Typical objective of an operational audit is to determine whether an entity's

To minimize interference from the system audit process, there must be controls to safeguard operational systems and audit tools during system audits.

To assist with an audit using this methodology, the auditor should develop a questionnaire that contains questions pertinent to the controls implemented by the organization. Examples of both standards documents and checklists are included in the appendix to this book. In cases where you are only evaluating the security of a certain area within your organization, not all controls are relevant; use your judgment, based on individual requirements, to decide which controls apply.

In the individual system chapters of this book, a number of tools that may be used in the creation of the checklist have been included.


URL: //www.sciencedirect.com/science/article/pii/B9781597492669000072

Security Policy Overview

Craig Wright, in The IT Regulatory and Standards Compliance Handbook, 2008

Simple Steps to Assess the Security Posture

To ensure compliance of systems with organizational security policies and standards, the security of IT systems should be regularly reviewed and checked.

System Audit Considerations

To minimize interference either to or from the system audit process, controls should be implemented to safeguard the operational systems and audit tools for the duration of any system audit. Here are some of the policy questions to ask in an audit [from SANS] that may be used when determining the effects of policy:

Do the managers know the mission statement?

If you wander around the organization without a badge, does anyone challenge you?

Were you able to call someone who was willing to send you documents that have not been approved for public release?

Did you run a password assessment tool, and discover that half the passwords are named after the employees' favorite sports teams [that's a bad sign]?

A few simple questions can help determine the level of security controls at a site. Here are some ways to assess the level of security controls in an organization:

Evaluate the commitment of senior management to physical, information, and intellectual property security. At the same time, evaluate the level of risk senior management is willing to accept. If there is no commitment from senior management, there cannot be a culture of security.

Evaluate the presumption of privacy, including phone and network monitoring.

Do employees have a reasonable expectation that the files on their computers and their phone and Internet communications are protected?

Does company policy allow random physical searches, and is there an active search program?

Is the perimeter configured to allow all connections initiated inside the organization?

What is the level of employee awareness of security practice?

Do employees know procedures for developing and protecting information systems?

Is the employee able to add software or modify settings on the desktop system?

Are administrators able to make changes without going through a formal configuration-management approval program?

Can the internal auditors name a dozen technical security protective or detective controls without looking for them?

Understand where the organization is on the path towards developing a culture of security; this helps distinguish perception from reality. It is necessary if a baseline that may be used to evaluate policy is to be established. This process most commonly starts with a mission statement, vision statement, or high-level policy that communicates the core vision. Communication and dissemination of the vision is a slow process that never ends if it is to remain effective.


URL: //www.sciencedirect.com/science/article/pii/B9781597492669000060

External Auditing

Stephen D. Gantz, in The Basics of IT Audit, 2014

Relevant source material

External IT auditors work from a foundation of general auditing standards and guidance, including procedures and guidelines used in conventional financial and operational audits. In addition to Generally Accepted Auditing Standards and International Standards on Auditing [ISA], guidance widely used in external auditing includes the Statements on Auditing Standards and Statements on Standards for Attestation Engagements issued by AICPA [16] and the ISA and International Standards on Assurance Engagements [ISAE] published by the International Federation of Accountants [17]. Procedural guidance and standards specifically focused on external auditing applicable to IT audits include:

ISO 19011, Guidelines for Auditing Management Systems[1].

Guidance from AICPA on Reporting on Controls at a Service Organization[18,19].

ISAE 3402, Assurance Reports on Controls at a Service Organization[20].

ISACA’s Standards for IS Auditing[21].


URL: //www.sciencedirect.com/science/article/pii/B9780124171596000043

IT Audit Components

Stephen D. Gantz, in The Basics of IT Audit, 2014

Utilization

In the utilization phase, the system or services the project is intended to deliver are available for use, and the focus of the project shifts from preparing for deployment to actively operating and maintaining the system in a manner that continuously satisfies user needs. A system in the utilization phase is typically subject to routine operational audits to evaluate the ongoing efficiency and effectiveness of the system and the business processes it supports. Organizations may also perform a variety of IT-specific audits addressing the system overall or any of its components. In contrast, audits of IT projects in the utilization phase focus on verifying that the system as deployed provides the intended functionality and complies with applicable technical requirements and standards, relying on documented evidence such as test results, control assessments, and approvals from authorized personnel within the organization. Project audits at this phase also seek to ensure that the resources specified and provisioned for the operational system are correct and sufficient and that necessary support functions are in place so that administrative and support responsibilities can successfully be transitioned.


