriate operation
- Maintenance failures
- Inadequate physical security
- Natural disasters

What does it seek to evaluate?

- Hardware distribution (physical location).
- Registration of installed hardware, decommissioning, acquisition process, etc.
- Use of the hardware: development, operation, maintenance, monitoring and decision making.
- Hardware access (security keys).
- Usage logs (who, when, why, among other points).

3.2 Requirements for hardware evaluation

It is important to know the cost of materials (central unit, peripherals, support, among others)
during the last 5 years. It is also necessary to analyze the use of each hardware element of the
configuration, calculating it in hours/month, ensuring that the configuration used corresponds to
the lowest use/cost value, and examining its coherence.
The IT audit team must have an adequate reference of the environment in which it will operate.

The requirements are as follows:

- The geographic location will be determined.
- Hardware architecture and configuration.
- Auditors, in their initial assessment, must have in their possession the distribution and interconnection of the equipment.
- Hardware inventory.
- Communication and communication networks.
- Hardware material resources.

Hardware review:

- List all hardware.
- Specify its use.
- Compile statistics on usage and on the people who use it.
- Key systems.
- Connection map.
- Priorities.
- Modifications (each piece of equipment must have a lifecycle log).
- Testing the hardware: parallel tests and benchmarks.
- Check its actual service life, etc.
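The review items above (list all hardware, specify its use, usage statistics, a lifecycle log per piece of equipment, actual service life) and the requirement in 3.2 to express usage in hours/month and check that the configuration sits at the lowest use/cost value can be turned into a repeatable check. The script below is an added example, not part of the original unit or of any tool it mentions; the inventory, the cost figures, the 50 hours/month threshold and the 5-year expected life are all constructed assumptions, not data from the page.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Asset:
    asset_id: str
    kind: str
    location: str          # physical distribution
    use: str               # development, operation, maintenance, ...
    acquired: date
    cost: float            # acquisition cost
    hours_per_month: float # measured usage
    lifecycle_log: list = field(default_factory=list)  # (date, event) entries
    expected_life_years: int = 5                       # assumed service life

# Constructed sample inventory (not real data)
INVENTORY = [
    Asset("SRV-01", "server", "DC room A", "production DB", date(2019, 3, 1), 12000.0, 700.0,
          [(date(2019, 3, 1), "installed"), (date(2022, 6, 10), "RAM upgrade")]),
    Asset("SRV-02", "server", "DC room A", "development", date(2020, 1, 15), 9000.0, 40.0,
          [(date(2020, 1, 15), "installed")]),
    Asset("PRN-07", "printer", "3rd floor", "finance printing", date(2016, 5, 20), 800.0, 120.0, []),
    Asset("WS-113", "workstation", "accounting", "decommissioned", date(2017, 9, 9), 1500.0, 0.0,
          [(date(2017, 9, 9), "installed"), (date(2023, 2, 1), "decommissioned")]),
]
AS_OF = date(2024, 1, 1)  # reference date for the review

def cost_per_use_hour(asset, as_of):
    """Acquisition cost spread over the hours actually used since acquisition (the use/cost value)."""
    months = (as_of.year - asset.acquired.year) * 12 + (as_of.month - asset.acquired.month)
    hours = asset.hours_per_month * max(months, 1)
    return asset.cost / hours if hours else float("inf")

def rank_by_cost_per_hour(assets, as_of):
    """Cheapest hour of use first; the audit expects the active configuration at the low end."""
    return [a.asset_id for a in sorted(assets, key=lambda a: cost_per_use_hour(a, as_of))]

def review_inventory(assets, as_of, min_hours=50.0):
    """Return (asset_id, finding) pairs for every review item that fails."""
    findings = []
    for a in assets:
        active = a.use != "decommissioned"
        if not a.lifecycle_log:
            findings.append((a.asset_id, "no lifecycle log"))
        if active and a.hours_per_month < min_hours:
            findings.append((a.asset_id, "underused"))
        age_years = (as_of - a.acquired).days / 365.25
        if active and age_years > a.expected_life_years:
            findings.append((a.asset_id, "beyond expected service life"))
        if not active and a.hours_per_month > 0:
            findings.append((a.asset_id, "decommissioned but still in use"))
    return findings

if __name__ == "__main__":
    for asset_id, finding in review_inventory(INVENTORY, AS_OF):
        print(f"{asset_id}: {finding}")
    print("cost-per-hour ranking:", rank_by_cost_per_hour(INVENTORY, AS_OF))
```

Each finding maps back to one item of the review: a missing lifecycle log breaks the "modifications" requirement, low hours/month or a high cost per hour questions the use/cost value, and an asset older than its expected life is flagged for the "actual service life" check.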

Within the audit there are various questions that can help in carrying out the evaluation of the
security of the company's hardware.

Steps for an evaluation:

- Review and document the existing hardware configuration of each planned domain controller.
- Use this information to identify the domain controllers in your environment that you can upgrade, as well as those that do not meet the necessary hardware requirements.
- Domain controllers that do not meet the hardware requirements will need to be rolled back.

3.3 Administrative Audit

An administrative audit reviews and evaluates whether the methods, systems and procedures followed in all phases of the administrative process ensure compliance with the policies, plans, programs, laws and regulations that may have a significant impact on operations and reporting, and confirms that the organization is complying with and respecting them. Administrative auditing is a methodical and orderly examination of a company's objectives, its organic structure and its use of the human element, in order to report on the facts investigated.

Its importance: it provides the managers of an organization with an overview of how it is being
managed by the different hierarchical and operational levels, pointing out successes and
deviations in those areas whose revealed administrative problems require greater or prompt
attention.

What is the importance of Administrative Audit?

The evaluation of organizational performance is important because it allows us to establish to what extent the objectives have been achieved, which are almost always identified with those of management. In addition, the ability and appropriateness of administrative practice are also assessed. A comprehensive evaluation is necessary, that is, one that involves the different processes and purposes present in the organization. Because of this, each administrative audit must be carried out differently depending on the organization.

Objective of an Audit: to point out faults and problems; to present suggestions and solutions; and
to support company members in carrying out their activities. To this end, the Audit provides
analysis, evaluations, recommendations, advice and information concerning the activities
reviewed.

Objectives of Administrative Audit:

Control: They guide efforts in their application and can evaluate organizational behavior in relation
to pre-established standards.

Productivity: They direct actions to optimize the benefit of resources in accordance with the
administrative dynamics established by the organization.

Organization: They ensure that the organization's course supports the definition of competences, functions and processes through effective delegation of authority and teamwork.

Service: They represent the way in which it can be verified that the organization has a process that
qualitatively and quantitatively links it to the expectations and satisfaction of its clients.

Quality: They aim to raise the organization's performance levels in all its contents and areas - in
order to produce highly competitive goods and services.

Change: They become an instrument that makes the organization more transparent and receptive
(flexibility.)

Learning: They allow it to become an institutional learning mechanism so that the organization can
assimilate its experiences and capitalize on them to turn them into opportunities for
improvement.

3.4 Audit of Existing Facilities

In these times, it is not only a matter of establishing quality standards in the execution of a new
installation, but also of ensuring that existing installations continue to be appropriate for the risk
they protect.

To determine the characteristics of an already assembled installation, we carry out the process we call "Reverse Engineering".

On-site inspection of facilities: In this phase, the characteristics of the installation are inspected, such as dimensions, components, quality of elements, coverage, among others, in order to gather all the information that allows us to recalculate the installation.

Installation Recalculation: With the data collected and the most up-to-date calculation tools, we
determine the functional parameters of the installation. We then compare them with those that
would be required by current regulations for the type of risk being protected.

Proposal for improvements: If there are deviations between the calculated parameters of the installation and those necessary for risk protection, corrective actions are proposed, where appropriate by hiring organizations specialized in such proposals, such as CEPRETEC. Corrective actions are proposed from an objective, common-sense perspective and presented in order of priority.

3.5 Operation and security in hardware audit

We can define security as that activity aimed at giving data processing reasonable protection. And
we say reasonable because there is never absolute certainty. The topic is fundamental because
today, the systems area constitutes the point where most of the company's information is
concentrated.

It is clear that the information used by entities in general has varied in recent decades. The needs
for generating that information and the means to process it have changed as well. Although there
are certain differences between computerized and conventional systems, it can be stated that
electronic data processing does not affect the objectives of internal control, management
responsibility and the limitations inherent to the internal control system, but it does affect the
approach to its evaluation and the type of audit evidence obtained.

Systems security:

- Systems security (real time)
- Relevant differences with respect to other modes of operation
- Specific controls for this type of modality

The objective is, then, the security of that information, so we must implement controls to reduce
or avoid the risks. These controls will determine the degree of reliability of the information
provided.

Organizations, especially small and medium-sized ones, lack documentation, standards for
preparation, as well as internal controls.

The internal control structure to be evaluated should not be differentiated according to the size of
the company. The difference lies in the intensity of some controls, especially those of:

- Separation of duties
- Archives
- Physical security

Security of systems with real-time processing

The controls seen above must also be applied in real-time processes, but others that are specific to
this type of processing must also be added.

Problems that may occur in real-time processing

Regarding the process:
- An application may become more expensive if it does not necessarily need to be updated in real time (for example, salaries).

Regarding administrative management:
- It is harder to detect errors, since the update modifies the file at the time.

Regarding use:
- Development and implementation are more expensive.
- It is more difficult to implement internal control, as processing documentation is minimized.
- There is a direct relationship between the user and the equipment.

Security measures required by the real-time process

Physical control techniques:
- Protective devices for terminals (locks, readers)
- Location of terminals in supervised areas
- Disconnection of terminals at certain times
- Access to files only at certain times
- Automatic disconnection of unused terminals

Logical control techniques:
- Passwords for access
- No display of passwords
- Authorization level parameters
- Automatic disconnection of terminals after "X" unsuccessful access attempts

Telecommunications control techniques:
- Encrypted or coded transmissions
- Use of interception detectors
- Telephone number distribution and control for call stations

Entry control and validation:
- Written instructions to guide operators
- Entry validation (scheduled tests)
- The operator must review the data entered
- Control totals are reconciled (manual vs. computer)
- Transaction entry date and time stamps

Maintenance:
- Whoever executes or approves maintenance is not accountable for the facts recorded
- Controlled access for maintenance
- "Was and is" report on the master files

File controls

Integrity:
- "Was and is" report reviewed by appropriate personnel
- Balancing of record counts and control totals

Transaction balance control:
- Record count and control totals
- Unbalanced data report
- These errors must be corrected before reprocessing

Processing controls

Processing capacity:
- Operator familiarization with system procedures
- Operator familiarization with alternative procedures
- Date and time stamping of transactions

Process outcome testing:
- Reasonableness checks of results (by program)
- Use of management reports to detect major errors
- Identify and report capacity overflows

Output controls

Output test:
- Reports designed to avoid errors of interpretation
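The entry-control and file-control items (entry validation, manual vs. computer control totals, record counts, an unbalanced data report, errors corrected before reprocessing, and the "was and is" report on the master files) fit together as one batch-processing gate. The script below is an added example, not code from the original unit; the master file, the transaction batch and the manual control slip are constructed sample data, and the account identifiers and amounts are invented.

```python
from copy import deepcopy
from decimal import Decimal

# Constructed master file before the batch: account -> balance
MASTER_BEFORE = {
    "ACC-100": Decimal("1500.00"),
    "ACC-200": Decimal("320.50"),
    "ACC-300": Decimal("0.00"),
}

# Constructed transaction batch as keyed in by the operator (each entry is date/time stamped)
BATCH = [
    {"id": "T1", "account": "ACC-100", "amount": Decimal("-200.00"), "entered_at": "2024-03-04T09:12:00"},
    {"id": "T2", "account": "ACC-200", "amount": Decimal("75.25"),  "entered_at": "2024-03-04T09:13:30"},
    {"id": "T3", "account": "ACC-999", "amount": Decimal("10.00"),  "entered_at": "2024-03-04T09:15:02"},
]
# Same batch after the operator corrected T3's account (constructed)
CORRECTED_BATCH = [dict(t, account="ACC-300") if t["id"] == "T3" else t for t in BATCH]

# Manual control slip prepared by the user department before data entry
CONTROL_SLIP = {"record_count": 3, "control_total": Decimal("-114.75")}

def reconcile(batch, slip):
    """Compare the computer's record count and control total with the manual slip."""
    count, total = len(batch), sum(t["amount"] for t in batch)
    return {
        "record_count": (slip["record_count"], count),
        "control_total": (slip["control_total"], total),
        "balanced": count == slip["record_count"] and total == slip["control_total"],
    }

def validate_entries(batch, master):
    """Entry validation: every transaction must name a master record and carry a timestamp."""
    errors = []
    for t in batch:
        if t["account"] not in master:
            errors.append((t["id"], "unknown account"))
        if not t.get("entered_at"):
            errors.append((t["id"], "missing entry timestamp"))
    return errors

def process_batch(batch, slip, master):
    """Apply the batch only if it balances and validates; otherwise return the
    unbalanced-data/error report so the errors are corrected before reprocessing."""
    rec = reconcile(batch, slip)
    errors = validate_entries(batch, master)
    if not rec["balanced"]:
        errors.append(("batch", "unbalanced: slip %s/%s vs computed %s/%s" % (
            rec["record_count"][0], rec["control_total"][0],
            rec["record_count"][1], rec["control_total"][1])))
    if errors:
        return {"status": "rejected", "errors": errors, "master": master, "was_is": []}
    after = deepcopy(master)          # the master file is never updated in place
    for t in batch:
        after[t["account"]] += t["amount"]
    # "Was and is" report: every master record the batch changed, with old and new value
    was_is = [(acc, str(master[acc]), str(after[acc])) for acc in master if master[acc] != after[acc]]
    return {"status": "applied", "errors": [], "master": after, "was_is": was_is}

if __name__ == "__main__":
    print(process_batch(BATCH, CONTROL_SLIP, MASTER_BEFORE)["errors"])
    print(process_batch(CORRECTED_BATCH, CONTROL_SLIP, MASTER_BEFORE)["was_is"])
```

The first run is rejected because T3 points at an account that does not exist in the master file, even though the batch balances against the slip; the second run, after the correction, is applied and yields the "was and is" report that the appropriate personnel review.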

IN OPERATION (concurrent tests)

In the real system, real transactions and simulated transactions are entered. The technique is
called ITF (integrated test facilities or mini company).

Special audit records are generated within the main processing records (and must be properly
identified).

The technique is only applicable in organizations that have supervisory bodies that allow it,
otherwise it could be considered fraud.

It requires little technical expertise and provides the auditor with the element of surprise, but it
may have problems in its implementation or control if the simulated transactions are not properly
identified.

PHYSICAL AND LOGICAL SECURITY

Physical security and logical security are related to preventive measures against impacts on the
organization. The information must be classified according to its main characteristics and the
impact of different events must be considered (quantitatively if possible). Additionally, the
probability of occurrence of each fortuitous event must be considered in order to try to minimize
all risks.

Physical Security – Risks

- Typical of the geographical area: fires, floods, storms, epidemics, earthquakes.
- Specific to the neighborhood: these can be permanent (for example, if the organization is located next to a service station) or temporary (for example, if there are construction works in the vicinity of the organization).
- Specific to the entity: these are the risks of the building, such as the materials with which it is built, the physical arrangement of the electrical equipment, soundproofing, etc.

Logical security

Data may be subject to unauthorized access, modification, and destruction.

For this reason, logical security measures must be implemented that ensure:

- Identification: of the person who wants to access this data.
- Authentication: of that person. It must be certified that the person who identifies himself is who he says he is ("something one knows, something one has, something one is"). If passwords are used, they must be unique, easy to remember, expire after a certain period of time, and tolerate only a limited number of failed attempts. It is advisable to have a department responsible for managing all keys.
- Authorization: authorizations must limit the use of IS resources (both the data and the functions that can be performed on that data).
- Documentation: records of all events must be kept for monitoring and statistical purposes.
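The four logical security measures above (identification, authentication, authorization, documentation) together with the logical control techniques listed for real-time processing (password expiry, authorization level parameters, automatic disconnection after "X" unsuccessful attempts) can be checked mechanically over a terminal event log. The script below is an added example, not part of the original unit; the user directory, the resource table, the event log, the 90-day password age and the three-attempt limit are constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                 # "X" unsuccessful attempts before the terminal is disconnected
PASSWORD_MAX_AGE = timedelta(days=90)   # passwords expire after this period (assumed value)
NOW = datetime(2024, 3, 4, 8, 0, 0)     # reference time for password-age checks

# Constructed user directory: when each password was set and the user's authorization level
USERS = {
    "alice": {"password_set": datetime(2024, 1, 10), "level": 2},
    "bob":   {"password_set": datetime(2023, 9, 1),  "level": 1},   # password older than 90 days
    "carol": {"password_set": datetime(2024, 2, 20), "level": 3},
}
# Constructed resource table: minimum authorization level required to use each file
RESOURCES = {"payroll.dat": 3, "inventory.dat": 1}

# Constructed terminal event log: (timestamp, user id, action, resource, credential accepted?)
EVENTS = [
    ("2024-03-04T08:00:00", "alice", "login", "", True),
    ("2024-03-04T08:01:00", "alice", "read", "payroll.dat", None),
    ("2024-03-04T08:02:00", "alice", "read", "inventory.dat", None),
    ("2024-03-04T08:05:00", "bob", "login", "", True),
    ("2024-03-04T08:10:00", "carol", "login", "", False),
    ("2024-03-04T08:10:20", "carol", "login", "", False),
    ("2024-03-04T08:10:40", "carol", "login", "", False),
    ("2024-03-04T08:11:00", "carol", "login", "", True),   # right password, terminal already disconnected
    ("2024-03-04T08:12:00", "mallet", "login", "", True),  # identity not in the directory
]

def evaluate(events, users, resources, now=NOW):
    """Apply identification, authentication and authorization rules to each event and
    return the audit trail: one (timestamp, user, action, resource, outcome) per event."""
    failed = {}      # failed login attempts per user since the last success
    locked = set()   # users whose terminal has been disconnected
    session = set()  # users holding an authenticated session
    trail = []
    for ts, user, action, resource, ok in events:
        if user not in users:                                   # identification
            outcome = "denied: unknown user"
        elif action == "login":                                 # authentication
            if user in locked:
                outcome = "denied: locked out"
            elif not ok:
                failed[user] = failed.get(user, 0) + 1
                if failed[user] >= MAX_FAILED_ATTEMPTS:
                    locked.add(user)
                    outcome = "failed: terminal disconnected"
                else:
                    outcome = "failed"
            elif now - users[user]["password_set"] > PASSWORD_MAX_AGE:
                outcome = "denied: password expired"
            else:
                failed[user] = 0
                session.add(user)
                outcome = "ok"
        else:                                                   # authorization
            if user not in session:
                outcome = "denied: not authenticated"
            elif users[user]["level"] < resources.get(resource, float("inf")):
                outcome = "denied: insufficient level"
            else:
                outcome = "ok"
        trail.append((ts, user, action, resource, outcome))     # documentation of every event
    return trail

def outcomes(trail):
    """Just the decision column of the audit trail, in event order."""
    return [entry[-1] for entry in trail]

if __name__ == "__main__":
    for entry in evaluate(EVENTS, USERS, RESOURCES):
        print(*entry)
```

Every event lands in the trail whether it was allowed or not, which is what the documentation requirement asks for; a reviewer reading the trail sees bob's stale password, alice's attempt to open a file above her level, and carol's lockout followed by a login that was refused even with the right password.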

Contingency plan

The organization must be prepared for the occurrence of accidental events, natural disasters or
intentional acts that endanger its normal operations. COB (continuity of business) must always be
ensured. The main causes of lack of prevention are:

- "It can't happen to us"
- Apathy in senior positions
- Lack of knowledge of how to prepare a plan
- Difficulty in quantifying the benefits

All risks must be analyzed, critical resources established, a project drawn up, the plan developed
and the relevant tests performed.

Emergency phase: If a serious event occurs, the reconstruction and recovery environment must be
established and the damage that has occurred must be minimized (prevention measures will be
essential to avoid serious damage).

Linkage Phase: Processing alternatives must be provided to maintain operational capacity and
environmental recovery tasks must be facilitated.

Backup phase: it is necessary to continue operating with alternative processing by providing the
necessary backup copy sets for this.

Recovery phase: The IS must be fully restored to normal operation by discontinuing alternate processing and converting operations and files from link mode to normal mode.

3.6 Personnel responsible for the area

The main objective of the auditor is to evaluate and follow up in a timely manner the set of IT
audit projects that will be executed within a given period in order to support business strategies,
considering the various internal and external factors that relate to the organization.

Each of these projects must be framed within the limits defined for the function, that is, it must
focus on the control, security and auditing of the different elements that maintain direct or
indirect contact with information technology.

IT auditors will need the direct and enthusiastic involvement of the IT staff and users concerned during the audit.

The person responsible for the IT audit function (external or internal) who reviews the different IT
areas must coordinate with the person responsible for traditional auditing, senior management
and the IT manager through formal and periodic meetings in order to achieve common objectives
for the good of the business.

Minimum functions

A. Evaluation and verification of controls and procedures related to the IT function within the
organization.
B. Validation of the controls and procedures used to ensure stable and efficient use of IT
resources within the organization.
C. Evaluation, verification and timely implementation of the controls and procedures
required to ensure proper use and exploitation of the IT function.
D. Permanent assurance of the existence and compliance of controls and procedures that
regulate the activities and use of IT resources in accordance with the organization's
policies.
E. Develop IT auditing in accordance with national and international standardized norms and
policies.
F. Evaluate the risk areas of the IT function and justify your assessment with senior business
management.
G. Prepare an IT audit plan within the timeframes determined by the person responsible for
the function.
H. Obtain formal approval of the plan's projects and disseminate them among those involved
in the plan.
I. Efficiently manage or execute the projects contemplated in the IT audit plan.

Managing the audit function in IT

Once the function is formalized in any of the organizational situations indicated, a mechanism for
administering and controlling the function is defined.

This mechanism will ensure that the resources and projects involved in the performance and
management process of IT auditing comply with the basic principles of an administrative process.
Among others, the most important and indispensable elements are planning, personnel, control
and performance monitoring.
The main objectives of IT audit management, once the function begins to operate, are to make it an efficient, value-adding area and to:

Ensure that the audit function covers and protects against the greatest risks and exposures
existing in the IT environment in the business.

Ensure that IT resources (hardware, software, telecommunications, services, personnel, etc.) are
geared towards achieving the organisations' objectives and strategies.

Ensure the formal formulation, development and dissemination of policies, controls and
procedures inherent to IT auditing that guarantee the optimal and efficient use and exploitation of
each of the IT resources in the business.

Ensure formal compliance with the policies, controls and procedures defined in each IT audit
project through timely monitoring.

Ensure that the business achieves the expected results through coordination and mutual support
with:

- Audit
- Computing
- External advisors
- Senior management

In order for the objectives and goals of the IT audit function to be successfully achieved, the
following must be considered:

1. Develop and formalize IT audit plans.
2. Manage the function efficiently.
3. Manage and control IT audit projects in a timely manner.
4. Periodically review and evaluate the performance of IT auditors.
5. Evaluate the performance of the IT function.
6. Align products with financial, operational and administrative audits.
7. Coordinate efforts with users and IT staff.

3.7 Determine the level of application of any of the standards considered for the hardware audit

In a financial audit based on risk analysis, the study and review of the information systems on which an entity's management rests (public company or foundation, city council, autonomous community administration, etc.) has become an activity of growing importance. Management is now fundamentally based on information systems that have, in general, become increasingly complex, and this has generated new audit risks (inherent and control risks) that must be considered in the audit strategy.

Entity level

Controls at this level reflect the way an organization operates, and include high-level policies,
procedures, and other practices that set the guidelines for the organization. They are a
fundamental component of the COSO model and must take into account the IT operations that
support financial information.

The control environment and commitment to ethical behavior is a work “philosophy” that must
emanate from the top down, from senior management positions to the rest of the organization. It
is essential that the appropriate tone for control is set by the organization's top management,
sending a message to the entire organization that controls must be taken seriously.

Entity-level controls have significant influence on the rigor with which the internal control system
is designed and operates across all processes. The existence of rigorous IT governance at this level,
such as well-defined and communicated policies and procedures, often suggests a more reliable IT
operating environment.

Conversely, organizations with weak controls at this level are more likely to have difficulty
performing control activities regularly. Consequently, the strength or weakness of entity-level
controls will have an effect on the nature, extent and timing of audit testing.

IT systems level

Information technology services form the foundation of operations and are delivered throughout
the organization. They typically include network management, database management, operating
system management, storage management, facilities and services management, and security
administration. All of this is usually managed by a centralized IT department.

Controls at the IT system level consist of processes that manage specific IT system resources
related to its general support or to the main applications; they are more specific than those
established at the entity level and are normally related to a particular type of technology.

Management processes/applications level

Management processes (or business processes) are the mechanisms that an entity uses to develop
its mission and provide a service to its recipients or users.

Inputs, processing and outputs are aspects of management processes that are increasingly
automated and integrated into complex computer systems.

If the auditor reaches a favourable conclusion on the IT controls at the entity and IT systems level,
the effectiveness of the IT controls in the significant applications to be reviewed should be
assessed and verified before reviewing their application controls.

http://auditoriainformaticaritaneoletyivan.blogspot.mx/2015/04/unidad-3-auditoria-del-hardware.html

http://ing-informatica.esy.es/uncategorized/unidad-3/
