Basic Concepts of Information System Auditing


Chapter I

Rafael Rodríguez de Cora

Copyright 2000, Idea Group Publishing.

INTRODUCTION

The challenge of Information System Auditing, as it is known nowadays, is a consequence of a most important current trend, namely the change from an Industrial to an Information Society. We are involved in profound changes of all kinds leading us into the 21st century. Organizations depend on the economic, industrial and social environment in which they develop, so if technological tendencies, economic environments and industries change, they have to adapt fast to the new circumstances in order to survive. Such a fast change is affecting the whole world, and understanding it is fundamental for all kinds of organizations, especially in relation to Information Systems and Related Technologies.

For better or worse, the whole of Society is more and more dependent on information and communication systems. On the other hand, the development of information technologies in the last twenty years has been constant and impressive. The past five years can be considered a true technological revolution in depth and impact.

Nowadays the majority of organizations consider that information and its associated technology represent their most important assets. The quality, control and security requirements that are implemented for a company's other assets are also required for information systems and technology. Management must establish an adequate system of internal controls, and such systems should support business processes and resources properly. The planning, control, security and cost reduction involved in Information Systems are currently essential for organizational strategies.

Generally speaking, the current situation of Information Systems is frequently characterized by a lack of assimilation of new technologies, poor use of information and technological resources, general dissatisfaction of users, obsolescent applications, and a lack of planning. Applications in the past have not been integrated but designed as partial solutions, and they have been functioning as independent automated or manual islands. Manual processes were difficult to control and expensive to maintain. Eventually there was a lack of standards and methods, and a lack of training and general culture concerning the overall aspects of Information Control and Security.

Taking the initiative in dealing with these problems, the professional organization I.S.A.C.A. (Information Systems Audit and Control Association) published, following its Foundation in December 1995, CobiT (Control Objectives for Information and Related Technology), as a result of four years of intensive research by a broad team of international experts.

In the past, Information System Auditing has been used as a technical complement to Financial Auditing. Because of the growing impact of Information and Related Technology in organizations, this issue becomes more and more important and it can only be seen and executed as an independent discipline. The methods and procedures for Information System Auditing are worth considering by organizations and enterprises of any size.
As a result of current global competition, organizations have to restructure their operations towards a more competitive and technological environment, and consequently they have to take advantage of Information Systems and Technology that are secure and controlled in order to hold and improve their market position. This fact should both stimulate students and professionals and increase the awareness of society in general of the importance of this key profession for the 21st century.

BACKGROUND

The evolution of Information Technology has come about thanks to the better or worse use made of it by the users, on the one hand, and has been more or less forced by the commercial needs of the manufacturers and the advancement of technologies, on the other hand. The Information Technology industry started from the first devices and has gone through several stages from the sixties to date (Figure 1). The most significant stages are as follows:

- Electromechanical devices: Unit Record (one device for each administrative function, like sorting, calculations, filing, printing, etc.)
- One computer for many: Mainframes (big central computers)
- One computer for a few: Minicomputers (departmental computers)
- One computer for one user: single-user PCs (personal computers)
- A variety of users share resources: LAN (departmental communications, Local Area Network)
- A variety of computers for a wide range of users: WAN (network computing, Wide Area Network)
- Integration of information and communication: World Wide (global intercommunication, Information Highway)

As a result, these stages have generated the design, creation and utilization of different types of Information Systems, which have also evolved in time:

- Batch Systems
- Interactive Systems
- Office Automation
- Client/Server Systems
- Network Computing

Figure 1: Information Evolution

The Nineties are characterized by what has been called Network Computing, by which users can have access to computers of all kinds through global communication networks, as shown below in Figure 2:

Figure 2: Network Computing Environment

Challenges and Strategies for Complexity

This new environment increases the complexity of all kinds of relations. The complexity of systems and technologies, and the new tendencies mentioned, mean an increasing complexity in the exchange of products and services, which leads to an increasing complexity in the corporate infrastructure and in relations of all kinds.

This increased complexity has an impact on the general decision making process, and also on the decision making process of Information System design, to support the new business needs of the acquisition, utilization and control of the new technologies.

The interrelation of these factors means that the strategies have to be analyzed and designed in an integrated way, as shown in Figure 3 below:

Figure 3: Strategic Planning of Information Systems (elements shown: Economical Strategy (Global Economics), Organizational Strategy, Integration, Change Management, Information System Strategy, Strategy of HR)

GENERAL AUDIT CONCEPTS

Definitions and types of Auditing

Generally speaking, when it comes to auditing, we speak of a control tool, which involves a methodology to establish criteria, so that we can measure the effectiveness, efficiency and possible deviations from the established objectives of a given system. The environment or application defines the types or functions of auditing (by function or by system), so that we can distinguish:

- Financial Auditing
- Production Auditing
- Human Resources Auditing
- Environmental Auditing
- Etc.

The type of auditing that is best known, applied by organizations and established as compulsory by law, is Financial Auditing. According to its definition, it concerns the independent investigation of the financial situation of an entity, with the intention of expressing an opinion about the financial status in compliance with norms and established procedures and generally accepted accounting principles.

Since an independent opinion is required, the function of auditing needs to be performed by external personnel. The people in charge of the External Auditing function in organizations must have strict codes of conduct and professional ethics, and they should have an impartial relationship with the audited entity. The opinion on the financial statements of the company is based on:

- Reviewing and evaluating the Financial Control System.
- Performing specific Audit Tests.

Information System Auditing

The new developments in Information and Related Technologies have had an enormous impact and influence on the generation of Financial Statements, administrative systems and procedures, and accounting. As soon as data and management procedures are handled by automated systems, Information Systems Auditing comes into play. This includes new methodologies and control techniques pertinent to an automated environment.

In a similar way to Financial Auditing, Information System Auditing requires an opinion about the Information Systems and the data that they process. The data must be accurate, complete and authorized. Errors must be properly detected and corrected in time, and there must be planned and accurate procedures to guarantee the continuation of operations.

Information System Auditing, which was once a complement to Financial Auditing, now has its own existence and can be considered a professional discipline. When we change from a manual to an automated environment, we have to take into account some important differences from a control point of view:

Changes of nature in Automated Systems

MANUAL                          AUTOMATED
Cheap                           Expensive
Flexible                        Inflexible
Unpredictable Errors            Systematic Errors
More division of functions      Less division of functions
Easier back-up                  More difficult or expensive back-up
Errors cause minor impact       Errors cause major impact
Less need of information        More need of information

- Changes in auditing procedures.
- Evaluation of automated controls.
- Evaluation of effective and efficient use of automated systems and resources.

- Impact on the scope and procedures of the following main circumstances:
  - Basic accounting controls in computer programs.
  - Integration of accounting systems through initial data input and databases.
  - Use of computer capacity for decision making.
  - Automatic transaction initiation.
  - Loss of visible Audit Trails.
  - Use of real-time processing.
  - Concentration of functions and responsibilities in the Information Service Department.
  - Accessibility of electromagnetic data and files.
- Audit perspective for automated systems:
  - Orientation on systems.
  - Orientation on data.

Information System Auditing Objectives

The general Information System Auditing Objectives are as follows:

- Validation of the organizational aspects and administration of the Information Service function.
- Validation of the controls of the system development life cycle.
- Validation of access controls to installations, terminals, libraries, etc.
- Automation of Internal Auditing activities.
- Internal Training.
- Training members of the Information Service Function Department.
- Collaboration with External Auditors.

There are good reasons why Management should be primarily interested in Auditing. First of all, control over Information Systems must be exerted in order to prevent:

- Excessive time and development costs.
- Unrealistic or impossible objectives to comply with.
- Rigid systems when they become operational.
- Non-compliance with value-added benefits.
- Costly methods and systems.

The lack of control involves many risks. Many systems fail because of some of the following reasons:

- Lack of management technical capacity.
- Lack of management support in System development.
- Inexperience of employees or lack of training.
- Unrealistic expectations with wrong orientations.

Information System Audit Plan

To approach an Information System, a Plan has to be developed, similar to the ones used in Financial Auditing. Some of the tasks involved are as follows:

- Definition of Scope and Objectives.
- Analysis and understanding of standard procedures.
- Evaluation of system and internal controls.
- Audit Procedures and documentation of evidence.
- Analysis of facts encountered.
- Formation of opinion over the controls.
- Presentation of report and recommendations.

One of the most difficult things to determine is the objectives and scope of the Audit. As guidance, one can take into account the following variables to determine such scope:

- Extension and scope of the Financial Audit taking place.
- Duration and nature of the review, Internal or External Audit.
- Dimension of the installation and level of complexity.
- Level of centralization or distribution of systems and integration of Databases.
- Existence of procedures and norms for the development and production environment.

Ideal Information System

There are many objectives that can lead towards the implementation of an Information System Audit. In any case, whatever the scope considered, we should look for the following main general objectives when we consider the Services and Infrastructures where Information Systems are developed:

- The Service should operate as an autonomous department, dependent on General Management.
- It optimizes the use of technical resources and provides automated services at minimum costs.
- It anticipates users' future needs without introducing experimental or insufficiently tested products.
- It operates in accordance with predefined standards and procedures, which guarantee reliable processes and an adequate distribution of results.
- Users are involved in the design and planning of applications.
- A cost assigning method, based on actual utilization, is maintained to measure the users' utilization of information resources.

Audit Techniques

Audit Techniques are of various types but they may be grouped in two types of evidence:

- Compliance Tests: They verify the correct execution or registration of an operation or process through its repetition or observation (test data, logic reviews, and sample of a file).
- Substantive Tests: They make an analytic review of real data, to test its quality, by using certain audit software or packages (C.A.A.T.).

More specifically than the ones mentioned above, some of the most general audit techniques and tests are as follows:

- Interviews (management, staff, operators, users).
- Observation on location of the work environment.
- Audit Guidelines and Control Objectives (checklists to review controls).
- Organizational structure, flow charts (of manual and automated operations), file interrelations.
- System documentation and descriptions of the users' environment (standard software, hardware, terminals, etc.).
- Organizational hierarchy and segregation of duties.
- Use of specific Audit software.
- Statistical sampling.
- Performing other kinds of specific tests to get evidence.

PAST AND FUTURE TRENDS IN INFORMATION SYSTEMS AUDITING

For technical reasons, Information System Auditing has gone through several phases which, although sometimes confusing, are increasingly widening its distance from Financial Auditing and integrating it into today's complex and sophisticated Information Systems. Without clearly delimited borders in time, we can define the following phases:

Auditing around the computer: In a first phase, when there were more manual than automated systems, the Financial Auditors treated the computer as a black box and reviewed only the input and output controls, data and procedures, without analyzing the internal process, which required technical knowledge. What was done, in practice, was just to review manually what the computer produced, since this was fairly easy to do as it concerned almost only batch processes.

Auditing the computer: A second phase came into being when the concentration of Data and Processes inside the computer became more significant, and Financial Auditors had to rely upon Information Technology Specialists to assure that the controls in an automated environment and within the machine were sufficiently reliable and allowed a reasonable guarantee of Information Processing from an Auditor's point of view.

Auditing through the computer: The third phase arrived when Information System Auditing became an object in itself, because of its importance, and transcended Financial Auditing, offering a market of independent consultancy to verify the efficiency and global use of the organization's Information Systems.

Auditing with the computer: In this phase Auditors started using the computer in their turn for typical audit tasks like project preparation, statistical sampling, reports, and other activities. Auditors turned either to Information Technology experts who were specialists in the client's environment or to their own in-house specialists to perform tests, statistical samples or data extraction programs (Computer Assisted Audit Techniques).

Auditing inside the computer: We are now in a fourth phase, which started a few years ago, where many hardware and software systems incorporate controls and security procedures which would normally have been compensated manually, or with alternative procedures and controls.

In this context, we can quote some advanced technologies which require, for their own design and for industry and market policies, the incorporation of controls or security mechanisms:

Hardware
- Parallel processors or clusters
- Systems with built-in uninterrupted power supply
- Fault Tolerant Systems

Operating Systems
- Security and access mechanisms on many levels
- Security level C2 in UNIX System V (Orange Book - DOD)
- Built-in Audit subsystems or routines

Databases
- On-line Back-ups
- Mirroring
- Two-phase commits
- Fourth Generation Languages (4GLs)
- Security and access mechanisms on many levels
- Transaction Generators for Audit purposes

Communications
- Message switching
- Encryption
- Firewalls
- Etc.

CONTROL CONCEPTS

The accelerated change in technology also affects the nature and mechanisms of controls. Control technologies are changing in two different ways. On the one hand, as mentioned before, basic manual and automated controls are now part of the design of modern hardware and software systems. On the other hand, new control technology, which did not exist before, is available now.

Audit standards and objectives do not vary between manual and automated systems. But the scope, the emphasis on every type of control, and the methods and procedures do vary substantially with every kind and level of system automation.

The ISACF (Information Systems Audit and Control Foundation) released in 1996 a product called CobiT: Control Objectives for Information and related Technology, to define an applicable control methodology. In 1998 the second version of CobiT was released, which is now available.

Control Objectives

The Management responsibility is to safeguard the organization's assets. Nowadays, for many organizations, information and its supporting technology are considered the most important assets.

In general, the major control objectives are considered to be as follows:

- Safeguarding of assets
- Guarantee data accuracy, reliability and authorization
- Operation efficiency
- Compliance with organizational policies and procedures

Lack of control can generally mean the following risks:

- Erroneous decisions
- Fraud
- Business interruption
- Excessive costs
- Competitive disadvantages
- Illegal situations

IT Control Objective is defined as a statement of the result or purpose which is desired to be achieved by implementing control procedures in a particular IT activity: In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes. (ISACA, 1998)

Control Environment

Controls can be grouped according to the following three environments:

a) Accounting Controls - Procedures, etc.
b) Processing Controls - Data completeness and reliability
c) Environmental Controls - (All others)

[Figure: diagram of the control environments; labels: A, USERS, B, D.P., C]
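The control objective of guaranteeing data accuracy, reliability and authorization, together with the processing control of data completeness, can be checked on a data file with a substantive test of the kind the chapter attributes to audit software (C.A.A.T.). The Python code below is an added example, not part of the original chapter: the payments file, its field names and the rule that the approver must differ from the person who entered the record are constructed assumptions.

```python
"""Substantive test over a payments file, in the style of audit software (CAAT)."""
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample file: invented for this example, not real data.
SAMPLE_CSV = """\
seq,vendor,quantity,unit_price,amount,entered_by,approved_by
1001,ACME,10,25.00,250.00,alice,bob
1002,ACME,4,100.00,400.00,alice,bob
1004,GLOBEX,2,3000.00,6000.00,carol,
1005,GLOBEX,3,50.00,155.00,carol,bob
1006,INITECH,1,900.00,900.00,dave,dave
1006,INITECH,1,900.00,900.00,dave,bob
"""


def load_records(text):
    """Parse the CSV text into typed records (Decimal avoids float rounding)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "seq": int(row["seq"]),
            "quantity": int(row["quantity"]),
            "unit_price": Decimal(row["unit_price"]),
            "amount": Decimal(row["amount"]),
            "entered_by": row["entered_by"].strip(),
            "approved_by": row["approved_by"].strip(),
        })
    return records


def check_completeness(records):
    """Completeness: every sequence number present exactly once."""
    seqs = [r["seq"] for r in records]
    if not seqs:
        return {"missing": [], "duplicates": []}
    counts = Counter(seqs)
    expected = set(range(min(seqs), max(seqs) + 1))
    return {
        "missing": sorted(expected - set(seqs)),
        "duplicates": sorted(s for s, n in counts.items() if n > 1),
    }


def check_accuracy(records):
    """Accuracy: recompute quantity * unit_price and compare with the stored amount."""
    return [r["seq"] for r in records
            if r["quantity"] * r["unit_price"] != r["amount"]]


def check_authorization(records):
    """Authorization: an approver must exist and must not be the person who entered it."""
    findings = []
    for r in records:
        if not r["approved_by"]:
            findings.append((r["seq"], "no approver recorded"))
        elif r["approved_by"] == r["entered_by"]:
            findings.append((r["seq"], "entered and approved by the same user"))
    return findings


def run_substantive_test(text=SAMPLE_CSV):
    """Run all three checks and return the findings as audit evidence."""
    records = load_records(text)
    return {
        "records_read": len(records),
        "completeness": check_completeness(records),
        "accuracy": check_accuracy(records),
        "authorization": check_authorization(records),
    }


if __name__ == "__main__":
    for name, result in run_substantive_test().items():
        print(f"{name}: {result}")
```

Each finding carries the sequence number of the record concerned, so it can be filed in the work papers as evidence and traced back to the source file.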

When analyzing a system's internal controls, the manual and the automated parts should not be separated. The analysis should always be oriented towards the control guarantee of the system as a whole. This means that analyzing and obtaining an understanding of the Information System must take place in the context of the whole System Life Cycle.

On the other hand, the conclusions reached about the adequacy or deficiency of controls must be drawn from a global view. This means that we may find that one kind of control is deficient, but that it is compensated by another type of control or a general procedure.

Control Scope

The Control Scope defines which resource a control applies to at a given moment of the Audit, such as the facilities, the systems or specific data. In particular, CobiT defines the following resources:

- Data: External and internal data objects, structured and non-structured data, graphics, sound, etc.
- Application Systems: That is, the sum of manual and programmed procedures.
- Technology: Hardware, operating systems, database management systems, networking, multimedia, etc.
- Facilities: Resources to house and support Information Systems.
- People: Including staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor Information Systems and Services. (ISACA, 1998)

IT Domains & Processes

The CobiT framework consists of Control Objectives and an overall structure for their classification. CobiT considers the management of IT resources on three levels of IT efforts:

- Activities and Tasks, which are needed in order to achieve a measurable result.
- Processes, which are defined as a series of joined activities or tasks with natural (i.e. control) breaks, one layer up.
- Domains, which are groups of processes naturally grouped together. (ISACA, 1998)

Each of these categories in turn establishes and includes a number of controls, control objectives and methodology to perform the Audit more specifically.

CobiT identifies the following four Domains:

Planning and Organisation
This domain covers strategy and tactics for Information Systems and is concerned with the way IT can best contribute to the achievement of the business objectives. The implementation of the strategic vision needs to be planned, communicated and managed, and a proper organization and technological infrastructure must be provided.

Acquisition and Implementation
IT solutions need to be identified, developed or acquired as well as implemented and integrated into the business process. In addition, this domain covers changes in and maintenance of existing systems.

Delivery and Support
Actual delivery of required services is also a concern. In order to deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.

Monitoring
All IT processes need to be regularly assessed over time by internal and external audit, according to their quality and compliance with control requirements. (ISACA, 1998)

DEVELOPMENT OF THE AUDIT FUNCTION

Planning and Scope

Normally an Audit Program consists of the following phases or steps:

- Preliminary evaluation of the Audit to define objectives and scope.
- Investigation of norms, procedures and controls to comply with defined objectives and to identify potential existing risks.
- Program elaboration and detailed work schedule, including necessary logistics and formalities.
- Team selection and definition and other resources to carry out the program.
- Definition of Audit tests to be performed and tools to use:
  - Checklists
  - Tests
  - Verifications in-situ
  - Etc.
- Performance of Audit work through the knowledge and analyses of information, collection of evidence, and compliance testing and verification.
- Examination of existing controls and risk assessment, exposing deficiencies and documenting findings.
- Verifying results and proposed objectives.
- Preparation of the Audit opinion and elaboration of the Audit report including recommendations.
- Review and filing of work papers.

Audit Work Team

In an Audit Work Team, people with different levels normally use the work papers:

- Manager: Responsible for the Audit and quality control, to guarantee that the work is completed and has been done in compliance with standards and procedures, and conclusions are well documented.

- Senior/Team leader: Responsible for the work papers, scope of the Audit and supervision of the work team.
- Staff: Responsible for the performance of the Audit and the documentation of the work done.

Risk Assessment

Risks to an Information System are normally understood as potential or real circumstances which might cause loss of value to the organization's assets. In particular, the risks which affect data are as follows:

- Manipulation errors.
- Intentional frauds.
- Sabotage.
- Leakage of confidential information.
- Natural disasters.
- General environmental accidents.

These risks can have immediate consequences, as follows:

- Data corruption, affecting its reliability.
- Interruption of processes, limiting data availability.
- Destruction of data, resulting in a lack of integrity.
- Disclosure or theft of data, resulting in a loss of privacy or confidentiality.

In any case, this problem leads to economic loss, which can be very serious, affecting the organization's image or even creating a basis for illegal situations in the organization.

The causes that generate a lack of security can be accidental or deliberate. When implementing controls to minimize the risk, one should take into account that the cost of this implementation should always be cheaper and more effective than that of the potential risk. Risk evaluation and quantification should always take place, although total security does not exist. There is always a trade-off between the cost of risk and the cost of control.

Audit Work Papers and Audit Administration

For the administration of the Audit, the Audit Team must use a standard set of work papers. To carry out the Audit and serve as a support of opinions and evidence, the Auditors must prepare the following set of documents:

- Proposal or Presentation of the Audit.
- Progress Reports.
- Work Papers.
  - Permanent File.
  - Other Work Papers.
- Preliminary Reports.
- Final Audit Report (opinion).

Proposal

Generally speaking, the proposal to a customer, or the preceding Audit presentation to an organization, should have the following structure:

- Introduction.
- Scope and conditions.
- Work Team.
- Audit Plan and Schedules.
- Special Requirements or needs.
- Fees (and expenses).

Progress Report

At least one or more periodical progress reports should be made throughout the Audit work:

- They identify past or future problems or incidents, proposing solutions.
- They are also useful in reporting scope deviations and possible changes in the planning and budgets.

Permanent File

The permanent file contains information of interest for the auditor about a system or specific area. The information obtained and the date of the audit need to be updated in subsequent system audits. The permanent files must be designed in a way that contains the basic documentation about the system or area under review.

Other Work Papers

- Audit Programs.
- List of pending issues.
- Recommendations and follow-up about weak points.
- Administration.
  - Assignment and control of resources.
  - Time and expense reports.
  - Invoicing management.
- Meetings.
  - Preliminary.
  - Periodical.
  - Final.

Preliminary Reports

Draft reports, which are to be discussed with the client for possible comments and observations.

Final Opinion Report

Final Audit Report, which will be sent to the Board of Directors of the customer or organization which asked for the Audit. It must be clear and consistent, summarizing the Audit results. It must contain specific recommendations resulting from the Audit, and describe the impact of the detected lack of controls.

The contents of the working papers are fundamental because they are used to support the opinion. The aspects which have to be taken into account are as follows:

- Complete Information.
- Precise Information.
- Relevant Information.
- Standard format and uniform structure.

ORGANIZATIONAL ASPECTS

Organization

Information System Auditing can be performed by:

- Departments of Organization and Methods.
- Quality control departments.
- Internal Audit Services.
- External Audit Firms.

If done internally, the Information System Auditing Function should be under the Internal Auditing Function, and be independent of the Information Services Function, which is one of the objectives of the Audit. There are two types of Information System Auditors:

- IT Specialists supporting Auditing.
- Auditors with IT expertise.

The size and organizational structure of the Information System Audit Function will depend on the size of the organization, and for technical considerations or policies it can be separated functionally from the Financial and Operational Audit Departments.

Educational Plan

The IS Auditor must have a general understanding of Auditing, regarding both the applications to be reviewed and the auditee environment. It is also essential to have an understanding of Information Technology, the technological environments and the business of the audited firm.

Auditors can be trained and educated in four different and complementary ways:

Academic means
A list of colleges and universities offering courses and degrees in IS controls is now available. This information will also be used to disseminate information about ISACA, interchange ideas with students and teachers interested in learning more about the IS audit profession, encourage ISACA Standards and Code of Ethics, and provide a forum for ideas and suggestions from within the academic community.

Professional Experience
IS Audit training and experience achieved on the job have been the basic route into the profession for the majority of today's IS Auditors. These professionals were normally trained by the big auditing firms or large financial and insurance institutions, either as External Consultants or Internal IS specialists.

Professional Associations
Several professional associations exist all over the world in the areas of IS Audit, Control and Security. They define and certify standards of competence, subscribe to professional ethics and norms of conduct, and organize courses and seminars. One of the most important ones is I.S.A.C.A., which regards itself as a professional association for IT Governance, Audit, Control and Security.

Specific Seminars
Several courses and specific seminars are continually offered, comprising technological subjects and Audit related fields, to promote the continuous education policy of ISACA. This is part of a certification program for IS Auditors called CISA (Certified Information Systems Auditor).

Benefits of becoming CISA
A growing number of organizations are recommending that employees become certified. The CISA designation assures employers not only that their staff is able to apply state-of-the-art information system audit, security and control practices and techniques, but also that these skills are maintained. For these reasons, many employers require the achievement of the CISA designation as a strong factor for employment and/or advanced promotion.

Norms of conduct

Because of the nature of their activities, Auditors are subject to rigid professional ethics and are required to adhere to professional standards. Professional ethics, and chiefly independence, are the fundamentals of conduct in Audit practice. As a result, in recent times multinational audit firms which had other activities were obliged to separate these activities, so that they did not have other influences or interests concerning the auditee.

In this sense, there are several published standards which Auditors must follow. They cover several areas of professional practice in relation to the following professional ethics:

- Supporting the establishment of and compliance with standards, procedures, and controls for Information Systems.
- Complying with Information System Auditing standards as adopted by the Information Systems and Control Association (ISACA).
- Serving in the interest of their employers, stockholders, clients and the general public in a diligent, loyal and honest manner and not being knowingly party to any illegal or improper activities.
- Maintaining the confidentiality of information obtained in the course of their duties. The information shall not be used for personal benefit nor released to inappropriate parties.
- Performing their duties in an independent and objective manner and avoiding activities which threaten, or may appear to threaten, their independence.
- Maintaining competency in the interrelated field of auditing and information systems through participation in professional development activities.
- Using due care to obtain and document sufficient factual material on which to base conclusions and recommendations.
- Informing the appropriate parties of the results of audit work performed.
- Supporting the education of management, clients, and the general public to enhance their understanding of auditing and information systems.
- Maintaining high standards of conduct and character in both professional and personal activities.

REFERENCES

Alonso Rivas, G. (1988). Auditoría Informática. Ed. Díaz de Santos.
Colección Manuales y Desarrollo de Sistemas. (1993). Metodología de planificación. Métrica Versión 2. Ed. MAP.
(Handbook) (1992). Electronic Data Processing. Ed. Federal Financial Institutions Examination Council.
Information System Audit and Control Foundation. (1998). CobiT. Ed. Information Systems and Control Foundation.
ISACA. (1998). Review Technical Information Manual. Ed. Information Systems and Control Association.
McClure, Carma. (1992). Case la automatización del software. Ed. Rama.
Plans, J. (1984). La Calidad Informática. Ed. Deusto.
Rao Vallabhaneni, S. (1998). CISA Examination Textbooks. Ed. SRV Professional Publications.
Weber, R. (1988). EDP Auditing. Conceptual Foundations and Practice. Ed. McGraw Hill.

WEB SITES


More information

MISSISSIPPI STATE UNIVERSITY INTERNAL AUDIT CHARTER

MISSISSIPPI STATE UNIVERSITY INTERNAL AUDIT CHARTER MISSISSIPPI STATE UNIVERSITY INTERNAL AUDIT CHARTER I. The Charter The Office of Internal Audit was established by the President of Mississippi State University to assist the University in meeting its

More information

Public Internal Control Systems in the European Union

Public Internal Control Systems in the European Union Public Internal Control Systems in the European Union Illustrating essential Internal Control elements Discussion Paper No. 8 Ref. 2017-1 The information and views set out in this paper are those of the

More information

STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS Starwood Hotels & Resorts Worldwide, Inc. (the Company ) has determined that it is of the utmost importance

More information

Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR)

Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR) Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR) Origin of IFC The first significant focus on internal control certification related to financial reporting

More information

The FP7 Audit Process Handbook

The FP7 Audit Process Handbook Ref. Ares(2014)1132238-10/04/2014 The FP7 Audit Process Handbook Version December 2010 (Last update 21 December 2010) European Commission Issued by the working group on Coordination of external Audit in

More information

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements ASB Meeting July 30 August 1, 2013 Agenda Item 3B AT Section 501 An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements Source:

More information

Audit as Key Element of System Management Improvement in Company

Audit as Key Element of System Management Improvement in Company ARCHIVES of FOUNDRY ENGINEERING Published quarterly as the organ of the Foundry Commission of the Polish Academy of Sciences ISSN (1897-3310) Volume 7 Issue 3/2007 199 204 38/3 Audit as Key Element of

More information

Control Environment Toolkit: Internal Audit Function

Control Environment Toolkit: Internal Audit Function III. MODEL DOCUMENT: INTERNAL AUDIT DEPARTMENT CHARTER ADOPTED BY THE AUDIT COMMITTEE OF THE COMPANY MEETING MINUTES NO OF 20 SIGNATURE OF THE CHAIRPERSON OF AUDIT COMMITTEE DATED THIS DAY OF, 20 Approved

More information

Compilation Engagements

Compilation Engagements IFAC Board Final Pronouncement March 2012 International Standard on Related Services ISRS 4410 (Revised), Compilation Engagements The International Auditing and Assurance Standards Board (IAASB) develops

More information

CITY OF CORPUS CHRISTI

CITY OF CORPUS CHRISTI CITY OF CORPUS CHRISTI CITY AUDITOR S OFFICE Audit of Purchasing Program Project No. AU12-004 September 20, 2012 City Auditor Celia Gaona, CIA CISA CFE Auditor Nora Lozano, CIA CISA Executive Summary In

More information