ashisdesai@gmail.com
Enterprise Information Systems
Prepared By: Ashish Desai
IPCC
NEED FOR AUDIT OF INFORMATION SYSTEMS
IS AUDIT AND AUDIT EVIDENCE
INHERENT LIMITATIONS OF AUDIT
CONCURRENT OR CONTINUOUS AUDIT
AUDITING ENVIRONMENTAL CONTROLS
AUDITING PHYSICAL SECURITY CONTROLS
AUDITING LOGICAL ACCESS CONTROLS
MANAGERIAL CONTROLS AND THEIR AUDIT TRAILS
APPLICATION CONTROLS AND THEIR AUDIT TRAILS
ROLES AND RESPONSIBILITIES
INDIVIDUAL ROLES AND RESPONSIBILITIES
JOB TITLES AND JOB DESCRIPTIONS
SEGREGATION OF DUTIES CONTROLS
SOME EXAMPLES OF SEGREGATION OF DUTIES CONTROLS
IS Auditing is defined as the process of attesting (that is, providing assurance on) objectives that focus on asset
safeguarding and data integrity, together with management objectives (those of the internal auditor) that
include both effectiveness and efficiency.
This enables organizations to better achieve four major objectives, which are as follows:
NEED FOR AUDIT OF INFORMATION SYSTEMS
Asset Safeguarding Objectives:
The information system assets (hardware, software, data information etc.) must be
protected by a system of internal controls from unauthorized access.
Data Integrity Objectives:
Data integrity is a fundamental attribute of IS Auditing. An organization needs to maintain the integrity of
its data at all times. It is also important from the business perspective of the decision maker, the
competition and the market environment.
System Effectiveness Objectives:
Effectiveness of a system is evaluated by auditing the characteristics and objective of
the system to meet business and user requirements.
System Efficiency Objectives:
The aim is to optimize the use of the various information system resources (machine time,
peripherals, system software and labor), along with their impact on the computing
environment.
NEED FOR AUDIT OF INFORMATION SYSTEMS
Organizational Costs of Data Loss:
Data is a critical resource of an organization for its present and future processes and for its
ability to adapt and survive in a changing environment.
Cost of Incorrect Decision Making:
Management and operational controls exercised by managers involve detection,
investigation and correction of processes. These high-level decisions require accurate
data to produce quality decision rules.
Costs of Computer Abuse:
Unauthorized access to computer systems, malware, unauthorized physical access to
computer facilities and unauthorized copying of sensitive data can lead to destruction of
assets (hardware, software, data, information etc.).
Value of Computer Hardware, Software and Personnel:
These are critical resources of an organization and have a considerable impact on its
infrastructure and business competitiveness.
High Costs of Computer Error:
In a computerized enterprise environment where many critical business processes are
performed, a data error during entry or processing can cause great damage.
Maintenance of Privacy:
Today, data collected in a business process also contains private information about
individuals. Such data was collected before computers too, but now there is a fear
that privacy has eroded beyond acceptable levels.
Controlled Evolution of Computer Use:
The use of technology and the reliability of complex computer systems cannot be guaranteed,
and the consequences of using unreliable systems can be destructive.
IS AUDIT AND AUDIT EVIDENCE
According to SA-230, Audit Documentation refers to the record of audit procedures
performed, relevant audit evidence obtained, and conclusions the auditor reached (terms
such as "working papers" or "work papers" are also sometimes used).
Evidence is also necessary for the following purposes:
Means of controlling current audit work;
Evidence of audit work performed;
Schedules supporting or additional items in the accounts; and
Information about the business being audited, including its recent history.
In an IS environment, the critical issue is that evidence is not available in physical form,
but in electronic form.
INHERENT LIMITATIONS OF AUDIT
To be able to prepare a proper report, the auditor needs documented evidence.
Following is a list of actions that the auditor needs to take to address this problem:
Use of special audit techniques, referred to as Computer Assisted Audit
Techniques (CAATs), for documenting evidence; these are elaborated later in this part.
Audit timing can be planned so that the auditor is able to validate transactions as they occur
in the system.
As per SA 200, "Overall Objectives of An Independent Auditor and Conduct of An Audit
in Accordance With Standards of Auditing", any opinion formed by the auditor is subject to
the inherent limitations of an audit, which include:
The nature of financial reporting;
The nature of audit procedures;
The need for the audit to be conducted within a reasonable period of time and at a
reasonable cost.
The matter of difficulty, time, or cost involved is not in itself a valid basis for the auditor
to omit an audit procedure.
Fraud, particularly fraud involving senior management or collusion.
The existence and completeness of related party relationships and transactions.
The occurrence of non-compliance with laws and regulations.
CONCURRENT OR CONTINUOUS AUDIT
Today, organizations produce information on a real-time, online basis. Real-time recording
needs real-time auditing to provide continuous assurance about the quality of the data.
Continuous auditing enables auditors to significantly reduce, and perhaps eliminate, the time
between the occurrence of the client's events and the auditor's assurance services thereon.
Errors in a computerized system are generated at high speed, and the cost to correct and
rerun programs is high. If these errors can be detected and corrected at, or closest to, the
point of their occurrence, their impact would be the least.
Continuous auditing techniques use two bases for collecting audit evidence. One is the use
of embedded modules in the system to collect, process, and print audit evidence and the
other is special audit records used to store the audit evidence collected.
Types of Audit Tools
Tracing a transaction in a computerized system can be performed with the help of
snapshots or extended records.
Snapshot software is built into the system at those points where material
processing occurs; it takes images of the flow of any transaction as it moves
through the application.
These images can be utilized to assess the authenticity, accuracy, and completeness
of the processing carried out on the transaction.
The Integrated Test Facility (ITF) technique involves the creation of a dummy entity in the application system
files and the processing of audit test data against the entity as a means of verifying
processing authenticity, accuracy, and completeness.
In such cases the auditor has to decide what method to use to enter the test data and the
methodology for removing the effects of the ITF transactions.
The system control audit review file (SCARF) technique involves embedding audit
software modules within a host application system to provide continuous
monitoring of the system’s transactions.
The information collected is written onto a special audit file, the SCARF master file.
Auditors then examine the information contained on this file to see if some aspect
of the application system needs follow-up.
The Continuous and Intermittent Simulation (CIS) technique can be used to trap exceptions whenever the
application system uses a database management system.
During application system processing, CIS executes in the following way:
The database management system reads an application system transaction. It is
passed to CIS. CIS then determines whether it wants to examine the transaction
further. If yes, the next steps are performed; otherwise it waits to receive further
data from the database management system.
CIS replicates or simulates the application system processing.
Every update to the database that arises from processing the selected transaction
is checked by CIS.
Exceptions identified by CIS are written to an exception log file.
The advantage of CIS is that it does not require modifications to the application
system and yet provides an online auditing capability.
There are audit routines that flag suspicious transactions. For example, internal
auditors at an insurance company determined that their policyholder system was
vulnerable to fraud every time a policyholder changed his or her name or address
and then subsequently withdrew funds from the policy.
They devised (planned and developed) a system of audit hooks to tag records with a name
or address change.
The internal audit department investigates these tagged records to detect
fraud.
When audit hooks are employed, auditors can be informed of questionable
transactions as soon as they occur.
This approach of real-time notification displays a message on the auditor’s terminal.
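The audit-hook scenario above, worked through as an added example (not code from the original notes): an embedded routine tags records on a name or address change and writes a SCARF-style exception record when a withdrawal follows within a review window. The 30-day window and all transactions are constructed assumptions.

```python
"""Audit-hook simulation for the policyholder scenario above.

Added example, not from the original notes. It tags any policy whose holder
changes name or address, and writes a SCARF-style exception record when a
withdrawal follows that change within a review window. All transactions
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: a withdrawal within 30 days of a contact-detail change is
# routed to internal audit; the notes give no specific window.
REVIEW_WINDOW = timedelta(days=30)
HOOKED_FIELDS = {"name", "address"}


@dataclass
class Txn:
    ts: datetime
    policy_id: str
    kind: str             # "update" or "withdrawal"
    changed: str = ""     # updates: which field changed
    amount: float = 0.0   # withdrawals: amount paid out


@dataclass
class AuditHook:
    """Embedded audit routine: sees every transaction, flags the suspicious ones."""
    tagged: dict = field(default_factory=dict)        # policy_id -> (tag time, field)
    exception_log: list = field(default_factory=list)

    def process(self, t: Txn) -> bool:
        """Return True when the transaction was written to the exception log."""
        if t.kind == "update" and t.changed in HOOKED_FIELDS:
            # Tag the record; the tag stays live until it ages past the window.
            self.tagged[t.policy_id] = (t.ts, t.changed)
            return False
        if t.kind == "withdrawal" and t.policy_id in self.tagged:
            tagged_at, changed = self.tagged[t.policy_id]
            if t.ts - tagged_at <= REVIEW_WINDOW:
                self.exception_log.append({
                    "policy_id": t.policy_id,
                    "changed": changed,
                    "days_since_change": (t.ts - tagged_at).days,
                    "amount": t.amount,
                    "at": t.ts.isoformat(),
                })
                return True
            del self.tagged[t.policy_id]   # stale tag: drop it
        return False


def run_hooks(txns):
    """Replay a transaction stream in time order; return the exception log."""
    hook = AuditHook()
    for t in sorted(txns, key=lambda x: x.ts):
        hook.process(t)
    return hook.exception_log


def sample_stream():
    """Constructed transactions; comments state the expected hook decision."""
    d = lambda n: datetime(2024, 1, 1) + timedelta(days=n)
    return [
        Txn(d(1), "P-1001", "update", changed="address"),
        Txn(d(5), "P-1001", "withdrawal", amount=9_500.0),   # flagged
        Txn(d(10), "P-1001", "withdrawal", amount=4_000.0),  # flagged (tag still live)
        Txn(d(2), "P-2002", "withdrawal", amount=1_200.0),   # no change on record
        Txn(d(3), "P-3003", "update", changed="name"),
        Txn(d(60), "P-3003", "withdrawal", amount=7_000.0),  # outside the window
        Txn(d(4), "P-4004", "update", changed="beneficiary_phone"),  # field not hooked
        Txn(d(6), "P-4004", "withdrawal", amount=500.0),
    ]


if __name__ == "__main__":
    for exc in run_hooks(sample_stream()):
        print("EXCEPTION", exc)
```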
Audit trails are logs that can be designed to record activity at the system, application, and user
level.
When properly implemented, audit trails provide an important detective control to help
accomplish security policy objectives.
An effective audit policy will capture all significant events without cluttering the log with trivial
activity.
Audit trail controls attempt to ensure that a chronological (sequential) record of all events that
have occurred in a system is maintained.
This record is needed to answer queries, fulfil statutory requirements, detect the consequences
of error and allow system monitoring and tuning.
The accounting audit trail shows the source and nature of data and processes that update the
database.
Application system controls involve ensuring that individual application systems safeguard
assets (reducing expected losses), maintain data integrity (ensuring complete, accurate and
authorized data) and achieve objectives effectively and efficiently from the perspective of
users of the system from within and outside the organization.
AUDIT TRAIL OBJECTIVES:
Audit trails can be used to support security objectives in three ways:
Detecting unauthorized access to the system,
Facilitating the reconstruction of events, and
Promoting personal accountability.
A. Each of these is described below:
1. Detecting Unauthorized Access
Detecting unauthorized access can occur in real time or after the fact. The primary
objective of real-time detection is to protect the system from outsiders who are
attempting to breach system controls.
A real-time audit trail can also be used to report on changes in system performance that
may indicate infestation by a virus or worm.
After-the-fact detection logs can be stored electronically and reviewed periodically or
as needed. When properly designed, they can be used to determine if unauthorized
access was accomplished, or attempted and failed.
2. Reconstructing Events
Audit analysis can be used to reconstruct the steps that led to events such as system
failures, security violations by individuals, or application processing errors.
Audit trail analysis also plays an important role in accounting control. For example, by
maintaining a record of all changes to account balances, the audit trail can be used to
reconstruct accounting data files that were corrupted by a system failure.
3. Personal Accountability
Audit trails can be used to monitor user activity at the lowest level of detail. This
capability is a preventive control that can be used to influence behaviour.
Individuals are less likely to violate an organization's security policy if they know that their
actions are recorded in an audit log.
B. Implementing an Audit Trail:
The information contained in audit logs is useful to accountants in measuring the potential
damage and financial loss associated with application errors, abuse of authority, or
unauthorized access by outside intruders.
Logs also provide valuable evidence for assessing both the adequacy of controls in
place and the need for additional controls.
Audit logs, however, can generate data in overwhelming detail. Important information
can easily get lost among the superfluous detail of daily operation. Thus, poorly
designed logs can actually be dysfunctional.
AUDITING ENVIRONMENTAL CONTROLS
Role of Auditor in Auditing Environmental Controls:
The attack on the World Trade Centre created a worldwide alert, bringing focus on
business continuity planning and environmental controls.
The IS auditor should satisfy himself or herself not only about the effectiveness of various technical controls but
also about the overall controls safeguarding the business against environmental risks.
Some of the critical audit considerations that an IS auditor should keep in mind while
conducting his/her audit are given below:
Audit of Environmental Controls:
Audit of environmental controls requires the IS auditor to conduct physical inspections
and observe practices.
The IS auditor needs to be able to determine if such controls are effective and if they
are cost-effective.
Auditing environmental controls requires attention to these and other factors and
activities, including:
The IS auditor should determine how frequently power conditioning equipment, such
as UPS, line conditioners, surge protectors, or motor generators, are used, inspected
and maintained and if this is performed by qualified personnel.
The IS auditor should determine if backup power is available via electric generators
or UPS and how frequently they are tested. He or she should examine maintenance
records to see how frequently these components are maintained and if this is done
by qualified personnel.
The IS auditor should determine if HVAC systems are providing adequate
temperature and humidity levels, and if they are monitored.
Also, the auditor should determine if HVAC systems are properly maintained and if
qualified persons do this.
The IS auditor should determine if any water detectors are used in rooms where
computers are used.
He or she should determine how frequently these are tested and if they are
monitored.
The IS auditor should determine if fire detection equipment is adequate, if staff
members understand their function, and if they are tested.
He or she should determine how frequently fire suppression systems are inspected
and tested, and if the organization has emergency evacuation plans and conducts
fire drills.
The IS auditor should examine data centers to see how clean they are.
IT equipment air filters and the inside of some IT components should be examined to
see if there is an accumulation of dust and dirt.
AUDITING PHYSICAL SECURITY CONTROLS
Role of IS Auditor in Auditing Physical Access Controls
Auditing physical access requires the auditor to review the physical access risk and
controls to form an opinion on the effectiveness of the physical access controls.
This involves the following:
The auditor must satisfy him/herself that the risk assessment procedure adequately
covers periodic and timely assessment of all assets, physical access threats,
vulnerabilities of safeguards and exposures therefrom.
Based on the risk profile, the auditor evaluates whether the physical access controls
are in place and adequate to protect the IS assets against the risks.
It requires examination of relevant documentation such as the security policy and
procedures, premises plans, building plans, inventory list and cabling diagrams.
Audit of Physical Access Controls:
Proximity to hazards:
The IS auditor should estimate the building's distance to natural and manmade
hazards, such as dams; rivers and lakes; natural gas and petroleum pipelines;
earthquake faults; areas prone to landslides; and weather such as hurricanes,
cyclones, and tornadoes.
The IS auditor should determine if any risk assessment regarding hazards has
been performed and if any compensating controls that were recommended have
been carried out.
Marking:
The IS auditor should inspect the building and surrounding area to see if
building(s) containing information processing equipment identify the organization.
Marking may be visible on the building itself, but also on signs or parking stickers
on vehicles.
This includes fencing, walls, barbed/razor wire, bollards, and crash gates.
The IS auditor needs to understand how these are used to control access to the facility
and determine their effectiveness.
The IS auditor needs to understand how video and human surveillance are used to
control and monitor access.
He or she needs to understand how (and if) video is recorded and reviewed, and if
it is effective in preventing or detecting incidents.
The IS auditor needs to understand the use and effectiveness of security guards and
guard dogs.
Processes, policies, procedures, and records should be examined to understand
required activities and how they are carried out.
The IS auditor needs to understand how key-card systems are used to control access
to the facility.
Some points to consider include:
Work zones: whether the facility is divided into security zones and which persons are permitted to access which zones;
Whether key-card systems record personnel movement;
What processes and procedures are used to issue key-cards to employees; etc.
AUDITING LOGICAL ACCESS CONTROLS
1) Role of IS Auditor in Auditing Logical Access Controls
This will require considerable effort and may require the use of investigative and
technical tools, as well as specialized experts on IT network architecture.
The IS auditor should request network architecture and access documentation to
compare what was discovered independently against existing documentation.
The auditor will need to determine why any discrepancies exist.
2) Audit of Logical Access Controls
a) Auditing User Access Controls
Authentication:
The auditor should examine network and system resources to determine if they
require authentication, or whether any resources can be accessed without first
authenticating.
Access violations:
These usually exist in the form of system logs showing invalid login attempts,
which may indicate intruders who are trying to log in to employee user
accounts.
User account lockout:
The auditor should determine if systems and networks can automatically lock
user accounts that are the target of attacks.
A typical system configuration is one that locks a user account after five
unsuccessful login attempts within a short period.
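The lockout rule just described, replayed over constructed authentication log lines as an added example (not code from the original notes): it computes when the five-attempt policy says each account must lock, then checks whether any later successful login contradicts that, which is the kind of finding an auditor would raise. The 10-minute window, the log format and the events are assumptions.

```python
"""Lockout-policy replay over constructed authentication log lines.

Added example, not from the original notes. It applies the five-attempt
threshold the notes mention (the 10-minute window is an assumed value) to a
login event stream, reports which accounts should have locked, and then
checks whether any later successful login contradicts that expectation.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures that trigger a lockout
WINDOW = timedelta(minutes=10)  # assumed "short period"

# Constructed syslog-like lines: "<ISO timestamp> <user> <LOGIN_OK|LOGIN_FAIL> <source>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 asmith LOGIN_FAIL 10.0.0.7
2024-03-01T09:00:01 jdoe LOGIN_FAIL 10.0.0.5
2024-03-01T09:00:20 jdoe LOGIN_FAIL 10.0.0.5
2024-03-01T09:00:45 jdoe LOGIN_FAIL 10.0.0.5
2024-03-01T09:01:10 jdoe LOGIN_FAIL 10.0.0.5
2024-03-01T09:01:30 jdoe LOGIN_FAIL 10.0.0.5
2024-03-01T09:02:00 jdoe LOGIN_OK 10.0.0.5
2024-03-01T09:05:00 bwong LOGIN_FAIL 10.0.0.9
2024-03-01T09:05:30 bwong LOGIN_FAIL 10.0.0.9
2024-03-01T09:06:00 bwong LOGIN_FAIL 10.0.0.9
2024-03-01T09:06:30 bwong LOGIN_OK 10.0.0.9
2024-03-01T09:07:00 bwong LOGIN_FAIL 10.0.0.9
2024-03-01T09:07:30 bwong LOGIN_FAIL 10.0.0.9
2024-03-01T09:08:00 asmith LOGIN_FAIL 10.0.0.7
2024-03-01T09:08:00 bwong LOGIN_FAIL 10.0.0.9
2024-03-01T09:16:00 asmith LOGIN_FAIL 10.0.0.7
2024-03-01T09:24:00 asmith LOGIN_FAIL 10.0.0.7
2024-03-01T09:32:00 asmith LOGIN_FAIL 10.0.0.7
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, result, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, source = line.split()
        events.append((datetime.fromisoformat(ts), user, result, source))
    return sorted(events)


def expected_lockouts(events):
    """Return {user: time at which the policy says the account must lock}."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked = {}
    for ts, user, result, _src in events:
        if user in locked:
            continue                          # further attempts are rejected anyway
        if result == "LOGIN_OK":
            failures[user].clear()            # a success resets the counter
            continue
        q = failures[user]
        q.append(ts)
        while ts - q[0] > WINDOW:             # slide the window forward
            q.popleft()
        if len(q) >= THRESHOLD:
            locked[user] = ts
    return locked


def lockout_findings(events, locked):
    """Successful logins after the expected lock time: the control did not work."""
    return [(user, ts.isoformat()) for ts, user, result, _src in events
            if result == "LOGIN_OK" and user in locked and ts > locked[user]]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    locks = expected_lockouts(ev)
    print("should be locked:", {u: t.isoformat() for u, t in locks.items()})
    print("findings:", lockout_findings(ev, locks))
```

asmith never locks because the failures are spread wider than the window, and bwong never locks because the successful login resets the count; only jdoe crosses the threshold, and the later success is the finding.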
Intrusion detection and prevention:
The auditor should determine if there are any IDSs or IPSs that would detect
authentication-bypass attempts.
The auditor should examine these systems to see whether they have up-to-
date configurations and signatures, whether they generate alerts, and
whether the recipients of alerts act upon them.
Dormant accounts:
Dormant accounts are user (or system) accounts that exist but are unused.
These accounts represent a risk to the environment, as they represent an
additional path between intruders and valuable or sensitive data.
Shared accounts:
The IS auditor should determine if there are any shared user accounts; these
are user accounts that are routinely (or even infrequently) used by more than
one person.
The principal risk with shared accounts is the inability to determine
accountability for actions performed with the account.
System accounts:
The IS auditor should identify all system-level accounts on networks, systems,
and applications.
The purpose of each system account should be identified, and it should be
determined if each system account is still required (some may be artefacts of
the initial implementation or of an upgrade or migration).
The IS auditor should determine who has the password for each system
account, whether accesses by system accounts are logged, and who monitors
those logs.
b) Auditing Password Management:
Password standards:
The IS auditor needs to examine password configuration settings on
information systems to determine how passwords are controlled.
Some of the areas requiring examination are: how many characters a
password must have and whether there is a maximum length; how frequently
passwords must be changed; whether former passwords may be used again;
whether the password is displayed when logging in or when creating a new
password; etc.
c) Auditing User Access Provisioning:
Access request processes:
The IS auditor should identify all user access request processes and determine
if these processes are used consistently throughout the organization.
Access approvals:
The IS auditor needs to determine how requests are approved and by what
authority they are approved.
The auditor should determine if system or data owners approve access
requests, or if any accesses are ever denied.
New employee provisioning:
The IS auditor should examine the new employee provisioning process to see
how a new employee’s user accounts are initially set up.
The auditor should determine if new employees’ managers are aware of the
access requests that their employees are given and if they are excessive.
Segregation of Duties (SOD):
The IS auditor should determine if the organization makes any effort to
identify segregation of duties.
This may include whether there are any SOD matrices in existence and if they
are actively used to make user access request decisions.
Access reviews:
The IS auditor should determine if there are any periodic access reviews and
what aspects of user accounts are reviewed; this may include termination
reviews, internal transfer reviews, SOD reviews, and dormant account reviews.
d) Auditing Employee Terminations:
Termination process:
The IS auditor should examine the employee termination process and
determine its effectiveness.
This examination should include understanding on how terminations are
performed and how user account management personnel are notified of
terminations.
Access reviews:
The IS auditor should determine if any internal reviews of terminated accounts
are performed, which would indicate a pattern of concern for effectiveness in
this important activity.
If such reviews are performed, the auditor should determine if any missed
terminations are identified and if any process improvements are undertaken.
Contractor access and terminations:
The IS auditor needs to determine how contractor access and termination is
managed and if such management is effective.
The IS auditor needs to determine what events are recorded in access logs.
Centralized access logs:
The IS auditor should determine if the organization’s access logs are aggregated
or if they are stored on individual systems.
Access log protection:
The auditor needs to determine if access logs can be altered, destroyed, or
attacked to cause the system to stop logging events.
For especially high-value and high-sensitivity environments, the IS auditor needs
to determine if logs should be written to optical WORM (write once read many)
media.
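One software control an auditor may find alongside, or instead of, WORM media is a hash-chained log, shown here as an added example (not code from the original notes): each entry stores the SHA-256 of the entry before it, so an altered or deleted record breaks the chain at a detectable position. The record format and events are constructed; the off-host "head hash" anchor is an assumption of the example.

```python
"""Tamper-evident access log by hash chaining.

Added example, not from the original notes. Every entry stores the SHA-256
of the previous entry, so altering or deleting a record breaks the chain at
a detectable position. Log events below are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64   # prev-hash of the first entry


def _link_hash(prev_hash, record):
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(chain, record):
    """Append a record; its hash binds it to everything written before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _link_hash(prev, record)})
    return chain[-1]["hash"]


def verify_chain(chain, expected_head=None):
    """Return -1 if intact, else the index of the first entry that fails.

    expected_head is the latest hash as recorded off-host (for example,
    forwarded to a log collector); without it, truncation of the tail is
    undetectable by the chain alone.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _link_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)      # tail missing: points just past the last entry
    return -1


def sample_chain():
    """Three constructed access events; returns (chain, head hash)."""
    chain = []
    head = GENESIS
    for rec in (
        {"ts": "2024-03-01T09:00:00", "user": "jdoe", "event": "LOGIN_OK"},
        {"ts": "2024-03-01T09:05:12", "user": "jdoe", "event": "READ", "obj": "payroll"},
        {"ts": "2024-03-01T09:07:40", "user": "jdoe", "event": "LOGOUT"},
    ):
        head = append_entry(chain, rec)
    return chain, head


def altered_entry_breaks_at():
    chain, _ = sample_chain()
    bad = copy.deepcopy(chain)
    bad[1]["record"]["user"] = "svc_batch"   # rewrite who read payroll
    return verify_chain(bad)


def deleted_entry_breaks_at():
    chain, head = sample_chain()
    bad = copy.deepcopy(chain)
    del bad[1]                               # remove the READ event entirely
    return verify_chain(bad, head)


def truncated_tail_breaks_at():
    """Dropping the last entry is only caught when an off-host head is known."""
    chain, head = sample_chain()
    bad = copy.deepcopy(chain)[:-1]
    return verify_chain(bad), verify_chain(bad, head)


if __name__ == "__main__":
    chain, head = sample_chain()
    print("intact:", verify_chain(chain, head))                       # -1
    print("altered:", altered_entry_breaks_at())                       # 1
    print("deleted:", deleted_entry_breaks_at())                       # 1
    print("truncated (no anchor, with anchor):", truncated_tail_breaks_at())  # (-1, 2)
```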
Access log review:
The IS auditor needs to determine if there are policies, processes, or procedures
regarding access log review.
The auditor should determine if access log reviews take place, who performs them,
how issues requiring attention are identified, and what actions are taken when
necessary.
Access log retention:
The IS auditor should determine how long access logs are retained by the
organization and if they are backed up.
Investigation policies and procedures:
The IS auditor should determine if there are any policies or procedures regarding
security investigations.
This would include who is responsible for performing investigations, where
information about investigations is stored, and to whom the results of investigations
are reported.
Computer crime investigations:
The IS auditor should determine if there are policies, processes, procedures, and
records regarding computer crime investigations.
The IS auditor should understand how internal investigations are transitioned to
law enforcement.
Computer forensics:
The IS auditor should determine if there are procedures for conducting computer
forensics.
The auditor should also identify tools and techniques that are available to the
organization for the acquisition and custody of forensic data.
The auditor should identify whether any employees in the organization have
received computer forensics training and are qualified to perform forensic
investigations.
Search engines:
Google, Yahoo!, and other search engines should be consulted to see what
information about the organization is available.
Searches should include the names of company officers and management, key
technologists, and any internal-only nomenclature such as the names of projects.
Social networking sites:
Social networking sites such as Facebook, LinkedIn, Myspace, and Twitter should
be searched to see what employees, former employees, and others are saying
about the organization.
Any authorized or unauthorized "fan pages" should be searched as well.
Online sales sites:
Sites such as Craigslist and eBay should be searched to see if anything related to
the organization is sold online.
Domain names:
The IS auditor should verify contact information for known domain names, as well
as related domain names.
For instance, for the organization mycompany.com; organizations should search
for domain names such as mycompany.net, mycompany.info, and mycompany.biz
to see if they are registered and what contents are available.
Justification of Online Presence:
The IS auditor should examine business records to determine on what basis the
organization established online capabilities such as e-mail, Internet-facing web
sites, Internet e-commerce, Internet access for employees, and so on.
These services add risk to the business and consume resources.
The auditor should determine if a viable business case exists to support these
services or if they exist as a "benefit" for employees.
MANAGERIAL CONTROLS AND THEIR AUDIT TRAILS
1) Top Management and Information Systems Management Control
Auditors need to evaluate whether or not top management has formulated a high-quality
information systems plan.
A poor-quality information system is ineffective and inefficient, leading to loss of
competitive position within the marketplace.
Auditors should be concerned about how well top management acquires and
manages staff resources for three reasons:
1. The effectiveness of the IS function depends primarily on the quality of its staff.
The IS staff need to remain up to date and motivated in their jobs.
2. Intense competition and high turnover have made acquiring and retaining good
information system staff a complex activity.
3. Empirical (observed) research indicates that the employees of an organization
are the most likely persons to perpetrate (execute) irregularities.
Generally, auditors examine variables that often indicate when motivation
problems exist or suggest poor leadership; for example, staff turnover statistics,
frequent failure of projects to meet their budget and absenteeism levels are used to evaluate the leading function.
Auditors may use both formal and informal sources of evidence to evaluate how well
top managers communicate with their staff.
The formal sources include IS plans, documented standards and policies.
Informal sources of evidence include interviews with IS staff about their level of
satisfaction with top management.
Auditors should focus on the subset of control activities that should be performed by
top management, namely those aimed at ensuring that the information systems
function accomplishes its objectives at a global level.
Auditors must evaluate whether top management's choice of the means of control over
the users of IS services is likely to be effective or not.
2) System Development Management Controls
Types of Audit Specification:
Concurrent Audit: Auditors are members of the system development team. They assist the team in
improving the quality of systems development for the specific system they are building and implementing.
Post-implementation Audit: Auditors seek to help an organization learn from its experiences in the
development of a specific application system. In addition, they might be evaluating whether the system
needs to be scrapped, continued, or modified in some way.
General Audit: Auditors evaluate systems development controls overall. They seek to determine whether
they can reduce the extent of substantive testing needed to form an audit opinion about management's
assertions relating to the financial statements and to systems effectiveness and efficiency.
3) Programming Management Controls
System development phases and the related controls auditors should examine:
Planning: Auditors should evaluate whether the nature and extent of planning are appropriate to the
different types of software that are developed or acquired. They must evaluate how well the planning
work is being undertaken.
Control: Auditors must gather evidence on whether the control procedures are operating reliably. For
example, they might first choose a sample of past and current software development and acquisition
projects carried out at different locations in the organization they are auditing.
Design: Auditors should find out whether programmers use some type of systematic approach to design.
Auditors can obtain evidence of the design practices used by undertaking interviews, observations, and
reviews of documentation.
Coding: Auditors should seek evidence:
o On the level of care exercised by programming management in choosing a module implementation
and integration strategy.
o To determine whether programming management ensures that programmers follow structured
programming conventions.
o To check whether programmers employ automated facilities to assist them with their coding work.
Testing: Auditors can use interviews, observations, and examination of documentation to evaluate how
well unit testing is conducted. Auditors are most likely concerned primarily with the quality of integration
testing work carried out by information systems professionals rather than end users. The auditor's primary
concern is to see that whole-of-program tests have been undertaken for all material programs and that
these tests have been well designed and executed.
Operation and Maintenance: Auditors need to ensure that effective and timely reporting of maintenance
needs occurs and that maintenance is carried out in a well-controlled manner. Auditors should ensure that
management has implemented a review system and assigned responsibility for monitoring the status of
operational programs.
4) Data Resource Management Controls
5) Quality Assurance Management Controls
Auditors can evaluate how well QA personnel make recommendations for improved standards or processes through interviews, observations, and reviews of documentation.
Auditors can evaluate how well QA personnel undertake the reporting function and training through interviews, observations, and reviews of documentation.
6) Security Management Controls
Auditors must evaluate whether security administrators are conducting ongoing, high-quality security reviews;
Auditors check whether the organizations audited have an appropriate, high-quality disaster recovery plan in place; and
Auditors check whether the organizations have opted for an appropriate insurance plan.
7) Operations Management Controls
Auditors should check whether documentation is maintained securely and that it is issued only to authorized personnel.
Auditors can use interviews, observations, and review of documentation to evaluate:
The activities of documentation librarians;
How well operations management undertakes the capacity planning and performance monitoring function;
The reliability of outsourcing vendor controls;
Whether operations management is monitoring compliance with the outsourcing contract; and
Whether operations management regularly assesses the financial viability of any outsourcing vendors that the organization uses.
APPLICATION CONTROLS AND THEIR AUDIT TRAILS
Each application subsystem keeps two kinds of audit trail:
An Accounting Audit Trail - to maintain a record of events within the subsystem; and
An Operations Audit Trail - to maintain a record of the resource consumption associated with each event in the subsystem.
1) Boundary Control
This maintains the chronology of events that occur when a user attempts to gain access to and employ system resources.
Accounting Audit Trail
Identity of the would-be user of the system;
Authentication information supplied;
Resources requested;
Action privileges requested;
Terminal identifier;
Start and finish time;
Number of sign-on attempts;
Resources provided/denied; and
Action privileges allowed/denied.
Operations Audit Trail
Resource usage from log-on to log-out time; and
Log of resource consumption.
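The boundary-control accounting trail above is only useful if someone reads it. The following is an added example (not code from the notes) that parses a trail in an assumed one-event-per-line key=value format carrying the listed items (user identity, authentication method, terminal, resource and privilege requested, result, sign-on/sign-off times) and derives three things an auditor would ask for: users whose failed sign-on attempts cluster in a short window, log-on to log-out durations per terminal, and which privilege requests were denied. The sample lines, field names and thresholds are constructed for the example.

```python
"""Boundary-control audit trail analysis (added example, not from the original notes).

Assumed trail format: one event per line, an ISO-8601 time stamp followed by
key=value fields. The sample lines below are constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_TRAIL = """\
2024-03-01T09:00:05Z event=signon user=alice auth=password terminal=T17 resource=payroll priv=read result=allowed
2024-03-01T09:00:40Z event=signon user=bob auth=password terminal=T03 resource=ledger priv=write result=denied
2024-03-01T09:00:52Z event=signon user=bob auth=password terminal=T03 resource=ledger priv=write result=denied
2024-03-01T09:01:10Z event=signon user=bob auth=password terminal=T03 resource=ledger priv=write result=denied
2024-03-01T09:01:25Z event=signon user=bob auth=password terminal=T03 resource=ledger priv=write result=denied
2024-03-01T09:30:00Z event=signoff user=alice terminal=T17 cpu_ms=4200
2024-03-01T09:45:00Z event=signon user=carol auth=token terminal=T09 resource=payroll priv=write result=allowed
2024-03-01T09:46:00Z event=signon user=carol auth=token terminal=T09 resource=payroll priv=admin result=denied
"""


def parse_event(line):
    """Turn one trail line into a dict; the time stamp becomes a datetime."""
    stamp, *fields = line.split()
    record = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_trail(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def failed_signon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Users whose denied sign-ons reach `threshold` inside any `window`.

    Returns {user: largest number of denials seen inside one window}.
    """
    denied = defaultdict(list)
    for e in events:
        if e.get("event") == "signon" and e.get("result") == "denied":
            denied[e["user"]].append(e["time"])
    flagged = {}
    for user, times in denied.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def session_durations(events):
    """Log-on to log-out time per (user, terminal): allowed sign-on to sign-off."""
    open_sessions, durations = {}, {}
    for e in events:
        key = (e["user"], e["terminal"])
        if e.get("event") == "signon" and e.get("result") == "allowed":
            open_sessions.setdefault(key, e["time"])
        elif e.get("event") == "signoff" and key in open_sessions:
            durations[key] = e["time"] - open_sessions.pop(key)
    return durations


def privilege_denials(events):
    """Count of (user, resource, privilege) requests that were denied."""
    return Counter(
        (e["user"], e["resource"], e["priv"])
        for e in events
        if e.get("event") == "signon" and e.get("result") == "denied"
    )


if __name__ == "__main__":
    evs = parse_trail(SAMPLE_TRAIL)
    print("burst sign-on failures:", failed_signon_bursts(evs))
    print("session durations:", session_durations(evs))
    print("privilege denials:", privilege_denials(evs))
```

The burst detector works on a sliding time window rather than a simple per-day count, so four failures in ninety seconds are flagged while four failures spread over a month are not; carol's single denied request for admin privilege still shows up in the denial count, which is the item the trail exists to answer.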
2)Input Control
This maintains the chronology of events from the time data and instructions are captured
and entered into an application system until the time they are deemed valid and passed
onto other subsystems within the application system.
Accounting Audit Trail
The identity of the person (organization) who was the source of the data;
The identity of the person (organization) who entered the data into the system;
The time and date when the data was captured;
The identifier of the physical device used to enter the data into the system;
The account or record to be updated by the transaction;
The standing data to be updated by the transaction;
The details of the transaction; and
The number of the physical or logical batch to which the transaction belongs.
Operations Audit Trail
Time to key in a source document or an instrument at a terminal;
Number of read errors made by an optical scanning device;
Number of keying errors identified during verification;
Frequency with which an instruction in a command language is used; and
Time taken to invoke an instruction using a light pen versus a mouse.
3) Communication Control
This maintains a chronology of the events from the time a sender dispatches a message to the time a receiver obtains the message.
Accounting Audit Trail
Unique identifier of the source/sink node;
Unique identifier of each node in the network that the message traverses;
Unique identifier of the person or process authorizing dispatch of the message;
Time and date at which the message was dispatched;
Time and date at which the message was received by the sink node;
Time and date at which each node in the network was traversed by the message;
Message sequence number; and
The image of the message received at each node traversed in the network.
Operations Audit Trail
Number of messages that have traversed each link and each node;
Queue lengths at each node;
Number of errors occurring on each link or at each node;
Number of retransmissions that have occurred across each link;
Log of errors to identify locations and patterns of errors;
Log of system restarts; and
Message transit times between nodes and at nodes.
4)Processing Control
The audit trail maintains the chronology of events from the time data is received from
the input or communication subsystem to the time data is dispatched to the database,
communication, or output subsystems.
Accounting Audit Trail
To trace and replicate the processing performed on a data item; and
Triggered transactions to monitor input data entry, intermediate results and output data values.
Operations Audit Trail
A comprehensive log of hardware consumption - CPU time used, secondary storage space used, and communication facilities used; and
A comprehensive log of software consumption - compilers used, subroutine libraries used, file management facilities used, and communication software used.
5) Database Control
The audit trail maintains the chronology of events that occur either to the database definition or to the database itself.
Accounting Audit Trail
To attach a unique time stamp to all transactions;
To attach before-images and after-images of the data item on which a transaction is applied to the audit trail; and
To record any modifications or corrections to audit trail transactions accommodating the changes that occur within an application system.
Operations Audit Trail
To maintain a chronology of resource consumption events that affect the database definition or the database.
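What the time stamps and before/after images buy the auditor is the ability to rebuild the database from its starting state and to prove each entry follows from the ones before it. The following is an added example, not the notes' own code: an in-memory table whose every change appends a trail entry with a sequence number, time stamp, actor, key, before-image and after-image. `replay` rebuilds the table from the after-images alone, `verify_chain` checks that each before-image matches the state the earlier entries produced (a tampered entry breaks the chain), `drift` finds rows that were changed outside the audited path, and `reverse` corrects a transaction with a compensating entry instead of editing the trail. The table contents and transaction ids are constructed for the example.

```python
"""Database audit trail with time stamps and before/after images (added example).

The table, its rows and the transaction ids are constructed for this example.
"""
from copy import deepcopy
from datetime import datetime, timezone


class AuditedTable:
    def __init__(self, rows):
        self.rows = deepcopy(rows)
        self.trail = []  # append-only: corrections are recorded, never edited in place

    def _stamp(self, now):
        return (now or datetime.now(timezone.utc)).isoformat()

    def apply(self, txn_id, key, changes, user, now=None):
        before = deepcopy(self.rows.get(key))  # None for an insert
        after = deepcopy(before) if before is not None else {}
        after.update(changes)
        self.rows[key] = after
        self.trail.append({
            "seq": len(self.trail) + 1, "time": self._stamp(now),
            "txn": txn_id, "user": user, "key": key,
            "before": before, "after": deepcopy(after),
        })

    def reverse(self, txn_id, user, now=None):
        """Undo a transaction by a compensating entry (before/after swapped);
        the original entry stays in the trail, as a correction should."""
        entry = next(e for e in reversed(self.trail) if e["txn"] == txn_id)
        if entry["before"] is None:
            self.rows.pop(entry["key"], None)
        else:
            self.rows[entry["key"]] = deepcopy(entry["before"])
        self.trail.append({
            "seq": len(self.trail) + 1, "time": self._stamp(now),
            "txn": f"{txn_id}-reversal", "user": user, "key": entry["key"],
            "before": deepcopy(entry["after"]), "after": deepcopy(entry["before"]),
        })


def _put(rows, entry):
    """Apply one entry's after-image to `rows` (None means the row is gone)."""
    if entry["after"] is None:
        rows.pop(entry["key"], None)
    else:
        rows[entry["key"]] = deepcopy(entry["after"])


def replay(trail, initial):
    """Rebuild the table from its initial state using only the after-images."""
    rows = deepcopy(initial)
    for entry in trail:
        _put(rows, entry)
    return rows


def verify_chain(trail, initial):
    """Each before-image must equal the state left by the earlier entries.
    Returns (True, None) or (False, seq of the first inconsistent entry)."""
    rows = deepcopy(initial)
    for entry in trail:
        if rows.get(entry["key"]) != entry["before"]:
            return False, entry["seq"]
        _put(rows, entry)
    return True, None


def drift(table, initial):
    """Keys whose live value differs from what the trail reproduces: a sign of
    an update that bypassed the audited path."""
    expected = replay(table.trail, initial)
    keys = set(expected) | set(table.rows)
    return sorted(k for k in keys if expected.get(k) != table.rows.get(k))
```

A real DBMS keeps these images in its journal or in audit tables populated by triggers; the point of the example is the two checks, chain consistency and drift, which are what let the trail support the "trace and replicate" objective listed under processing controls.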
6)Output Control
The audit trail maintains the chronology of events that occur from the time the content of
the output is determined until the time users complete their disposal of output because it
no longer should be retained.
Accounting Audit Trail
What output was presented to users;
Who received the output;
When the output was received; and
What actions were taken with the output.
Operations Audit Trail
To maintain the record of resources consumed – graphs, images, report pages,
printing time and display rate to produce the various outputs.
An organization's structure is depicted in an organization chart (org chart).
In most organizations, the organization chart is a living structure that changes frequently, based upon several conditions including the following:
SHORT- AND LONG-TERM OBJECTIVES:
Organizations sometimes move departments from one executive to another so that departments that were once far from each other (in terms of the org chart structure) will be near each other.
These organizational changes are usually performed to help an organization meet new objectives that require new partnerships and teamwork that were less important before.
MARKET CONDITIONS:
Changes in market positions can cause an organization to realign its internal structure in order to strengthen itself.
For example, if a competitor lowers its prices based on a new sourcing strategy, an organization may need to respond by changing its organizational structure to put experienced executives in charge of specific activities.
REGULATION:
New regulations may induce an organization to change its organizational structure.
ATTRITION:
When someone leaves the organization (or moves to another position within the organization), particularly in positions of leadership, a space opens in the org chart that often cannot be filled right away.
Instead, senior management will temporarily change the structure of the organization by moving the leaderless department under the control of someone else.
Often, the decisions on how to change the organization will depend upon the talent and experience of existing leaders, in addition to each leader's workload and other factors.
ROLES AND RESPONSIBILITIES
The term "roles and responsibilities" encompasses positions and relationships on the organization chart; it defines specific job titles and duties, and it denotes generic expectations and responsibilities regarding the use and protection of assets.
INDIVIDUAL ROLES AND RESPONSIBILITIES
EXECUTIVE MANAGEMENT:
The most senior managers and executives in an organization are responsible for
developing the organization's mission, objectives, and goals, as well as policy.
Executives are responsible for enacting security policy, which defines (among other
things) the protection of assets.
OWNER:
An owner is an individual (usually but not necessarily a manager) who is
the designated owner-steward of an asset.
Depending upon the organization's security policy, an owner may be responsible for
the maintenance and integrity of the asset, as well as for deciding who is permitted to
access the asset.
If the asset is information, the owner may be responsible for determining who may
access and make changes to the information.
MANAGER:
A manager is, in the general sense, responsible for obtaining policies and procedures
and making them available to their staff members.
They should also, to some extent, be responsible for their staff members' behaviour.
USER:
Users are individuals (at any level of the organization) who use assets in the performance
of their job duties.
Each user is responsible for how he or she uses the asset, and must not permit others to access the asset in his or her name.
Users are responsible for performing their duties lawfully and for conforming to organization policies.
JOB TITLES AND JOB DESCRIPTIONS
A Job Title is a label that is assigned to a job description. It denotes a position in the
organization that has a given set of responsibilities, and which requires a certain level
and focus of education and prior experience.
Job titles in IT have matured and are quite consistent across organizations. This
consistency helps organizations in several ways:
Recruiting:
When the organization needs to find someone to fill an open position, the use of standard
job titles will help prospective candidates more easily find positions that match their
criteria.
Compensation baselining:
Because of the chronic shortage of talented IT workers, organizations are forced to be
more competitive when trying to attract new workers.
To remain competitive, many organizations periodically undertake a regional
compensation analysis to better understand the levels of compensation paid to IT workers
in other organizations.
The use of standard job titles makes the task of comparing compensation far easier.
Career advancement:
When an organization uses job titles that are consistent in the industry, IT workers have
a better understanding of the functions of positions within their own organizations and
can more easily plan how they can advance.
The remainder of this section includes many IT job titles with a short description
(not a full job description by any measure) of the function of that position.
Virtually all organizations also include titles that denote the level of experience,
leadership, or span of control in an organization.
These titles may include executive vice president, senior vice president, vice president, senior
director, director, general manager, senior manager, manager and supervisor.
Larger organizations will use more of these, and possibly additional titles such as district
manager, group manager, or area manager.
A. Executive Management:
Executive managers are the chief leaders and policymakers in an organization.
They set objectives and work directly with the organization's most senior management to help make decisions affecting the future strategy of the organization.
Chief Information Officer (CIO):
This is the title of the top-most leader in a larger IT organization.
Chief Technical Officer (CTO):
This position is usually responsible for an organization's overall technology strategy.
Depending upon the purpose of the organization, this position may be separate from IT.
Chief Security Officer (CSO):
This position is responsible for all aspects of security, including information security, physical security, and possibly executive protection (protecting the safety of senior executives).
Chief Information Security Officer (CISO):
This position is responsible for all aspects of data-related security.
This usually includes incident management, disaster recovery, vulnerability management, and compliance.
Chief Privacy Officer (CPO):
This position is responsible for the protection and use of personal information.
This position is found in organizations that collect and store sensitive information for large numbers of persons.
B. Software Development
Systems architect:
This position is usually responsible for the overall information systems architecture in the organization.
This may or may not include overall data architecture as well as interfaces to external organizations.
Systems analyst:
A systems analyst is involved with the design of applications, including changes in an application's original design.
This position may develop technical requirements, program design, and software test plans.
In cases where organizations license applications developed by other companies, systems analysts design interfaces to other applications.
Software developer:
This position develops application software. Depending upon the level of experience, persons in this position may also design programs or applications.
In organizations that utilize purchased application software, developers often create custom interfaces, application customizations, and custom reports.
Software tester:
This position tests changes in programs made by software developers.
C. Data Management
Database architect:
This position develops logical and physical designs of data models for applications.
With sufficient experience, this person may also design an organization's overall data architecture.
Database administrator (DBA):
This position builds and maintains databases designed by the database architect and those databases that are included as a part of purchased applications.
The DBA monitors databases, tunes them for performance and efficiency, and troubleshoots problems.
Database analyst:
This position performs tasks that are junior to the database administrator, carrying out routine data maintenance and monitoring tasks.
D. Network Management
Network architect:
This position designs data and (increasingly) voice networks and designs changes and upgrades to the network as needed to meet new organization objectives.
Network engineer:
This position builds and maintains network devices such as routers, switches, firewalls, and gateways.
Network administrator:
This position performs routine tasks in the network such as making minor configuration changes and monitoring event logs.
E. Systems Management
Systems architect:
This position is responsible for the overall architecture of systems (usually servers), both in terms of the internal architecture of a system, as well as the relationship between systems.
This position is usually also responsible for the design of services such as authentication, e-mail, and time synchronization.
Systems engineer:
This position is responsible for designing, building, and maintaining servers and server operating systems.
Storage engineer:
This position is responsible for designing, building, and maintaining storage subsystems.
Systems administrator:
This position is responsible for performing maintenance and configuration operations on systems.
F. General Operations
Operations manager:
This position is responsible for overall operations that are carried out by others.
Responsibilities will include establishing operations shift schedules.
Operations analyst:
This position may be responsible for the development of operational procedures; examining the health of networks, systems, and databases; setting and monitoring the operations schedule; and maintaining operations records.
Controls analyst:
This position is responsible for monitoring batch jobs, data entry work, and other tasks to make sure that they are operating correctly.
Systems operator:
This position is responsible for monitoring systems and networks, performing backup tasks, running batch jobs, printing reports, and other operational tasks.
Data entry operator:
This position is responsible for keying batches of data from hard copy sources.
Media librarian:
This position is responsible for maintaining and tracking the use and whereabouts of backup tapes and other media.
G. Security Operations
Security architect:
This position is responsible for the design of security controls and systems such as authentication, audit logging, intrusion detection systems, intrusion prevention systems, and firewalls.
Security engineer:
This position is responsible for designing, building, and maintaining security services and systems that are designed by the security architect.
Security analyst:
This position is responsible for examining logs from firewalls, intrusion detection systems, and audit logs from systems and applications. This position may also be responsible for issuing security advisories to others in IT.
User account management (access administrator):
This position is responsible for accepting approved requests for user access management changes and performing the necessary changes at the network, system, database, or application level.
Often this function is carried out by personnel in network and systems management; only in larger organizations is user account management performed in security or even in a separate user access department.
H. Service Desk
Helpdesk analyst:
This position is responsible for providing front-line user support services to personnel in the organization.
Technical support analyst:
This position is responsible for providing technical support services to other IT personnel, and perhaps also to IT customers.
Information systems often process large volumes of information that is sometimes highly valuable or sensitive.
Measures need to be taken in IT organizations to ensure that individuals do not possess sufficient privileges to carry out potentially harmful actions on their own.
The concept of Segregation of Duties (SOD), also known as separation of duties, ensures that a single individual does not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data.
SEGREGATION OF DUTIES CONTROLS
Preventive and detective controls should be put into place to manage segregation of duties
matters.
In most organizations, both the preventive and detective controls will be manual, particularly
when it comes to unwanted combinations of access between different applications.
However, in some transaction- related situations, controls can be automated, although they
may still require intervention by others.
SOME EXAMPLES OF SEGREGATION OF DUTIES CONTROLS
Transaction Authorization:
Information systems can be programmed or configured to require two (or more) persons
to approve certain transactions.
Many of us see this in retail establishments where a manager is required to approve a
large transaction or a refund.
In IT applications, transactions meeting certain criteria (for example, exceeding normally
accepted limits or conditions) may require a manager's approval to be able to proceed.
Split custody of high-value assets:
Assets of high importance or value can be protected using various means of split custody.
For example, a password to an encryption key that protects a highly valued asset can be split into two halves, one half assigned to two persons and the other half assigned to two other persons, so that no single individual knows the entire password.
Banks do this for central vaults, where a vault combination is split into two or more pieces so that two or more people are required to open it.
Note that splitting a password literally into halves leaves each custodian knowing half of it, which greatly reduces the work needed to guess the rest; a secret-sharing scheme, in which each share on its own reveals nothing about the secret, gives the same two-person control without that weakness.
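The following is an added example, not code from the notes, of the split custody just described done with a threshold secret-sharing scheme (Shamir's) rather than literal halves: the secret becomes the constant term of a random polynomial over a prime field, each custodian receives one point on it, and any two of three custodians can reconstruct the vault combination while one alone learns nothing. The prime, the sample secret and the custodian names are assumptions chosen for the example; secrets longer than 15 bytes would have to be split in chunks.

```python
"""Split custody via threshold secret sharing (added example, not from the notes).

Shamir's scheme over GF(P). The prime and the sample secret are assumptions.
"""
import secrets

P = 2**127 - 1  # Mersenne prime; any secret of up to 15 bytes fits below it


def split_secret(secret: bytes, k: int, n: int):
    """Return n shares (x, y); any k of them recover `secret`."""
    s = int.from_bytes(secret, "big")
    if not (0 < k <= n) or s >= P:
        raise ValueError("bad threshold or secret too large for the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def combine_shares(shares, length: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With fewer than k shares the result is a random field element; it is
    encoded at full width so it cannot collide with the real secret."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s.to_bytes(max(length, (s.bit_length() + 7) // 8), "big")


def custodian_demo():
    """Two of three custodians can open the vault; one alone cannot."""
    combo = b"vault-combo-7"  # constructed sample secret
    a, b, c = split_secret(combo, k=2, n=3)
    return {
        "a+b": combine_shares([a, b], len(combo)) == combo,
        "a+c": combine_shares([a, c], len(combo)) == combo,
        "a_alone": combine_shares([a], len(combo)) == combo,
    }


if __name__ == "__main__":
    print(custodian_demo())
```

The threshold also handles the practical failure of split custody, a custodian who is unavailable: with a 2-of-3 split any two holders suffice, whereas two literal halves held by two people are lost the day one of them is.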
Workflow:
Applications that are workflow-enabled can use a second (or third) level of approval
before certain high-value or high-sensitivity activities can take place.
For example, a workflow application that is used to provision user accounts can include
extra management approval steps in requests for administrative privileges.
Periodic reviews:
IT or internal audit personnel can periodically review user access rights to identify
whether any segregation of duties issues exist.
The access privileges for each worker can be compared against a segregation of duties
control matrix.
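Two of the controls in this list can be made mechanical. The following is an added example, not the notes' own code, covering both the periodic review (every worker's effective privileges compared against a SoD control matrix) and transaction authorization (transactions over a limit need a second approver who is a different person from the initiator and who actually holds the approval privilege). The roles, privileges, matrix, users, limit and transactions are constructed for the example.

```python
"""Segregation-of-duties review and dual authorization (added example).

Roles, privileges, the SoD matrix, users and the approval limit are all
constructed for this example.
"""

ROLE_PRIVS = {
    "ap_clerk":   {"vendor.create", "payment.create"},
    "ap_manager": {"payment.approve"},
    "it_admin":   {"user.create", "user.grant_admin"},
    "auditor":    {"ledger.read"},
}

# SoD control matrix: privilege pairs that no single person may hold together.
SOD_MATRIX = [
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"payment.create", "payment.approve"}),
    frozenset({"user.create", "user.grant_admin"}),
]

USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},  # conflict: creates and approves payments
    "bob":   {"ap_clerk"},
    "carol": {"ap_manager"},
    "dave":  {"auditor"},
    "erin":  {"it_admin"},                # conflict inside a single role
}

APPROVAL_LIMIT = 10_000


def effective_privileges(user, user_roles=USER_ROLES, role_privs=ROLE_PRIVS):
    """Union of the privileges of every role the user holds."""
    return set().union(*(role_privs[r] for r in user_roles.get(user, ())))


def sod_conflicts(user_roles=USER_ROLES, role_privs=ROLE_PRIVS, matrix=SOD_MATRIX):
    """Periodic review: {user: [conflicting pairs]} for every user with a hit."""
    found = {}
    for user in sorted(user_roles):
        privs = effective_privileges(user, user_roles, role_privs)
        hits = [tuple(sorted(pair)) for pair in matrix if pair <= privs]
        if hits:
            found[user] = hits
    return found


def authorize_transaction(txn, approvers, limit=APPROVAL_LIMIT,
                          user_roles=USER_ROLES, role_privs=ROLE_PRIVS):
    """Return (allowed, reason). `txn` = {"initiator": ..., "amount": ...}."""
    initiator = txn["initiator"]
    if "payment.create" not in effective_privileges(initiator, user_roles, role_privs):
        return False, "initiator lacks payment.create"
    if txn["amount"] <= limit:
        return True, "within limit"
    for who in approvers:
        if who == initiator:
            continue  # self-approval never counts, whatever privileges the person holds
        if "payment.approve" in effective_privileges(who, user_roles, role_privs):
            return True, f"approved by {who}"
    return False, "needs approval by a distinct holder of payment.approve"


if __name__ == "__main__":
    print(sod_conflicts())
    print(authorize_transaction({"initiator": "bob", "amount": 15_000}, ["carol"]))
```

The two controls back each other up: the review catches alice holding both the create and approve privileges, and the authorization check refuses her as approver of her own transaction even before that review runs. In practice the matrix is usually kept per application and the "effective privileges" step is the hard part, since it has to resolve nested groups and privileges granted directly rather than through a role.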
When SOD issues are encountered during a segregation of duties review, management will
need to decide how to mitigate the matter.
The choices for mitigating a SOD issue include:
Management can reduce individual user privileges so that the conflict no longer exists.
If management has determined that the person(s) need to retain privileges that are
viewed as a conflict, then new preventive or detective controls need to be introduced
that will prevent or detect unwanted activities.
Examples of mitigating controls include increased logging to record the actions of
personnel, improved exception reporting to identify possible issues, reconciliations of
data sets, and external reviews of high-risk controls.

Information systems and its components iii

  • 2. Enterprise Information Systems Prepared By: Ashish Desai IPCC NEED FOR AUDIT OF INFORMATION SYSTEMS IS AUDIT AND AUDIT EVIDENCE INHERENT LIMITATIONS OF AUDIT CONCURRENT OR CONTINUOUS AUDIT AUDITING ENVIRONMENTAL CONTROLS AUDITING PHYSICAL SECURITY CONTROLS AUDITING LOGICAL ACCESS CONTROLS MANAGERIAL CONTROLS AND THEIR AUDIT TRAILS APPLICATION CONTROLS AND THEIR AUDIT TRAILS ROLES AND RESPONSIBILITIES INDIVIDUAL ROLES AND RESPONSIBILITIES JOB TITLES AND JOB DESCRIPTIONS SEGREGATION OF DUTIES CONTROLS SOME EXAMPLES OF SEGREGATION OF DUTIES CONTROLS
  • 3. Enterprise Information Systems 1 ashisdesai@gmail.com IS Auditing is defined as the process of attesting (indicating) objectives that focus on asset safeguarding, data integrity and management objectives (those of the internal auditor) that include effectiveness and efficiency both. This enables organizations to better achieve four major objectives that are as follows: NEED FOR AUDIT OF INFORMATION SYSTEMS Asset Safeguarding Objectives: The information system assets (hardware, software, data information etc.) must be protected by a system of internal controls from unauthorized access. Data Integrity Objectives: It is a fundamental attribute of IS Auditing. The importance to maintain integrity of data of an organization requires all the time. It is also important from the business perspective of the decision maker, competition and the market environment. System Effectiveness Objectives: Effectiveness of a system is evaluated by auditing the characteristics and objective of the system to meet business and user requirements. System Efficiency Objectives: To optimize the use of various information system resources (machine time, peripherals, system software and labor) along with the impact on its computing environment. NEED FOR AUDIT OF INFORMATION SYSTEMS Organizational Costs of Data Loss: Data is a critical resource of an organization for its present and future process and its ability to adapt and survive in a changing environment. Cost of Incorrect Decision Making: Management and operational controls taken by managers involve detection, investigations and correction of the processes. These high-level decisions require accurate data to make quality decision rules. Costs of Computer Abuse: Unauthorized access to computer systems, malwares, unauthorized physical access to computer facilities and unauthorized copies of sensitive data can lead to destruction of assets (hardware, software, data, information etc.) 
Value of Computer Hardware, Software and Personnel: These are critical resources of an organization, which has a credible impact on its infrastructure and business competitiveness.
  • 4. Enterprise Information Systems 2 ashisdesai@gmail.com High Costs of Computer Error: In a computerized enterprise environment where many critical business processes are performed, a data error during entry or process would cause great damage. Maintenance of Privacy: Today, data collected in a business process contains private information about an individual too. These data were also collected before computers but now, there is a fear that privacy has eroded beyond acceptable levels. Controlled evolution of computer Use: Use of Technology and reliability of complex computer systems cannot be guaranteed and the consequences of using unreliable systems can be destructive. IS AUDIT AND AUDIT EVIDENCE According to SA-230, Audit Documentation refers to the record of audit procedures performed, relevant audit evidence obtained, and conclusions the auditor reached (terms such as "working papers" or "work papers" are also sometimes used). Evidences are also necessary for the following purposes: Means of controlling current audit work; Evidence of audit work performed; Schedules supporting or additional item in the accounts; and Information about the business being audited, including the recent history. In IS environment, the critical issue is that evidences are not available in physical form, but are in electronic form. INHERENT LIMITATIONS OF AUDIT To be able to prepare proper report, auditor needs documented evidences. Following is list of actions that auditor needs to take to address the problems: Use of special audit techniques, referred to as Computer Assisted Audit Techniques, for documenting evidences. Elaborated under this part, later on. Audit timing can be so planned that auditor is able to validate transactions as they occur in system. 
As per (SA 200) "Overall Objectives of An Independent Auditor and Conduct of An Audit in Accordance With Standards of Auditing”, any opinion formed by the auditor is subject to inherent limitations of an audit, which include: The nature of financial reporting; The nature of audit procedures; The need for the audit to be conducted within a reasonable period of time and at a reasonable cost. The matter of difficulty, time, or cost involved is not in itself a valid basis for the auditor to omit an audit procedure. Fraud, particularly fraud involving senior management or collusion. The existence and completeness of related party relationships and transactions. The occurrence of non-compliance with laws and regulations.
• 5. CONCURRENT OR CONTINUOUS AUDIT
Today, organizations produce information on a real-time, online basis. Real-time recording needs real-time auditing to provide continuous assurance about the quality of the data. Continuous auditing enables auditors to significantly reduce, and perhaps eliminate, the time between the occurrence of the client's events and the auditor's assurance services thereon.
Errors in a computerized system are generated at high speed, and the cost to correct and rerun programs is high. If these errors can be detected and corrected at, or closest to, the point of their occurrence, their impact would be the least.
Continuous auditing techniques use two bases for collecting audit evidence. One is the use of embedded modules in the system to collect, process, and print audit evidence; the other is special audit records used to store the audit evidence collected.
Types of Audit Tools
Snapshots: Tracing a transaction in a computerized system can be performed with the help of snapshots or extended records. The snapshot software is built into the system at those points where material processing occurs and takes images of the flow of any transaction as it moves through the application. These images can be used to assess the authenticity, accuracy, and completeness of the processing carried out on the transaction.
Integrated Test Facility (ITF): The ITF technique involves the creation of a dummy entity in the application system files and the processing of audit test data against that entity as a means of verifying processing authenticity, accuracy, and completeness. In such cases the auditor has to decide the method to be used to enter test data and the methodology for removing the effects of the ITF transactions.
System Control Audit Review File (SCARF): The SCARF technique involves embedding audit software modules within a host application system to provide continuous monitoring of the system's transactions. The information collected is written onto a special audit file, the SCARF master file. Auditors then examine the information contained in this file to see if some aspect of the application system needs follow-up.
Continuous and Intermittent Simulation (CIS): This technique can be used to trap exceptions whenever the application system uses a database management system. During application system processing, CIS executes in the following way:
• 6. 1. The database management system reads an application system transaction and passes it to CIS.
2. CIS then determines whether it wants to examine the transaction further. If yes, the next steps are performed; otherwise it waits to receive further data from the database management system.
3. CIS replicates or simulates the application system processing.
4. Every update to the database that arises from processing the selected transaction is checked by CIS.
5. Exceptions identified by CIS are written to an exception log file.
The advantage of CIS is that it does not require modifications to the application system and yet provides an online auditing capability.
Audit Hooks: There are audit routines that flag suspicious transactions. For example, internal auditors at an insurance company determined that their policyholder system was vulnerable to fraud every time a policyholder changed his or her name or address and then subsequently withdrew funds from the policy. They devised (planned or developed) a system of audit hooks to tag records with a name or address change. The internal audit department then investigates these tagged records to detect fraud. When audit hooks are employed, auditors can be informed of questionable transactions as soon as they occur. This approach of real-time notification displays a message on the auditor's terminal.
Audit Trails: Audit trails are logs that can be designed to record activity at the system, application, and user level. When properly implemented, audit trails provide an important detective control that helps accomplish security policy objectives. An effective audit policy will capture all significant events without cluttering the log with trivial activity. Audit trail controls attempt to ensure that a chronological (sequential) record of all events that have occurred in a system is maintained. This record is needed to answer queries, fulfil statutory requirements, detect the consequences of error, and allow system monitoring and tuning. The accounting audit trail shows the source and nature of data and processes that update the database.
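The insurance-company audit hook described above, as an added example that is not code from the original notes: it scans a constructed policyholder transaction log, tags every withdrawal that follows a name or address change on the same policy within a window, and renders the exception lines an auditor's terminal would show. The event fields, the 30-day window and the sample events are assumptions.

```python
"""Audit hook: tag policyholder records where a name or address change is
followed by a withdrawal within a short window (added illustration; the event
layout, the 30-day window and the sample log are constructed assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    policy_id: str
    when: date
    kind: str    # e.g. "name_change", "address_change", "withdrawal"
    detail: str  # free text: new value, amount, etc.


# Constructed sample transaction log (not real policyholder data).
SAMPLE_EVENTS = [
    Event("P-1001", date(2024, 3, 1), "premium_payment", "500.00"),
    Event("P-1001", date(2024, 3, 4), "address_change", "12 New Lane"),
    Event("P-1001", date(2024, 3, 9), "withdrawal", "25000.00"),
    Event("P-1002", date(2024, 3, 2), "name_change", "J. Smith -> J. Smyth"),
    Event("P-1002", date(2024, 6, 20), "withdrawal", "1000.00"),      # outside window
    Event("P-1003", date(2024, 3, 5), "withdrawal", "200.00"),        # no prior change
    Event("P-1004", date(2024, 3, 6), "withdrawal", "800.00"),
    Event("P-1004", date(2024, 3, 7), "address_change", "9 Old Road"),  # change came after
]

# Event kinds that arm the hook for the policy they belong to.
CHANGE_KINDS = {"name_change", "address_change"}


def tag_records(events, window_days=30):
    """Return (policy_id, change_event, withdrawal_event) tuples for every
    withdrawal that follows a name/address change on the same policy within
    `window_days`. The hook only tags; it never blocks the transaction."""
    by_policy = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_policy.setdefault(ev.policy_id, []).append(ev)

    window = timedelta(days=window_days)
    tagged = []
    for policy_id, evs in by_policy.items():
        armed = []  # changes seen so far for this policy, in date order
        for ev in evs:
            if ev.kind in CHANGE_KINDS:
                armed.append(ev)
            elif ev.kind == "withdrawal":
                for change in armed:
                    if change.when <= ev.when <= change.when + window:
                        tagged.append((policy_id, change, ev))
                        break  # one tag per withdrawal is enough for follow-up
    return tagged


def exception_log_lines(tagged):
    """Render tagged records as the lines written to the exception log /
    shown on the auditor's terminal."""
    return [
        f"{p} {w.when.isoformat()} withdrawal {w.detail} "
        f"follows {c.kind} on {c.when.isoformat()}"
        for p, c, w in tagged
    ]


if __name__ == "__main__":
    for line in exception_log_lines(tag_records(SAMPLE_EVENTS)):
        print(line)
```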
• 7. Application system controls involve ensuring that individual application systems safeguard assets (reducing expected losses), maintain data integrity (ensuring complete, accurate and authorized data) and achieve objectives effectively and efficiently from the perspective of users of the system, both within and outside the organization.
AUDIT TRAIL OBJECTIVES:
Audit trails can be used to support security objectives in three ways: detecting unauthorized access to the system, facilitating the reconstruction of events, and promoting personal accountability.
A. Each of these is described below:
1. Detecting Unauthorized Access
Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls. A real-time audit trail can also be used to report on changes in system performance that may indicate infestation by a virus or worm. After-the-fact detection logs can be stored electronically and reviewed periodically or as needed. When properly designed, they can be used to determine if unauthorized access was accomplished, or attempted and failed.
2. Reconstructing Events
Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals, or application processing errors. Audit trail analysis also plays an important role in accounting control. For example, by maintaining a record of all changes to account balances, the audit trail can be used to reconstruct accounting data files that were corrupted by a system failure.
3. Personal Accountability
Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a preventive control that can be used to influence behaviour. Individuals are less likely to violate an organization's security policy if they know that their actions are recorded in an audit log.
B. Implementing an Audit Trail:
The information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application errors, abuse of authority, or unauthorized access by outside intruders. Logs also provide valuable evidence for assessing both the adequacy of controls in place and the need for additional controls. Audit logs, however, can generate data in overwhelming detail. Important information can easily get lost among the superfluous detail of daily operation. Thus, poorly designed logs can actually be dysfunctional.
• 8. AUDITING ENVIRONMENTAL CONTROLS
Role of Auditor in Auditing Environmental Controls:
The attack on the World Trade Centre created a worldwide alert, bringing focus on business continuity planning and environmental controls. The IS auditor should be satisfied not only with the effectiveness of various technical controls but also with the overall controls safeguarding the business against environmental risks. Some of the critical audit considerations that an IS auditor should keep in mind while conducting his/her audit are given below:
Audit of Environmental Controls:
Audit of environmental controls requires the IS auditor to conduct physical inspections and observe practices. The IS auditor needs to be able to determine if such controls are effective and if they are cost-effective. Auditing environmental controls requires attention to these and other factors and activities, including:
- The IS auditor should determine how frequently power conditioning equipment, such as UPS, line conditioners, surge protectors, or motor generators, is used, inspected and maintained, and if this is performed by qualified personnel.
- The IS auditor should determine if backup power is available via electric generators or UPS and how frequently they are tested. He or she should examine maintenance records to see how frequently these components are maintained and if this is done by qualified personnel.
- The IS auditor should determine if HVAC systems are providing adequate temperature and humidity levels, and if they are monitored. Also, the auditor should determine if HVAC systems are properly maintained and if qualified persons do this.
- The IS auditor should determine if any water detectors are used in rooms where computers are used. He or she should determine how frequently these are tested and if they are monitored.
- The IS auditor should determine if fire detection equipment is adequate, if staff members understand its function, and if it is tested.
• 9. - The IS auditor should determine how frequently fire suppression systems are inspected and tested, and if the organization has emergency evacuation plans and conducts fire drills.
- The IS auditor should examine data centers to see how clean they are. IT equipment air filters and the inside of some IT components should be examined to see if there is an accumulation of dust and dirt.
AUDITING PHYSICAL SECURITY CONTROLS
Role of IS Auditor in Auditing Physical Access Controls
Auditing physical access requires the auditor to review the physical access risks and controls to form an opinion on the effectiveness of the physical access controls. This involves the following:
- The auditor must be satisfied that the risk assessment procedure adequately covers periodic and timely assessment of all assets, physical access threats, vulnerabilities of safeguards, and the exposures arising from them.
- Based on the risk profile, the auditor evaluates whether the physical access controls are in place and adequate to protect the IS assets against the risks. This requires examination of relevant documentation such as the security policy and procedures, premises plans, building plans, inventory lists and cabling diagrams.
Audit of Physical Access Controls:
Proximity to hazards: The IS auditor should estimate the building's distance from natural and manmade hazards, such as dams; rivers and lakes; natural gas and petroleum pipelines; earthquake faults; areas prone to landslides; and weather such as hurricanes, cyclones, and tornadoes. The IS auditor should determine if any risk assessment regarding hazards has been performed and if any compensating controls that were recommended have been carried out.
Marking: The IS auditor should inspect the building and surrounding area to see if the building(s) containing information processing equipment identify the organization. Marking may be visible on the building itself, but also on signs or parking stickers on vehicles.
• 10. Fences, walls, and barriers: This includes fencing, walls, barbed/razor wire, bollards, and crash gates. The IS auditor needs to understand how these are used to control access to the facility and determine their effectiveness.
Surveillance: The IS auditor needs to understand how video and human surveillance are used to control and monitor access. He or she needs to understand how (and if) video is recorded and reviewed, and if it is effective in preventing or detecting incidents.
Guards and dogs: The IS auditor needs to understand the use and effectiveness of security guards and guard dogs. Processes, policies, procedures, and records should be examined to understand the required activities and how they are carried out.
Key-card systems: The IS auditor needs to understand how key-card systems are used to control access to the facility. Some points to consider include: work zones (whether the facility is divided into security zones and which persons are permitted to access which zones); whether key-card systems record personnel movement; what processes and procedures are used to issue key-cards to employees; etc.
AUDITING LOGICAL ACCESS CONTROLS
1) Role of IS Auditor in Auditing Logical Access Controls
Auditing logical access controls will require considerable effort and may require the use of investigative and technical tools, as well as specialized experts on IT network architecture. The IS auditor should request network architecture and access documentation to compare what was discovered independently against the existing documentation. The auditor will need to determine why any discrepancies exist.
2) Audit of Logical Access Controls
a) Auditing User Access Controls
Authentication: The auditor should examine network and system resources to determine if they require authentication, or whether any resources can be accessed without first authenticating.
• 11. Access violations: These usually exist in the form of system logs showing invalid login attempts, which may indicate intruders who are trying to log in to employee user accounts.
User account lockout: The auditor should determine if systems and networks can automatically lock user accounts that are the target of attacks. A typical system configuration is one that will lock a user account after five unsuccessful login attempts within a short period.
Intrusion detection and prevention: The auditor should determine if there are any IDSs or IPSs that would detect authentication-bypass attempts. The auditor should examine these systems to see whether they have up-to-date configurations and signatures, whether they generate alerts, and whether the recipients of alerts act upon them.
Dormant accounts: Dormant accounts are user (or system) accounts that exist but are unused. These accounts represent a risk to the environment, as they represent an additional path between intruders and valuable or sensitive data.
Shared accounts: The IS auditor should determine if there are any shared user accounts; these are user accounts that are routinely (or even infrequently) used by more than one person. The principal risk with shared accounts is the inability to determine accountability for actions performed with the account.
System accounts: The IS auditor should identify all system-level accounts on networks, systems, and applications. The purpose of each system account should be identified, and it should be determined if each system account is still required (some may be artefacts of the initial implementation or of an upgrade or migration). The IS auditor should determine who has the password for each system account, whether accesses by system accounts are logged, and who monitors those logs.
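An added example (not from the original notes) of reviewing access-violation logs for the lockout condition described above: it parses constructed log lines and reports each account that reaches five failed logins within a sliding window, which is the event a lockout counter would trigger on. The log line format, the ten-minute window, the reset-on-success rule and the sample lines are assumptions.

```python
"""Review of access-violation logs: which accounts reached the lockout
threshold (five failed logins within a short period)? Added illustration;
the log format, window and sample lines are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line layout: "<ISO timestamp> login OK|FAILED user=<name> src=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (not from a real system). alice: five failures in
# 25 seconds, then success. bob: five failures spread over eight hours.
SAMPLE_LOG = """\
2024-03-09T10:00:01 login FAILED user=alice src=10.0.0.5
2024-03-09T10:00:07 login FAILED user=alice src=10.0.0.5
2024-03-09T10:00:13 login FAILED user=alice src=10.0.0.5
2024-03-09T10:00:20 login FAILED user=alice src=10.0.0.5
2024-03-09T10:00:26 login FAILED user=alice src=10.0.0.5
2024-03-09T10:00:31 login OK user=alice src=10.0.0.5
2024-03-09T09:00:00 login FAILED user=bob src=10.0.0.9
2024-03-09T11:00:00 login FAILED user=bob src=10.0.0.9
2024-03-09T13:00:00 login FAILED user=bob src=10.0.0.9
2024-03-09T15:00:00 login FAILED user=bob src=10.0.0.9
2024-03-09T17:00:00 login FAILED user=bob src=10.0.0.9
2024-03-09T12:30:00 login OK user=carol src=10.0.0.7
"""


def parse_log(text):
    """Parse log text into (timestamp, result, user, src) tuples; lines that
    do not match the expected layout are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(
                (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])
            )
    return records


def lockout_candidates(records, threshold=5, window_minutes=10):
    """Return {user: timestamp} for the moment each user's failed logins first
    reach `threshold` within a sliding window of `window_minutes`.
    Assumption: a successful login resets the counter, as most lockout
    implementations do; events are processed in timestamp order."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    hits = {}
    for ts, result, user, _src in sorted(records, key=lambda r: r[0]):
        recent = failures[user]
        if result == "OK":
            recent.clear()
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) >= threshold and user not in hits:
            hits[user] = ts
    return hits


if __name__ == "__main__":
    for user, when in lockout_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: lockout threshold reached at {when.isoformat()}")
```

With the ten-minute window only alice is reported; bob's slow, spaced-out failures never accumulate, which is exactly the pattern a lockout counter alone will not catch and the log review must look for separately.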
b) Auditing Password Management:
Password standards: The IS auditor needs to examine password configuration settings on information systems to determine how passwords are controlled.
• 12. Some of the areas requiring examination are: how many characters a password must have and whether there is a maximum length; how frequently passwords must be changed; whether former passwords may be used again; whether the password is displayed when logging in or when creating a new password; etc.
c) Auditing User Access Provisioning:
Access request processes: The IS auditor should identify all user access request processes and determine if these processes are used consistently throughout the organization.
Access approvals: The IS auditor needs to determine how requests are approved and by what authority they are approved. The auditor should determine if system or data owners approve access requests, or if any accesses are ever denied.
New employee provisioning: The IS auditor should examine the new employee provisioning process to see how a new employee's user accounts are initially set up. The auditor should determine if new employees' managers are aware of the access requests that their employees are given and if they are excessive.
Segregation of Duties (SOD): The IS auditor should determine if the organization makes any effort to identify segregation of duties. This may include whether any SOD matrices exist and if they are actively used to make user access request decisions.
Access reviews: The IS auditor should determine if there are any periodic access reviews and what aspects of user accounts are reviewed; this may include termination reviews, internal transfer reviews, SOD reviews, and dormant account reviews.
d) Auditing Employee Terminations:
Termination process: The IS auditor should examine the employee termination process and determine its effectiveness. This examination should include understanding how terminations are performed and how user account management personnel are notified of terminations.
Access reviews: The IS auditor should determine if any internal reviews of terminated accounts are performed, which would indicate a pattern of concern for effectiveness in this important activity.
• 13. If such reviews are performed, the auditor should determine if any missed terminations are identified and if any process improvements are undertaken.
Contractor access and terminations: The IS auditor needs to determine how contractor access and termination is managed and if such management is effective.
Access log contents: The IS auditor needs to determine what events are recorded in access logs.
Centralized access logs: The IS auditor should determine if the organization's access logs are aggregated or if they are stored on individual systems.
Access log protection: The auditor needs to determine if access logs can be altered, destroyed, or attacked to cause the system to stop logging events. For especially high-value and high-sensitivity environments, the IS auditor needs to determine if logs should be written to optical WORM (write once, read many) media.
Access log review: The IS auditor needs to determine if there are policies, processes, or procedures regarding access log review. The auditor should determine if access log reviews take place, who performs them, how issues requiring attention are identified, and what actions are taken when necessary.
Access log retention: The IS auditor should determine how long access logs are retained by the organization and if they are backed up.
Investigation policies and procedures: The IS auditor should determine if there are any policies or procedures regarding security investigations. This would include who is responsible for performing investigations, where information about investigations is stored, and to whom the results of investigations are reported.
Computer crime investigations: The IS auditor should determine if there are policies, processes, procedures, and records regarding computer crime investigations. The IS auditor should understand how internal investigations are transitioned to law enforcement.
• 14. Computer forensics: The IS auditor should determine if there are procedures for conducting computer forensics. The auditor should also identify the tools and techniques that are available to the organization for the acquisition and custody of forensic data. The auditor should identify whether any employees in the organization have received computer forensics training and are qualified to perform forensic investigations.
Search engines: Google, Yahoo!, and other search engines should be consulted to see what information about the organization is available. Searches should include the names of company officers and management, key technologists, and any internal-only nomenclature such as the names of projects.
Social networking sites: Social networking sites such as Facebook, LinkedIn, Myspace, and Twitter should be searched to see what employees, former employees, and others are saying about the organization. Any authorized or unauthorized "fan pages" should be searched as well.
Online sales sites: Sites such as Craigslist and eBay should be searched to see if anything related to the organization is being sold online.
Domain names: The IS auditor should verify contact information for known domain names, as well as related domain names. For instance, for the organization mycompany.com, the organization should search for domain names such as mycompany.net, mycompany.info, and mycompany.biz to see if they are registered and what content is available.
Justification of Online Presence: The IS auditor should examine business records to determine on what basis the organization established online capabilities such as e-mail, Internet-facing web sites, Internet e-commerce, Internet access for employees, and so on. These services add risk to the business and consume resources. The auditor should determine if a viable business case exists to support these services or if they exist as a "benefit" for employees.
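An added example, not from the original notes, of the periodic access review described under user access provisioning and employee terminations above: it checks constructed account records against a SOD matrix, a dormancy threshold and an HR roster of terminations, and separates "account not yet removed" from "account used after termination". The role names, the 90-day threshold, the review date and all records are assumptions.

```python
"""Periodic user access review: SOD conflicts, dormant accounts and missed
terminations. Added illustration; the SOD matrix, HR roster, review date,
dormancy threshold and account records are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    user: str
    roles: frozenset
    last_login: Optional[date]  # None = the account has never been used
    shared: bool = False


# Constructed SOD matrix: pairs of roles that one person must not hold together.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "approve_journal"}),
    frozenset({"develop_code", "deploy_production"}),
}

# Constructed HR roster: person -> termination date (None while employed).
HR_ROSTER = {"alice": None, "bob": date(2024, 1, 31), "carol": None, "dave": None}

REVIEW_DATE = date(2024, 3, 31)

# Constructed account extract as of the review date.
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"create_vendor", "approve_payment"}), date(2024, 3, 30)),
    Account("bob", frozenset({"enter_journal"}), date(2024, 2, 15)),         # left 31 Jan
    Account("carol", frozenset({"develop_code"}), date(2023, 11, 2)),        # unused
    Account("dave", frozenset({"approve_journal"}), None),                   # never used
    Account("svc_batch", frozenset({"deploy_production"}), date(2024, 3, 31), shared=True),
]


def sod_violations(accounts, conflicts=SOD_CONFLICTS):
    """Users whose role set contains a conflicting pair from the SOD matrix."""
    found = []
    for acct in accounts:
        for pair in conflicts:
            if pair <= acct.roles:  # both roles of the pair held by one account
                found.append((acct.user, tuple(sorted(pair))))
    return found


def dormant_accounts(accounts, as_of=REVIEW_DATE, days=90):
    """Accounts not used for `days` or more; never-used accounts count too."""
    cutoff = as_of - timedelta(days=days)
    return [a.user for a in accounts if a.last_login is None or a.last_login < cutoff]


def missed_terminations(accounts, roster=HR_ROSTER, as_of=REVIEW_DATE):
    """(stale, unknown): accounts still present for people HR shows as
    terminated, and accounts with no HR record at all, which the review must
    explain as system or shared accounts with a named owner."""
    stale, unknown = [], []
    for a in accounts:
        if a.user not in roster:
            unknown.append(a.user)
        elif roster[a.user] is not None and roster[a.user] <= as_of:
            stale.append(a.user)
    return stale, unknown


def access_after_termination(accounts, roster=HR_ROSTER):
    """Terminated people whose account was used after the termination date:
    evidence that the termination process itself failed, not just cleanup."""
    return [
        a.user
        for a in accounts
        if roster.get(a.user) is not None
        and a.last_login is not None
        and a.last_login > roster[a.user]
    ]


if __name__ == "__main__":
    print("SOD violations:", sod_violations(SAMPLE_ACCOUNTS))
    print("Dormant:", dormant_accounts(SAMPLE_ACCOUNTS))
    print("Missed terminations / no HR record:", missed_terminations(SAMPLE_ACCOUNTS))
    print("Used after termination:", access_after_termination(SAMPLE_ACCOUNTS))
```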
• 15. MANAGERIAL CONTROLS AND THEIR AUDIT TRAILS
1) Top Management and Information Systems Management Controls
Auditors need to evaluate whether top management has formulated a high-quality information systems plan or not. A poor-quality information system is ineffective and inefficient, leading to the loss of the organization's competitive position within the marketplace.
Auditors should be concerned about how well top management acquires and manages staff resources for three reasons:
1. The effectiveness of the IS function depends primarily on the quality of its staff. The IS staff need to remain up to date and motivated in their jobs.
2. Intense competition and high turnover have made acquiring and retaining good information systems staff a complex activity.
3. Empirical (observed) research indicates that the employees of an organization are the most likely persons to perpetrate (execute) irregularities.
Generally, auditors examine variables that often indicate when motivation problems exist or suggest poor leadership, for example staff turnover statistics, frequent failure of projects to meet their budget, and absenteeism levels, in order to evaluate the leading function.
Auditors may use both formal and informal sources of evidence to evaluate how well top managers communicate with their staff. The formal sources include IS plans, documented standards and policies. Informal sources of evidence include interviews with IS staff about their level of satisfaction with top management.
Auditors should focus on the subset of the control activities that should be performed by top management, namely those aimed at ensuring that the information systems function accomplishes its objectives at a global level.
Auditors must evaluate whether top management's choice of the means of control over the users of IS services is likely to be effective or not.
• 16. 2) System Development Management Controls
Types of Audit and their Specification:
Concurrent Audit: Auditors are members of the system development team. They assist the team in improving the quality of systems development for the specific system they are building and implementing.
Post-implementation Audit: Auditors seek to help an organization learn from its experiences in the development of a specific application system. In addition, they might be evaluating whether the system needs to be scrapped, continued, or modified in some way.
General Audit: Auditors evaluate systems development controls overall. They seek to determine whether they can reduce the extent of substantive testing needed to form an audit opinion about management's assertions relating to the financial statements and systems effectiveness and efficiency.
3) Programming Management Controls
System Development Phases and Related Controls:
Planning: Auditors should evaluate whether the nature and extent of planning are appropriate to the different types of software that are developed or acquired. They must evaluate how well the planning work is being undertaken.
Control: Auditors must gather evidence on whether the control procedures are operating reliably. For example, they might first choose a sample of past and current software development and acquisition projects carried out at different locations in the organization they are auditing.
Design: Auditors should find out whether programmers use some type of systematic approach to design. Auditors can obtain evidence of the design practices used by undertaking interviews, observations, and reviews of documentation.
Coding: Auditors should seek evidence:
- on the level of care exercised by programming management in choosing a module implementation and integration strategy;
- to determine whether programming management ensures that programmers follow structured programming conventions; and
• 17. - to check whether programmers employ automated facilities to assist them with their coding work.
Testing: Auditors can use interviews, observations, and examination of documentation to evaluate how well unit testing is conducted. Auditors are most likely concerned primarily with the quality of integration testing work carried out by information systems professionals rather than end users. The auditor's primary concern is to see that whole-of-program tests have been undertaken for all material programs and that these tests have been well designed and executed.
Operation and Maintenance: Auditors need to ensure that effective and timely reporting of maintenance needs occurs and that maintenance is carried out in a well-controlled manner. Auditors should ensure that management has implemented a review system and assigned responsibility for monitoring the status of operational programs.
4) Data Resource Management Controls
5) Quality Assurance Management Controls
Auditors might evaluate how well QA personnel make recommendations for improved standards or processes through interviews, observations, and reviews of documentation. Auditors can evaluate how well QA personnel undertake the reporting function and training through interviews, observations, and reviews of documentation.
6) Security Management Controls
- Auditors must evaluate whether security administrators are conducting ongoing, high-quality security reviews or not;
- Auditors check whether the organizations audited have an appropriate, high-quality disaster recovery plan in place; and
- Auditors check whether the organizations have opted for an appropriate insurance plan or not.
• 18. 7) Operations Management Controls
Auditors should pay attention to whether the documentation is maintained securely and is issued only to authorized personnel. Auditors can use interviews, observations, and reviews of documentation to evaluate:
- the activities of documentation librarians;
- how well operations management undertakes the capacity planning and performance monitoring function;
- the reliability of outsourcing vendor controls;
- whether operations management is monitoring compliance with the outsourcing contract; and
- whether operations management regularly assesses the financial viability of any outsourcing vendors that the organization uses.
APPLICATION CONTROLS AND THEIR AUDIT TRAILS
Two kinds of audit trail are maintained for each application subsystem:
- An Accounting Audit Trail, to maintain a record of events within the subsystem; and
- An Operations Audit Trail, to maintain a record of the resource consumption associated with each event in the subsystem.
1) Boundary Control
This maintains the chronology of events that occur when a user attempts to gain access to and employ system resources.
Accounting Audit Trail: identity of the would-be user of the system; authentication information supplied; resources requested; action privileges requested; terminal identifier; start and finish time; number of sign-on attempts; resources provided/denied; and action privileges allowed/denied.
Operations Audit Trail: resource usage from log-on to log-out time; and log of resource consumption.
2) Input Control
This maintains the chronology of events from the time data and instructions are captured and entered into an application system until the time they are deemed valid and passed on to other subsystems within the application system.
• 19. Accounting Audit Trail: the identity of the person (organization) who was the source of the data; the identity of the person (organization) who entered the data into the system; the time and date when the data was captured; the identifier of the physical device used to enter the data into the system; the account or record to be updated by the transaction; the standing data to be updated by the transaction; the details of the transaction; and the number of the physical or logical batch to which the transaction belongs.
Operations Audit Trail: time to key in a source document or an instrument at a terminal; number of read errors made by an optical scanning device; number of keying errors identified during verification; frequency with which an instruction in a command language is used; and time taken to invoke an instruction using a light pen versus a mouse.
3) Communication Control
This maintains a chronology of the events from the time a sender dispatches a message to the time a receiver obtains the message.
Accounting Audit Trail: unique identifier of the source/sink node; unique identifier of each node in the network that the message traverses; unique identifier of the person or process authorizing dispatch of the message; time and date at which the message was dispatched; time and date at which the message was received by the sink node; time and date at which each node in the network was traversed by the message; message sequence number; and the image of the message received at each node traversed in the network.
Operations Audit Trail: number of messages that have traversed each link and each node; queue lengths at each node; number of errors occurring on each link or at each node; number of retransmissions that have occurred across each link; log of errors to identify locations and patterns of errors; log of system restarts; and message transit times between nodes and at nodes.
4) Processing Control
The audit trail maintains the chronology of events from the time data is received from the input or communication subsystem to the time data is dispatched to the database, communication, or output subsystems.
• 20. Accounting Audit Trail: to trace and replicate the processing performed on a data item; and triggered transactions to monitor input data entry, intermediate results and output data values.
Operations Audit Trail: a comprehensive log of hardware consumption (CPU time used, secondary storage space used, and communication facilities used); and a comprehensive log of software consumption (compilers used, subroutine libraries used, file management facilities used, and communication software used).
5) Database Control
The audit trail maintains the chronology of events that occur either to the database definition or to the database itself.
Accounting Audit Trail: to attach a unique time stamp to all transactions; to attach before-images and after-images of the data item on which a transaction is applied to the audit trail; and any modifications or corrections to audit trail transactions accommodating the changes that occur within an application system.
Operations Audit Trail: to maintain a chronology of resource consumption events that affect the database definition or the database.
6) Output Control
The audit trail maintains the chronology of events that occur from the time the content of the output is determined until the time users complete their disposal of the output because it no longer should be retained.
Accounting Audit Trail: what output was presented to users; who received the output; when the output was received; and what actions were taken with the output.
Operations Audit Trail: to maintain the record of resources consumed (graphs, images, report pages, printing time and display rate) to produce the various outputs.
The structure of an organization is called an organization chart (org chart). In most organizations, the organization chart is a living structure that changes frequently, based upon several conditions including the following:
SHORT- AND LONG-TERM OBJECTIVES: Organizations sometimes move departments from one executive to another so that departments that were once far from each other (in terms of the org chart structure) will be near each other. These organizational changes are usually performed to help an organization meet new objectives that require new partnerships and teamwork that were less important before.
Changes in market positions can cause an organization to realign its internal structure in order to strengthen itself. For example, if a competitor lowers its prices based on a new sourcing strategy, an organization may need to respond by changing its organizational structure to put experienced executives in charge of specific activities.
New regulations may induce an organization to change its organizational structure.
When someone leaves the organization (or moves to another position within the organization), particularly in positions of leadership, a space opens in the org chart that often cannot be filled right away. Instead, senior management will temporarily change the structure of the organization by moving the leaderless department under the control of someone else. Often, the decisions of how to change the organization will depend upon the talent and experience of existing leaders, in addition to each leader's workload and other factors.
ROLES AND RESPONSIBILITIES
This encompasses positions and relationships on the organization chart, it defines specific job titles and duties, and it denotes generic expectations and responsibilities regarding the use and protection of assets.
INDIVIDUAL ROLES AND RESPONSIBILITIES
EXECUTIVE MANAGEMENT: The most senior managers and executives in an organization are responsible for developing the organization's mission, objectives, and goals, as well as policy. Executives are responsible for enacting security policy, which defines (among other things) the protection of assets.
OWNER: An owner is an individual (usually but not necessarily a manager) who is the designated owner-steward of an asset. Depending upon the organization's security policy, an owner may be responsible for the maintenance and integrity of the asset, as well as for deciding who is permitted to access the asset. If the asset is information, the owner may be responsible for determining who may access and make changes to the information.
MANAGER: A manager is, in the general sense, responsible for obtaining policies and procedures and making them available to their staff members. They should also, to some extent, be responsible for their staff members' behaviour.
USER: Users are individuals (at any level of the organization) who use assets in the performance of their job duties.
Each user is responsible for how he or she uses the asset, and for not permitting others to access the asset in his or her name. Users are responsible for performing their duties lawfully and for conforming to organization policies.
JOB TITLES AND JOB DESCRIPTIONS
A Job Title is a label that is assigned to a job description. It denotes a position in the organization that has a given set of responsibilities, and which requires a certain level and focus of education and prior experience. Job titles in IT have matured and are quite consistent across organizations. This consistency helps organizations in several ways:
Recruiting: When the organization needs to find someone to fill an open position, the use of standard job titles will help prospective candidates more easily find positions that match their criteria.
Compensation baselining: Because of the chronic shortage of talented IT workers, organizations are forced to be more competitive when trying to attract new workers. To remain competitive, many organizations periodically undertake a regional compensation analysis to better understand the levels of compensation paid to IT workers in other organizations. The use of standard job titles makes the task of comparing compensation far easier.
Career advancement: When an organization uses job titles that are consistent in the industry, IT workers have a better understanding of the functions of positions within their own organizations and can more easily plan how they can advance.
The remainder of this section includes many IT job titles with a short description (not a full job description by any measure) of the function of that position. Virtually all organizations also include titles that denote the level of experience, leadership, or span of control in an organization.
These titles may include executive vice president, senior vice president, vice president, senior director, director, general manager, senior manager, manager and supervisor. Larger organizations will use more of these, and possibly additional titles such as district manager, group manager, or area manager.
A. Executive Management
Executive managers are the chief leaders and policymakers in an organization. They set objectives and work directly with the organization's most senior management to help make decisions affecting the future strategy of the organization.
- This is the title of the topmost leader in a larger IT organization.
- This position is usually responsible for an organization's overall technology strategy. Depending upon the purpose of the organization, this position may be separate from IT.
- This position is responsible for all aspects of security, including information security, physical security, and possibly executive protection (protecting the safety of senior executives).
- This position is responsible for all aspects of data-related security. This usually includes incident management, disaster recovery, vulnerability management, and compliance.
- This position is responsible for the protection and use of personal information. This position is found in organizations that collect and store sensitive information for large numbers of persons.
B. Software Development
- This position is usually responsible for the overall information systems architecture in the organization. This may or may not include overall data architecture as well as interfaces to external organizations.
- A systems analyst is involved with the design of applications, including changes in an application's original design. This position may develop technical requirements, program design, and software test plans. In cases where organizations license applications developed by other companies, systems analysts design interfaces to other applications.
- This position develops application software. Depending upon the level of experience, persons in this position may also design programs or applications. In organizations that utilize purchased application software, developers often create custom interfaces, application customizations, and custom reports.
- This position tests changes in programs made by software developers.
C. Data Management
- This position develops logical and physical designs of data models for applications. With sufficient experience, this person may also design an organization's overall data architecture.
- This position builds and maintains databases designed by the database architect and those databases that are included as a part of purchased applications. The DBA monitors databases, tunes them for performance and efficiency, and troubleshoots problems.
- This position performs tasks that are junior to the database administrator, carrying out routine data maintenance and monitoring tasks.
D. Network Management
- This position designs data and (increasingly) voice networks and designs changes and upgrades to the network as needed to meet new organization objectives.
- This position builds and maintains network devices such as routers, switches, firewalls, and gateways.
- This position performs routine tasks in the network such as making minor configuration changes and monitoring event logs.
E. Systems Management
- This position is responsible for the overall architecture of systems (usually servers), both in terms of the internal architecture of a system, as well as the relationship between systems.
  This position is usually also responsible for the design of services such as authentication, e-mail, and time synchronization.
- This position is responsible for designing, building, and maintaining servers and server operating systems.
- This position is responsible for designing, building, and maintaining storage subsystems.
- This position is responsible for performing maintenance and configuration operations on systems.
F. General Operations
- This position is responsible for overall operations that are carried out by others. Responsibilities will include establishing operations shift schedules.
- This position may be responsible for the development of operational procedures; examining the health of networks, systems, and databases; setting and monitoring the operations schedule; and maintaining operations records.
- This position is responsible for monitoring batch jobs, data entry work, and other tasks to make sure that they are operating correctly.
- This position is responsible for monitoring systems and networks, performing backup tasks, running batch jobs, printing reports, and other operational tasks.
- This position is responsible for keying batches of data from hard copy sources.
- This position is responsible for maintaining and tracking the use and whereabouts of backup tapes and other media.
G. Security Operations
- This position is responsible for the design of security controls and systems such as authentication, audit logging, intrusion detection systems, intrusion prevention systems, and firewalls.
- This position is responsible for designing, building, and maintaining security services and systems that are designed by the security architect.
- This position is responsible for examining logs from firewalls, intrusion detection systems, and audit logs from systems and applications. This position may also be responsible for issuing security advisories to others in IT.
- This position is responsible for accepting approved requests for user access management changes and performing the necessary changes at the network, system, database, or application level. Often this position is carried out by personnel in network and systems management functions; only in larger organizations is user account management performed in security or even in a separate user access department.
H. Service Desk
- This position is responsible for providing front-line user support services to personnel in the organization.
- This position is responsible for providing technical support services to other IT personnel, and perhaps also to IT customers.
Information systems often process large volumes of information that is sometimes highly valuable or sensitive. Measures need to be taken in IT organizations to ensure that individuals do not possess sufficient privileges to carry out potentially harmful actions on their own. The concept of Segregation of Duties (SOD), also known as separation of duties, ensures that single individuals do not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data.
SEGREGATION OF DUTIES CONTROLS
Preventive and detective controls should be put into place to manage segregation of duties matters. In most organizations, both the preventive and detective controls will be manual, particularly when it comes to unwanted combinations of access between different applications. However, in some transaction-related situations, controls can be automated, although they may still require intervention by others.
SOME EXAMPLES OF SEGREGATION OF DUTIES CONTROLS
Transaction Authorization: Information systems can be programmed or configured to require two (or more) persons to approve certain transactions. Many of us see this in retail establishments where a manager is required to approve a large transaction or a refund. In IT applications, transactions meeting certain criteria (for example, exceeding normally accepted limits or conditions) may require a manager's approval to be able to proceed.
Split custody of high-value assets: Assets of high importance or value can be protected using various means of split custody. For example, a password to an encryption key that protects a highly-valued asset can be split in two halves, one half assigned to two persons, and the other half assigned to two persons, so that no single individual knows the entire password. Banks do this for central vaults, where a vault combination is split into two or more pieces so that two or more are required to open it.
Workflow: Applications that are workflow-enabled can use a second (or third) level of approval before certain high-value or high-sensitivity activities can take place. For example, a workflow application that is used to provision user accounts can include extra management approval steps in requests for administrative privileges.
Periodic reviews: IT or internal audit personnel can periodically review user access rights to identify whether any segregation of duties issues exist. The access privileges for each worker can be compared against a segregation of duties control matrix.
When SOD issues are encountered during a segregation of duties review, management will need to decide how to mitigate the matter. The choices for mitigating a SOD issue include:
- Management can reduce individual user privileges so that the conflict no longer exists.
- If management has determined that the person(s) need to retain privileges that are viewed as a conflict, then new preventive or detective controls need to be introduced that will prevent or detect unwanted activities.
Examples of mitigating controls include increased logging to record the actions of personnel, improved exception reporting to identify possible issues, reconciliations of data sets, and external reviews of high-risk controls.
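The periodic review described above (comparing each worker's access privileges against a segregation of duties control matrix, then deciding per conflict between reducing privileges and accepting it with a mitigating control) can be carried out in code. This is an added Python example, not from the notes or any product; the control matrix, privilege names, workers and recorded mitigations are all constructed.

```python
"""Added example (not part of the original notes): a periodic segregation-of-duties
review. Each worker's access privileges are compared against a SoD control matrix
of privilege pairs that one person must not hold together; every conflict is
reported together with whether management has a mitigating control on record for
that exact conflict. The matrix, privileges, workers and controls are constructed."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

# Constructed SoD control matrix: each entry is a pair of privileges that conflict.
SOD_MATRIX: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "approve_journal"}),
    frozenset({"develop_code", "deploy_to_production"}),
    frozenset({"manage_user_accounts", "review_access_logs"}),
}

def find_sod_conflicts(privileges: Set[str]) -> List[FrozenSet[str]]:
    """Return every conflicting privilege pair present in one worker's access rights."""
    pairs = (frozenset(p) for p in combinations(sorted(privileges), 2))
    return sorted((p for p in pairs if p in SOD_MATRIX), key=sorted)

def review_access(workers: Dict[str, Set[str]],
                  mitigations: Dict[str, Set[FrozenSet[str]]]) -> Dict[str, List[str]]:
    """Periodic SoD review. Workers with no conflict are omitted; a conflict is flagged
    as unmitigated unless management has accepted it and recorded a mitigating control
    (increased logging, exception reporting, reconciliation or external review)."""
    findings: Dict[str, List[str]] = {}
    for worker, privileges in sorted(workers.items()):
        for conflict in find_sod_conflicts(privileges):
            pair = " + ".join(sorted(conflict))
            if conflict in mitigations.get(worker, set()):
                status = "conflict retained, mitigating control on record"
            else:
                status = "UNMITIGATED; reduce privileges or add a preventive/detective control"
            findings.setdefault(worker, []).append(f"{pair}: {status}")
    return findings

def demo_review() -> Dict[str, List[str]]:
    """Run the review over a constructed set of workers and accepted mitigations."""
    workers = {
        "alice": {"create_vendor", "approve_payment", "view_reports"},
        "bob": {"develop_code", "deploy_to_production"},
        "carol": {"enter_journal", "view_reports"},
    }
    mitigations = {"bob": {frozenset({"develop_code", "deploy_to_production"})}}
    return review_access(workers, mitigations)
```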