URL: //www.sciencedirect.com/science/article/pii/B9780124171596000067

Internal Auditing

Stephen D. Gantz, in The Basics of IT Audit, 2014

Establishing the IT audit program

The audit program is the formally defined department, business unit, or function within an organization responsible for planning, performing, and reporting the results of all internal audit activities. The scope of operations for an internal audit program typically comprises all types of audits the organization conducts, including financial and non-IT operational audits as well as audits of IT controls, procedures, environments, and capabilities. Large organizations or organizations of any size that specialize in IT-intensive operations or that provide IT services may have dedicated IT audit programs. In many cases, however, IT auditing is a specialized function within a more broadly focused internal audit program. As shown in Figure 3.2, the internal audit program operates under the supervision of a Chief Audit Executive [CAE] and reports through the CAE to the audit committee of the organization’s Board of Directors. The existence and exact composition of the audit committee depends on the type of organization, but audit committee members typically must not be part of the management team to ensure the committee’s independence. The audit committee in many large organizations is responsible for overseeing both external and internal audit activities, regardless of how many different business units or functions have responsibility for performing or supporting various types of auditing. The CAE [or equivalent role designated with an alternate title] is responsible for the internal audit program, which typically comprises multiple audit managers and groups of auditors with specialized expertise suited to conducting the different types of internal audits needed by the organization.

Figure 3.2. An internal audit program works under the supervision of an audit executive or comparable member of the senior management team and reports to the audit committee of the organization’s Board of Directors.

Smaller organizations may not have boards of directors or dedicated executive oversight for auditing, but organizations of any size with a formal internal audit program need a member of the executive team with responsibility for the program and a full understanding of the key audiences and stakeholders for internal audits.

The general characterization of an internal audit program and its reporting structure comes primarily from the context of publicly traded companies [or, to be more specific, issuers of securities, as these companies are referred to in United States or European Community regulations], as current U.S. regulations applicable to such organizations require, as a condition of listing on a regulated exchange, the existence of an audit committee within boards of directors and mandate external and internal examination of internal controls with results reported to the audit committee [8,9]. While public sector organizations often do not have individual boards of directors, in government agencies in the United States and many other countries the position of Inspector General is functionally equivalent to the CAE in a commercial organization, and offices of inspectors general serve as internal audit programs. Not all organizations recognizing the need for or value of internal auditing have the same formal management and oversight, although boards of directors are typically in place in many privately held commercial firms and nonprofit organizations. Even without a formal organization structure and reporting relationships, the functional roles and responsibilities for internal auditing summarized in Table 3.1 are similar across most organizations. More variation exists regarding the presence of a dedicated IT audit function: some organizations maintain IT auditing capabilities only to satisfy requirements associated with financial, operational, or compliance audits, often relying on internal auditors whose skills and experience include IT subject areas. Organizations with formal IT governance, IT-centric risk management, or control certification programs may be more likely to have dedicated IT audit programs.

Table 3.1. Internal Audit Roles and Responsibilities

Role: CAE [alternately called Chief Auditor, Director of Audit, Lead Auditor, or equivalent title]
Responsibilities:
• Oversees the internal audit function within the organization
• Reports directly to the audit committee

Role: Audit committee
Responsibilities:
• Subset of the Board of Directors, typically comprising only independent directors
• Provides oversight of internal and external auditing
• Required for public company boards of directors under the Sarbanes–Oxley Act

Role: Management team
Responsibilities:
• Key members of the management team, such as the CEO, COO, and CFO, typically in consultation with the full Board of Directors, approve budgets and resource allocations for the internal audit program

