
Tuesday, March 02, 2010

Continuous auditing

Continuous auditing is the application of automated tools to provide assurance on financial and non-financial data within a company. It uses a set of tools to check whether a company's financial information is handled correctly and whether internal controls are functioning to prevent errors and fraud (Wikipedia).

According to ISACA, continuous auditing has been defined as a methodology or framework that enables auditors (external and internal) to provide written results on the subject matter using one or a series of reports issued simultaneously. The ability to report on events in a real-time or near real-time environment can provide significant benefits to the users of audit reports. Continuous auditing is therefore designed to enable auditors to report on subject matter within a much shorter timeframe than under the traditional model. Theoretically, in some environments it should be possible to decrease the reporting timeframe to provide almost instantaneous auditing.
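The "set of tools" described above is, in practice, a collection of rule-based tests that run over each new batch of transactions and report exceptions as soon as they appear, rather than once a year on a sample. The following is an added example (not from the original post or from ISACA) of such tests over an accounts-payable feed: duplicate invoices, payments to vendors missing from the vendor master, payments above an approval threshold with no recorded approver, and same-day payments that individually stay under the threshold but together exceed it. The vendor master, threshold and transactions are constructed sample data.

```python
"""Continuous-auditing checks over an accounts-payable feed (added example)."""
from collections import defaultdict
from datetime import date

# Constructed vendor master: only these vendor IDs are approved for payment.
APPROVED_VENDORS = {"V100", "V101", "V102"}
# Assumed control: payments above this amount need a recorded approver.
APPROVAL_THRESHOLD = 5_000.00

# Constructed AP transactions as they would arrive from the ERP feed.
TRANSACTIONS = [
    {"id": "P1", "vendor": "V100", "invoice": "INV-1", "amount": 1200.00, "approver": None, "posted": date(2010, 3, 1)},
    {"id": "P2", "vendor": "V101", "invoice": "INV-2", "amount": 8000.00, "approver": "cfo", "posted": date(2010, 3, 1)},
    {"id": "P3", "vendor": "V101", "invoice": "INV-2", "amount": 8000.00, "approver": "cfo", "posted": date(2010, 3, 2)},  # duplicate of P2
    {"id": "P4", "vendor": "V999", "invoice": "INV-3", "amount": 300.00, "approver": None, "posted": date(2010, 3, 2)},   # vendor not in master
    {"id": "P5", "vendor": "V102", "invoice": "INV-4", "amount": 9500.00, "approver": None, "posted": date(2010, 3, 2)},  # no approver
    {"id": "P6", "vendor": "V102", "invoice": "INV-5", "amount": 4999.00, "approver": None, "posted": date(2010, 3, 2)},  # just under threshold
    {"id": "P7", "vendor": "V102", "invoice": "INV-6", "amount": 4999.00, "approver": None, "posted": date(2010, 3, 2)},  # same day: split payment?
]


def check_duplicate_invoices(txns):
    """Same vendor, invoice number and amount paid more than once."""
    seen = defaultdict(list)
    for t in txns:
        seen[(t["vendor"], t["invoice"], t["amount"])].append(t["id"])
    return [("DUPLICATE_INVOICE", ids) for ids in seen.values() if len(ids) > 1]


def check_vendor_master(txns):
    """Payments to a vendor ID that is not in the approved vendor master."""
    return [("UNAPPROVED_VENDOR", [t["id"]]) for t in txns if t["vendor"] not in APPROVED_VENDORS]


def check_approvals(txns, threshold=APPROVAL_THRESHOLD):
    """Payments above the threshold with no approver recorded."""
    return [("MISSING_APPROVAL", [t["id"]]) for t in txns if t["amount"] > threshold and not t["approver"]]


def check_split_payments(txns, threshold=APPROVAL_THRESHOLD):
    """Same vendor, same day, each payment under the threshold but combined above it."""
    by_vendor_day = defaultdict(list)
    for t in txns:
        if t["amount"] <= threshold:
            by_vendor_day[(t["vendor"], t["posted"])].append(t)
    findings = []
    for group in by_vendor_day.values():
        if len(group) > 1 and sum(t["amount"] for t in group) > threshold:
            findings.append(("POSSIBLE_SPLIT_PAYMENT", [t["id"] for t in group]))
    return findings


def run_continuous_audit(txns=TRANSACTIONS):
    """Run every check over the batch and return the exception list."""
    findings = []
    for check in (check_duplicate_invoices, check_vendor_master, check_approvals, check_split_payments):
        findings.extend(check(txns))
    return findings


if __name__ == "__main__":
    for code, ids in run_continuous_audit():
        print(f"{code}: {', '.join(ids)}")
```

Each check is independent, so new rules can be added without touching existing ones, and the exception list is what the auditor reviews; the split-payment test shows why a rule that only looks at single transactions misses control circumvention.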

http://www.youtube.com/watch?v=pzT1Y8cYp_g

CobiT: Helping to align IT with Business Strategy

Summary of CobiT, how it helps align IT with business strategy, and how it uses performance measures.
K2 Performance Group
http://www.k2performancegroup.com

Tuesday, December 01, 2009

Security concerns regarding Cloud Computing

Gartner defines cloud computing as a style of computing where massively scalable IT-related capabilities are provided “as a service” using Internet technologies to multiple external customers.

Besides the benefits, there are risks associated with cloud computing, for example:

User administration is performed over the Internet; without an encrypted or otherwise secured connection, this traffic travels in clear text.

Browsers such as IE and Firefox may have vulnerabilities if they are not updated with the latest security patches.

Auditors need to review the criticality of the application data sent to the cloud, the cloud vendor's policy on vulnerability management, and its commitment to handling security breaches.

As with other outsourcing risks, the auditor needs to determine whether an independent auditor's report or audit rights are included in the contract or service level agreement.

Thursday, July 30, 2009

What is ITIL?

The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques for describing, managing and documenting information technology (IT) services.

What is Cloud Computing

Confused about the term "Cloud Computing"? Want to be "with the times" when you talk about new technology buzzwords? This video boils down a section of Cloud Computing, that of Cloud Infrastructure and Cloud Hosting in a way that everyone can understand!

Thursday, May 07, 2009

Audit Program for Auditing Small or Medium size Computer Operation (IT Operation)

1) Inventory

•Identify the hardware and operating systems in use.

•Determine if there is a contract for hardware and operating system support.

•Identify the vendor and the services performed.

2) Maintenance

•Is there a maintenance agreement for the computer equipment? Ensure that maintenance is performed as scheduled in the agreement.

3) Computer Room Physical Security and operational controls

Assess the adequacy of physical and operational controls of the computer operations area, including:
a. Computer room housekeeping.
b. Computer room security.
c. Expansion possibilities.
d. Personnel safety.

Computer room housekeeping.

•Is the computer room maintained in an orderly manner? Ensure that paper supplies / boxes are neatly kept to minimize outbreak of fire from spreading.

•Are wires/cables neatly arranged to prevent tripping or accidental disconnection?

Computer room security.

•Is there a dedicated computer room to house the computer equipment, e.g. servers, network equipment, switches, hubs, etc.?

•Are computer devices e.g. servers and cabling protected to prevent unauthorized access or interception?

•Are there any procedures for granting access to the computer room? Evaluate the effectiveness of the procedures.

•Is the door to the computer room always locked to prevent unauthorized access?

•Is there a physical access control system installed? Evaluate the adequacy of the system. Ensure that only authorized personnel are granted access to the computer room.

Operational controls

•Are there any fire suppression systems installed in the computer room? Evaluate the adequacy of the system. Determine whether staff are trained in its use.

•How many fire extinguishers are available on the premises? Are the fire extinguishers serviced regularly?

•Is the operating environment conducive for a computer system to be operating at desired levels? Temperature and humidity should be controlled at tolerable levels to ensure optimum usage and protection of computer hardware/software.

•Is there an Uninterruptible Power Supply (UPS) available?

4) Backup

•Determine the frequency and type of backup performed e.g. system, data. Ensure that backup media are not exposed to environmental damage.

•Are backup media appropriately labeled to avoid confusion?

•Are backup media securely stored?

•Determine if data and program files are adequately retained and backed-up at off-site facilities.

5) Disaster Recovery

Review contingency plans to determine if management has provided for alternative processing for users in the event of loss or interruption of the main computer facility.

6) Insurance Coverage

Review the adequacy of insurance coverage for IT equipment:
•Is all computer-system-related hardware insured against damage or loss?
•If insured, obtain the insurance policy to ensure completeness and adequacy of the coverage.

7) Software Licenses
•Is all software installed on the computers a licensed copy?
•Account for the original software packages purchased.

8) Output control / Report printing

•How are outputs e.g. reports distributed to user departments? Controls should be in place to ensure all reports are distributed safely to user departments.

•Is there acknowledgement of receipt? Can these reports be intercepted without being noticed?

•Is there adequate control over the printing, storage and/or destruction of sensitive documents or reports? These documents should be shredded when no longer required. Observe whether such practice is enforced.
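Two of the steps above, the inventory (1) and the software licenses (7), are reconciliations: installed copies against seats purchased, and hardware against support contracts. The following is an added example (not from the original post) of how an auditor can script those reconciliations so they can be repeated at each review; the installed-software scan, license register, hardware inventory and the review date are constructed data.

```python
"""Inventory and license reconciliation for a small IT operation (added example)."""
from collections import Counter
from datetime import date

# Constructed output of a software inventory scan: one row per installed copy.
INSTALLED = [
    ("srv01", "OfficeSuite"), ("ws01", "OfficeSuite"), ("ws02", "OfficeSuite"),
    ("ws03", "OfficeSuite"), ("srv01", "DBServer"), ("ws02", "PhotoTool"),
]

# Constructed license register: product -> seats purchased
# (step 7: "account for the original software packages purchased").
LICENSES = {"OfficeSuite": 3, "DBServer": 1, "Backup": 1}

# Constructed hardware inventory with support-contract expiry (step 1).
HARDWARE = {
    "srv01": {"os": "Linux", "support_until": date(2010, 12, 31)},
    "ws01": {"os": "Windows", "support_until": date(2009, 1, 31)},
    "ws02": {"os": "Windows", "support_until": None},
    "ws03": {"os": "Windows", "support_until": date(2011, 6, 30)},
}


def license_findings(installed=INSTALLED, licenses=LICENSES):
    """Compare installed copies per product with the seats in the register."""
    counts = Counter(product for _, product in installed)
    findings = []
    for product, n in sorted(counts.items()):
        seats = licenses.get(product)
        if seats is None:
            findings.append(("NO_LICENSE_RECORD", product, n))      # installed, never purchased
        elif n > seats:
            findings.append(("OVER_DEPLOYED", product, n - seats))  # more copies than seats
    for product, seats in sorted(licenses.items()):
        if product not in counts:
            findings.append(("UNUSED_LICENSE", product, seats))     # purchased, not installed
    return findings


def support_findings(hardware=HARDWARE, as_of=date(2010, 3, 2)):
    """Flag hardware with no support contract or one that has lapsed."""
    findings = []
    for host, rec in sorted(hardware.items()):
        until = rec["support_until"]
        if until is None:
            findings.append(("NO_SUPPORT_CONTRACT", host))
        elif until < as_of:
            findings.append(("SUPPORT_EXPIRED", host))
    return findings


if __name__ == "__main__":
    for finding in license_findings() + support_findings():
        print(finding)
```

Unused licenses are listed as well as shortfalls: both are audit points, one for compliance and one for cost.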

Monday, February 16, 2009

IT Policies

Policies are high-level documents which represent the corporate philosophy of an organization. For policies to be effective, they must be clear and concise.

Management should review all policies periodically. Policies need to be updated to reflect new technology and significant changes in business processes. The policies formulated must enable the achievement of business objectives and the implementation of controls.

IS auditors should reach an understanding of policies as part of the audit process and should test for compliance with them. Controls should flow from the policies, and IS auditors should use the policies as the benchmark for evaluating compliance. If policies hinder the achievement of business objectives, this must be reported so that they can be improved.

Monday, December 01, 2008

Internet Security

Connecting to the Internet presents security issues. The organization must have adequate controls to protect the availability, confidentiality and integrity of its data.

The company's internal network should be separated from external networks (e.g. the Internet). Typically a firewall separates the internal network from the external network. Firewalls are an essential part of network security: they protect the internal network from external threats that can compromise data, assets and resources, and even reputation.

Public and Private Network

During the application audit, determine whether the application data travels through public networks or private networks.

Public networks use public telephone lines. This may be the most economical option, but quality is lower and security measures may be ineffective. The major concern in using a public network for electronic data exchange is security: unprotected data sent across the Internet is susceptible to being viewed, copied or modified by unauthorised persons.

On an unsecured network, packets can be intercepted by a perpetrator, their contents changed, and then forwarded on to their destination with erroneous information. This kind of attack is also known as a man-in-the-middle attack. For example, an intruder can modify an order placed with a supplier over an unsecured network by, let's say, changing the order quantity from 10,000 to 10.

Private lines are dedicated facilities, e.g. satellite or telephone lines, leased from a common carrier. No dial-up access is required and security is enhanced, but leased lines are expensive to set up and maintain. Businesses have relied on private leased lines to link offices so that workers can share information over a WAN (Wide Area Network) with a high degree of privacy.

Another, relatively less expensive, solution to the security problem is a Virtual Private Network (VPN). Using a VPN, a company connects each office or LAN to an Internet Service Provider (ISP) and routes data through the Internet. The success of a VPN depends on secure encryption that protects data while in transit on the Internet.
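The order-modification scenario above (quantity changed from 10,000 to 10 in transit) is an integrity failure, and it is detected if the sender attaches a keyed message authentication code that the receiver verifies before acting on the order. The following is an added example, not from the original post, using HMAC-SHA256 over a canonical serialization of the order; the shared key, the order and the simulated in-transit modification are constructed. A VPN or TLS link provides this integrity protection (plus confidentiality) at the transport layer without the application having to do it; the example makes the check visible.

```python
"""Detecting in-transit tampering of an order message with an HMAC (added example)."""
import hashlib
import hmac
import json

# Constructed shared secret between buyer and supplier. In practice the key is
# exchanged out of band or negotiated by the VPN/TLS layer, never hard-coded.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def canonical(order):
    """Fixed key order and separators so both sides hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order, key=SHARED_KEY):
    """Buyer side: attach an HMAC-SHA256 tag computed over the order."""
    tag = hmac.new(key, canonical(order), hashlib.sha256).hexdigest()
    return {"order": order, "mac": tag}


def verify_order(message, key=SHARED_KEY):
    """Supplier side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(message["order"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["mac"])


def simulate_modification(message):
    """Simulated in-transit change from the post's example: 10,000 becomes 10.
    The attacker cannot recompute the tag without the key, so it is left as is."""
    tampered = {"order": dict(message["order"]), "mac": message["mac"]}
    tampered["order"]["quantity"] = 10
    return tampered


def demo():
    """Returns (verification of the genuine message, verification of the modified one)."""
    order = {"order_id": "PO-1", "item": "widget", "quantity": 10000}
    sent = sign_order(order)
    return verify_order(sent), verify_order(simulate_modification(sent))


if __name__ == "__main__":
    genuine_ok, tampered_ok = demo()
    print(f"genuine message accepted: {genuine_ok}")   # True
    print(f"modified message accepted: {tampered_ok}")  # False
```

The HMAC gives integrity and origin authentication but not confidentiality: the order is still readable on the wire, which is why the post's point about encryption in the VPN still stands.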

Thursday, October 16, 2008

Audit checklist for Disaster Recovery (DR) testing

Are all the user representatives included in the DR test?

Are all the critical DR activities, their sequence and the time required to complete the tasks documented? For example: pre-restoration activities, restoration activities, checking of reports after restoration, system configuration and setup of user profiles, installation of necessary tools, etc.

Is the system performance monitored in terms of the time required to complete the necessary tasks? Is it within the estimated time?

Can the necessary reports and documents be printed successfully?

Have the user representatives and IT personnel signed off the test?
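When the DR test record is kept in a structured form, the checklist above can be evaluated mechanically: user representation, a complete activity sequence, actual versus estimated durations, report printing and sign-offs. The following is an added example (not from the original post) that runs those checks over a constructed DR test record and returns the exceptions; the ten percent tolerance on estimates is an assumption.

```python
"""Checks over a DR test record against the DR testing checklist (added example)."""

# Constructed DR test record: who attended, the documented activities with
# estimated and actual durations in minutes, report results and sign-offs.
DR_TEST = {
    "user_representatives": {"finance": True, "sales": True, "warehouse": False},
    "activities": [
        {"seq": 1, "name": "pre-restoration checks", "estimated_min": 30, "actual_min": 25},
        {"seq": 2, "name": "restore database", "estimated_min": 120, "actual_min": 170},
        {"seq": 3, "name": "system configuration and user profiles", "estimated_min": 60, "actual_min": 55},
        {"seq": 5, "name": "report verification", "estimated_min": 45, "actual_min": 45},  # seq 4 undocumented
    ],
    "reports_printed": {"daily sales": True, "aged debtors": False},
    "sign_off": {"users": "j.doe", "it": None},
}


def check_dr_test(record=DR_TEST, tolerance=0.10):
    """Return the list of checklist exceptions for one DR test record."""
    findings = []

    # Checklist item 1: every user department represented.
    for dept in sorted(k for k, present in record["user_representatives"].items() if not present):
        findings.append(("USER_REP_ABSENT", dept))

    # Checklist item 2: the documented sequence has no gaps.
    seqs = [a["seq"] for a in record["activities"]]
    if seqs != list(range(1, len(seqs) + 1)):
        findings.append(("SEQUENCE_GAP", seqs))

    # Checklist item 3: actual time within the estimate (plus an assumed tolerance).
    for a in record["activities"]:
        if a["actual_min"] > a["estimated_min"] * (1 + tolerance):
            findings.append(("OVER_ESTIMATE", a["name"], a["actual_min"] - a["estimated_min"]))

    # Checklist item 4: reports printed successfully.
    for report, ok in sorted(record["reports_printed"].items()):
        if not ok:
            findings.append(("REPORT_NOT_PRINTED", report))

    # Checklist item 5: both user and IT sign-off present.
    for party, who in sorted(record["sign_off"].items()):
        if not who:
            findings.append(("SIGN_OFF_MISSING", party))
    return findings


def total_overrun_minutes(record=DR_TEST):
    """Total minutes by which activities exceeded their estimates."""
    return sum(max(0, a["actual_min"] - a["estimated_min"]) for a in record["activities"])


if __name__ == "__main__":
    for finding in check_dr_test():
        print(finding)
    print(f"total overrun: {total_overrun_minutes()} min")
```

The overrun total matters beyond the pass/fail of each task: the sum of actual durations is the evidence for whether the recovery time the plan promises is achievable.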
