IT AUDIT MANUAL
PART 1 IT AUDIT FRAMEWORK
INTRODUCTION
The use of Information and Communication
Technology (ICT) within government entities has become increasingly
significant in recent years, particularly following greater use of
the Internet and organisational intranets. Technology has increased
the amount of data and information being processed and has
significantly changed the control environment. ICT is now a
key component of government entities' business strategies and core
business processing activities. The management of ICT risk has
therefore been elevated within entities and now forms a key part of
corporate governance. Accordingly, the effective and efficient
management of ICT is vital to the success of most entities.
As computer technology has advanced,
government organisations have become increasingly dependent on
computerised information systems to carry out their business
operations and service delivery and to process, maintain and report
essential information. There is also an increasing range of ICT
vulnerabilities and threats that have to be managed effectively and
efficiently. As a consequence, the confidentiality, integrity,
availability and reliability of computerised data, and of the systems
that process, maintain and report these data, are a major concern to
audit. IT auditors evaluate the effectiveness and efficiency of IT
controls in information systems and related operations to ensure
they are operating as intended.
IT AUDIT
IT audit is the process of collecting and
evaluating evidence to determine whether a computer system has been
designed to maintain data integrity, safeguard assets, allow
organisational goals to be achieved effectively and use resources
efficiently. An effective information system leads the organisation
to achieve its objectives; an efficient information system uses
minimum resources in achieving the required objectives. IT auditors
must know the characteristics of the users of the information system
and the decision-making environment in the auditee organisation when
evaluating the effectiveness of any system.
Use of computer facilities has brought
about radically different ways of processing, recording and
controlling information and has combined many previously separate
functions. The potential for material systems error has thereby been
greatly increased, at great cost to the organisation. The highly
repetitive nature of many computer applications means that small
errors may lead to large losses. For example, an error in the
calculation of income tax to be paid by employees in a manual system
will not recur in every case, but once an error is introduced into a
computerised system it will affect every case processed. This makes
it imperative for the auditor to test the invisible processes and to
identify the vulnerabilities in a computer information system, as the
costs arising from errors and irregularities can be high.
Increasing use of computers for processing
organisational data has added new scope to the review and evaluation
of internal controls for audit purposes. IT internal controls are of
great value in any computerised system, and it is an important task
for an auditor to see not only that adequate controls exist, but that
they also work effectively to ensure results and achieve objectives.
Internal controls should also be commensurate with the assessed risk,
so as to reduce the impact of identified risks to acceptable levels.
IT auditors need to evaluate the adequacy of internal controls in
computer systems to mitigate the risk of loss due to errors, fraud
and other acts, and disasters or incidents that cause the system to
be unavailable.
NEED FOR IT AUDIT
Management employing information systems has objectives and
expectations of what it intends to achieve from the large investment
made in technology. Reasons for implementing ICT within the
organisation include the desire to obtain business value through
reduced costs, greater effectiveness, enhanced efficiency and/or
improved service delivery. It is against these objectives that an IT
auditor is required to provide management assurance. Typically,
management's goals and objectives in utilising technology to support
business processes include:
• Confidentiality;
• Integrity;
• Availability;
• Reliability; and
• Compliance with legal and regulatory
requirements.
Underpinning these goals and objectives is
the need to ensure information technology, and the controls
supporting such technology, assists the organisation to achieve its
business objectives (effectiveness) with appropriate use of
resources (efficiency).
Confidentiality
Confidentiality concerns the protection of
sensitive information from unauthorised disclosure. Consideration
needs to be given to the sensitivity of the data, as this determines
how stringent the controls over access to it should be. Management
needs assurance of the organisation's ability to keep information
confidential, as compromises of confidentiality can cause significant
harm to public reputation, particularly where the information relates
to sensitive client data.
Integrity
Integrity refers to the accuracy and
completeness of information as well as to its validity in accordance
with business values and expectations. It is an important audit
objective because it provides assurance to both management and
external report users that the information produced by the
organisation's information systems can be relied upon and trusted
when making business decisions.
Availability
Availability relates to information being
available when required by the business process now and in the
future. It also concerns the safeguarding of necessary resources and
associated capabilities. Given the high-risk nature of keeping
important information stored on computer systems, it is important
that organisations gain assurance that the information they need for
decision-making is available when required. This implies ensuring
that the organisation has measures in place to ensure business
continuity and ensuring that recovery can be made in a timely manner
from disasters so that information is available to users as and when
required.
Reliability
Reliability refers to the degree of
consistency of a system, or the ability of a system (or component) to
perform its required function under stated conditions. Reliability is
an important audit objective in order to provide assurance that the
system consistently operates and performs its stated functions as
expected.
Compliance with Legal and Regulatory
Requirements
Compliance deals with complying with those
laws, regulations and contractual obligations to which the business
process is subject, that is, externally imposed business criteria.
Management and key stakeholders require assurance that necessary
compliance procedures have been put in place, as there is a
potential risk that the organisation could incur penalties should
legal and regulatory procedures not be enforced.
IT AUDIT STANDARDS
There is wide recognition that the
specialised nature of IT auditing and the skills necessary to
perform such audits, require standards that apply specifically to IT
auditing. In response to this need, various professional and
government organisations develop and maintain standards and
guidelines for IT auditing.
The professional standards provide a
framework for all audits and auditors and define the mandatory
requirements of the audit. They are a broad statement of auditors
responsibilities and ensure that auditors have the competence,
integrity, objectivity and independence in planning, conducting and
reporting on their work. The guidelines supporting the professional
standards assist the auditor to apply the standards and provide
examples that an IT Auditor might follow to meet these standards.
In addition to IT auditing standards, IT
auditors need to be alert to other laws, regulations, or other
authoritative sources that may impact upon the conduct of an IT
audit.
IT AUDIT OBJECTIVES
The objective of undertaking an IT audit
is to evaluate an auditee's computerised information system (CIS) in
order to ascertain whether the CIS produces timely, accurate,
complete and reliable information outputs, as well as ensuring
confidentiality, integrity, availability and reliability of data and
adherence to relevant legal and regulatory requirements. Audit
objectives will vary according to the nature or category of audit.
The objectives of undertaking an IT audit
as a component of a financial statement audit include to:
• Understand how well management
capitalises on the use of information technology to improve its
important business processes;
• Understand the pervasive effect of
information technology on the client’s important business processes,
including the development of the financial statements and the
business risks related to these processes;
• Understand how the client’s use of
information technology for the processing, storage and communication
of financial information affects the internal control systems and
our consideration of inherent risk and control risk;
• Identify and understand the controls
that management uses to measure, manage and control the information
technology processes; and
• Conclude on the effectiveness of
controls over the information technology processes that have a
direct and important impact on the processing of financial
information.
Where IT audit is involved in a
performance audit, the objectives of the audit are further defined
by the role IT plays in the audit.
• If the performance audit has an IT
focus, the objective will be to seek assurance that all aspects of
the IT systems, including the necessary controls, are being
effectively enforced.
• The performance audit could
alternatively be examining the efficiency and effectiveness of a
business process or government programme, with IT audit involved
because IT is critical to the organisation's ability to deliver those
services. In that case the focus of the IT audit is to provide
assurance that the IT systems can be relied upon to help deliver
those services. The efficiency and effectiveness of the services are
then examined from a non-IT perspective, after considering the impact
that IT has on the organisation's ability to deliver them.
IT CONTROLS
IT controls involve an entity's board of
directors, management and other senior personnel and are designed to
provide reasonable assurance regarding the achievement of objectives
in the following categories:
• Effectiveness and efficiency of
operations
• Reliability of financial reporting
• Compliance with applicable laws and
regulations
IT controls in a CIS include all the
manual and programmed methods, policies and procedures that ensure
the protection of the entity's assets, the accuracy and reliability
of its records and operational adherence to management standards.
The IDKK IT Audit methodology uses a
top-down, risk-oriented approach in the evaluation of controls. The
following steps provide an overview of the tasks involved in review
of IT controls:
Phase: Planning
Description: This phase facilitates the IT auditor in gaining an
understanding of the agency, its organisational structure and
operations. The IT auditor obtains an understanding of the entity's
computer related operations and controls and related risks in view
of inherent IT risks. From this understanding the auditor evaluates
the overall IT control environment and makes a preliminary risk
assessment. The results of the assessment will guide the extent of
procedures to be employed in subsequent phases of the audit.

Phase: Verification and Testing
Description: During this phase of auditing, IT auditors obtain
detailed information on control policies, procedures and objectives
and perform tests of control activities. The objectives of these
tests are to determine if controls are operating effectively. General
controls as well as application controls must be effective to help
ensure the confidentiality, integrity, availability and reliability
of critical computer processed data.

Phase: Reporting
Description: During the reporting phase, the IT auditor draws
conclusions and develops a report in order to communicate the
objectives of the audit, the audit scope, the methodology adopted and
the findings, conclusions and recommendations.
In a CIS environment, the control components
found in manual systems must still exist. However, the use of
computers affects the implementation of these components in several
ways. IT controls are used to mitigate the risks associated with the
IT environment and application systems and are broadly classified
into three categories. These controls are part of the overall
internal control process within any auditee's organisation:
• General Controls
• Application Controls
• Specific Controls
General Controls
General controls include controls over
data centre operations, system software acquisition and maintenance,
access security and application system development and maintenance.
They create the environment in which the application systems and
application controls operate. Examples include IT policies,
standards and guidelines pertaining to IT security and information
protection, application software development and change controls,
segregation of duties, business continuity planning, IT project
management, etc.
General IT controls are concerned with the
auditee’s IT infrastructure, including any IT related policies,
procedures and working practices. They are not specific to
individual transaction streams or particular accounting packages or
financial applications. In most instances the general controls
elements of an IT review will concentrate on the auditee’s IT
department or similar function.
Categories of general control include:
• Organisation and Management (IT policies
and standards);
• IT Operation Controls;
• Physical Controls (access and
environment);
• Logical Access Controls;
• Acquisition and Programme Change
Controls; and
• Business Continuity and Disaster
Recovery Controls.
Application Controls
Application controls pertain to specific
computer applications. They include controls that help to ensure the
proper authorisation, completeness, accuracy and validity of
transactions, maintenance and other types of data input. Examples
include system edit checks of the format of entered data to help
prevent possible invalid inputs, system enforced transaction
controls that prevent users from performing transactions that are
not part of their normal duties and the creation of detailed reports
and transaction control totals that can be balanced by various units
to the source data to ensure all transactions have been posted
completely and accurately.
Application controls are unique to an
application and may have a direct impact on the processing of
individual transactions. These controls are used to provide
assurance (primarily to management) that all transactions are valid,
complete, authorised and recorded.
Since application controls are closely
related to individual transactions it is easier to see why testing
the controls will provide the auditor with audit assurance as to the
accuracy of a particular account balance. For example, testing the
controls in a payroll application would provide assurance as to the
payroll figure in an auditee’s accounts. It would not be obvious
that testing the auditee’s general IT controls (e.g. change control
procedures) would provide a similar level of assurance for the same
account balance.
As they are related to transaction streams
application controls normally include:
• Controls over the input of transactions;
• Controls over processing;
• Controls over output; and
• Controls over standing data and master
files.
Many application controls are simply computerised versions of manual
controls, e.g. computerised authorisation by a supervisor using an
access code rather than putting a signature on a piece of paper.
Specific Controls
Specific controls address control issues peculiar to a particular
environment, including:
• Network and Internet controls, including the risks associated with
networks and the Internet and the controls over them;
• End user computing controls, including the risks associated with
end user computing and the associated controls;
• e-Governance;
• IT Security Policy; and
• Outsourcing Policy.
Information System Development Audit
An information system development audit ensures that controls over
the entire development process, from the initial idea or proposal to
acceptance of a fully operational system, are satisfactorily complied
with.
While the IT auditor may not be an IT developer, programmer or
technician, the auditor's overall contribution is generally to ensure
that:
• Controls are identified and developed
into the new system;
• Controls exist to manage the project and
development project decisions are transparent;
• Predetermined standards are set (and
followed);
• Development specifications make sense
and are cost effective;
• That future technology improvements are
considered;
• Systems are robust and reliable, secure
from unwanted interference and
auditable; and
• The development objectives are clear and
achievable.
Efficiency of systems is an important
aspect of system capability that leads to effective use of
resources. A key is controlling system development to prevent cost
overruns and systems that do not perform as required.
PART 2 IT CONTROL AUDIT
SCOPE
The purpose of the IT Control Audit module
of these Guidelines is to provide guidance and procedures to IT
Auditors for application in the areas of risks, controls and audit
considerations related to Information Systems. It also assists IT
Auditors in the scope of issues that generally should be considered
in any review of computer related controls over the integrity,
confidentiality and availability of electronic data.
DEFINITION OF IT CONTROLS
The capabilities of computer systems
have advanced rapidly over the past several decades. In many
organisations, the entire data has been computerised and all the
information is available only in digital media. In this changed
scenario, auditors have to adapt their methodology to changed
circumstances. While the overall control objectives do not
change in an IT environment, their implementation does.
The approach of auditors to evaluate internal controls has to change
accordingly.
IT controls in a computer information system are all the manual and
programmed methods, policies and procedures that ensure the
protection of the entity's assets, the accuracy and reliability of
its records and operational adherence to management standards.
CONTROLS IN A COMPUTERISED ENVIRONMENT
In an IT environment, the control
components found in manual systems must still exist. However, the
use of computers affects the implementation of these components in
several ways. Information technology controls are used to mitigate
the risks associated with application systems and the IT environment
and are broadly classified into three categories: general controls,
application controls and specific controls.
The presence of controls in a computerised system is significant from
the audit point of view because such systems may allow duplication of
input or processing and may conceal or make invisible some of the
processes. In some auditee organisations the computer systems are
operated by third party service providers employing their own
standards and controls, which makes these systems vulnerable to
remote and unauthorised access.
An IT control audit involves two types of testing: compliance testing
and substantive testing. Compliance testing determines whether
controls are being applied in the manner described in the programme
documentation or as described by the auditee. In other words, a
compliance test determines whether controls are being applied in a
manner that "complies with" management policies and procedures.
Substantive testing "substantiates" the adequacy of existing controls
in protecting the organisation from fraudulent activity and
encompasses substantiating the reported results of processing
transactions or activities. With the help of computer assisted audit
tools and techniques (CAATTs), the IT auditor can plan for 100 per
cent substantive testing of the auditee's data rather than relying on
a sample.
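The distinction between the two kinds of test is easiest to see on data. The following script is an added example written for this manual, not the manual's own procedure or any real CAATT product: it runs a compliance test (was the approval control applied as management describes it, i.e. an approver other than the preparer, within that approver's limit, before posting?) and a substantive test over 100 per cent of a payments file (recompute the reported total, find gaps and duplicates in the voucher sequence). The approval limits, the seven vouchers and the reported total are constructed for illustration.

```python
"""Compliance testing versus substantive testing of a payments extract.

Added example, not code from the manual. Approval limits, vouchers and the
reported total are constructed assumptions for illustration.
"""
from collections import Counter
from datetime import datetime
from decimal import Decimal

# Assumed approval limits per approver, as stated in management's procedure.
APPROVAL_LIMITS = {"alice": Decimal("5000.00"), "bob": Decimal("20000.00")}

# Constructed extract of every payment voucher in the period (100 per cent).
PAYMENTS = [
    {"voucher": 1001, "vendor": "V01", "amount": "1200.00", "prepared_by": "carol",
     "approved_by": "alice", "approved_at": "2024-03-01T09:00", "posted_at": "2024-03-01T10:00"},
    {"voucher": 1002, "vendor": "V02", "amount": "7500.00", "prepared_by": "carol",
     "approved_by": "alice", "approved_at": "2024-03-02T09:00", "posted_at": "2024-03-02T10:00"},  # over alice's limit
    {"voucher": 1003, "vendor": "V03", "amount": "3000.00", "prepared_by": "bob",
     "approved_by": "bob", "approved_at": "2024-03-03T09:00", "posted_at": "2024-03-03T10:00"},  # self-approved
    {"voucher": 1004, "vendor": "V01", "amount": "800.00", "prepared_by": "carol",
     "approved_by": None, "approved_at": None, "posted_at": "2024-03-04T10:00"},  # no approval at all
    {"voucher": 1006, "vendor": "V04", "amount": "15000.00", "prepared_by": "carol",
     "approved_by": "bob", "approved_at": "2024-03-05T12:00", "posted_at": "2024-03-05T11:30"},  # approved after posting
    {"voucher": 1007, "vendor": "V05", "amount": "2500.00", "prepared_by": "dave",
     "approved_by": "bob", "approved_at": "2024-03-06T09:00", "posted_at": "2024-03-06T10:00"},
    {"voucher": 1007, "vendor": "V05", "amount": "2500.00", "prepared_by": "dave",
     "approved_by": "bob", "approved_at": "2024-03-06T09:00", "posted_at": "2024-03-06T10:00"},  # posted twice
]
# Constructed figure from the period's payments report that is to be substantiated.
REPORTED_TOTAL = Decimal("30000.00")


def compliance_test(payments, limits):
    """Compliance test: was the approval control applied to each voucher as
    described? Returns {voucher: [exception codes]} for failures only."""
    exceptions = {}
    for p in payments:
        found = []
        approver = p["approved_by"]
        if approver is None:
            found.append("NO_APPROVAL")
        else:
            if approver == p["prepared_by"]:
                found.append("SELF_APPROVAL")
            # An approver with no limit on file is treated as having a limit of 0.
            if Decimal(p["amount"]) > limits.get(approver, Decimal("0")):
                found.append("OVER_APPROVAL_LIMIT")
            if datetime.fromisoformat(p["approved_at"]) > datetime.fromisoformat(p["posted_at"]):
                found.append("APPROVED_AFTER_POSTING")
        if found:
            exceptions.setdefault(p["voucher"], []).extend(found)
    return exceptions


def substantive_test(payments, reported_total):
    """Substantive test over the whole population: recompute the reported
    figure and check the voucher sequence for gaps and duplicates."""
    recomputed = sum((Decimal(p["amount"]) for p in payments), Decimal("0"))
    counts = Counter(p["voucher"] for p in payments)
    lo, hi = min(counts), max(counts)
    return {
        "recomputed_total": recomputed,
        "difference": recomputed - reported_total,
        "sequence_gaps": [v for v in range(lo, hi + 1) if v not in counts],
        "duplicate_vouchers": sorted(v for v, n in counts.items() if n > 1),
    }


if __name__ == "__main__":
    for voucher, codes in sorted(compliance_test(PAYMENTS, APPROVAL_LIMITS).items()):
        print("compliance exception", voucher, ",".join(codes))
    print("substantive", substantive_test(PAYMENTS, REPORTED_TOTAL))
```

The compliance test says nothing about whether the figures are right; it only reports where the control did not operate (vouchers 1002, 1003, 1004 and 1006 here). The substantive test says nothing about the control; it shows that the reported total is 2,500.00 short of the population, that voucher 1005 is missing and that 1007 was posted twice. Both are needed, and a weak compliance result is the usual reason to extend substantive work to the full population.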
Controls play a more important role
in IT environment than in the manual system. Auditors rely
on assessment of controls to do their audit. However, the
controls have changed in IT environment. So, as auditors we have to
be aware of the impact of computer on the controls. In an IT
environment, there are new causes and sources of error, which bring
new risks to the entity.
General Controls
General controls include
controls over data centre operations, system software acquisition
and maintenance, access security and application system development
and maintenance. They create the environment in which the
application systems and application controls operate. Examples
include IT policies, standards and guidelines pertaining to IT
security and information protection, application software
development and change controls, segregation of duties, business
continuity planning, IT project management, etc.
General controls are
concerned with the organisation’s IT infrastructure, including
any IT related policies, procedures and working practices.
They are not specific to individual transaction streams or
particular accounting packages or financial applications.
In most instances the general controls elements of an IT review will
concentrate on the organisation's IT department or similar function.
The major categories of general controls that an auditor should
consider are:
- Organisation and Management Controls
- IT Operation Controls
- Physical Controls
- Logical Access Controls
- IT Acquisition Controls
- Programme Change Controls
- Business Continuity and Disaster Recovery Controls
Application Controls
Application Controls pertain
to specific computer applications. They include controls that
help to ensure the proper authorisation, completeness,
accuracy and validity of transactions, maintenance and other types
of data input. Examples include system edit checks of the
format of entered data to help prevent possible invalid
inputs, system enforced transaction controls that prevent
users from performing transactions that are not part of their
normal duties and the creation of detailed reports and transaction
control totals that can be balanced by various units to the source
data to ensure all transactions have been posted completely and
accurately. Application controls include controls over input,
processing, output and master/standing data files.
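The input, processing, output and master-file controls described here (and in the Application Controls section of Part 1) are concrete enough to be written down. The script below is an added example for this manual, not the manual's own procedure or any auditee's code: it applies format and master-file edit checks to a keyed payroll batch, enforces the processing rule that an employee is paid once per period, and produces the output control totals that a posting unit would balance back to the batch header slip. The field names, employee master, reasonableness limit and the six keyed records are constructed for illustration.

```python
"""Application-control checks over a constructed payroll input batch.

Added example, not code from the manual. Records, field names, the master
file, the limit and the batch header are constructed assumptions.
"""
import re
from decimal import Decimal, InvalidOperation

EMP_ID_FORMAT = re.compile(r"^E\d{4}$")
PERIOD_FORMAT = re.compile(r"^\d{4}-(0[1-9]|1[0-2])$")
MAX_GROSS = Decimal("50000.00")   # assumed reasonableness limit per pay period

# Constructed standing data (master file): employee id -> cost centre.
MASTER = {"E1001": "CC10", "E1002": "CC10", "E1004": "CC20", "E1005": "CC30"}

# Constructed batch as keyed by the data-entry unit; comments mark the defects
# the controls are expected to catch.
BATCH = [
    {"emp_id": "E1001", "period": "2024-03", "gross": "3500.00", "cost_centre": "CC10"},
    {"emp_id": "E1002", "period": "2024-03", "gross": "4200.00", "cost_centre": "CC10"},
    {"emp_id": "E10X3", "period": "2024-03", "gross": "3900.00", "cost_centre": "CC20"},  # malformed id
    {"emp_id": "E1004", "period": "2024-13", "gross": "4100.00", "cost_centre": "CC20"},  # month 13
    {"emp_id": "E1005", "period": "2024-03", "gross": "-50.00", "cost_centre": "CC30"},   # negative pay
    {"emp_id": "E1002", "period": "2024-03", "gross": "4200.00", "cost_centre": "CC10"},  # keyed twice
]

# Constructed batch header slip: totals recorded by the data-entry unit at input.
BATCH_HEADER = {"record_count": 6, "gross_total": Decimal("19850.00")}


def edit_check(rec, master):
    """Input control: return the list of edit failures for one record."""
    errors = []
    if not EMP_ID_FORMAT.match(rec["emp_id"]):
        errors.append("EMP_ID_FORMAT")
    elif rec["emp_id"] not in master:
        errors.append("EMP_NOT_IN_MASTER")          # validity against standing data
    elif master[rec["emp_id"]] != rec["cost_centre"]:
        errors.append("COST_CENTRE_MISMATCH")
    if not PERIOD_FORMAT.match(rec["period"]):
        errors.append("PERIOD_FORMAT")
    try:
        gross = Decimal(rec["gross"])
    except InvalidOperation:
        errors.append("GROSS_NOT_NUMERIC")
    else:
        if gross < 0 or gross > MAX_GROSS:
            errors.append("GROSS_OUT_OF_RANGE")     # reasonableness / sign check
    return errors


def process_batch(batch, master):
    """Run the edit checks, then the processing control that each employee is
    paid once per period. Returns (accepted records, [(record, reasons)])."""
    accepted, rejected, seen = [], [], set()
    for rec in batch:
        errors = edit_check(rec, master)
        key = (rec["emp_id"], rec["period"])
        if not errors and key in seen:
            errors.append("DUPLICATE_EMP_PERIOD")
        if errors:
            rejected.append((rec, errors))
        else:
            seen.add(key)
            accepted.append(rec)
    return accepted, rejected


def control_totals(accepted, rejected):
    """Output control: the totals the posting unit balances to the slip."""
    rejected_recs = [rec for rec, _ in rejected]
    return {
        "accepted_count": len(accepted),
        "accepted_gross": sum((Decimal(r["gross"]) for r in accepted), Decimal("0")),
        "rejected_count": len(rejected_recs),
        "rejected_gross": sum((Decimal(r["gross"]) for r in rejected_recs), Decimal("0")),
    }


def reconcile(totals, header):
    """Completeness check: every keyed record is either posted or on the
    rejection report, and the amounts agree with the batch header."""
    count_ok = totals["accepted_count"] + totals["rejected_count"] == header["record_count"]
    gross_ok = totals["accepted_gross"] + totals["rejected_gross"] == header["gross_total"]
    return count_ok and gross_ok


if __name__ == "__main__":
    acc, rej = process_batch(BATCH, MASTER)
    tot = control_totals(acc, rej)
    for rec, why in rej:
        print("REJECT", rec["emp_id"], rec["period"], ",".join(why))
    print("totals", tot, "reconciled:", reconcile(tot, BATCH_HEADER))
```

Note that the rejected records are carried into the control totals rather than dropped: the completeness assertion is that accepted plus rejected equals what was keyed, which is what lets the auditor conclude that nothing silently fell out between input and posting.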
Specific Controls
Specific controls are peculiar to a particular environment and
emphasise controls related to issues such as network and Internet
use, end user computing, e-governance, IT security and outsourcing.
PRELIMINARY EVALUATION
Guidelines should encompass a preliminary evaluation of the computer
systems covering:
- How the computer function is organised;
- Use of computer hardware and software;
- Applications processed by the computer and their relative
significance to the organisation; and
- Methods and procedures laid down for implementation of new
applications or revisions to existing applications.
In the course of the preliminary evaluation, the auditor should
ascertain the level of control awareness in the auditee organisation
and the existence (or non-existence) of control standards. The
preliminary evaluation should inter alia identify potential key
controls and any serious key control weaknesses. For each control
objective the auditor should state whether or not the objective has
been achieved; if not, the auditor should assess the significance
and risks arising from the control deficiencies.
The results of the preliminary assessment provide the basis for
determining the extent and type of subsequent testing. If IT
auditors obtain evidence at a later stage that specific control
objectives are not being met, they may find it necessary to
re-evaluate their earlier conclusions and other planning decisions
based on the preliminary assessment.
During the preliminary assessment phase of IT auditing, the IT
auditor gains an understanding of the entity's operations and
identifies the computer related operations that are significant to
the audit. This also facilitates the IT auditor in assessing inherent
risk and control risk, making a preliminary assessment of whether
general IT controls are likely to be effective, and identifying the
general controls that would require testing.
AUDIT OF GENERAL CONTROLS
The IT auditor will focus on general controls that normally pertain
to an entity's major computer facilities and systems supporting a
number of different IT applications, such as major data processing
installations or local area networks. If general controls are weak,
they severely diminish the reliability of the controls associated
with individual IT applications, i.e. application controls.
The manual identifies critical elements that are basic and essential
for ensuring that adequate controls are in place. The IT auditor may
use this information in evaluating the practices adopted by the
auditee's organisation.
Organisational and Management Controls
These are the high level controls adopted by management to ensure
that the computer systems function correctly and that they satisfy
business objectives. The aim of the IT auditor is to determine
whether the controls that the auditee organisation has put in place
are sufficient to ensure that IT activities are adequately
controlled. In carrying out an assessment, the IT auditor should
cover the following areas.
Control Objectives
- IT Planning and Senior Management Involvement: To ensure that
senior management is actively involved in IT planning and
implementation, so that IT is given the recognition, attention and
resources it requires to meet business objectives, and that a formal
IT organisation structure exists in which all staff know their roles
and responsibilities, preferably through written and agreed job
descriptions.
- Formal Organisational Chart and Job Descriptions
- Personnel and Training Policies
- Documentation and Document Retention Policies
- Internal Audit Involvement
- Legal and Regulatory Compliance: To ensure compliance with legal
and regulatory requirements. These vary from one country to another
and may include data protection and privacy legislation to protect
personal data on individuals, computer misuse legislation making
attempted hacking and unauthorised computer access a criminal
offence, and copyright laws to prevent the theft of computer
software.
- Segregation of Duties: Segregation of duties is a proven way of
ensuring that transactions are properly authorised and recorded and
that assets are safeguarded. Separation of duties occurs when one
person provides a check on the activities of another. It is also
used to prevent one person from carrying out an activity from start
to finish without the involvement of another person.
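In a computerised system the segregation described above is enforced through the roles and functions granted in the application's security tables, so the auditor's test is usually an entitlement review of a user-role extract. The script below is an added example for this manual, not the manual's own procedure or any application's code: it takes a conflict matrix of functions that should not be held by one person, the functions each role grants and the roles assigned to each user, and reports both users whose combined roles breach the matrix (with the roles that contribute each side, which is what a recommendation needs) and roles that are conflicting by design. The functions, roles, users and conflict pairs are constructed for illustration.

```python
"""Segregation-of-duties review of a user-role extract.

Added example, not code from the manual. Functions, roles, users and the
conflict matrix are constructed assumptions for illustration.
"""

# Constructed conflict matrix: pairs of functions that must be held by
# different people so that no one can carry an activity from start to finish.
CONFLICTS = {
    frozenset({"payment_prepare", "payment_approve"}),
    frozenset({"vendor_master_maintain", "payment_release"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"user_admin", "payment_release"}),
}

# Constructed role definitions: role -> functions it grants.
ROLES = {
    "AP_CLERK": {"payment_prepare", "vendor_inquiry"},
    "AP_SUPERVISOR": {"payment_approve", "vendor_master_maintain"},
    "TREASURY": {"payment_release"},
    "GL_ACCOUNTANT": {"journal_post"},
    "GL_MANAGER": {"journal_approve"},
    "SYSADMIN": {"user_admin"},
    "AP_ALL": {"payment_prepare", "payment_approve"},   # conflicting by design
}

# Constructed user-role extract as pulled from the application's security tables.
ASSIGNMENTS = {
    "carol": {"AP_CLERK"},
    "alice": {"AP_SUPERVISOR", "TREASURY"},
    "bob": {"AP_CLERK", "AP_SUPERVISOR"},
    "dave": {"GL_ACCOUNTANT"},
    "erin": {"SYSADMIN", "TREASURY"},
}


def conflicting_pairs(functions, conflicts):
    """Sorted conflict pairs that are wholly present in one set of functions."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= functions)


def effective_functions(user, assignments, roles):
    """Union of the functions granted through every role the user holds.
    A role missing from the role table is an error, not something to skip."""
    functions = set()
    for role in assignments[user]:
        if role not in roles:
            raise KeyError(f"user {user} holds undefined role {role}")
        functions |= roles[role]
    return functions


def role_design_conflicts(roles, conflicts):
    """Roles that bundle conflicting functions: a finding against role design
    regardless of who holds the role."""
    return {name: conflicting_pairs(funcs, conflicts)
            for name, funcs in roles.items() if conflicting_pairs(funcs, conflicts)}


def user_sod_violations(assignments, roles, conflicts):
    """Users whose combined roles give them a conflicting pair, with the roles
    that contribute to the conflict. A conflict that arises only from the
    combination of two individually clean roles is still a violation."""
    findings = {}
    for user in assignments:
        functions = effective_functions(user, assignments, roles)
        for pair in conflicting_pairs(functions, conflicts):
            via = sorted(r for r in assignments[user] if roles[r] & set(pair))
            findings.setdefault(user, []).append((pair, via))
    return findings


if __name__ == "__main__":
    for role, pairs in role_design_conflicts(ROLES, CONFLICTS).items():
        print("role design conflict", role, pairs)
    for user, items in sorted(user_sod_violations(ASSIGNMENTS, ROLES, CONFLICTS).items()):
        for pair, via in items:
            print("SoD violation", user, pair, "via", via)
```

Two points the output makes that a policy document cannot: bob holds no conflicting role, yet AP_CLERK plus AP_SUPERVISOR together let him prepare and approve a payment, and erin's user_admin role matters because someone who can change entitlements can grant themselves anything else. Where an entity is too small to remove a conflict, the auditor's follow-up is to look for a compensating control, such as an independent review of the transactions that user processed.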
Risk Areas
An IT auditor should be aware of the following critical elements:
- Inadequate management involvement may lead to a directionless IT
function which, in turn, does not serve the business needs. This may
give rise to problems such as the financial systems being unable to
meet new reporting requirements (which may arise from a change in
national accounting standards or a change in government
requirements).
- Poor reporting structures leading to inadequate decision making.
This may affect the organisation's ability to deliver its services
and may affect its future as a going concern (one of the fundamental
accounting principles).
- Inappropriate or no IT planning leading to business growth being
constrained by a lack of IT resources; e.g. the manager reports to
the chief executive that the system is unable to cope with an
increase in sales. Overloading a computer system may lead to
degradation or unavailability through communication bottlenecks or
system crashes.
- Ineffective staff who do not understand their jobs (either through
inadequate recruitment policies or a lack of staff training or
supervision). This increases the risk of staff making mistakes and
errors.
- Disgruntled staff being able to sabotage the system, for example
when staff find out they are going to be disciplined or made
redundant.
- An ineffective internal audit function which cannot satisfactorily
review the computer systems and associated controls.
- Loss of the audit trail due to inadequate document retention
policies (covering both paper and magnetic or optical media); and
- Security policies not in place or not enforced, leading to
security breaches, data loss, fraud and errors.
Management establishes and approves the policies. The policies are
usually high level statements of intent. The policies may feed into
standards, and detailed procedures (and controls) flow from the
standards. While reviewing an organisation's IT policies and
standards, the auditor should bear in mind that each auditee
organisation is likely to be different and to have different
organisational and management requirements. The auditor may assess
whether the client's organisational structure, and the place of IT
within that structure, is appropriate.
Audit Procedures
IT Planning and Senior Management Involvement
The roles and responsibilities of senior management in relation to
their systems should be considered in the audit. The auditor should
review the high level controls exercised by senior management. An
important element in ensuring that projects achieve the desired
results is the involvement of senior management. An important
consideration for the auditor is whether a relevant committee
involving senior management has been established for the
organisation's computerisation projects.
This committee is involved in the formulation of the information
strategic plan, which should cover the following aspects:
- Effective management of information technology is a business
imperative and increasingly a source of competitive advantage. The
rapid pace of technological change, together with declining unit
costs, is providing organisations with increasing potential for:
  - enhancing the value of existing products or services;
  - providing new products and services; and
  - introducing alternative delivery mechanisms.
- To benefit from information technology requires foresight to
prepare for the changes, planning to provide an economical and
effective approach, and effort and commitment in making it happen.
- Information technology planning provides a structured means of
addressing the impact of technologies, including emerging
technologies, on an organisation. Through the planning process,
relevant technologies are identified and evaluated in the context of
the broader business goals and targets. Based on a comparative
assessment of relevant technologies, the direction for the
organisation can be established.
- The implementation of information technologies may be a complex,
time consuming and expensive process for organisations. Information
technology planning provides a framework to approach and schedule,
wherever possible, necessary information technology projects in an
integrated manner. Through this process, performance milestones can
be agreed upon, the scope of specific projects established, resources
mobilised and constraints or limitations identified. Without
effective planning, the implementation of information technologies
may be misguided, haphazard, delayed and more expensive than
justified.
Personnel and Training
Staff employment policies should be adopted to ensure that
appropriate staff are chosen. There should also be policies and
procedures to deal with the other end of the employment cycle, i.e.
termination (whether voluntary or compulsory). When employing new
members of IT staff, the organisation would be expected to take
account of:
- Background checks, including taking up references (in some
countries it may be possible to check for criminal convictions);
- Confidentiality agreements, which state that the employee will not
reveal confidential information to unauthorised third parties; and
- Codes of conduct, covering contractual relationships with
relatives, the acceptance of gifts, conflicts of interest, etc.
Documentation and Document Retention Policies
The auditor may also need to examine client documentation to
test-check individual transactions and account balances. The
policy on documentation should state that all system
documentation should be kept up to date and that only the latest
versions should be used. The policy may also state that backup
copies of documentation should be stored in a secure off-site
location.
Ultimately, if the organisation does not retain sufficient,
appropriate evidence the auditor would have difficulty in being
able to provide an unqualified audit opinion. The auditor should
consider two types of documentation according to the audit
approach:
- Compliance Testing: the auditor would require evidence of
controls in operation during the accounting period. This
evidence may consist of reconciliations, signatures, reviewed
audit logs etc.
- Substantive Testing: assurance may require the auditor to
examine evidence relating to individual transactions. The auditor
may need to be able to trace transactions from initiation
through to their summarisation in the accounts. Where
transaction details are recorded in computer systems they should
be retained for audit inspection.
There may be other, non-audit requirements which require the
organisation to retain transaction documentation, e.g. specific
requirements of legislation and regulations.
Internal Audit Involvement
The external auditor may assess whether the quality of internal
audit’s work is acceptable, in terms of planning, supervision,
review and documentation. The external auditor can view the
organisation’s internal audit function as part of the overall
control structure (since it helps prevent, detect and correct
control weaknesses and errors).
The external auditor should consider whether the IT audit
department has the staff necessary to carry out competent
reviews on the organisation’s computer systems.
Legal and Regulatory Compliance
It may be assessed whether the organisation is aware of local
requirements and has taken appropriate measures to ensure
compliance.
Segregation of Duties
Evidence of separation of duties can be obtained by obtaining
copies of job descriptions and organisation charts and by
observing the activities of IT staff. Where computer systems use
security profiles to enforce separation of duties, the auditor
should review on-screen displays or printouts of employees’
security profiles in relation to their functional
responsibilities.
The ability to apply and enforce adequate separation of duties
is largely dependent upon the size of the IT department and the
number of computer staff involved. Lack of segregated duties in
a small computer department can be addressed by compensating
controls, e.g. regular management checks and supervision, the
use of audit trails and manual controls. However, in a large
computer department the following IT duties should be adequately
segregated:
In addition to segregated duties within the IT department, there
should be no staff with dual IT department and finance
department duties. The computer department should be physically
and managerially separate from end users, such as finance and
personnel. Segregation of duties reduces the risk of fraud since
collusion would be required to bypass the control.
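As an added illustration (not part of this manual), the following script performs the profile review described above over a constructed printout of security profiles: it maps each privilege to a duty role and flags users who hold conflicting roles or dual IT and finance duties, applying the rules this part states (no dual IT and finance duties; operations staff neither input transactions nor program applications). User names, departments and privilege names are constructed.

```python
# Added example (not from the audit manual): segregation-of-duties check over a
# constructed printout of employees' security profiles, using the manual's rules:
# operations staff neither input transactions nor program applications, and
# nobody holds dual IT and finance department duties.
from itertools import combinations

# Privileges as they appear on a security profile, mapped to duty roles
# (constructed privilege names).
PRIVILEGE_TO_ROLE = {
    "JOB_SCHEDULER": "operations",
    "BACKUP_ADMIN": "operations",
    "SYSTEM_UTILITY": "operations",
    "GL_POST": "transaction_input",
    "AP_INVOICE_ENTRY": "transaction_input",
    "SOURCE_EDIT": "application_programming",
    "COMPILE_DEPLOY": "application_programming",
}

# Pairs of roles that must never be held by the same person.
CONFLICTING_ROLES = {
    frozenset({"operations", "transaction_input"}),
    frozenset({"operations", "application_programming"}),
    frozenset({"application_programming", "transaction_input"}),
}

def find_conflicts(profiles):
    """Return {user: [finding, ...]}; profiles = {user: {"dept", "privileges"}}."""
    findings = {}
    for user, prof in profiles.items():
        roles = {PRIVILEGE_TO_ROLE[p] for p in prof["privileges"]
                 if p in PRIVILEGE_TO_ROLE}
        issues = [f"conflicting roles {a}/{b}"
                  for a, b in combinations(sorted(roles), 2)
                  if frozenset({a, b}) in CONFLICTING_ROLES]
        # Dual IT / finance duty is flagged whichever department employs the user.
        if prof["dept"] == "IT" and "transaction_input" in roles:
            issues.append("IT staff with finance transaction input rights")
        if prof["dept"] == "Finance" and roles - {"transaction_input"}:
            issues.append("finance staff with IT department duties")
        if issues:
            findings[user] = issues
    return findings

# Constructed sample printout: ops02 and fin01 should be flagged, others clean.
SAMPLE_PROFILES = {
    "ops01": {"dept": "IT", "privileges": ["JOB_SCHEDULER", "BACKUP_ADMIN"]},
    "ops02": {"dept": "IT", "privileges": ["JOB_SCHEDULER", "GL_POST"]},
    "dev01": {"dept": "IT", "privileges": ["SOURCE_EDIT", "COMPILE_DEPLOY"]},
    "fin01": {"dept": "Finance", "privileges": ["AP_INVOICE_ENTRY", "SYSTEM_UTILITY"]},
}
```

Running find_conflicts(SAMPLE_PROFILES) reports ops02 (operations plus transaction input) and fin01 (finance staff holding a system utility), while ops01 and dev01 pass.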
IT Operation Controls
Control Objectives
The roles of IT operations include the following:
- Capacity Planning: i.e. ensuring that the computer systems will
continue to provide a satisfactory level of performance in the
longer term. This will involve IT operations staff having to make
estimates of future CPU requirements, disk storage capacity and
network load capacity.
- Performance Monitoring: monitoring the day-to-day performance
of the system in terms of measures such as response time.
- Initial Program Loading: booting up the systems, or installing
new software.
- Media Management: includes the control of disks and tapes,
CD-ROMs, etc.
- Job Scheduling: a job is normally a process or sequence of
batch processes which are run overnight or in the background and
which update files etc. Jobs are normally run periodically,
either daily, weekly, monthly, quarterly or annually.
- Back-ups and Disaster Recovery: backups of data and software
should be carried out by IT operations staff on a regular basis.
- Help Desk and Problem Management: help desks are the day-to-day
link between users with IT problems and the IT department. They
are the ones users call when they have a printer problem or
forget their password. Problems may be encountered with
individual programmes (applications and system), hardware, or
telecommunications.
- Maintenance: both hardware and software.
- Network Monitoring and Administration: the IT operations
function is given the responsibility to ensure that
communication links are maintained and to provide users with the
approved level of network access.
Risk Areas
The risks associated with poorly controlled computer operations
are:
- Wrong Applications Run, Incorrect Versions or Wrong
Configuration Parameters: e.g. the system clock and date being
incorrect, which could lead to erroneous interest charges,
payroll calculations etc.
- Loss or Corruption of Financial Applications or the Underlying
Data Files: may result from improper or unauthorised use of
system utilities. The IT operations staff may not know how to
deal with processing problems or error reports. They may cause
more damage than they fix.
- Delays and Disruptions in Processing: wrong priorities may be
given to jobs.
- Lack of Backups and Contingency Planning: increases the risk of
being unable to continue processing following a disaster.
- Lack of System Capacity: the system may be unable to process
transactions in a timely manner because of overload, or lack of
storage space preventing the posting of any new transactions.
- High Amount of System Downtime to Fix Faults: when the systems
are unavailable a backlog of unposted transactions may build up.
- Unresolved User Problems: due to a poor help-desk function.
Users may attempt to fix their own problems.
Audit Procedures
Service Level Agreements (SLA)
It is increasingly common for IT departments to draw up and
agree service level agreements with the rest of the
organisation, i.e. the user departments. This allows users to
specify and agree, preferably in writing, what levels of service,
in terms of quantity and quality, they should receive. SLAs are
in effect internal service delivery contracts.
A typical SLA would contain the following:
- General provisions (including the scope of the agreement, its
signatories and the date of the next review);
- Brief description of services (functions, applications and
major transaction types);
- Service hours (normal working hours and special occasions such
as weekends and bank holidays);
- Service availability (percentage availability, maximum number
of service failures and the maximum downtime per failure);
- User support levels (help desk details);
- Performance (response times, turnaround times);
- Contingency (brief details of plans);
- Security (including compliance with the organisation’s IT
security policy); and
- Restrictions (maximum number of transactions, users).
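As an added illustration (not from this manual), the script below tests a constructed incident log against the availability terms an SLA lists (percentage availability, maximum number of service failures, maximum downtime per failure), counting only outage time that falls within the SLA's service hours. The SLA figures, the service hours (08:00 to 18:00, Monday to Friday) and the incident records are all constructed.

```python
# Added example (not from the audit manual): checking recorded service failures
# against the availability terms an SLA typically states (percentage
# availability, maximum number of failures and maximum downtime per failure).
# The SLA figures, service hours and incident records below are constructed.
from datetime import datetime, timedelta

# Constructed SLA terms for one service; availability is measured over the
# SLA's service hours, here 08:00-18:00 Monday to Friday.
SLA = {"availability_pct": 99.5, "max_failures": 3, "max_downtime_min": 60}

def service_minutes(start, end):
    """Minutes of scheduled service time between two datetimes (Mon-Fri 08:00-18:00)."""
    total = 0
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if day.weekday() < 5:
            open_, close = day + timedelta(hours=8), day + timedelta(hours=18)
            lo, hi = max(open_, start), min(close, end)
            if hi > lo:
                total += int((hi - lo).total_seconds() // 60)
        day += timedelta(days=1)
    return total

def assess_sla(sla, period_start, period_end, incidents):
    """Return measured figures for the period and the breaches found against the SLA."""
    scheduled = service_minutes(period_start, period_end)
    downtimes = [service_minutes(s, e) for s, e in incidents]  # in-hours outage only
    lost = sum(downtimes)
    availability = 100.0 * (scheduled - lost) / scheduled
    breaches = []
    if availability < sla["availability_pct"]:
        breaches.append(f"availability {availability:.2f}% below {sla['availability_pct']}%")
    if len(downtimes) > sla["max_failures"]:
        breaches.append(f"{len(downtimes)} failures exceed maximum of {sla['max_failures']}")
    for n, d in enumerate(downtimes, 1):
        if d > sla["max_downtime_min"]:
            breaches.append(f"failure {n} lasted {d} min, over {sla['max_downtime_min']} min limit")
    return {"scheduled_min": scheduled, "lost_min": lost,
            "availability_pct": round(availability, 2), "breaches": breaches}

# Constructed incident log for the week Mon 2024-03-04 to Fri 2024-03-08.
PERIOD = (datetime(2024, 3, 4), datetime(2024, 3, 9))
INCIDENTS = [
    (datetime(2024, 3, 5, 9, 0), datetime(2024, 3, 5, 9, 30)),    # 30 min in hours
    (datetime(2024, 3, 6, 17, 30), datetime(2024, 3, 6, 19, 0)),  # 30 min in hours
    (datetime(2024, 3, 7, 2, 0), datetime(2024, 3, 7, 4, 0)),     # out of hours: 0 min
]
```

For this week assess_sla(SLA, *PERIOD, INCIDENTS) measures 3000 scheduled minutes, 60 lost, 98.00% availability, and reports a single breach of the 99.5% availability term; the failure count and per-failure downtime limits are met.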
Management Control, Review and Supervision
Operations staff should be supervised by management. From the
standpoint of separation of duties, operations staff should not
be given the job of inputting transactions or any form of
application programming.
The organisation’s IT systems may have on them software
utilities which could conceivably be used to make unauthorised
amendments to data files. Operations staff with access to such
software should be supervised to ensure that they only use the
utilities for authorised purposes.
Management will be unable to provide continuous monitoring of
operations staff and may place some reliance on the automatic
logging and monitoring facilities built into the systems. The
events which are recorded in the logs will depend on the
parameters set when the systems were installed. As with most
logging systems, a large quantity of data can be produced in a
short period.
Effective supervision over IT operations staff is often
difficult to achieve, due to their high level of technical
knowledge. They could do things to the system which management
would not detect, or even recognise the significance of if they
did detect a change. Therefore, to a certain extent, management
must place a high degree of trust in IT operations staff, and
that trust will be based on appropriate staff selection and
vetting procedures (as per the organisational and management
controls discussed in the previous topic).
Training and Experience