Role: Board of Directors
Responsibilities:
• Considers audit reports and recommendations and makes decisions regarding actions to take in response to audit findings

Role: Audit Manager
Responsibilities:
• Responsible for ensuring the proper conduct of specific types of audits [financial, operational, IT] within the audit program
• Supervises one or more teams of internal auditors

Role: Auditor
Responsibilities:
• Performs audits, working alone or as part of a team depending on the type and scope of audit activities needed
• Develops and maintains knowledge and subject matter expertise relevant to the types of audits performed
• Reports to the Audit Manager and/or the CAE

Role: Operations Manager
Responsibilities:
• Ensures access is afforded to auditors when components or processes under the Manager’s responsibility are audited
• Furnishes or assigns resources as needed to support audits and, as applicable, provides information to auditors

Role: Operations staff
Responsibilities:
• Supports or facilitates audits of components or processes operated by staff
• May be observed, interviewed, asked to demonstrate controls, or otherwise provide evidence to auditors

With respect to IT auditing, the word program is often used to refer to the department or functional unit within an organization that performs audits. In some published reference books and available online sources of guidance from professional associations, however, the term connotes a set of explicit procedures for completing particular types of IT audits. This second usage of audit program has the same meaning as protocol, checklist, or guide in referring to step-by-step instructions and examination methods used in IT auditing. Internal IT auditors need to be aware of the correct organization-specific connotation of these terms, and when incorporating externally developed guidelines and materials should both recognize and seek to avoid the potential for confusion from different usage or interpretation of these terms by different sources.

Internal audit program charter

The audit program charter describes the purpose of the internal audit program, including external and internal needs the program is intended to address and, in particular, the relationship between the audit program and governance, risk management, compliance, and other enterprise management functions. No matter where the internal audit program is positioned within the structure of the organization, its existence, purpose, and authority need to be formally documented and communicated throughout the organization to help ensure that internal auditing activities are viewed in the proper context. Organizations that do not communicate this type of information about their internal audit programs are likely to encounter misperceptions or fear about internal audits and may find operations personnel hesitant or resistant to cooperate with auditors. Audit program charter templates and associated guidance on creating charters are publicly available from professional associations such as the IIA [10] or ISACA [11]. Recommended contents for an audit program charter include clear statements of purpose, authority, and commitment to independence and objectivity; descriptions of roles and responsibilities including reporting relationships within the organization; delineation of the scope of audit program activities; explanation of the basic operating structure; and any standards, frameworks, or guidelines explicitly adopted or adhered to by the audit program. The charter also specifies the types of activities to be conducted by the audit program, including developing and maintaining organizational audit strategy and audit plans, as well as structuring and performing audits and reporting their results.
The audit charter typically describes the roles and responsibilities for functions or personnel outside the audit program, including establishing points of contact for program communications to management and to the departments, or business units responsible for aspects of the organization that will be audited. In summary, the audit charter touches on all of the areas for which the audit program is responsible, including those illustrated in Figure 3.3.

Figure 3.3. The internal IT audit program’s responsibilities include defining strategic and operational planning, selecting auditing tools, procedures and resources, conducting audits and reporting their results, and ensuring audit program quality.

Internal IT auditing has its own domain-specific principles, practices, assumptions, and vocabulary, all of which may be well understood by personnel working within the audit program but less familiar to others in the organization who interact with auditors. Clarity of purpose, intent, and terminology can be just as important for operations staff and managers responsible for parts of the organization subject to internal audit as they are for auditors. The internal audit program can facilitate such an understanding by making audit plans and procedures available to those in the organization who will undergo audits or will provide support to audit activities.

