Auditing Framework

Part 2 - An IT Auditing Framework

- Why does how our systems work matter?
- Why does how we manage our systems matter?
- How can systems harm a unit's ability to accomplish its goals?

What are you hoping to obtain from these courses?

Foundations of System Controls

System Control's Foundation Blocks
- Data Security - Database
- IT Dependent Manual Controls
- Physical Security
- Data Security - Operating System
- Application Security
- Network Security
- Job Scheduling and Management
- Change Management
- Application Controls (Automated)

Proposed Foundation Strategy (top layer first)
- IT Dependent Manual Controls
- Application Security
- Application Controls (Automated)
- Job Scheduling and Management
- Change Management
- Data Security - Operating System
- Data Security - Database
- Network Security
- Physical Security

System Control Pyramid

Top of the pyramid:
- IT Dependent Manual Controls
- Application Controls (Automated)

IT General Controls (the supporting layers, top to bottom):
- Application Security
- Job Scheduling and Management
- Change Management
- Data Security - Operating System
- Data Security - Database
- Network Security
- Physical Security

High Level Control Framework

IT General Control Definition
- IT General Controls (ITGCs) provide assurance that IT-Dependent and Application Controls can be relied upon
- They include controls over the IT environment, computer operations, access to applications and data (security), and program changes

Strong ITGC - Prevention and Detection Controls

Prevention controls stop inappropriate items from occurring:
- New user approval process
- Strong password controls
- Access termination process

Detection controls identify inappropriate items that can then be corrected:
- Periodic access review

Strong ITGC Determination

Not all textbook controls must be designed and operating effectively to address significant risks and provide a strong ITGC environment.

Business Process Controls
- Automated (Application) Controls
- IT Dependent Manual Controls
- (Purely) Manual Controls

ITGC Controls and the Application's House

- Sufficient controls must act in concert
- Consider securing an application like a house
- How does a front door protect your house?
- What are the key components?

How (My) Front Door Failed
- Burglar smashed the window on the door and accessed the dead bolt lever
- Subsequently battered the door handle lock until the frame caved in

How (Application's) Front Door Could Fail
- Internal hacker exploits a vulnerability in the operating system
- Vulnerability used to disable application controls
- Hacker later uses a "brute force" attack to gain access via the network and embezzle from the University

Compensating Control - Detection
- For my house - a camera
- For a server - an intrusion monitor that monitors OS activity

Where Should an Audit Start

- Where do you believe an audit should start?
- What initial items should be confirmed?

IT in the Control Universe

Summary

- Strong ITGCs provide assurance that effective system related controls may be relied upon
  - ITGCs build upon each other
  - Not all textbook controls are always required
  - ITGCs include both preventative and detective controls
- System related controls include application (automated) and IT-dependent (system supported) controls
- (Purely) Manual Controls do not require system review

Future discussion items
1. Evaluating Code Change Management Processes
2. Evaluating Disaster Recovery Preparations
3. Evaluating Server Configurations/Security
4. Evaluating Network Concerns and Intrusion Risks
5. Evaluating Workstation Management
6. Evaluating Application Design, Controls, and Integration with the Business Processes
7. Evaluating IT Strategies - Strategic vs. Tactical Issues
8. Strategies used to build the overall IT audit plan for the department
9. Looking at IT governance frameworks - COBIT