
Sunday, October 15, 2006

IT Audit Standards

Almost every professional field has its own practice standards, e.g. accounting standards and IT standards. IT standards can be generic (e.g. COBIT) or specific to certain topics (BS7799 or ISO17799, which cover IT security).

IS Auditing Standards, Guidelines and Procedures are available at the ISACA website.

The IS Auditing standards cover all aspects of the IT audit process, from planning and fieldwork to report writing and communication with management.

Although they are not mandatory, they are a good starting point for becoming familiar with, and learning, best practices in the IT audit industry.


Sunday, October 08, 2006

Timing IT Audits

by: Joshua Feinberg

IT audits should be short and sweet. Typically within about four hours, you should know exactly what is going on within the company's system, what needs to be done next, how you are going to prioritize the to-do list and what additional hardware, software or other products the company needs to buy.

Because you are proposing a lot of follow-up items, there will be plenty of time to come back for more in-depth work later, so you don't want to get too involved right away. IT audits should provide an overview of issues, not immediate solutions or total fixes.

A Checklist Keeps You On Time
Limiting IT audits to four hours is as easy as coming up with about a dozen different areas you will be addressing. Because you can't look at every single PC or item in one four-hour period, keeping it to these twelve most important things can help you stay on target. The following is an example list of items and their time allocations:

1. Half an hour to an hour on the primary server, with maybe another 20 minutes allotted to a secondary server (if available).

2. A few minutes (about 15) on the LAN hub infrastructure.

3. A search for the various routers, hubs and switches, 10 to 15 minutes at a time, while making notes on what you find and any additional observations about LADs or surge protection.

4. Half an hour to 45 minutes on a few “representative PCs.”
What Is A “Representative PC”?
A representative PC is one used by one of the most important PC users in the company. You can find out who these people are by asking your company contact directly. Looking at two to four representative PCs will give you a good idea of what is happening with configurations, drive mappings and network protocols, and what kind of shape the machines are in.

IT audits should give you plenty of information about what the hot spots are for a company, what can wait a few weeks or a few months to address and also what can go into the to-do list for a long-term plan. But they should be as short as possible while still giving clients a clear idea about how their systems are functioning.

About The Author
Joshua Feinberg helps computer consultant business owners get steady, high-paying clients. Sign-up now for Joshua's free audio training that shows you how to use field-tested, proven Small Biz Tech Talk tools at http://www.SmallBizTechTalk.com/blog.


Sunday, October 01, 2006

Application Controls

In short, application controls can be categorised into:
- Data origination - preparation
- Input
- Processing
- Output

Data is prepared from the source documents before it is entered (input) into the application system, processed, and finally turned into the required information in the form of output.

COBIT version 4 has also added one more category, Boundary Controls, i.e. the controls required between two parties (sender and receiver).

As per COBIT, the following are the recommended controls:

Data Origination/Authorisation Controls

AC1 Data Preparation Procedures
Data preparation procedures are in place and followed by user departments. In this context, input form design helps ensure that errors and omissions are minimised. Error-handling procedures during data origination reasonably ensure that errors and irregularities are detected, reported and corrected.

AC2 Source Document Authorisation Procedures
Authorised personnel who are acting within their authority properly prepare source documents and an adequate segregation of duties is in place regarding the origination and approval of source documents.

AC3 Source Document Data Collection
Procedures ensure that all authorised source documents are complete and accurate, properly accounted for and transmitted in a timely manner for entry.

AC4 Source Document Error Handling
Error-handling procedures during data origination reasonably ensure detection, reporting and correction of errors and irregularities.

AC5 Source Document Retention
Procedures are in place to ensure original source documents are retained or are reproducible by the organisation for an adequate amount of time to facilitate retrieval or reconstruction of data as well as to satisfy legal requirements.

Data Input Controls
AC6 Data Input Authorisation Procedures
Procedures ensure that only authorised staff members perform data input.

AC7 Accuracy, Completeness and Authorisation Checks
Transaction data entered for processing (people-generated, system-generated or interfaced inputs) are subject to a variety of controls to check for accuracy, completeness and validity. Procedures also assure that input data are validated and edited as close to the point of origination as possible.

AC8 Data Input Error Handling
Procedures for the correction and resubmission of data that were erroneously input are in place and followed.

Data Processing Controls

AC9 Data Processing Integrity
Procedures for processing data ensure that separation of duties is maintained and work performed is routinely verified. The procedures ensure that adequate update controls such as run-to-run control totals and master file update controls are in place.

AC10 Data Processing Validation and Editing
Procedures ensure that data processing validation, authentication and editing are performed as close to the point of origination as possible. Individuals approve vital decisions that are based on artificial intelligence systems.

AC11 Data Processing Error Handling
Data processing error-handling procedures enable erroneous transactions to be identified without being processed and without undue disruption of the processing of other valid transactions.

Data Output Controls

AC12 Output Handling and Retention
Handling and retention of output from IT applications follow defined procedures and consider privacy and security requirements.

AC13 Output Distribution
Procedures for the distribution of IT output are defined, communicated and followed.

AC14 Output Balancing and Reconciliation
Output is routinely balanced to the relevant control totals. Audit trails facilitate the tracing of transaction processing and the reconciliation of disrupted data.

AC15 Output Review and Error Handling
Procedures assure that the provider and relevant users review the accuracy of output reports. Procedures are also in place for identification and handling of errors contained in the output.

AC16 Security Provision for Output Reports
Procedures are in place to assure that the security of output reports is maintained for those awaiting distribution as well as those already distributed to users.

Boundary Controls

AC17 Authenticity and Integrity
The authenticity and integrity of information originated outside the organisation, whether received by telephone, voice mail, paper document, fax or e-mail, are appropriately checked before potentially critical action is taken.

AC18 Protection of Sensitive Information During Transmission and Transport
Adequate protection against unauthorised access, modification and misaddressing of sensitive information is provided during transmission and transport.
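To show how the input and processing controls above look in practice, here is an added Python example (not from COBIT or this blog) of a batch run that applies AC7 edit checks to each record, rejects bad records without halting the others (AC11), and balances the run to the batch header's record count and amount control total (AC9 run-to-run totals, AC14 output balancing). The batch header, records and field names are constructed for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
# Constructed sample batch (not real data): a header with the control totals keyed by
# the input department, then the records. T002 has a letter O in its amount, T004 no account.
BATCH_HEADER = {"expected_count": 4, "expected_total": Decimal("1250.00")}
BATCH_RECORDS = [
    {"id": "T001", "account": "ACC-100", "amount": "500.00"},
    {"id": "T002", "account": "ACC-101", "amount": "25O.00"},
    {"id": "T003", "account": "ACC-102", "amount": "300.00"},
    {"id": "T004", "account": "", "amount": "200.00"},
]

@dataclass
class RunResult:
    accepted: list = field(default_factory=list)       # ids passed to the next run
    rejected: list = field(default_factory=list)       # (id, reason) for resubmission (AC8)
    accepted_total: Decimal = Decimal("0.00")
    discrepancies: list = field(default_factory=list)  # control-total breaks to report

def validate_record(rec):
    """AC7 edit checks on one record; returns the failure reason or None."""
    if not rec.get("account"):
        return "missing account"
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        return "amount not numeric"
    return None if amount > 0 else "amount must be positive"

def process_batch(header, records):
    """Run the batch: isolate bad records (AC11), then balance to the header (AC9/AC14)."""
    result = RunResult()
    for rec in records:
        err = validate_record(rec)
        if err:
            result.rejected.append((rec["id"], err))  # hold for correction, keep going
            continue
        result.accepted.append(rec["id"])
        result.accepted_total += Decimal(rec["amount"])
    seen = len(result.accepted) + len(result.rejected)
    if seen != header["expected_count"]:
        result.discrepancies.append(f"count {seen} != header {header['expected_count']}")
    if result.accepted_total != header["expected_total"]:
        result.discrepancies.append(f"total {result.accepted_total} != header {header['expected_total']}")
    return result

def batch_balanced(result):
    """True only when every record was accepted and both control totals agree."""
    return not result.rejected and not result.discrepancies
```

A run that is out of balance is reported with the rejected ids and the control-total breaks rather than silently posting the accepted records, which is the reconciliation evidence an auditor asks for under AC14.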