Internal audit program responsibilities

As the organizational function that manages and conducts IT and other types of audits, the internal audit program is responsible for creating and executing the overall audit strategy for the organization and, potentially, domain-specific strategies or plans for IT, operational, compliance, and other types of internal audits. The audit strategy declares the goals and objectives that the internal audit program seeks to achieve and specifies outcomes or performance metrics against which to measure the success of the program in meeting its objectives. The internal audit program executes the strategy using one or more audit plans that define what will be audited, by whom, at what frequency, and with what protocols, standards, or criteria. Both the audit strategy and audit plans typically refer to a formally documented audit universe: an inventory of all assets, business processes, programs, functions, and components within the organization that may be subject to audit. The audit strategy may explain the process and criteria by which organizational decisions are made about what to audit and when. Audit plans reflect the application of prioritization criteria to establish the set of audit activities that will be undertaken during the period the plan covers. Organizations often update or revise their audit strategies when significant changes occur in mission focus, operating environment, regulatory requirements, or market conditions. Audit plans typically span a shorter time horizon than strategies, reflecting annual or quarterly budgeting and investment cycles or schedules associated with major projects or organizational initiatives. Regardless of intended duration, audit program managers need to align audit plans with known or anticipated audit needs and the availability of program funding, auditors, or other resources.

The audit program [or different units within the program where an organization maintains separate audit teams to address different domains or types of audits] develops or selects the audit methodologies, procedures, and protocols to be used in each type of audit the organization needs to perform. The breadth of processes, operating environments, technologies, and controls potentially subject to IT auditing can present many challenges, from specifying the right set of audit criteria to apply to ensuring the reliability and validity of audit procedures conducted by different teams or individuals. Defining standard audit protocols is one way to help ensure the quality and consistency of internal IT audits, especially for types of audits an organization needs to perform more than once. It can be equally important for auditors to have explicit instructions when conducting a particular type of audit for the first time, to make sure the audit covers the subject matter at an appropriate depth and level of rigor. While organization-specific characteristics may justify the use of internally developed audit protocols, for a large proportion of IT audits there are available checklists, technical configuration specifications, and sources of procedural guidance that organizations can use as-is or adapt to suit different IT audit needs. External guidance is often available addressing IT audits in particular industries, such as the IT Examination Handbook [12] from the Federal Financial Institutions Examination Council [FFIEC] or the American Institute of Certified Public Accountants’ [AICPA] guide, Reporting on Controls at a Service Organization [13].
In addition to purpose-specific audit protocols, an audit program also typically defines policies and standards addressing how auditors should perform their examinations, preferred testing methods for different kinds of controls, types of evidence required to substantiate findings, and formats and templates to be used to produce reports and other audit documentation. Available management standards used to assess the quality of internal auditing, such as ISO 19011, can provide guidance to organizations regarding the policies, procedures, and other elements the audit program should have in place [6]. Organizations seeking to operate their internal audit programs in accordance with relevant international standards should plan to undertake periodic quality audits of the audit program itself, following standards such as ISO 19011 or the American Society for Quality’s Auditing Handbook[14].

Internal IT auditors tasked with performing audits of specific technical components or IT-related processes or functions can often adapt or incorporate externally defined audit protocols or checklists. Where suitable for meeting internal objectives, using these sources saves time compared to developing such protocols from scratch, and also introduces a level of commonality or consistency across audits and auditors that can help ensure the reliability of audits performed by the internal audit program. Achieving audit process consistency also corresponds to a higher degree of maturity for the audit program through implementing well-defined and proven program elements. For example, ISACA offers a variety of IT audit and assurance resources based on standards and guidelines in its IT assurance framework [15].

Perhaps the most obvious responsibility assigned to the internal audit program is performing audits. Operating from its position of independence within the organization structure, the audit program assigns auditors and other resources following the audit plans it has developed and approved. The set of audit activities conducted in a given time frame should reflect appropriate organizational priorities based on criteria such as business or asset value, assessed risk, internal policies, or regulations or other external drivers. These priorities affect IT audits as well as other types of audits, although the risk factors and other drivers typically differ for IT audits compared to financial, quality, or operational audits. The performance of each IT audit should follow established audit protocols, leveraging available methodologies and tools as appropriate, and should result in the development and delivery of an audit report and associated supporting evidence. A thorough description of IT auditing appears in Chapter 8. One advantage to internal over external forms of auditing is the flexibility organizations often have to engage in informal or partial audits when resources or audit priorities constrain the ability of the audit program to address all desired areas. IT auditing by definition represents a formally structured process, but that does not mean that auditors or other personnel cannot conduct some types of tests or control examinations as needed, without committing to the full procedural and documentation requirements specified for formal audits. Informal auditing can be especially useful in situations where an organization is working to improve operational controls or remediate weaknesses found in previous audits—informal audits offer an opportunity to verify if corrective actions have been taken and to try to determine if those actions have properly addressed the weaknesses and mitigated corresponding risk.

The results of internal audits are typically documented in formal reports and communicated to the organizational executive in charge of the audit program and the audit committee. The CAE is responsible for providing status reports or updates on internal audit activity to the audit committee to facilitate the effective monitoring and oversight of the internal audit program by the committee. Where weaknesses and corresponding risks have been identified, the audit committee has an important role in reviewing and approving recommendations for corrective action. Members of the audit committee are typically independent directors and therefore may not have the familiarity with day-to-day operations needed to fully understand the implications of audit findings and recommendations. Determining the appropriate courses of action to respond to audit findings often requires collaboration among the audit program, operational personnel, organizational management, and the audit committee.


URL: //www.sciencedirect.com/science/article/pii/B9780124171596000031

IT Audit Drivers

Stephen D. Gantz, in The Basics of IT Audit, 2014

Government sector laws

Government organizations in the United States, Canada, European Union member nations, and many other countries are subject to separate security, privacy, and information technology management laws that strongly influence their internal and external IT auditing activities. Legislation focused on IT management or operations, such as the Information Technology Management Reform Act of 1996 in the United States, emphasizes the effective allocation of government resources in acquiring, implementing, operating, maintaining, and disposing of information technology [18]. The same IT governance and service management frameworks used in commercial organizations are available for use in the public sector [indeed, the Information Technology Infrastructure Library [ITIL] was originally developed by an agency of the government of the United Kingdom], but in many countries formal implementation of such frameworks in government agencies is uncommon. Instead, many government organizations develop and implement information resources management strategies seeking to increase the efficiency of IT operations, particularly by reducing duplication of IT investment across multiple agencies. Where government-wide laws or regulations do exist, agencies’ IT management practices are subject to both internal examination and external audit by designated national oversight authorities or “supreme audit institutions” such as the US Government Accountability Office, Canada’s Office of the Auditor General, China’s National Audit Office, India’s Comptroller and Auditor General, and Russia’s Accounts Chamber [19]. Government organizations in many countries are also subject to explicit public sector security and privacy legislation that gives special emphasis to protecting government infrastructure and information systems and safeguarding information collected, used, or held by government about their citizens.

The range of sector-specific laws imposing operational requirements or audit needs on organizations means that large or complex organizations with operations that cross industries are subject to multiple, potentially overlapping, sets of laws and regulations. For example, publicly traded diversified services companies like AXA Group, Cigna, and UnitedHealth Group operate as financial services and health insurance firms, subject to laws including Sarbanes–Oxley, GLBA, and HIPAA. Similarly, a government agency involved in health-care delivery or administration is subject to HIPAA in addition to the Federal Information Security Management Act [FISMA], the Privacy Act, and other laws applicable only to government agencies.

What is the main objective of an operational audit?

Operational/controls audits provide an unbiased evaluation of processes, systems, and operations and determine whether internal controls are in place and operating effectively to mitigate risks and ensure that organizational goals and objectives are met.

What is typically performed in an operational audit?

An operational audit refers to a method of examining how an organization conducts business. It requires analyzing the processes, procedures and systems used within the company. This type of audit looks beyond the organization's financial circumstances and examines its management practices.

What is the main objective of the audit of an entity's financial statements?

The objective of an audit of financial statements is to enable an auditor to express an opinion as to whether the financial statements are prepared, in all material respects, in accordance with International Financial Reporting Standards or another identified financial reporting framework.

What is the purpose of an operational audit?

Purpose: The purpose of operational auditing of internal control is to evaluate efficiency and effectiveness. Scope: The scope of operational auditing concerns any control affecting efficiency or effectiveness.
